
AWS Serverless & Other Services

Overview of other AWS Services like Serverless, Lambda, API Gateway, Step Function, ECS, Fargate

Hitesh Sahu

Mon Sep 29 2025

Other AWS Services

  • WebSocket support: AppSync, ALB, API Gateway

Serverless = Invisible Server for the Developer

Deploy code or functions without creating or provisioning a server; AWS runs, scales and patches the underlying hosts.

Serverless in AWS:

  • Compute & orchestration: Lambda, API Gateway, Cognito, Step Functions
  • Databases: DynamoDB, Aurora Serverless
  • Storage: S3, EFS
  • Containers: Fargate
  • Messaging & streaming: SNS, SQS, Kinesis Data Firehose

Serverless Application Model (SAM)

Framework for developing and deploying serverless applications on CloudFormation

  • Uses YAML to define the configuration and quickly deploy a serverless app
  • Built on top of CloudFormation: everything SAM creates is a CloudFormation stack

SAM Recipe

The SAM template is transformed into a CloudFormation template at deploy time

  • Transform header: AWS::Serverless-2016-01-31

    Indicates that this is a SAM template, so CloudFormation transforms it into a plain CloudFormation template

  • Write & run locally, using the SAM resource types:
    • Lambda: AWS::Serverless::Function
    • DynamoDB: AWS::Serverless::SimpleTable
    • API Gateway: AWS::Serverless::Api
  • Build: fetch dependencies to build the deployment artifact
    • sam build
  • Package & deploy:
    • sam package / aws cloudformation package: package and upload the artifact to S3, generate the CloudFormation template
    • sam deploy / aws cloudformation deploy: deploy the stack to CloudFormation

SAM CLI + AWS Toolkit

Allow you to debug your Lambda functions locally, inspect variables, and execute code line by line.

SAM CLI: run Lambda functions locally (sam local invoke, sam local start-api) and debug them before deploying to AWS

AWS Toolkit: IDE plugin that lets you build, test, debug, deploy and invoke Lambda functions

SAM Policy Templates: a list of predefined templates that apply permissions to a Lambda function

Transformed into an IAM role by CloudFormation; prefer these scoped templates over a hand-written wildcard policy

  • S3ReadPolicy: read from an S3 bucket
  • SQSPollerPolicy: poll an SQS queue
  • DynamoDBCrudPolicy: CRUD on a DynamoDB table

Testing using CodeDeploy

CodeDeploy can be used to deploy Lambda functions (SAM's DeploymentPreference)

  • Allows traffic shifting from the old version (V1) to the new version (V2) through an alias. Steps:
  • PreTraffic hook: CodeDeploy runs a Lambda function to test V2 before any traffic reaches it
  • Traffic shifting: divert traffic to V2, all at once or gradually (linear / canary)
  • PostTraffic hook: run another Lambda function to test V2 after traffic has shifted
  • Remove the V1 Lambda version; a failed hook or a CloudWatch alarm rolls the alias back to V1
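Added example (not from the original post) of a PreTraffic hook written in Python. It invokes the candidate version with a constructed health-check payload and reports Succeeded or Failed back to CodeDeploy, which is what decides whether the traffic shift goes ahead. The NewVersion environment variable, the healthcheck action and the statusCode contract of the target function are assumptions; the AWS clients are passed in as parameters so the logic can be exercised without AWS credentials.

```python
import json
import os


def smoke_test_new_version(lambda_client, function_arn):
    """Invoke the candidate version once and check that it answers sanely.

    Returns True only when the invocation succeeds without a function error
    and the body carries the expected shape; any exception counts as failure,
    so a broken V2 never receives production traffic.
    """
    # Constructed probe request; a real hook sends whatever the function's
    # contract defines as a harmless health check (assumption).
    probe = {"action": "healthcheck"}
    try:
        resp = lambda_client.invoke(
            FunctionName=function_arn,
            InvocationType="RequestResponse",
            Payload=json.dumps(probe).encode("utf-8"),
        )
    except Exception:
        return False
    # An unhandled exception inside the target surfaces here as FunctionError,
    # not as a raised exception on the caller's side.
    if resp.get("FunctionError"):
        return False
    try:
        body = json.loads(resp["Payload"].read())
    except (KeyError, ValueError):
        return False
    return isinstance(body, dict) and body.get("statusCode") == 200


def handler(event, context, codedeploy_client=None, lambda_client=None, new_version=None):
    """CodeDeploy PreTraffic hook entry point.

    CodeDeploy passes DeploymentId and LifecycleEventHookExecutionId; the hook
    must report Succeeded or Failed back, otherwise the deployment waits until
    the hook times out. The candidate version ARN arrives via an environment
    variable named NewVersion (assumed to be wired up in the SAM template).
    """
    if codedeploy_client is None or lambda_client is None:
        import boto3  # only needed when running inside Lambda
        codedeploy_client = codedeploy_client or boto3.client("codedeploy")
        lambda_client = lambda_client or boto3.client("lambda")
    if new_version is None:
        new_version = os.environ["NewVersion"]

    status = "Succeeded" if smoke_test_new_version(lambda_client, new_version) else "Failed"
    codedeploy_client.put_lifecycle_event_hook_execution_status(
        deploymentId=event["DeploymentId"],
        lifecycleEventHookExecutionId=event["LifecycleEventHookExecutionId"],
        status=status,
    )
    return {"status": status}
```

The hook's own execution role needs codedeploy:PutLifecycleEventHookExecutionStatus plus lambda:InvokeFunction on the candidate version only; give it nothing else, since it runs unattended on every deployment.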

Serverless Application Repository (SAR)

Managed repository for serverless applications; lets you share applications packaged with SAM with other AWS accounts or publicly

  • Build and publish serverless applications shared by organizations
  • Application settings can be configured by the consumer through parameters and environment variables


AWS BATCH

Batch processing service to run batch jobs

  • Dynamically launches EC2 instances (or Fargate) to execute batch jobs
  • A batch job is defined as a Docker image
  • Automatically provisions the right amount of compute for the queued jobs

AWS Lambda:

Service that lets you run code without needing to provision or manage servers

  • You can configure your Lambda function to pull in additional code and content in the form of layers.
  • Short-lived processing: an invocation runs for at most 15 minutes
  • Scales out automatically to finish the work; each concurrent invocation is a separate execution environment
  • Event driven: the function is triggered by an event.
  • Multiple programming languages supported
    • Node.js, Python, Java, C#, Go, Ruby, plus custom runtimes via the Runtime API
  • Easy to get more resources (up to 10 GB RAM)
  • Pricing is good compared to running and scaling EC2
  • Pay per call and per duration of execution
  • Good idea to deploy a CloudWatch alarm that notifies your team when function metrics such as ConcurrentExecutions or Invocations exceed the expected threshold (also a cheap signal of abuse or a runaway trigger loop)
  • Example: resize images, check for NSFW images

Concurrency:

  • Reserved concurrency: allocates and limits the maximum concurrency for the function (also caps the blast radius: a flooded trigger can't consume the whole account pool)

Lambda vs Batch job

                  Lambda                                  Batch job
  Time limit      15 minutes per invocation               No time limit
  Runtime         Limited set of supported runtimes       Any runtime (the job is a Docker image)
  Disk space      Limited (/tmp, 512 MB by default)       No hard limit, uses EBS
  Compute         Serverless                              EC2 instances managed by AWS

Lambda Container Image:

Start a Docker container that implements the Lambda Runtime API

  • Must be built from an AWS-provided Lambda base image (or implement the Runtime API yourself)
  • Pack large and complex dependencies as an image
  • Lambda Runtime Interface Emulator: test Lambda container images locally
  • Allows deploying images up to 10 GB, stored in ECR

Lambda Layer:

A layer is a ZIP archive that contains libraries, a custom runtime, or other dependencies.

  • Limit: a function can use up to 5 layers at a time.
  • You can use libraries in your function without including them in the deployment package, which keeps the package small and development easier.
  • Use cases:
    • Enable a custom runtime: for example C++ or Rust
    • Reuse dependencies across functions
    • Create a small package
  • Caveat: a layer is code that runs with the function's role, so treat third-party layer ARNs as a supply-chain dependency and pin the layer version

Lambda External Dependencies

Package the code and its dependencies in a zip file and upload it to Lambda

  • Size must be < 50 MB for direct upload, otherwise upload via S3
  • Dependencies must compile and work on Amazon Linux (the Lambda execution environment)
  • The AWS SDK is bundled with the runtime, so it need not be added as a dependency (pin it yourself if you depend on a specific version)

Limits Per Region

  • Execution
    • Environment variables: 4 KB total
    • Storage: 512 MB ephemeral /tmp by default (configurable up to 10 GB)
    • RAM: 128 MB to 10 GB, in 1 MB increments
    • More RAM -> more vCPU; at 1,769 MB the function gets one full vCPU
    • Time: 3 seconds by default, up to a maximum of 900 seconds (15 minutes)
    • Concurrent executions: 1,000 by default (soft limit, can be raised)
  • Deployment
    • 50 MB compressed (direct upload)
    • 250 MB uncompressed (code + dependencies)
    • The total unzipped size of the function and all layers can't exceed 250 MB.

Lambda Integrations

  • API Gateway -> REST API backed by Lambda
  • Kinesis -> data transformation on the fly
  • DynamoDB -> trigger on DB events (streams)
  • S3 -> create a thumbnail or extract metadata
  • CloudFront -> Lambda@Edge
  • EventBridge / CloudWatch Events -> react to events
  • CloudWatch Logs -> stream logs
  • SNS, SQS -> react to notifications and queue messages
  • Cognito -> react to user sign-up / login

Lambda Synchronous Invocation

The caller waits for the result and gets the return value, or the error, right away

  • Supports: CLI, SDK, ALB, API Gateway
  • Errors are handled by the client (retries are the client's job)

Lambda@Edge

Deployed alongside the app to CloudFront edge locations to modify requests and responses close to the viewer

User <---> CloudFront <----> Origin

  • Viewer request: change the request as it arrives at CloudFront
  • Viewer response: change the response CloudFront sends to the viewer
  • Origin request: change the request CloudFront forwards to the origin
  • Origin response: change the response the origin returns to CloudFront
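Added example, not from the original post: a viewer-response Lambda@Edge function in Python that enforces a baseline of security headers on every response CloudFront returns. The header values are assumed, and the sample event is constructed to match the CloudFront record shape.

```python
# Baseline response headers (assumed values; tune the CSP to what the site loads).
SECURITY_HEADERS = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}

# Headers an origin should not leak to the viewer.
STRIP_HEADERS = ("server", "x-powered-by")


def add_security_headers(response):
    """Return the CloudFront response record with the security headers enforced.

    CloudFront's header map is {lowercase-name: [{"key": Name, "value": v}]}.
    Existing values are overwritten rather than merged, so an origin cannot
    downgrade the policy by sending a weaker header of its own.
    """
    headers = response.setdefault("headers", {})
    for name, value in SECURITY_HEADERS.items():
        headers[name] = [{"key": name.title(), "value": value}]
    for name in STRIP_HEADERS:
        headers.pop(name, None)
    return response


def handler(event, context):
    """Viewer-response trigger: Lambda@Edge hands us one CloudFront record."""
    record = event["Records"][0]["cf"]
    return add_security_headers(record["response"])


def sample_event():
    """Constructed viewer-response event, shaped like what CloudFront sends."""
    return {
        "Records": [{
            "cf": {
                "config": {"eventType": "viewer-response"},
                "request": {"uri": "/index.html", "method": "GET"},
                "response": {
                    "status": "200",
                    "statusDescription": "OK",
                    "headers": {
                        "content-type": [{"key": "Content-Type", "value": "text/html"}],
                        "x-powered-by": [{"key": "X-Powered-By", "value": "Express"}],
                        "x-frame-options": [{"key": "X-Frame-Options", "value": "ALLOWALL"}],
                    },
                },
            }
        }]
    }
```

Lambda@Edge functions have no environment variables and are deployed from us-east-1, so the policy is baked into the code; version the function and treat a header change as a deployment. For a purely static header set, a CloudFront response headers policy does the same job without running code at all.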

Other Supported Synchronous Invokers:

  • ALB
  • API Gateway
  • Lambda@Edge
  • S3 Batch
  • Cognito
  • Step Functions
  • Lex, Alexa
  • Kinesis Data Firehose

Lambda Asynchronous Invocation

  • The event is queued and the caller returns immediately; on error Lambda retries up to two times (three attempts in total), waiting 1 minute and then 2 minutes between attempts
  • Makes use of an internal queue, so the handler must be idempotent (the same event may be delivered more than once)
  • Speeds up processing at scale because callers don't wait
  • Events that still fail can be sent to a dead-letter queue (SQS or SNS)

S3 event notifications:

Invoke Lambda when S3 objects are created or modified

  • Enable versioning on the bucket to guarantee one notification per successful write; on a non-versioned bucket, two simultaneous writes to the same key may produce only one event
  • Delivery patterns:
    • Trigger Lambda directly
    • S3 -> SQS -> Lambda, with a DLQ on the queue
    • S3 -> SNS -> several SQS queues -> several Lambdas (fan-out)

Other Supported Asynchronous Invokers:

  • CloudWatch Events / EventBridge
  • CodeCommit
  • CodePipeline
  • SNS
  • SES
  • CloudFormation
  • IoT
  • Config

Lambda Destinations

Send the result of an asynchronous invocation, on success or on failure, to another service for further processing (preferred over a DLQ because the destination record includes the response or the error details)

  • Supported destinations: SQS, SNS, Lambda, EventBridge (CloudWatch Events)

Event Source Mapping

Lambda-managed poller that reads from a source and invokes the function synchronously with a batch of records; the function's execution role needs read permission on the source

  • Types
  • Streams: Kinesis Data Streams, DynamoDB Streams
    • Data is read from shards, in order within a shard
    • Data persists in the stream, so other consumers can read it at the same time
    • A shard can be processed in batches and in parallel (parallelization factor) for faster processing
    • Error handling: a failing batch is retried until it succeeds or the records expire; options are to bisect the batch on error, limit the number of retries, set a maximum record age, and send discarded records to a destination (SQS or SNS)
  • Queues: SQS (standard and FIFO)
    • Data is polled from the queue with long polling; a failed message returns to the queue after the visibility timeout and should go to a DLQ after a few receives


API GATEWAY

Expose Lambda (and other backends) to clients via REST APIs and WebSocket APIs

  • Fully managed service to create, publish, monitor and secure APIs

  • Protocols: REST (and HTTP) APIs and WebSocket APIs

  • Serverless and scalable

  • Versioning of APIs so existing clients keep working while new versions are rolled out

  • Stages: support multiple environments such as dev and prod

  • Transform and validate requests and responses at the API (schema validation rejects malformed input before it reaches the backend)

  • Swagger / OpenAPI 3.0 support to import and export API definitions

  • Can generate SDKs and API specifications

  • Cache API responses: reduces load on the backend

    • Cache TTL: 300 seconds by default, minimum 0, maximum 3,600 seconds (1 hour)
    • Costs extra, so typically enabled in prod only
    • Can be defined per stage
    • Can be overridden per method
    • Can be encrypted
    • Size: 0.5 GB to 237 GB
    • Invalidate the cache from the console, or per request with the header Cache-Control: max-age=0; the caller needs the IAM permission execute-api:InvalidateCache, otherwise any client could flush the cache

API Gateway Integrations:

  • Lambda: expose a REST API backed by Lambda
  • HTTP endpoint: any HTTP API, for example an on-premises server or an ALB
  • Any AWS service: start a Step Functions execution, post a message to SQS, etc.

Mapping Templates:

Map request and response data (written in Velocity Template Language, VTL)

  • Can modify the request/response, parameters and body contents, and add headers
  • Can rename variables and map them
  • Can filter the response before sending it back to the client (strip internal fields)
  • Use case: connect a SOAP backend to a JSON API

API Gateway Integration Types

Ways to integrate API Gateway with a backend

  • MOCK
    • API Gateway returns a response without sending the request to a backend
    • No work needed on the backend side
  • HTTP / AWS:
    • Need to configure the integration request and integration response using mapping templates
  • AWS_PROXY (Lambda proxy): no mapping template. The request is passed to Lambda and the response is returned to the client without modification; the backend handles the logic
  • HTTP_PROXY: no mapping; the request is passed through to the HTTP endpoint as-is

API Gateway Deployment: Endpoint Types

  1. Edge optimized (default)

    Routed through CloudFront edge locations

    • For global clients
    • The API Gateway lives in the one AWS Region where it was created, but can be reached from any CloudFront edge location
    • API requests are routed to the nearest CloudFront edge location, which improves latency.
    • Best for geographically distributed clients.
  2. Regional

    For clients in the same region

    • Combine with your own CloudFront distribution if you need edge caching or WAF rules under your control
  3. Private

    Accessible only from within a VPC

    • Reached through an interface VPC endpoint; a resource policy on the API restricts which VPC endpoints may call it

Logging & Tracing

  • CloudWatch Logs: enable execution logging at the stage level with log level ERROR or INFO (log full request/response bodies only in non-prod, they may contain credentials or PII)
  • X-Ray: tracing information
  • CloudWatch Metrics: monitor API calls per stage
    • CacheMissCount: a high value means poor caching
    • CacheHitCount: a high value means good caching
    • Count: number of API requests
    • IntegrationLatency: time taken by the backend integration to respond to API Gateway
    • Latency: IntegrationLatency + API Gateway overhead
    • 4XXError: client-side errors
      • 400 Bad Request
      • 403 Access Denied
      • 429 Quota exceeded / throttled
    • 5XXError: server-side errors
      • 502 Bad Gateway: the proxy integration returned a malformed response or none at all
      • 503 Service Unavailable: backend down
      • 504 Integration Failure: the integration did not respond within the integration timeout (29 seconds by default)

Throttling

  • Soft limit: 10,000 requests/second per account per region (burst of 5,000)
  • Error code: 429 Too Many Requests
  • Handling:
    • Exponential backoff on the client
    • Set stage limits and method limits so one noisy API can't starve the others
    • Usage plans with API keys to create per-customer quotas and rate limits (an API key identifies a customer for metering and throttling; it is not an authentication mechanism on its own)

API Gateway Security

1. IAM

  • Provides access to users and roles within the AWS account (or cross-account via roles)
  • Leverages SigV4: the client signs the request and places the credentials in the Authorization header
  • Handles both authentication and authorization
  • Authentication: IAM | Authorization: IAM policy
  • Can be combined with resource policies
  • Resource-based policy:

    JSON policy document attached to the API itself that says who may invoke it (principals, accounts, source VPC endpoints)

    • Filter by source IP address (aws:SourceIp condition)

2. Lambda Authorizer (formerly Custom Authorizer)

Token-based (TOKEN) or request-parameter-based (REQUEST) authorizer; flexible but requires more involvement

  • Great for third-party tokens (OAuth / JWT from an external identity provider)
  • Pay per Lambda invocation, but the returned policy can be cached (TTL per token)
  • Authentication: external | Authorization: the Lambda function returns an IAM policy
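Added example, not from the original post: a TOKEN-type Lambda authorizer in Python that validates an HS256 JWT with the standard library and returns the IAM policy API Gateway expects. The signing secret, issuer and claim names are constructed for the example; make_token exists only so the block can mint its own test tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared secret for HS256 tokens. Constructed for this example; in a real
# authorizer load it from Secrets Manager or SSM, never hard-code it.
SIGNING_SECRET = b"example-only-not-a-real-secret"
EXPECTED_ISSUER = "https://idp.example.com"  # assumed issuer


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims, secret=SIGNING_SECRET):
    """Mint an HS256 JWT. Only here so the example can produce its own input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, now=None, secret=SIGNING_SECRET):
    """Return the claims if the token is valid, else None.

    Order matters: structure, then alg must be exactly HS256 (refuses 'none'
    and key-confusion tricks), then the HMAC in constant time, then exp and iss.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now or claims.get("iss") != EXPECTED_ISSUER:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def stage_wildcard(method_arn):
    """arn:...:api-id/stage/VERB/path -> arn:...:api-id/stage/* so a cached
    decision applies to every route in the stage, not only the first one hit."""
    prefix, _, stage_and_path = method_arn.partition("/")
    stage = stage_and_path.split("/", 1)[0]
    return f"{prefix}/{stage}/*"


def policy(principal_id, effect, resource, context=None):
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        "context": context or {},
    }


def handler(event, context, now=None):
    """TOKEN authorizer: Bearer JWT in, IAM policy out."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    resource = stage_wildcard(event["methodArn"])
    claims = verify_token(token, now=now)
    if claims is None or "sub" not in claims:
        return policy("anonymous", "Deny", resource)  # explicit Deny -> 403
    # Values in context reach the backend as $context.authorizer.*; strings only.
    return policy(claims["sub"], "Allow", resource,
                  {"sub": claims["sub"], "scope": str(claims.get("scope", ""))})
```

Two points worth noting. The alg check comes before the HMAC, so a header of alg none or a key-confusion attempt is refused outright. The policy resource is widened to the stage (api-id/stage/*) because API Gateway caches the returned policy per token for the authorizer's TTL: a policy scoped to the first methodArn seen would otherwise deny that same caller on every other route until the cache expires, and a Deny is cached for the same TTL.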

3. Cognito User Pool

  • Supports social sign-in (Facebook, Google) and SAML/OIDC federation through the user pool
  • No need to write any code: API Gateway verifies the user pool's JWT (ID or access token) itself
  • Authentication: Cognito User Pool | Authorization: backend / API Gateway (the token only proves identity; fine-grained access control is still the backend's job)

Deployment Stages

  • The API won't serve changes until they are deployed to a stage
  • Can be rolled back because all deployment history is kept
  • Each stage has its own configuration
  • Useful for deploying new versions or managing dev/test/prod environments

Stage Variables

  • Environment variables for API Gateway that point at reconfigurable backends (for example a Lambda alias per stage)
  • Can hold an HTTPS endpoint or a function name
  • Passed to Lambda in the context object

Canary Deployment: test a beta API by routing a percentage of traffic to the new API version

Simple Workflow Service (SWF)

Coordinates work on EC2 instances, with built-in support for human interaction steps

  • Legacy service; AWS recommends Step Functions for new workflows
  • Use it only if you need: external signals to intervene, or child processes that return values to parent processes, in decoupled architectures

Step Functions

Lets you coordinate multiple AWS services into serverless workflows.

  • Design and run workflows that stitch together services such as AWS Lambda, AWS Glue and Amazon SageMaker.
  • Can run steps in parallel or in sequence, with timeouts and error handling
  • Orchestrate multiple Lambda functions and wait for the result of all of them before making a final decision.
  • The workflow is a JSON state machine (Amazon States Language) that sequences Lambda functions and other resources
  • Replacement for SWF

Step Functions State Types

Task State

Step in a state machine that invokes an AWS service or activity

  • Choice State: condition check
  • Fail / Succeed State: stop the execution
  • Pass State: pass input to output
  • Wait State: delay for a duration or until a timestamp (an execution may last at most 1 year)
  • Map State: iterate over a collection
  • Parallel State: parallel execution

Error Handling:

Predefined error names matched with ErrorEquals in a Retry or Catch

  • States.ALL: matches any error name
  • States.Timeout: no heartbeat received or the task exceeded its timeout
  • States.TaskFailed: any failure other than a timeout
  • States.Permissions: the state machine's role lacks permission to call the resource

Retry: repeat the task

  • ErrorEquals: match on error names
  • IntervalSeconds: delay before the first retry
  • BackoffRate: multiplier applied to the delay for each further retry
  • MaxAttempts: maximum number of retries

Catch: failure path taken when all retries fail

  • ErrorEquals: match on error names
  • Next: next state for the catch block
  • ResultPath: where to put the error output in the state's input, so the error is passed as input to the next state
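Added example (not from the original post) that makes the Retry and Catch semantics concrete: a small Python model of one Task state's error handling, with a constructed state definition. It is a simulation of the rules above, not the Step Functions service itself.

```python
import copy


class StateError(Exception):
    """A task failure carrying an ASL error name (e.g. States.Timeout)."""

    def __init__(self, name, cause=""):
        super().__init__(name)
        self.name = name
        self.cause = cause


def error_matches(error_name, error_equals):
    """ErrorEquals semantics: States.ALL is a wildcard, States.TaskFailed
    matches every failure except a timeout, anything else is an exact match."""
    if "States.ALL" in error_equals:
        return True
    if "States.TaskFailed" in error_equals and error_name != "States.Timeout":
        return True
    return error_name in error_equals


def retry_delays(retrier):
    """Wait before each retry: IntervalSeconds, then multiplied by BackoffRate
    every time, for at most MaxAttempts retries (ASL defaults 1, 2.0 and 3)."""
    interval = retrier.get("IntervalSeconds", 1)
    rate = retrier.get("BackoffRate", 2.0)
    return [interval * rate ** i for i in range(retrier.get("MaxAttempts", 3))]


def run_task(state, task_input, task_fn):
    """Run task_fn(input) under the state's Retry and Catch rules.

    Returns (next_state_or_SUCCEEDED, output, delays_waited). Only the first
    matching retrier is consulted; once it is exhausted the Catch list is
    searched, and an uncaught error propagates like a failed execution.
    """
    attempts = {}
    delays = []
    while True:
        try:
            return "SUCCEEDED", task_fn(task_input), delays
        except StateError as err:
            retrier = next((r for r in state.get("Retry", [])
                            if error_matches(err.name, r["ErrorEquals"])), None)
            if retrier is not None:
                used = attempts.get(id(retrier), 0)
                if used < retrier.get("MaxAttempts", 3):
                    attempts[id(retrier)] = used + 1
                    delays.append(retry_delays(retrier)[used])
                    continue
            catcher = next((c for c in state.get("Catch", [])
                            if error_matches(err.name, c["ErrorEquals"])), None)
            if catcher is None:
                raise
            error_output = {"Error": err.name, "Cause": err.cause}
            path = catcher.get("ResultPath", "$")
            if path == "$":
                output = error_output              # error replaces the input
            else:                                  # "$.key": error merged under key
                output = copy.deepcopy(task_input)
                output[path[2:]] = error_output
            return catcher["Next"], output, delays


# Constructed Task state: retry ordinary failures with backoff, route
# everything else (including timeouts) to a notification state.
TASK_STATE = {
    "Type": "Task",
    "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:process-order",
    "TimeoutSeconds": 30,
    "Retry": [{"ErrorEquals": ["States.TaskFailed"], "IntervalSeconds": 2,
               "BackoffRate": 2.0, "MaxAttempts": 3}],
    "Catch": [{"ErrorEquals": ["States.ALL"], "ResultPath": "$.error",
               "Next": "NotifyFailure"}],
    "End": True,
}
```

run_task shows the two behaviours people get wrong: a retrier that matches the error is the only one consulted, so a States.Timeout is not retried by a States.TaskFailed retrier and drops straight to the Catch; and a ResultPath of $.error keeps the original input alongside the error, so the failure-handling state can still see which order failed.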


Amazon LIGHTSAIL

Simple standalone service to host a WordPress-like site

  • Great for people with little cloud experience
  • Virtual servers to host sites and WordPress blogs
  • Low and predictable pricing

Amazon WORKSPACES

Managed Desktop as a Service (DaaS)

  • Secure: volumes encrypted with KMS, multi-factor authentication and directory integration
  • Deploy as close to the users as possible to reduce latency
  • e.g. use a Windows or Linux desktop in the cloud

Amazon APPSYNC

Managed GraphQL backend as a service to store and sync data across mobile apps and the web in real time

  • GraphQL as a service, combining data from one or more sources
  • Local data access and synchronization
  • Replacement for AWS Cognito Sync
  • Integrated with DynamoDB and Lambda
  • Real-time subscriptions over WebSockets or MQTT

AppSync Security

  • TLS: endpoints are served over HTTPS only
  • Analytics and auditing using CloudWatch Logs
  • Authorize users for the API using one of:
    • API_KEY: a shared key, fine for public or prototype data only
    • AWS_IAM: IAM users and roles (SigV4)
    • OPENID_CONNECT: JWT from an OIDC provider
    • AMAZON_COGNITO_USER_POOLS: existing user pool users

Amazon APPSTREAM 2.0

Desktop application streaming service: stream any app to any desktop without provisioning

  • Run the app in the browser
  • Stream a specific app instead of a whole desktop
  • e.g. run Blender in the browser

Amazon SUMERIAN

VR/AR and 3D models rendered in the browser or in a VR/AR headset

  • Create 3D models with animation
  • Render 3D scenes in a web browser

Amazon IOT CORE

Connects IoT devices to the AWS cloud

  • Pub/Sub (MQTT) to communicate between devices
  • Serverless, secure and scalable to billions of devices; each device authenticates with its own X.509 certificate
  • Backed by the AWS service suite
  • Gather and process data from IoT devices

Amazon ELASTIC TRANSCODER

Converts media files stored in S3 into the formats required by consumer devices

  • Pipelines to process media files
  • Scalable and easy to use
  • Cost effective
  • Managed and secure

DEVICE FARM

Fully managed service to test apps on a set of real devices online

  • Farm of devices connected to the AWS cloud
  • Test apps on many devices at once
  • Take screenshots and interact with them

AWS ML & AI Services

  • Amazon Rekognition: find faces, text, scenes and objects in images and video using ML

  • Amazon Transcribe: speech-to-text

  • Amazon Polly: text-to-speech

  • Amazon Translate: localize large volumes of text into other languages

  • Amazon Comprehend: find patterns in text: language, sentiment, entities and key phrases, organized into topics

  • Amazon Textract: extract text and structured data from documents

  • Amazon Lex: build conversational interfaces (chatbots) with the same technology that powers Alexa

  • Amazon Connect: receive calls and create contact flows, e.g. integrated with a CRM. Cloud customer contact center

  • Amazon SageMaker: ML platform to build, train and deploy models

  • Amazon Forecast: create forecasts based on historical data

  • Amazon Kendra: extract answers from documents; builds a knowledge index to create a search engine

  • Amazon Personalize: provide recommendations based on user behavior

  • Amazon Augmented AI (A2I): human review of low-confidence ML predictions

  • Amazon Fraud Detector: fraud detection

  • AWS Ground Station: satellite communications ground station as a service


Container Services

AWS Elastic Container Service (ECS)

Run and manage Docker containers on AWS

  • With the EC2 launch type you must provision and maintain the EC2 instances
  • AWS takes care of starting/stopping containers and making sure the desired number of tasks is running across the EC2 fleet
  • Charged based on the EC2 instances and EBS volumes used
  • EC2 instances must run the ECS-optimized AMI (Docker and the ECS agent preinstalled) or an equivalent
  • To enable a random host port, set host port = 0 (or leave it empty), which allows multiple containers of the same type to run on the same container instance.

If a container instance does not join the cluster, check that the cluster name was written to /etc/ecs/ecs.config during bootstrap: the file must contain ECS_CLUSTER=your_cluster_name for the agent to register the instance with the cluster named your_cluster_name (otherwise the agent registers with the default cluster).

ECS Scaling

CPU and memory are tracked in CloudWatch at the service level

ECS has 2 levels of scaling

1. ECS Service Scaling (task level):

Set a CloudWatch alarm on CPU usage or SQS queue depth and launch new ECS tasks

  • Spins up new containers on the existing EC2 instances (or on Fargate)

2. Cluster Capacity Provider (for the EC2 launch type):

Launches new EC2 container instances when the cluster no longer has capacity for the desired tasks

  • Spins up new EC2 instances through the Auto Scaling group so more containers can be placed

ECS Rolling Update

  • Minimum healthy percent: minimum running capacity during the update
  • Maximum percent: how many extra tasks can be created to roll out the update

Integration with ALB, NLB and Classic ELB:

  • Dynamic port mapping: the ALB automatically finds the right host port to reach each task in the ECS cluster
  • The ALB does the load balancing across ECS containers
  • The security group of the ECS EC2 instances must allow any port from the ALB's security group for dynamic port mapping to work; do not open the ephemeral port range to the internet

Task Placement

Strategy for where to run containers when scaling in / out

  • Only for the EC2 launch type
  • Order of selection of an EC2 instance to run an ECS task:
    1. Hardware requirements: CPU, RAM, port
    2. Task placement constraints:
      • distinctInstance: place each task on a different container instance
      • memberOf: place based on a Cluster Query Language expression, e.g. instance type t2
    3. Task placement strategy:
      • binpack: put as many containers as possible on a single EC2 instance
        • Good for cost saving
        • Based on CPU or memory
        • Maximizes EC2 instance utilization
      • random: place tasks randomly across EC2 instances
      • spread: spread tasks evenly across a specified attribute, e.g. Availability Zone
      • Mixed: combine the strategies above (for example spread across AZs, then binpack within an AZ)

ECS Deep Dive

ECS Cluster: regional logical grouping of tasks, services and (for the EC2 launch type) container instances

ECS Agent

Runs on each EC2 instance to start and register Docker containers

  • Must run on the EC2 instance for it to serve as a container instance

Security:

  • Secrets Manager: inject sensitive data into containers as secrets rather than as plain environment variables in the task definition
  • SSM Parameter Store: same, for configuration and SecureString parameters

ECS Task

Started on an EC2 instance by the ECS agent

  • The number of tasks an EC2 instance can hold depends on its size (CPU and memory reservations)

ECS IAM Roles

1. EC2 Instance Profile:

IAM role assigned to the EC2 instance and used by the ECS agent

  • Allows the ECS agent to
    • Pull Docker images from ECR
    • Make API calls to ECS
    • Register the instance with the ECS cluster
    • Send container logs to CloudWatch

2. ECS Task Role:

IAM role assigned to the ECS task so that the application gets only the permissions it needs

  • Create a separate task role for each task definition
  • The role is defined in the task definition
  • Task credentials are delivered through the container credentials endpoint, so a task never needs the instance profile's permissions; block the instance metadata endpoint from containers so they can't fall back to it

Task Definition

Metadata in JSON form that tells ECS how to run a Docker container

Metadata could be:

  • Port bindings for host and container
  • CPU and RAM required
  • Docker image name (pin by digest, not just by tag, for reproducible deploys)
  • Network information
  • Environment variables

Deregister ECS Container Instance:

  • Terminating a container instance in the RUNNING state: the container instance is automatically removed, or deregistered, from the cluster.
  • Terminating a container instance in the STOPPED state: the container instance isn't automatically removed from the cluster. You need to deregister it yourself using the Amazon ECS console or the AWS CLI.

ECS Data Volumes

1. EBS

An EBS volume is attached to one EC2 instance in one AZ and can be mounted into the tasks on that instance

  • Gives temporary extra storage
  • If the task moves to another EC2 instance, the data is no longer reachable

2. EFS

An EFS file system can be mounted by many ECS tasks at once

  • Works with both the EC2 and Fargate launch types
  • Persistent, multi-AZ shared volumes for ECS containers

3. Bind Mount

Shared between containers within one ECS task

  • One container writes data and the other can read it (sidecar pattern)
  • Works with both EC2 and Fargate (on Fargate the task's ephemeral storage is 20 GB by default, configurable up to 200 GB)

Launch Types for ECS

1. EC2 Launch Type

You must provision and maintain the EC2 instances

2. FARGATE Launch Type

Serverless compute platform for ECS and EKS

  • EFS + Fargate = true serverless
  • No need to create EC2 instances: AWS automatically provisions compute based on the task's CPU/RAM
  • Each task gets a unique private IP address through its own ENI (Elastic Network Interface, awsvpc network mode)
  • The task port must be allowed from the ALB's security group in the task's ENI security group for load balancing to work

AWS Elastic Container Registry (ECR)

Private Docker registry used by ECS, EKS and Fargate to store, manage and deploy Docker images

  • Uses IAM for access control and is backed by S3; enable image scanning to catch known CVEs in pushed images
  • Pushes can be automated with CodeBuild
  • CLI login: AWS CLI v1 used $(aws ecr get-login ...); AWS CLI v2 pipes a password into docker login

Commands to pull a Docker image

# Log in to ECR; the token is valid for 12 hours (AWS CLI v2)
aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.eu-west-1.amazonaws.com

# Pull the image
docker pull 1234567890.dkr.ecr.eu-west-1.amazonaws.com/demo:latest

AWS Elastic Kubernetes Service (EKS)

Launch a managed Kubernetes cluster on AWS

  • Can use EC2 nodes or Fargate to run the pods
  • Kubernetes is portable: the same manifests can be deployed to any cloud or on premises
  • Charged per cluster-hour for the control plane plus the EC2 nodes or the Fargate vCPU/memory used
