AWS Lambda High Availability, Monitoring & Security

The growing shift towards 'agility' is a direct result of serverless architecture. Serverless computing has moved almost the entire burden of infrastructure management to the cloud service provider, leaving developers far more time to focus on core competencies. You thought microservices were an upgrade to monolithic architecture, but what happens if the traditional three-tier microservice infrastructure can't keep up because it's expensive in time and cost? This is where serverless comes in. It eliminates tasks such as patching; cluster or capacity provisioning; the installation, maintenance and eventual decommissioning of hardware; and OS maintenance. Serverless computing, of which AWS Lambda is one example, is the next sensible step in the 'as a service' model of delivering compute resources.


What is AWS Lambda?

AWS Lambda is a serverless service that runs your code in response to specific events and automatically manages the underlying infrastructure resources. AWS Lambda supports multiple languages such as Java, Go, Ruby, and Python, and also provides an API that lets you use any additional programming language to write your function. There are multiple ways to invoke Lambda functions, from S3 events to Alexa triggers to AWS SDK calls.

AWS Lambda invokes your user code only when needed and automatically scales to support the rate of incoming requests without requiring the user to configure anything. There is no limit to the number of requests a user code can handle.


Benefits of Lambda Function:

One of the significant benefits of using Lambda functions is cost saving. On average, a company can reduce costs by 60% or more by switching its infrastructure to a serverless architecture. AWS Lambda can manage multiple activities such as code deployment, database management, server maintenance, and many more. When you write your first Lambdas, the focus is rarely on high performance. You're caught up in the technicalities and the process of deploying them. But as your Lambda usage grows, it becomes imperative to ensure that your Lambdas perform extremely well. In this blog post, we cover best practices that help maintain the high availability, monitoring, and security of Lambda functions.


Maintaining High Availability of Lambda Function:

1. VPC: When you run a Lambda function, the code by default runs in a VPC that has Internet access. However, to enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific configuration information that includes private subnet IDs and security group IDs. If a function runs in a Virtual Private Cloud managed by Lambda, then Lambda takes responsibility for its operation across multiple AZs (Availability Zones) of that VPC's region.

2. Availability Zones: Distributing your Lambda compute capacity across availability zones makes your Lambdas inherently fault-tolerant in case of any data center failures. Running the Lambda function on VPC, in most use cases, requires access to RDS and alternative VPC resources, which is why AZs become favourable to maintain high availability.

a. Design Lambda for high availability by choosing multiple subnets in several AZs

b. A secondary recommendation is to have backup AZs with enough available IP addresses to handle concurrent Lambda requests in case an AZ goes down

3. Stateless: Lambda functions need to be stateless, to allow AWS Lambda to launch as many copies of the function as needed, based on the requirement. This ensures scalability of the Lambda function. While Lambda’s programming model is stateless, the code can be used to access other stateful data. This ensures that there is no connection between the code and the underlying compute infrastructure.


4. Lambda Handler: Another good practice for high availability is to separate your Lambda handler from the core logic of the function. Separating the Lambda handler helps in making a more unit-testable function.


5. Execution Context: The performance of your Lambda function can be improved by using the Execution Context. Also, make sure any externalized configuration or dependencies that your code retrieves are stored and referenced locally after the initial execution.
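Items 3 to 5 above, sketched as an added example (not code from the original post): a thin handler delegates to a pure core function, and externalized configuration is fetched once per execution environment and then reused. The names `fetch_remote_config`, `price_order`, `DISCOUNT_PCT` and the 300-second TTL are hypothetical.

```python
import json
import os
import time

# Module scope runs once per execution environment (cold start); warm
# invocations reuse it. Only configuration is cached here, never request state.
_CONFIG_CACHE = {"value": None, "loaded_at": 0.0}
CONFIG_TTL_SECONDS = 300  # assumed refresh interval


def fetch_remote_config():
    """Stand-in for a slow external lookup (hypothetical helper)."""
    fetch_remote_config.calls += 1
    return {"discount_pct": int(os.environ.get("DISCOUNT_PCT", "10"))}


fetch_remote_config.calls = 0  # counts how often the slow path is taken


def get_config(now=None):
    """Return cached config, refetching only on cold start or after the TTL."""
    now = time.time() if now is None else now
    stale = now - _CONFIG_CACHE["loaded_at"] > CONFIG_TTL_SECONDS
    if _CONFIG_CACHE["value"] is None or stale:
        _CONFIG_CACHE["value"] = fetch_remote_config()
        _CONFIG_CACHE["loaded_at"] = now
    return _CONFIG_CACHE["value"]


def price_order(items, discount_pct):
    """Core logic: a pure function with no Lambda types, unit-testable alone."""
    if not items:
        raise ValueError("order has no items")
    subtotal = sum(i["unit_price"] * i["qty"] for i in items)
    return round(subtotal * (100 - discount_pct) / 100, 2)


def lambda_handler(event, context):
    """Thin adapter: parse the event, call the core logic, shape the response."""
    try:
        body = json.loads(event.get("body") or "{}")
        total = price_order(body.get("items", []), get_config()["discount_pct"])
    except (ValueError, KeyError, TypeError) as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps({"total": total})}
```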


Monitoring AWS Lambda Function:

You can monitor and audit Lambda functions using different AWS services such as Amazon CloudWatch, AWS X-Ray, AWS CloudTrail, and AWS Config. The AWS documentation gives a detailed overview of the monitoring tools, how to use them and what metrics to monitor. To ensure that your AWS Lambda functions don't break, it is recommended to follow the best practices for monitoring them.

Monitor CloudWatch Lambda Metrics: AWS CloudWatch has different metrics that are very useful for monitoring Lambda functions. Some of the best practices are the following:

1. CloudWatch Duration Metrics: Using CloudWatch Duration metrics, you can control the cost of Lambda functions. The cost incurred increases as the length of the executions increases. Hence, the timeout duration must be set based on your requirements, so that you can optimize both cost and running time. To do so, make sure that the Duration metric is not running too close to the function timeout.


2. Throttling: Lambda functions have a limit of 1000 concurrent executions, which can lead to throttling of your Lambda function. To avoid such situations, you need to raise a request with AWS in advance for a limit increase, which can be done using the CloudWatch Throttles metrics. Conversely, throttling lets you ensure that certain Lambda functions are not accidentally invoked beyond a certain limit, leading to skyrocketing costs.


3. AWS Config: AWS Config allows you to monitor any changes to the configurations of AWS Lambda. With Config, you can track changes to the Lambda function, runtime environments, tags, handler name, code size, memory allocation, timeout settings, and concurrency settings, along with IAM execution role, subnet, security group associations, and whether Lambda prohibits AWS access. Make sure that AWS Config is adequately configured for such scenarios.


4. Invocation Metrics: Consider a scenario where you have to measure the error tolerance of your Lambda function and get it down to zero or a minimal value. For such scenarios, Invocation metrics need to be used in parallel with Error metrics to determine error tolerance. If Invocations change, alarms on the Errors change as well.


5. IteratorAge: Another situation is one where you are using Amazon Kinesis or DynamoDB data streams to process incoming records with Lambda functions. To know whether such records have been processed or not, you need to use IteratorAge, which also helps protect your applications from a growing backlog of unprocessed requests.


6. CloudWatch Logs Insights: Lambda logs all the requests handled by your AWS Lambda functions in order to help you through the troubleshooting process. Logging statements can be inserted into your code, and Lambda automatically integrates with CloudWatch Logs to enable monitoring. CloudWatch Logs Insights can be used to separate logs by patterns and timestamps.
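The checks from items 1, 2, 4 and 5, applied to per-period datapoints as an added example (not from the original post). The datapoints are constructed, and the thresholds (2% error rate, 80% of timeout, 20 invocations minimum, three consecutive rises in IteratorAge) are assumptions to tune per function.

```python
# Constructed 5-minute datapoints for one function: Sum of Invocations, Errors
# and Throttles; Maximum of Duration and IteratorAge (both in milliseconds).
SAMPLE_PERIODS = [
    {"t": "10:00", "Invocations": 4000, "Errors": 12, "Throttles": 0,
     "Duration": 900, "IteratorAge": 1000},
    {"t": "10:05", "Invocations": 4200, "Errors": 210, "Throttles": 0,
     "Duration": 2700, "IteratorAge": 4000},
    {"t": "10:10", "Invocations": 6, "Errors": 3, "Throttles": 0,
     "Duration": 950, "IteratorAge": 9000},
    {"t": "10:15", "Invocations": 5000, "Errors": 10, "Throttles": 35,
     "Duration": 1000, "IteratorAge": 20000},
]


def review_periods(periods, timeout_ms, max_error_rate=0.02, headroom=0.8,
                   min_invocations=20, lag_streak=3):
    """Return {finding: [period labels]} for a list of metric datapoints."""
    findings = {"error_rate": [], "low_traffic_errors": [], "near_timeout": [],
                "throttled": [], "lag_growing": []}
    streak, prev_age = 0, None
    for p in periods:
        inv, err = p["Invocations"], p["Errors"]
        if inv >= min_invocations:
            # Errors are judged against Invocations, not as an absolute count.
            if err / inv > max_error_rate:
                findings["error_rate"].append(p["t"])
        elif err > 0:
            # Too few invocations for a meaningful ratio: report separately.
            findings["low_traffic_errors"].append(p["t"])
        if p["Duration"] >= headroom * timeout_ms:
            findings["near_timeout"].append(p["t"])
        if p["Throttles"] > 0:
            findings["throttled"].append(p["t"])
        # A stream consumer is falling behind when IteratorAge keeps rising.
        rising = prev_age is not None and p["IteratorAge"] > prev_age
        streak = streak + 1 if rising else 0
        prev_age = p["IteratorAge"]
        if streak >= lag_streak:
            findings["lag_growing"].append(p["t"])
    return findings
```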


Maintaining Security of Lambda function:

On cloud infrastructure, security is one of the primary concerns. Recently, there have been multiple threats that affected well-known companies, which has made security a point of focus for every CXO. We have to follow the latest security measures and avoid any services that can lead to trouble in the future.

We are going to discuss a few steps here which are essential in securing your AWS Lambda functions from outside threats so that one can enjoy Serverless Architecture.

1. AWS Lambda Cross-Account Access Audit: When using AWS Lambda functions, you need to ensure that all Lambda functions are configured to allow access only to trusted AWS accounts, which minimizes the risk of unauthorized account access. Allowing unauthorized or untrusted accounts to access Lambda functions can lead to data exposure, data loss, and a surprising rise in the monthly AWS bill.


2. Using separate IAM roles for each Lambda function: Using a unique IAM (Identity and Access Management) role for each Lambda function ensures that no two functions share the same role. Using different roles enforces the Principle of Least Privilege (POLP) by giving each function the minimum amount of access needed to perform its tasks. Using the right IAM controls, you can reduce the risk of unauthorized access to the account.


3. Using the tracing feature of AWS X-Ray: AWS X-Ray provides the capability of both monitoring and tracing at the same time. Once tracing mode is enabled for AWS Lambda functions, you can save a lot of time and energy in debugging. Tracing is also essential and helpful in identifying errors, bottlenecks, performance issues, and timeouts of Lambda functions by breaking down the latency of functions.
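An audit for items 1 and 2, added here as an example (not from the original post): it flags `AWS` principals outside a trusted-account allow-list in a function's resource-based policy, and lists execution roles shared by more than one function. The account IDs, policy and inventory are constructed; the input shapes are assumed to match what the Lambda `get_policy` and `list_functions` calls return, and service principals are not evaluated.

```python
import json
import re
from collections import defaultdict

TRUSTED_ACCOUNTS = frozenset({"111111111111"})  # assumed allow-list (constructed ID)
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

# Constructed resource-based policy for one function.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ops", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Sid": "partner", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]}},
    {"Sid": "public", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": "*"},
]})

# Constructed function inventory; only FunctionName and Role are used.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "resize", "Role": "arn:aws:iam::111111111111:role/shared-lambda"},
    {"FunctionName": "billing", "Role": "arn:aws:iam::111111111111:role/shared-lambda"},
    {"FunctionName": "notify", "Role": "arn:aws:iam::111111111111:role/notify-only"},
]


def untrusted_principals(policy_json, trusted=TRUSTED_ACCOUNTS):
    """Return (Sid, principal) pairs from Allow statements outside `trusted`."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        values = principal if isinstance(principal, str) else principal.get("AWS", [])
        for value in [values] if isinstance(values, str) else values:
            match = _ACCOUNT_RE.match(value)
            # "*" and anything that is not an account ID or IAM ARN never match.
            if match is None or match.group(1) not in trusted:
                findings.append((stmt.get("Sid", "<no-sid>"), value))
    return findings


def shared_roles(functions):
    """Map each execution role used by more than one function to those functions."""
    by_role = defaultdict(list)
    for fn in functions:
        by_role[fn["Role"]].append(fn["FunctionName"])
    return {role: sorted(names) for role, names in by_role.items() if len(names) > 1}
```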


Summary

In this article, we discussed multiple best practices for the high availability, monitoring, and security of AWS Lambda functions, which can be applied while designing and deploying your Lambda functions. Depending on the platform and the programming language you use, you can reduce costs and increase the code's productivity.





