Serverless & StatelessOne year in, what we’ve learnt

Intro• Been working on distributed apps for 10 years.

• Accordo’s new app has been built serverless* from the ground up and has been in production seven months

• Why serverless? Simple, get a lot more done for your business by not worrying about instances and administration.

* Disclaimer: At Accordo, Serverless has a broader meaning than static sites and FaaS

This isn’t all that new

If you struggle to explain to the boss. Think if it as outsourcing to the best in the business

Simply the next generation of distributed apps and containerisation

Serverless challenges are often just distributed app challenges

Main app overview1. Static website served via

cloudfront. Site is build using React, Redux and webpack

2. Users authenticate via auth0

3. Access data apis using JWT and APIGW

4. Most apis are implemented as lambdas.

5. Main data in RDS postgres

6. Same lambdas for user apis apso process async messages

Authorization – JWT claims based

Mind your (core) business• Developers vary in skill, capacity and maturity, but

they’re all expensive for what you get.

• Every day, they turn up and write ‘stuff’. Make sure they’re working on stuff that matters.

• Any hour spent on functionality not core to your business is potential waste

Potential waste?- A/B testing- Alerting- Analytics & Tracking- Authentication- Database- Email- Failover- Queues & Message processing- Reporting- Search

- Automated Tests (not the testing)- Configuration management- Logging- Permissions

Good ROI

Serverless Vs The Twelve-Factor AppCan feel like a mis-match, but not impossible.

…and getting easier. https://12factor.net

FaaS Vs Twelve-Factor pain points- Configuration

- Much improved. was a major pain. Azure and now AWS have environment variables.

- FaaS frameworks still have a tendency to bundle config with build and or use named environments.

- Ideally configuration management and updates don’t require a re-build of app.

- Build artifacts- Immutable build artifacts that and can be

deployed to any environment.- Still Nothing of the shelf, but there are good

SDKs, not that hard to roll your own.

- Managed CI/CD is fine for nano services or calculators. Be careful of loosing environment control with larger components (build promotion, rollbacks, config)

Frameworks

How to Manage your app?- Developer workflow- Build Test Artifact Deploy- Configuration - Triggers & Endpoints

All frameworks have opinions. Some you’ll agree with. Some….Be clear on how you want to work, try not to compromise- CI for a user facing app – needs a lot of test

automation- Its ok, it’s an evolving world, the frameworks will

catch up.

AWS Serverless Application Model (SAM)

Log everything- Logging services are the debugger

- Be careful of sensitive info.

- Log the positive and negative

- Keep them as long as is practical

- console.log(), console.time()

- Excited about AWS X-Ray or other things like Netflix Vizceral

Warning 1 – alias confusionAWS lambda Aliases and Versioning - Great idea, very powerful useful concept but….. no support for Alias level log groups or configuration.

V3

V2

V1

DEV

UAT

PROD

UAT API Stage

UAT API Stage

UAT API Stage

V2 logs

V2 code

V? config

Warning 2 – the cold startCold function invocation is a problem on AWS and Azure. Webpack and sensible dependency management helps the load speed.

Best band-aid to keep them alive is Cloudwatch + a scheduled event. Event input can be customised to a heartbeat type call.

Cold load is slow. Cold VPC load is like dial-up speed. If function calls any outside resource it waits for an ENI. Can be > 30 sec….

Semi related – database calls withcontext.callbackWaitsForEmptyEventLoop

Warning 3 – Lambda Fast, API Gateway Slow

Calls to API gateway are routed through cloudfront. Low traffic* APIs suffer from high latency delays within cloudfront. Delays reasons cited are low connection reuse, routing algorithms and extra SSL handshakes.This is made worse by app making OPTIONS calls.You need to manually add ‘Access-Control-Max-Age’

CORS OPTIONS call often takes ~1 second!

* Low traffic is less than 100 requests per second

Same level of latency affects all APIGW calls. Common to see 1.5 sec round trip, but just 0.1 sec lambda execution

Top 3 Integrations

Fastly - Consider a better CDN

Auth0 - Authenticate with anything…

Segment – Integrate with anything

Real-time CDN lets you purge content near instantly - less than 150ms!

Cache API responses

One integration to rule them all…

Developer first, anything is possible

Testing

Write testable code, Strive for functional

Abstract the calling interface asap (lambda | azure | mocha)

Don’t sweat too much about the mocking side of things. We’re not testing AWS or Azure

Links

Tidy diagrams https://cloudcraft.co/appSome Auth strategieshttps://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gatewayhttps://auth0.com/docs/integrations/aws-api-gateway

Twelve-factor App https://12factor.netLambda Versioning & Aliases http://docs.aws.amazon.com/lambda/latest/dg/versioning-aliases.htmlOne of the latency forum threads https://forums.aws.amazon.com/message.jspa?messageID=729169#729169

Thanks!

linkedin.com/in/myles-henaghan