AWS re:Invent 2018 Day 2
DEV321: What’s new with AWS CloudFormation?
We started with a quick reminder of what CloudFormation is.
And then dived into what’s new.
Recent redesigned user experience
The CloudFormation console got a major overhaul at the beginning of the month.
They encouraged us to send any feedback through the console.
Support keeps improving
Today there are 300 resources types supported.
That’s 65 new resource types this year alone (to date).
Otherwise, you can use custom resources to create any other resources.
More enterprise features
Run checks against your stacks and highlight differences in the viewer.
For improved security, you can reach the CloudFormation API through a PrivateLink endpoint directly inside your VPC, without traversing the public internet.
Support was added for multiple user roles and access control levels.
Selective update operation on stack instances.
Improved handling of secrets
Last year, CloudFormation added parameter store support.
This year, Secure String Parameter and Secrets Manager are now supported.
You can even use dynamic references directly inside a template to resolve parameters or secrets.
Launched in September, Macros enable you to write short-hand expressions that are expanded when the template is deployed.
You can easily add utility functions like string operations, loops, math…
Once a macro is created, you can share it and reuse it across stacks.
AWS provides an open source CloudFormation linter to validate templates.
Used with IDE plugins, it gives quick feedback on errors and warnings.
Feedback from Amazon on using StackSets
Amazon uses StackSets to easily create and manage temporary accounts for their developers:
- 100 short-lived accounts created daily
- $1000 budget limit for each account
- 2 active short-lived accounts per developer at a time
StackSets also enforce account policy requirements such as:
- AWS CloudTrail
- IAM Roles for audit, compliance and incident response
- AWS Budgets to prevent runaway spending
- SNS topic for notifications from AWS Budgets
Before switching to StackSets, Amazon used to have a custom workflow with a lot of steps.
Now, it’s a single step. Changes are automatically propagated and take hours instead of weeks.
It’s 3 times faster to deploy new AWS resources when policy requirements change, with 8 times less code.
SRV401: Optimizing your Serverless applications
This talk was given by Chris Munns, AWS Principal Developer Advocate for Serverless.
He insisted on some best practices when building Serverless applications:
No orchestration in code
Waiting for a result or before a retry is not a good idea in Serverless.
To avoid unnecessary charges, use Step Functions instead.
Use X-Ray for observability and debugging
X-Ray added API Gateway support in September.
You can easily capture AWS calls and identify your bottlenecks.
Tweak compute power
Allocated CPU depends on the amount of memory you specify for the function.
For example, with over 1.8GB of memory, you start to get a multi-core CPU.
Moreover, counter-intuitive as it seems, more memory may be cheaper: if your function runs faster, you are billed for less execution time.
You should try different memory values and find your sweet spot.
Gateways and routers
API Gateway is not always the right answer for Serverless functions.
If you don’t need the response, use async invocation directly with the SDK.
When applicable, use events or messages instead.
Per Function Concurrency controls
You can define a maximum concurrency per function; this is a way to protect data sources like RDS that might not scale the same way as your functions.
It also acts as a “kill switch” when you set it to 0.
Dead Letter Queues
On async Lambda functions, always turn on Dead Letter Queues.
You can monitor it via an SQS queue length metric/alarm.
When something goes wrong, DLQ saves the event information.
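A trimmed CloudFormation template that ties together the dynamic references mentioned in the CloudFormation talk and the concurrency cap, dead-letter queue and queue-depth alarm described here; this is an example added to these notes, not code from either talk, and the SSM path, secret name and role parameter are placeholders:

```yaml
# Added example (not from the talks). DbSecret, /example/db/username and
# ProcessorRoleArn are placeholders for your own names.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ProcessorRoleArn:
    Type: String  # existing Lambda execution role; needs sqs:SendMessage on the DLQ
Resources:
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t2.small
      AllocatedStorage: '20'
      # Dynamic references are resolved at deploy time, so neither value is
      # stored in the template: SSM parameter version 1, Secrets Manager JSON key.
      MasterUsername: '{{resolve:ssm:/example/db/username:1}}'
      MasterUserPassword: '{{resolve:secretsmanager:DbSecret:SecretString:password}}'
  FailedEvents:
    Type: AWS::SQS::Queue
    Properties:
      MessageRetentionPeriod: 1209600  # keep failed events for 14 days
  OrderProcessor:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.6
      Handler: index.handler
      Role: !Ref ProcessorRoleArn
      MemorySize: 1024
      # Concurrency cap protects the database; 0 acts as a kill switch.
      ReservedConcurrentExecutions: 10
      DeadLetterConfig:
        TargetArn: !GetAtt FailedEvents.Arn  # async failures land here
      Code:
        ZipFile: |
          def handler(event, context):
              return {"ok": True}
  DlqDepthAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/SQS
      MetricName: ApproximateNumberOfMessagesVisible
      Dimensions:
        - Name: QueueName
          Value: !GetAtt FailedEvents.QueueName
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1  # any message in the DLQ means an event was lost to processing
      ComparisonOperator: GreaterThanOrEqualToThreshold
```

Add an `AlarmActions` entry pointing at an SNS topic if you want the DLQ alarm to page someone rather than only show up in the console.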
Do I need a VPC?
Putting your Lambda functions inside a VPC provides little extra security benefit, unless you need to restrict outbound access to the internet.
If you do use a VPC:
- ALWAYS configure at least 2 AZ
- Give your Lambda functions their own subnets
- With a large IP range to handle potential scale
- If you need outbound access to the internet, you need a NAT
Tonight is the traditional re:Invent Pub Crawl.
There are more than 20 locations (in bars or restaurants) around the campus with free drinks and appetizers for attendees.
This year each location will highlight a specific topic, that’s why I will be at the Aria in the Serverless zone.