Serverless APIs and you

2

Comparing today’s IT landscape to 10 or 15 years ago, much has changed… 5

If you these together, we’re doing a lot more, much more quickly, but often with a huge operational burden. 6

7

8

9

10

11

After deployment, you get an https endpoint. You can also use a custom domain name with a managed SSL certificate if you prefer. 12

You can also use CloudFormation to achieve the same goal – walk through this screen. In addition to CF, we also offering SAM, a more serverless-specific deployment tool. 13

Having a serverless API is great but you can also leverage other services to build entirely serverless applications. This can help extend the benefits I talked about API Gateway having, throughout your stack. 14

AWS SKO Event 2019 10/10/2019 7:36 PM Many people think Lambda is the same thing as serverless but that’s just the compute (FaaS) part. More broadly, serverless represents a number of services that share these attributes… © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 15

ReInvent 2018 10/10/2019 7:36 PM API Gateway is a serverless, web-scale service that is the “public doorway” for many serverless applications. Applications consist of several other services… Using a combination of these services, you can built low-code, highly-scalable, low-maintenance applications. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 16

ReInvent 2018 10/10/2019 7:36 PM Combined with a range of application services, you can bring complex functionality into your apps. - Using machine learning to bring image recognition, sentiment analysis or language translation with minimal coding - Connect with the Internet of Things - Deploy mobile apps to hundreds of thousands of customers with no infrastructure © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 17

18

Web apps are an interesting case thanks to some of the technology happening on the frontend. This is a very simple pattern that can give you: 1. Global scale, high availability 2. Removes dependence on a single webserver or cluster 3. Delineates front-end and backend compute 19

20

21

The Gateway set up an ANY path and proxies everything to the target. The target business logic is now doing… - Web server router middleware - Body parsers - Route management - Request validation Where is the actual business logic in the handler? 22

In this first step, API Gateway now handles the routing (explain example). This is pseudocode so it fits on a slide… - Three defined routes - Include dynamic parameters, GET/POST, etc. - Any routes not matching this are rejected by the gateway without calling your function 23

Now, let’s make API Gateway do the validation by using a model. - Have the gateway check for the presence of the required parameters - Also check their types 24

Now the function we write to handle the create user function does exactly that – it creates the user. The code no longer needs to check the presence of parameters or ensure type. This is part of a broader idea called payload modelling 25

26

Simple weather example: - Two endpoints: - one unauthenticated for basic data, - another for premium info (using custom authorizer) 28

In this case where the API call is return items from a DynamoDB table, you don’t need the Lambda function. 29

Connect API Gateway directly to DDB 30

As an integration - No compute required - Faster API roundtrip - Potentially more scalable, depending on how this was setup How can you convert the DDB items to an API response without the compute layer? 31

Request can be modified at API GW level using Velocity Template Language - Velocity is a Java-based template engine, open sourced by Apache - Ensures clean separation between the presentation tier and business tiers in a Web application (MVC model) 32

Response can be modified at API GW level using VTL 33

35

ReInvent 2018 10/10/2019 7:36 PM Is the API Gateway HTTP integration timeout of 30 seconds too short for you? Some developers have an existing, synchronous web service that can take longer than 30sec to respond. There are three common patterns to convert a synchronous API call to asynchronous … © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 36

ReInvent 2018 10/10/2019 7:36 PM Response payload: - < 10 MB (APIGW payload limit) – Return the caller of /getResults the actual result of the work - > 10MB – Return the caller of /getResults an S3 presigned download URL © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 37

ReInvent 2018 10/10/2019 7:36 PM Execution time (similar considerations to the polling pattern): <15 mins – SQS to Lambda >= 15 minutes – Step Functions or AWS Batch Response payload (similar to the polling pattern, but now with SNS’ payload limits): <= 256kb – SNS > 256kb – SNS + S3 presigned URL © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 38

39

ReInvent 2018 10/10/2019 7:36 PM Why not just open the WebSocket API for the request? - RESTful APIs have strong controls to ensure user requests are validated – provides guardrails for the intended query purpose. - Helps prevent rogue requests (especially when exposed to a large number of users). - REST validation framework can detect header info on browser compatibility request layer can pass this browser metadata and determine whether a WebSocket API can be opened. - If low-latency request/response are critical, and there aren’t any browsercompatibility risks, use a WebSocket API with JSON model selection expressions to protect your backend with a schema. - Best practice: use a REST API for the request layer and a WebSocket API to listen for the result. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 40

41

ReInvent 2018 10/10/2019 7:36 PM As you start to stitch together Serverless services, you may hit payload sizes as your data flows through them. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 42

44

Stages can help deploy different versions of the same API to different audiences. 2. Always 1 stage in every deployment. 3. Map stages to anywhere but you can automate the reference to a Lamdba version using Stage variables. Stage vars: - These are associated w/ a deployment stage of a REST API. - They act like environment variables and can be used in your API setup/mapping templates. - You can map a stage for a given API to different integrations based upon stages. 45

Lambda function versions are immutable when published. You can define aliases for Lambda versions. Then ref this Lambda alias. When you change the Lambda version an alias point to, the API Gateway stage is automatically updated. 46

47

Stages are a good feature but for larger apps and projects there is a better way. Why? 2. For larger teams, use multiple AWS accounts. 3. 10-12 devs = 10-12 accounts. 4. One beta, gamma, alpha – one prod. 5. Also – AWS secrets manager. 48

49

ReInvent 2018 10/10/2019 7:36 PM There are a number of things to consider around API security, especially as API Gateway is your application’s “front door” © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 50

Let’s look at a simple, unsecured weather app as an example… 1. Structurally makes sense – explain flow… 2. Not secured: - Unauthenticated access to API - No usage limits 51

Now let’s compare with a secure version of the same app. - This is the same app implemented securely. - Adds another AWS account for a “weather update” service so we can talk about some a/c to a/c security. 52

First, it uses a Cognito authorizer to authenticate calls from users. - Allows simple username/password login, passing a token to the gateway to authenticate the user. - Can also support social login via Google, Facebook or use OpenID or SAML identity providers - Can federate through third party identity provider (IdP). - This can include MFA checks for compromised credentials, account takeover protection, and phone and email verification API Gateway: - You can use groups in a user pool to control permissions with API Gateway by mapping group membership to IAM roles. - The groups that a user is a member of are included in the ID token provided by a user pool when your app user signs in. More Cognito info: - User pools are user directories that provide sign-up and sign-in options for your web and mobile app users. - - The user pool manages the overhead of handling the tokens that are returned from social sign-in, and from OpenID Connect (OIDC) and SAML IdPs - Identity pools provide AWS credentials to grant your users access to other 53

AWS services. - Identity pools support anonymous guest users, as well as federation through third-party IdPs. 53

In the case of this weather app, there is a second Lambda in another account that can call the API Gateway. The best practice here is to use the IAM authorizer – the caller is authenticated based upon IAM permissions and there are no passwords or secrets to manage. This IAM approach is designed specifically for account-to-account access (or private API access). In both approaches: - All managed through configuration - No code 54

Now if it were necessary to use some custom identity setup, this is where a custom authorizer is useful. This involves writing your own solution as a Lambda function. The Gateway will call this function to authorize access and you can use any authorization logic you prefer. Suited for: - Non-AWS auth (like Auth0, JWTs for another service) - Corporate data center – LDAP, SAML - External services dependent on this service Your function must return a valid IAM policy. Benefits: - Centralize your auth logic in a single function rather than packaging it up as a library into each of your functions. If your auth logic changes in the future, you can simply redeploy a single fn. - Cache responses. usually your auth logic will need to make a remote call. This can add unneeded latency if you’re running this check within every function. By isolating the remote call in your custom authorizer, you will only need to pay the price once. Cache the value for up to 1hr. 55

Ensure that AWS Web Application Firewall (WAF) is integrated with Amazon API Gateway to protect your APIs from common web exploits: - such as SQL injection attacks, - cross-site scripting (XSS) attacks - and Cross-Site Request Forgery (CSRF) attacks … that could affect API availability and performance, compromise API data security or consume excessive resources. AWS WAF protects web applications from attacks by filtering traffic based on rules that you create. For example, you can filter web requests based on IP addresses, HTTP headers, HTTP body, or URI strings, 56

CORS: - What is it? - Cross-origin resource sharing is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served - mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin - Can be complex and frustrating for developers Key - “If your REST API’s resources receive non-simple cross-origin HTTP requests, you need to enable CORS support.” Enabling CORS Support for Lambda or HTTP Non-Proxy Integrations and AWS Service Integrations For a Lambda custom integration, HTTP custom (non-proxy) integration, or AWS service integration, you can set up the required headers by using API Gateway method response and integration response settings. API Gateway will create an OPTIONS method and attempt to add the Access-Control-AllowOrigin header to your existing method integration responses. Enabling CORS Support for Lambda or HTTP Proxy Integrations 57

For a Lambda proxy integration or HTTP proxy integration, you can still set up the required OPTIONS response headers in API Gateway. However, your backend is responsible for returning theheaders, because a proxy integration doesn’t return an integration response. 57

Amazon API Gateway provides two basic types of throttling-related settings: - Server-side throttling limits are applied across all clients. These limit settings exist to prevent your API— and your account — from being overwhelmed by too many requests. - Per-client throttling limits are applied to clients that use API keys associated with your usage policy as client identifier. API Gateway throttling-related settings are applied in the following order: Per-client per-method throttling limits that you set for an API stage in a usage plan Per-client throttling limits that you set in a usage plan Default per-method limits and individual per-method limits that you set in API stage settings Account-level throttling Account-level throttling – soft limit / 10k/sec (burst of 5k) - A usage plan specifies who can access one or more deployed API stages and methods — and also how much and how fast they can access them. - The plan uses API keys to identify API clients and meters access to the associated API stages for each key. It also lets you configure throttling limits and quota limits that are enforced on individual client API keys. 58

A throttling limit is a request rate limit that is applied to each API key that you add to the usage plan. You can also set a default method-level throttling limit for an API or set throttling limits for individual API methods. - A quota limit is the maximum number of requests with a given API key that can be submitted within a specified time interval. - You can configure individual API methods to require API key authorization based on usage plan configuration 58

59

60

Serverless APIs and you

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37

Slide 38

Slide 39

Slide 40

Slide 41

Slide 42

Slide 43

Slide 44

Slide 45

Slide 46

Slide 47

Slide 48

Slide 49

Slide 50

Slide 51

Slide 52

Slide 53

Slide 54

Slide 55

Slide 56

Slide 57

Slide 58

Slide 59

Slide 60

Slide 61

Slide 62