Lambda

Uploaded by

vinh nguyễn

AWS Lambda

Trung Dang,
Solutions Architect, Amazon Web Services

© 2021, Amazon Web Services, Inc. or its Affiliates.


Agenda
• Lambda Overview
• Lambda Invocation models
• Lambda Execution Environments
• Lambda Scaling
• Monitoring
• Pricing
• AWS Step Functions
• AWS Serverless Application Model (SAM)
• Lambda Layers
• Lambda Container support
• Lambda Extensions
• Quotas

What is Serverless?
• No infrastructure provisioning, no management
• Automatic scaling
• Pay for value
• Highly available and secure

Comparison of operational responsibility
(Services listed from more opinionated to less opinionated.)

AWS Lambda (Serverless functions)
• AWS manages:
  • Data source integrations
  • Physical hardware, software, networking, and facilities
  • Provisioning
• Customer manages:
  • Application code

AWS Fargate (Serverless containers)
• AWS manages:
  • Container orchestration, provisioning
  • Cluster scaling
  • Physical hardware, host OS/kernel, networking, and facilities
• Customer manages:
  • Application code
  • Data source integrations
  • Security config and updates, network config, management tasks

ECS/EKS (Container-management as a service)
• AWS manages:
  • Container orchestration control plane
  • Physical hardware, software, networking, and facilities
• Customer manages:
  • Application code
  • Data source integrations
  • Work clusters
  • Security config and updates, network config, firewall, management tasks

EC2 (Infrastructure-as-a-Service)
• AWS manages:
  • Physical hardware, software, networking, and facilities
• Customer manages:
  • Application code
  • Data source integrations
  • Scaling
  • Security config and updates, network config, management tasks
  • Provisioning, managing scaling and patching of servers

The high-level view
[Diagram labels: Event; Lambda Function (Python, Javascript, Java, Golang, C#, BYOL, Container images); AWS Services, Databases, Etc.]

The customer view
[Diagram labels: Event Source Mapping and more; IAM or Lambda function permissions; AWS Lambda function with Code (Zip + Layers, or Container Image) and Config; Alias: prod and Alias: stage with traffic weights 20%, 80% and 100%; Version 1 and Version 2, each with its Execution Environments; IAM Execution Role.]


AWS Lambda under the hood
[Diagram labels: Event Source Mapping and more; Frontend (Sync); Internal queue (Async); AWS Lambda Workers hosting microVMs, each microVM with an Execution Environment.]


Lambda invocation modes
[Diagram labels: Event Source Mapping; Frontend (Sync); Internal queue (Async).]


Three invocation modes
• Synchronous: When the caller expects a response from the function.
• Asynchronous: When the caller doesn't expect a response from the function.
• Event Source Mapping: Integration with specific event sources. Synchronous under the hood.


Synchronous invocation mode
• Useful when you need an immediate response from the function.
• Errors are returned to the caller.
• Returns throttles when you hit the concurrency limit.
[Diagram labels: Frontend (Sync); microVM with Execution Environment.]


Asynchronous invocation mode
• Caller only gets an acknowledgement from the Lambda function.
• Internal queue that can persist messages for up to 6 hours.
• Supports retries (up to 2 retries, or 3 invokes total), destinations and DLQ.
[Diagram labels: Frontend; Internal queue (Async); microVM with Execution Environment.]


Event Source Mapping
• Event Source Mapping pulls messages from source, then does synchronous invokes.
• Can do batching, error handling, and more. The exact capabilities differ by event source.
[Diagram labels: Event Source Mapping and more; Frontend; microVM with Execution Environment.]

The Lambda Execution Environment


Lambda execution environments
• Execution Environment (EE): where your code actually runs. One EE handles one request at a time.
• Concurrency: number of EEs actively serving traffic for a given Function/Version/Alias.
  Concurrency ≈ RPS × Duration
  Concurrency ≤ number of EEs
[Diagram labels: Workers hosting microVMs, each microVM with an Execution Environment.]


Execution Environment Lifecycle
[Diagram: timeline of two Execution Environments. Each starts with Initialization, serves a series of Invokes (five in one, two in the other), and ends with Shutdown.]


Handling requests (managed runtimes)
[Diagram labels: Execution Environment; Runtime; Lambda Function Code; Layers; Runtime API; Lambda Extensions (Optional).]


Handling requests (managed runtimes)

    def handler(event, _):
        name = event.get("name", "World!")
        return f"Hello, {name}!"

[Diagram labels: Execution Environment; Runtime; Runtime API; Lambda Extensions (Optional).]
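What the lifecycle above (Initialization once, then many Invokes in the same environment) means for handler state, as an added example that is not part of the original deck. `ExecutionEnvironment`, `init_leaky`, `init_safe` and `replay` are hypothetical local stand-ins, not Lambda APIs, and the events are constructed.

```python
class ExecutionEnvironment:
    """Local stand-in for one execution environment (hypothetical, for illustration).

    Mirrors the lifecycle on the slide: Initialization once, then a series of
    Invokes served one at a time, then Shutdown.
    """

    def __init__(self, init):
        self.handler = init()              # Initialization: runs once per environment
        self.invokes = 0
        self.alive = True

    def invoke(self, event):
        if not self.alive:
            raise RuntimeError("environment was shut down")
        self.invokes += 1
        return self.handler(event, None)   # Invoke: same handler object every time

    def shutdown(self):
        self.alive = False


def init_leaky():
    """Handler that keeps request data in state that outlives the invoke."""
    cache = {}                             # stands in for a module-level global

    def handler(event, _):
        cache.update(event)                # defect: fields from earlier requests remain
        return f"Hello, {cache.get('name', 'World')}!"
    return handler


def init_safe():
    """Handler that shares only request-independent state between invokes."""
    greeting = "Hello"                     # set at init, identical for every caller

    def handler(event, _):
        name = event.get("name", "World")  # request-scoped, dropped on return
        return f"{greeting}, {name}!"
    return handler


def replay(init, events):
    """Run `events` in order through a single environment and collect the replies."""
    env = ExecutionEnvironment(init)
    replies = [env.invoke(e) for e in events]
    env.shutdown()
    return replies


# Constructed sample traffic: the second caller sends no name.
EVENTS = [{"name": "alice"}, {}]

if __name__ == "__main__":
    print(replay(init_leaky, EVENTS))      # second reply reuses the first caller's name
    print(replay(init_safe, EVENTS))
```

A fresh environment starts from Initialization again, so the leak only shows up between invokes that land on the same environment.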


Handling requests (custom runtimes)
[Diagram labels: Execution Environment; Custom Runtime and Code; Runtime API; Lambda Extensions (Optional).]


Handling requests (container images)
[Diagram labels: Execution Environment; Runtime API; Container Image containing Function Code and Extensions (Optional).]


Packaging code
• Zip files: Function Code (/var/task), Function Layer (/opt), Function Layer (/opt)
• Container images: Function Container Image
• Operating system (AL or AL2)


Lambda & VPCs
• Lambda functions are not deployed in your VPC.
• ENIs are tied to security group and subnet pairing.
[Diagram labels: Functions; Execution Environments (Same VPC Config, Different VPC Config); Hyperplane; Elastic Network Interfaces; Amazon VPC.]


Sizing the Execution Environment
• More memory = more CPU resources
• From 128MB to 10GB
• Up to 6 vCPUs
• https://github.com/alexcasalboni/aws-lambda-power-tuning


CPU Architectures

Two architecture options:
• x86_64
• Arm64 (powered by Graviton2)

Why Arm64?
• Up to 19% better performance, and 20% lower cost.

Things to keep in mind
• Binaries need to be compiled for Arm64.
• Some libraries/tools might not be optimized for Arm64 yet.


Scaling Lambda functions



Lambda scaling quotas

Burst concurrency
• Maximum increase in concurrency for an initial burst of traffic.
• 3000 in Oregon, N. Virginia and Ireland
• 1000 in Tokyo, Frankfurt and Ohio
• 500 in all other regions
• After that, functions can scale by 500 concurrency per minute.

Account concurrency
• Maximum concurrency in a given region across all functions.
• This can be increased.


Concurrency controls

Provisioned concurrency:
• Pre-warm execution environments to reduce cold start impact.
• Burst to standard concurrency if need be.

Reserved concurrency:
• Maximum concurrency for a given function.
• Also reserves that concurrency from the account quota.
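A small model of the scaling quotas and the reserved concurrency control described above, as an added example that is not part of the original deck. It combines Concurrency ≈ RPS × Duration with the burst figures and the 500-per-minute ramp from the slides. The function names, the region-code mapping and the traffic scenario are constructed for illustration, and the model assumes the spike starts with no warm environments and no other load in the account.

```python
import math

# Burst concurrency per region, from the "Lambda scaling quotas" slide.
BURST_BY_REGION = {
    "us-west-2": 3000, "us-east-1": 3000, "eu-west-1": 3000,          # Oregon, N. Virginia, Ireland
    "ap-northeast-1": 1000, "eu-central-1": 1000, "us-east-2": 1000,  # Tokyo, Frankfurt, Ohio
}
DEFAULT_BURST = 500      # all other regions
RAMP_PER_MINUTE = 500    # growth allowed after the initial burst


def required_concurrency(rps, duration_ms):
    """Concurrency ≈ RPS × Duration, rounded up to whole execution environments."""
    return math.ceil(rps * duration_ms / 1000)


def concurrency_ceiling(minute, region, account_limit=1000, reserved=None):
    """Highest concurrency one function can reach `minute` minutes into a spike.

    Assumption of this model: the function starts the spike with no warm
    environments and nothing else in the account is consuming concurrency.
    """
    burst = BURST_BY_REGION.get(region, DEFAULT_BURST)
    ceiling = min(burst + RAMP_PER_MINUTE * minute, account_limit)
    return ceiling if reserved is None else min(ceiling, reserved)


def simulate_spike(rps_per_minute, duration_ms, region, account_limit=1000, reserved=None):
    """Return (minute, needed, ceiling, shortfall) per minute; shortfall > 0 means throttles."""
    rows = []
    for minute, rps in enumerate(rps_per_minute):
        needed = required_concurrency(rps, duration_ms)
        ceiling = concurrency_ceiling(minute, region, account_limit, reserved)
        rows.append((minute, needed, ceiling, max(0, needed - ceiling)))
    return rows


def unreserved_pool(account_limit, reservations):
    """Concurrency left for functions without a reservation.

    Reserved concurrency is carved out of the account quota, so a flood against
    one capped function cannot consume what the other functions depend on.
    """
    remaining = account_limit - sum(reservations.values())
    if remaining < 0:
        raise ValueError("reservations exceed the account concurrency quota")
    return remaining


if __name__ == "__main__":
    # Constructed scenario: 20,000 RPS at 200 ms in Frankfurt, account quota raised to 5000.
    for row in simulate_spike([20000] * 8, 200, "eu-central-1", account_limit=5000):
        print("minute=%d needed=%d ceiling=%d shortfall=%d" % row)
    print(unreserved_pool(5000, {"public-api": 800, "webhook": 200}))
```

In the constructed scenario the function needs 4000 concurrent environments but is held to 1000 at the start of the spike, and the shortfall only reaches zero six minutes in.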


Other notable features
• Amazon EFS Integration: Mount an EFS file system to a local directory.
• Amazon RDS Proxy: Pool database connections to reach high concurrency without exhausting DB connections.
• Code Signing: Ensure only trusted code runs in your Lambda functions.


Monitoring and debugging Lambda functions
• AWS Lambda console includes a dashboard for functions
  • Lists all Lambda functions
  • Easy editing of resources, event sources and other settings
  • At-a-glance metrics
• Metrics automatically reported to Amazon CloudWatch for each Lambda function
  • Requests
  • Errors
  • Latency
  • Throttles

What is Lambda Insights?
Monitor, troubleshoot, and optimize the performance of AWS Lambda functions

Use Cases
• Identify function issues such as memory leaks
• Identify high-cost functions
• Identify performance changes caused by new function versions
• Understand latency drivers in functions

Features
• Deep linking and correlations across metrics, logs, and traces
• Curated automated dashboards summarizing the performance and health of your Lambda functions
• Deeper integration with CloudWatch Logs for deeper analysis of log data through Logs Insights and CloudWatch ServiceLens to analyze trace dependencies
• New performance metrics from AWS Lambda with observable context for each running function

Multi-Function Dashboard
• Aggregated view across multiple Lambda functions
• Search by “name” (“tag” upcoming) to focus on a specific or a subset of Lambda functions
• Understand how compute, memory allocation, and function duration changes over a period of time to help optimize Lambda function utilization
• Integration to CloudWatch Logs Insights to analyze function logs

Single-Function Dashboard
• View of one single Lambda function
• Predefined performance metrics
• Integration to CloudWatch Logs Insights to analyze function logs
• Dive deep and troubleshoot individual request problems
• Integration to CloudWatch ServiceLens to analyze trace dependencies

Lambda Pricing


The pricing view

Two pricing components:
• Number of requests
• Duration (in GB-s)

Duration is metered by 1ms increment, based on the function memory setting.
100ms with 2GB of RAM costs the same as 200ms with 1GB of RAM.

Free Tier
1M requests and 400,000 GB-sec of compute.
Every month, every customer.


AWS Step Functions

Orchestration for serverless apps
“I want to sequence functions”
“I want to select functions based on data”
“I want to run functions in parallel”
“I want to retry functions”
“I want to try/catch/finally”
“I want to run code for hours”
AWS Step Functions

AWS Step Functions
Easily coordinate multiple Lambda functions using visual workflows
• Define in JSON
• Visualize in the Console
• Monitor Executions

AWS Service integrations with Step Functions
• AWS Lambda
• Amazon DynamoDB
• AWS Fargate
• Amazon Elastic Container Service
• AWS Batch
• Amazon Simple Notification Service
• AWS Step Functions
• Amazon Simple Queue Service
• Amazon SageMaker
• AWS Glue

AWS Serverless Application Model (AWS SAM)
• Serverless framework for applications
• Two components:
  • AWS SAM template specification
  • AWS SAM CLI
• Benefits:
  • Single deployment configuration
  • Extension of CloudFormation
  • Local debugging and testing
  • Built-in best practices and development tool integration

AWS SAM: Less complexity, more power

CloudFormation template example – API triggering Lambda

    AWSTemplateFormatVersion: '2010-09-09'
    Resources:
      GetHtmlFunctionGetHtmlPermissionProd:
        Type: AWS::Lambda::Permission
        Properties:
          Action: lambda:invokeFunction
          Principal: apigateway.amazonaws.com
          FunctionName:
            Ref: GetHtmlFunction
          SourceArn:
            Fn::Sub: arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ServerlessRestApi}/Prod/ANY/*
      ServerlessRestApiProdStage:
        Type: AWS::ApiGateway::Stage
        Properties:
          DeploymentId:
            Ref: ServerlessRestApiDeployment
          RestApiId:
            Ref: ServerlessRestApi
          StageName: Prod
      ListTable:
        Type: AWS::DynamoDB::Table
        Properties:
          ProvisionedThroughput:
            WriteCapacityUnits: 5
            ReadCapacityUnits: 5
          AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
          KeySchema:
          - KeyType: HASH
            AttributeName: id
      GetHtmlFunction:
        Type: AWS::Lambda::Function
        Properties:
          Handler: index.gethtml
          Code:
            S3Bucket: flourish-demo-bucket
            S3Key: todo_list.zip
          Role:
            Fn::GetAtt:
            - GetHtmlFunctionRole
            - Arn
          Runtime: nodejs4.3
      GetHtmlFunctionRole:
        Type: AWS::IAM::Role
        Properties:
          ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Action:
              - sts:AssumeRole
              Effect: Allow
              Principal:
                Service:
                - lambda.amazonaws.com
      ServerlessRestApiDeployment:
        Type: AWS::ApiGateway::Deployment
        Properties:
          RestApiId:
            Ref: ServerlessRestApi
          Description: 'RestApi deployment id: 127e3fb91142ab1ddc5f5446adb094442581a90d'
          StageName: Stage
      GetHtmlFunctionGetHtmlPermissionTest:
        Type: AWS::Lambda::Permission
        Properties:
          Action: lambda:invokeFunction
          Principal: apigateway.amazonaws.com
          FunctionName:
            Ref: GetHtmlFunction
          SourceArn:
            Fn::Sub: arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ServerlessRestApi}/*/ANY/*
      ServerlessRestApi:
        Type: AWS::ApiGateway::RestApi
        Properties:
          Body:
            info:
              version: '1.0'
              title:
                Ref: AWS::StackName
            paths:
              "/{proxy+}":
                x-amazon-apigateway-any-method:
                  x-amazon-apigateway-integration:
                    httpMethod: ANY
                    type: aws_proxy
                    uri:
                      Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetHtmlFunction.Arn}/invocations
                  responses: {}
            swagger: '2.0'

AWS SAM example – API triggering Lambda

    AWSTemplateFormatVersion: '2010-09-09'
    Transform: AWS::Serverless-2016-10-31
    Resources:
      GetHtmlFunction:
        Type: AWS::Serverless::Function
        Properties:
          CodeUri: s3://flourish-demo-bucket/todo_list.zip
          Handler: index.gethtml
          Runtime: nodejs4.3
          Policies: AmazonDynamoDBReadOnlyAccess
          Events:
            GetHtml:
              Type: Api
              Properties:
                Path: /{proxy+}
                Method: ANY

      ListTable:
        Type: AWS::Serverless::SimpleTable

SAM CLI Environment Setup
• Configure AWS account credentials locally
  • https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-getting-started-set-up-credentials.html
• Install Docker, Homebrew (Linux, Mac), AWS SAM CLI
  • https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html


Deployment
• Bucket management
• ‘sam deploy’ command
  • Uploads application resources
  • Requests a CloudFormation change set
• ‘sam build’ command provides best practice build processes
  • Built In – JavaScript, Python, Java, Ruby, Go, .NET
  • Convenient for building in containers, and packaging for AWS Lambda

Local Debugging and Testing
• ‘sam local invoke’ – test Lambda functions locally
  • Parameters: event, env-vars, template
  • Lambda Layer code URI must point to local library directory
• ‘sam local start-api’ – create local HTTP server to host all functions


AWS Service Integration
• Environment variables for flexible deployment options
  • Update SNS emails
• CI/CD Integration
  • CodeCommit, CodeBuild, CodeDeploy, CodePipeline
  • Use CloudWatch events to trigger CodePipeline

Lambda Layers
• Lets functions easily share code: Upload layer once, reference within any function
• Promote separation of responsibilities, lets developers iterate faster on writing business logic
• Built in support for secure sharing by ecosystem

Lambda Layers: Use cases
• Custom code that is used by more than one function
• Libraries, modules, frameworks to simplify the implementation of your business logic
• Security/monitoring service
• Shared code that does not change frequently
• Bring your own Runtime
  • C++
  • Rust
  • PHP

AWS Lambda container image support
Package and deploy functions as container images
• Easier dependency management and application building with container images
• Use a consistent set of tools for containers and Lambda-based applications
• Deploy large applications with AWS provided or third-party images of up to 10 GB

Why container image support?
• Easier dependency management with Dockerfile
  • Install native operating system packages
  • Install language-compatible dependencies
• Similar tooling
  • Use the same container registry to store application artifacts (Amazon ECR, Docker Hub)
  • Can utilize the same build and pipeline tools to deploy
  • Tools that can inspect Dockerfiles will work the same
• Larger application artifact up to 10 GB
  • Include larger application dependencies that previously weren’t possible

Simple developer experience
Create function as container image
• docker push: upload the container image to the registry (Amazon Elastic Container Registry)
• CreateFunction (Status: PENDING), AWS Lambda:
  1. Pull image from Amazon ECR
  2. Optimize image
  3. Deploy image to Lambda
• Invoke (Status: ACTIVE): the Lambda function is ready for invoke

Container image security
Container images are stored in Amazon Elastic Container Registry (ECR).
Amazon ECR provides several mechanisms for security and controlling access to container images:

Lambda extensions

What are Lambda extensions?
Lambda extensions are companion processes that run within Lambda’s execution environment and easily integrate Lambda with your favorite tools for monitoring, observability, security, and governance.

Use cases
• Integrate AWS Lambda with your favorite monitoring, observability, security, and governance tools
• Capture diagnostic information before, during, and after function invocation
• Fetch configuration settings or secrets before the function’s invocation
• Detect and alert on function activity through hardened security agents, which can run as separate processes from the function

Extensions available today
AWS Lambda Ready Partner, AWS Partner, and AWS tools using Lambda extensions

How to deploy extensions
Deploy extensions as Lambda layers
• Using AWS Management Console, AWS CLI, AWS CloudFormation, AWS SAM, Serverless Framework, Terraform, Stackery
Include extensions in Lambda container image
• Build image using Docker CLI/AWS SAM with a Dockerfile
Bootstrap
• Lambda starts any extensions found in the /opt/extensions/ directory

Important quotas
• Concurrent executions: 1000, can be increased to hundreds of thousands
• Burst capacity limit: 500-3000, hard limit
• Invocation payload: 6MB sync, 256KB async
• Deployment package:
  • Zip file: 50MB zipped, 250MB unzipped
  • Container image: 10GB
• Temporary storage: 512MB
• Invocations per second:
  • Sync/Async non-AWS: 10x concurrent execution quota
  • Async AWS: unlimited


When do we choose Lambda over other compute offerings?

Picking a Compute Platform: Containers vs. Lambda
[Figure not recovered; the only surviving label is “10 GB”.]

Useful resources
• Security Overview of AWS Lambda: https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/security-overview-aws-lambda.html
• Serverless Lens: https://docs.aws.amazon.com/wellarchitected/latest/serverless-applications-lens/welcome.html
• Serverless Rules: https://github.com/aws-samples/serverless-rules
• AWS Lambda Powertools (Python): https://github.com/awslabs/aws-lambda-powertools-python
• AWS Lambda Powertools (Java): https://github.com/awslabs/aws-lambda-powertools-java
• AWS Lambda Power Tuning: https://github.com/alexcasalboni/aws-lambda-power-tuning


Thank you!
