The Life of a Serverless Microservice on AWS

In this post, I will demonstrate how you can develop, test, deploy, and operate a production-ready serverless microservice using the AWS ecosystem. The combination of AWS Lambda and Amazon API Gateway allows us to operate a REST endpoint without the need for any virtual machines. We will use Amazon DynamoDB as our database, Amazon CloudWatch for metrics and logs, and AWS CodeCommit and AWS CodePipeline as our delivery pipeline. In the end, you will know how to wire together a bunch of AWS services to run a system in production.

The Life

My idea of "The Life of a Serverless Microservice on AWS" is best described by this figure:

A developer is pushing code changes to a repository. This git push triggers the CI & CD pipeline to deploy a new version of the service, which our users consume. The load generated on the system produces logs and metrics that are used by the developer to operate the system. The operational feedback is used to improve the quality of the system.

What is Serverless?

Serverless or Function as a Service (FaaS) describes the idea that the deployment unit is a single function. A function takes input and returns output. The responsibility of the FaaS user is to develop the function while the FaaS provider's responsibility is to execute the function whenever some event happens. The following figure demonstrates this idea.

Some possible events:

- File uploaded.
- E-Mail received.
- Database changed.
- Manually invoked.
- HTTP API called.
- Cron.

The cool things about serverless architecture are:

- You only pay when the function is executed.
- No under/over provisioning.
- No boot time.
- No patching.
- No SSH.
- No load balancing.

Read more about Serverless Architectures if you are interested in the details.

What is a Microservice?

Imagine a small system where users have a publicly visible profile page with location information of that user. The idea of a microservice architecture is that you slice your system into smaller units around bounded contexts.
I identified three of them:

- Authentication Service: Handles authentication.
- Location Service: Manages location information via a private HTTP API. Uses the Authentication Service internally to authenticate requests.
- Profile Service: Stores and retrieves the profile via a public HTTP API. Makes an internal call to the Location Service to retrieve the location information.

Each service gets its own database, and services are only to communicate with each other over well-defined APIs, not the database!

Let's get started!

The source code and installation instructions can be found at the bottom of this page. Please use the us-east-1 region! We will use services that are not available in other AWS regions at the moment.

Code

AWS CodeCommit is a hosted Git repository that uses IAM for access control. You need to upload your public SSH key to your IAM User as shown in the following figure:

Creating a repository is simple. Just click on the Create new Repository button in the AWS Management Console.

We need a repository for each service. You can then clone the repository locally with the following command. Replace $SSHKeyID with the SSH Key ID of your IAM user and $RepositoryName with the name of your repository.

    git clone ssh://$SSHKeyID@git-codecommit.us-east-1.amazonaws.com/v1/repos/$RepositoryName

We now have a home for our code.

Continuous Integration & Continuous Delivery

AWS CodePipeline is a service to manage a build and deployment pipeline. CodePipeline itself is only responsible for triggering integrations to do things like:

- Build.
- Test.
- Deploy.

We need a pipeline for each service that:

- Downloads the sources from CodeCommit if something changes there.
- Runs our tests and bundles the code in a zip file for Lambda.
- Deploys the zip file.

Luckily, CodePipeline has native support for downloading sources from CodeCommit. To run our tests, we will use a third-party integration to trigger Solano CI to run our tests and bundle the source files.
The deployment step is implemented in a Lambda function that triggers a CloudFormation stack update. A CloudFormation stack is a bunch of AWS resources managed by CloudFormation based on a template that you provide (Infrastructure as Code). Read more about CloudFormation on our blog.

The following figure shows the pipeline:

The cool thing about CloudFormation is that you can define the pipeline itself in a template. So we get Pipeline as Code.

The CloudFormation template that is used for service deployment describes a Lambda function, a DynamoDB database, and an API Gateway. After deployment you will see one CloudFormation stack for each service:

We now have a CI & CD pipeline.

Service

We use a bunch of AWS services to run our microservices.

Amazon API Gateway

API Gateway is a service that offers a configurable REST API as a service. You describe what should happen if a certain HTTP Method (GET, POST, PUT, DELETE, ...) is called on a certain HTTP Resource (e.g. /user). In our case, we want to execute a Lambda function if an HTTP request comes in. API Gateway also takes care of mapping input and output data between formats. The following figure shows what this looks like in the AWS Management Console for the Profile Service.

The API Gateway is a fully managed service. You only pay for requests, no under/over provisioning, no boot time, no patching, no SSH, no load balancing.
AWS takes care of all those aspects.

Read more about API Gateway on our blog.

AWS Lambda

To run code in AWS Lambda you need to:

- use one of the supported runtimes (Node.js (JavaScript), Python, JVM (Java, Scala, ...)).
- implement a predefined interface.

The interface in abstract terms requires a function that takes an input parameter and returns void, something, or throws an error.

We will use the Node.js runtime where a function implementation looks like this:

    exports.handler = function(event, context, cb) {
      console.log(JSON.stringify(event));
      // TODO do something
      cb(null, {name: 'Michael'});
    };

In Node.js, the function is not expected to return something. Instead, you need to call the callback function cb that is passed into the function as a parameter.

The following figure shows what this looks like in the AWS Management Console for the profile service.

AWS Lambda is a fully managed service. You only pay for function executions, no under/over provisioning, no boot time, no patching, no SSH, no load balancing. AWS takes care of all those aspects.

Read more about Lambda on our blog.

Amazon DynamoDB

DynamoDB is a Key-Value-Store or Document-Store. You can look up values by their key. DynamoDB replicates across multiple Availability Zones (data centers) and is eventually consistent.

The following figure shows what this looks like in the AWS Management Console for the authentication service.

Amazon DynamoDB is a 99% managed service. The 1% that is up to you is that you need to provision read and write capacity. When your service makes more requests than provisioned, you will see errors. So it is your job to monitor the consumed capacity to increase the provisioned capacity before you run out of capacity.

Read more about DynamoDB on our blog.

Request Flow

The three services work together in the following way:

The user's HTTP request hits API Gateway. API Gateway checks if the request is valid — if so, it invokes the Lambda function.
The function makes one or more requests to the database and executes some business logic. The result of the function is then transformed into an HTTP response by API Gateway.

We now have an environment to run our microservices.

Logs, Metrics, and Alerting

A black box is very hard to operate. That's why we need as much information from the inside of the system as possible. AWS CloudWatch is the right place to store and analyze this kind of information:

- Metrics (numbers).
- Logs (text).

CloudWatch also lets you define alarms on metrics. The following figure demonstrates how the pieces work together.

Operational insights that you get out-of-the-box:

- Lambda writes STDOUT and STDERR to CloudWatch logs.
- Lambda publishes metrics to CloudWatch about the number of invocations, runtime duration, the number of failures, etc.
- API Gateway publishes metrics about the number of requests, 4XX and 5XX Response Codes, etc.
- DynamoDB publishes metrics about consumed capacity, the number of requests, etc.

The following figure shows a CloudWatch alarm that is triggered if the number of throttled read requests of the Location Service DynamoDB table is greater than or equal to one. This situation indicates that the provisioned capacity is not sufficient to serve the traffic.

With all those metrics and alarms in place, we now can be confident that we receive an alert if our system is not working properly.

Summary

You can run a high-quality system on AWS by only using managed services. This approach frees you from many operational tasks that are not directly related to your service. Think of operating a monitoring system, a log index system, a database, virtual machines, etc. Instead, you can focus on operating and improving your service's code.

The following figure shows the overall architecture of our system:

Serverless or FaaS does not force you to use a specific framework.
As long as you are fine with the interface (a function with input and output), you can do whatever you want inside your function to produce an output with the given input.
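The handler in the AWS Lambda section logs the complete event, and Lambda writes STDOUT to CloudWatch logs, so any credential carried in a request would be stored there in clear text. The following is an added example, not code from the original post, that logs a redacted copy instead; the key names in SENSITIVE_KEYS, the size limits and the sample event are assumptions.

```javascript
'use strict';

// Keys whose values must never reach CloudWatch Logs. The names are assumptions;
// match them to what your API Gateway mapping actually passes into the event.
const SENSITIVE_KEYS = new Set(['authorization', 'cookie', 'password', 'token', 'x-api-key']);
const MAX_STRING = 256; // cap on logged string length (assumed value)
const MAX_DEPTH = 8;    // cap on nesting, bounds recursion on hostile input

// Return a deep copy of `value` that is safe to log. The input is not modified.
function redact(value, depth = 0) {
  if (depth > MAX_DEPTH) return '[TRUNCATED]';
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      // HTTP header names are case-insensitive, so compare in lower case.
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  if (typeof value === 'string' && value.length > MAX_STRING) {
    return value.slice(0, MAX_STRING) + '...[' + value.length + ' chars]';
  }
  return value;
}

// JSON.stringify escapes newlines inside strings, so each event stays on one log line.
function logLine(event) {
  return JSON.stringify(redact(event));
}

// Same callback-style interface as the handler in the post.
function handler(event, context, cb) {
  console.log(logLine(event));
  cb(null, { name: 'Michael' });
}

// Export for Lambda when loaded as a CommonJS module.
if (typeof exports !== 'undefined') exports.handler = handler;

// Constructed sample event, not a real API Gateway payload.
const SAMPLE_EVENT = {
  headers: { Authorization: 'Bearer constructed-sample-token', Accept: 'application/json' },
  body: { username: 'michael', password: 'constructed-sample-password' },
  history: [{ token: 'constructed-old-token', page: 1 }],
};

handler(SAMPLE_EVENT, {}, (err, result) => console.log(err, result));
```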

Google beats children's web privacy appeal, Viacom to face one claim

Google and Viacom on Monday defeated an appeal in a nationwide class action lawsuit by parents who claimed the companies illegally tracked the online activity of children under the age of 13 who watched videos and played video games on Nickelodeon's website.

By a 3-0 vote, the 3rd U.S. Circuit Court of Appeals in Philadelphia said Google, a unit of Alphabet Inc, and Viacom Inc were not liable under several federal and state laws for planting "cookies" on boys' and girls' computers, to gather data that advertisers could use to send targeted ads.

The court also revived one state law privacy claim against Viacom, claiming that it promised on the Nick.com website not to collect children's personal information, but did so anyway.

Monday's decision largely upheld a January 2015 ruling by U.S. District Judge Stanley Chesler in Newark, New Jersey. It returned the surviving claim to him.

Jay Barnes, a lawyer for the parents, declined to comment.

Viacom spokesman Jeremy Zweig said the company is pleased with the dismissals and confident it will prevail on the remaining claim. "Nickelodeon is proud of its record on children's privacy issues and strongly committed to the best practices in the industry," he added. Google did not immediately respond to a request for comment.

Monday's decision is a fresh setback for computer users, after the same appeals court last November 10 said Google was not liable under federal privacy laws for bypassing cookie blockers on Apple Inc's Safari browser and Microsoft Corp's Internet Explorer browser.

Circuit Judge Julio Fuentes, who wrote both decisions, said that ruling doomed many of the parents' claims against Mountain View, California-based Google and New York-based Viacom.
He also rejected the parents' claims under the Video Privacy Protection Act, a 1988 law adopted a year after a newspaper wrote about movies rented by failed Supreme Court nominee Robert Bork, based on a list provided by a video store.

Fuentes said the law was meant to thwart the collection of data to help monitor people's video-watching behavior.

He said Congress, despite amending the law in 2013, never updated it to cover the collection of data such as users' IP addresses, browser settings and operating settings, and reflect a "contemporary understanding" of Internet privacy. "Some disclosures predicated on new technology, such as the dissemination of precise GPS coordinates or customer ID numbers, may suffice," Fuentes wrote. "But others--including the kinds of disclosures described by the plaintiffs here--are simply too far afield from the circumstances that motivated the act's passage to trigger liability."

The revived privacy claim accused Viacom of reneging on a promise on Nick.com that said: "HEY GROWN-UPS: We don't collect ANY personal information about your kids. Which means we couldn't share it even if we wanted to!"

Fuentes said a reasonable jury might find Viacom liable for "intrusion upon seclusion" if it found its alleged privacy intrusion "highly offensive to the ordinary reasonable man."

The case is In re: Nickelodeon Consumer Privacy Litigation, 3rd U.S. Circuit Court of Appeals, No. 15-1441. (Reporting by Jonathan Stempel in New York; Editing by David Gregorio)

Behind Tesla carnage, signs of support for Musk's SolarCity deal

Some of Tesla Motor Inc's (TSLA.O) biggest investors have signaled support for CEO Elon Musk's plan to buy solar power company SolarCity Corp (SCTY.O), although the electric car maker's stock cratered on Wednesday, lopping more than the $2.8 billion value of the proposed deal off Tesla's market capitalization. “It’s a natural evolution of their mission to transform transportation into a sustainable business,” said Joe Dennison, a portfolio manager of Zevenbergen Capital Investments, which has about 600,000 Tesla shares, or about 0.4 percent of shares outstanding. It is still early in the process, he said, but "We expect it to go through and believe that most investors who actually own the stock understand management's long-term vision for the company."

That was not the market's broad reaction, sending Tesla's shares down more than 10 percent, and taking more than $3 billion off its market value, which now stands around $28.7 billion. That was a blow to Musk, who is chief executive of Tesla, chair of SolarCity and the biggest shareholder in both companies. He is also the CEO of rocket-maker SpaceX.

He and Tesla management risk being distracted from rolling out the new Model 3 sedan, a mass-market electric vehicle key to the success of the young firm, analysts said, questioning whether merging two companies which both need substantial cash was a good idea.

The audacious entrepreneur envisions a one-stop shop for clean-energy fans, who could buy an electric car, home solar system and battery backup in a single visit. Some argued the two firms cater to different groups of customers, with little crossover.

Shares of the much smaller SolarCity rose more than 3 percent, valuing the U.S. market leader in residential rooftop solar panels at $2.15 billion.

PLANS IN THE PIPELINE

In a hastily arranged call with investors and Wall Street analysts early on Wednesday, where Tesla executives defended the deal, Musk said institutional shareholders had some idea of the plan.
He had not disclosed the deal, he said, but over the years, "this idea has been bandied about with some of our largest shareholders, institutional shareholders. Yeah, there have been discussions." The manager of the second largest mutual fund investor in Tesla, the $12 billion Fidelity OTC Portfolio, which is also the largest institutional holder of SolarCity, praised a tie-up in comments earlier this year.

"We remain fans not just of Tesla products, but of the concepts and potential future partnerships behind the company. We foresee fruitful synergies between say, Tesla and SolarCity – or any company that can benefit from superior battery technology," Gavin Baker, who runs the Fidelity OTC fund, said in his first-quarter commentary for investors. It owns 2.1 percent of shares.

Overall, 45 percent of Tesla shareholders also hold SolarCity stock, a person familiar with the matter said. Baker and Will Danoff, who runs the $100 billion-plus Fidelity Contrafund (FCNTX.O), the largest mutual fund investor in Tesla with 3.5 percent of stock, have both told Reuters in interviews that they tend to give more leeway to founder-run companies which they believe are still in the early stages of growth. Musk, a founder of Tesla and SolarCity who owns about a fifth of each, will recuse himself from board and shareholder votes, leaving the fate of the deal in the hands of outside investors, led by major fund companies such as Fidelity Investments.

Musk himself said that Tesla could be a trillion-dollar company one day, despite its current market value being less than 3 percent of that figure.

"I have no doubt about this - zero," Musk said on the call with analysts and investors before markets opened on Wednesday. "We should have done it sooner."

LOST GOLDEN TOUCH?

The quiet support was drowned out by criticism as the stock fell. "This deal feels like (Musk) has lost his Midas touch.
I also feel like Musk is trying to do too much," said well-known investor Jeffrey Gundlach, chief executive at DoubleLine Capital, which does not hold Tesla shares.

Investors who short Tesla, betting that shares will fall, pointed to the conflict of interest and raised financial concerns about uniting two money-losing companies which both regularly raise cash to support their expansion.

"When a company's executives misunderstand modern corporate finance and technology strategy, they can make profound miscalculations and errors of judgment," Salome Gvaramia, chief operating officer of Devonshire Capital, which has a short position in Tesla, said in a statement.

SolarCity shares have fallen more than 50 percent this year in a highly competitive market, fanning criticism that a Tesla deal was meant to save SolarCity.

Some analysts noted that SpaceX has bought SolarCity bonds, giving it and Musk incentive to support SolarCity.

Short-seller Jim Chanos of Kynikos Associates blasted Tesla's proposed acquisition of SolarCity, describing it in a statement as a "brazen bailout" and "shameful example of corporate governance at its worst."

Musk said SolarCity would post positive cash flow in the next three to six months and would not have a material impact on Tesla's future cash needs or expectation to be cash-flow positive by year-end. Costs for both companies would go down significantly after the merger, he said, without giving specifics.

Share lending data suggested short sellers were increasing their bets against both companies. Interest rates to borrow Tesla shares rose to 5 percent on Wednesday from 1.5 percent early in the day, according to S3 Partners, a financial analytics firm. Hardly any SolarCity shares were available for borrowing.
(Additional reporting by Jennifer Ablan, Supantha Mukherjee, Narottam Medhora, Liana Baker, Paul Lienert, Michael Flaherty, Alexandria Sage, Tim McLaughlin, Ross Kerber, Rishika Sadam, Nichola Groom and Noel Randewich; Writing by Peter Henderson; Editing by Anil D'Silva, Lisa Von Ahn and Bill Rigby)

Sun-powered phone charger gives migrants in Greece free electricity

LESBOS, Greece - For refugees and migrants stuck in Greece, a smartphone is a lifeline -- as long as its battery lasts.

But access to electricity can be hard to find in overcrowded camps, nor is it always free in cafes where young and old crowd together over a socket, waiting anxiously to phone home.

A team of students from Edinburgh University is hoping to change that, having designed a mobile phone charging station powered only by the sun -- something Greece has plenty of.

They have installed two units in camps, each configured to generate electricity for 12 plugs an hour using solar energy alone, providing free power to as many as 240 people per unit each day.

The idea was born out of a visit last summer of one of the founders, 20-year-old Alexandros Angelopoulos, to the island of Samos, one of the entry points into Europe for nearly a million people fleeing wars and poverty in the Middle East and beyond.

Hundreds arrived on its shores each day, soaked and exhausted from clinging onto rubber boats from Turkey. Relieved to have made it, they snapped selfies. Others logged on to messaging applications and Google Maps to plan their onward journey to northern Europe. "People started asking for my phone to call family and to use the internet," Angelopoulos said. Often, they were stranded at the port sharing one plug.

"We just wanted to make a positive contribution to local communities through renewable energy," said co-founder Samuel Kellerhals, 21.

The first two units of Project Elpis -- which means "hope" in Greek -- were designed and built with the help of Greek solar technology company Entec. The pair said they had to overcome red tape along the way. "Initially it was quite difficult. Everything in Greece is quite bureaucratic," Angelopoulos said. Now, another three units are in the works with money raised through crowdfunding, a method of generating funds from a large number of people via the internet.
Its founders hope to reach as many of the dozens of camps around Greece as possible. At the Kara Tepe camp on Lesbos where the first unit was installed, authorities and residents are thrilled. "I told them -- you should've brought it yesterday and not one, but four," said Stavros Miroyannis, who manages the camp for families which is run by the local municipality.

"They've promised me three more and I'm expecting them with great pleasure."

Miroyannis hopes to one day power the entire site using solar energy. Solar panels have already replaced street lamps.

"This is a gift from God," he said, pointing to the blazing sun. (Editing by Catherine Evans)

Alibaba's Ant Financial buys 20 percent of data firm for $35 million: source

HONG KONG - Chinese e-commerce firm Alibaba Group Holding Ltd's (BABA.N) affiliate Ant Financial has bought a fifth of financial data provider Shanghai Suntime Information Technology for around $35 million, a source with direct knowledge of the deal said.

"The acquisition will provide Ant Financial with good financial products so that it can attract more clients," the source told Reuters on Friday.

Ant Financial Services Group [ANTFIN.UL], valued at close to $60 billion, offers services like online payment, wealth management products and insurance. Its core Alipay online payment business was founded in 2004. The Alibaba affiliate closed a $4.5 billion funding round in April. Ant Financial and Shanghai Suntime, which was founded in 2003, were not immediately available for comment on Friday, a public holiday in China. The source was not authorized to speak to media and therefore declined to be identified. (Reporting by Vicky Bi; Writing by Michelle Chen; Editing by Muralikumar Anantharaman)
