[SAA + SAP] 10. Serverless Architecture - Part1
SAA
Case 1
- User can get Authed by using Cognito
- User need to access his own S3 folder, we can use Cognito to generate temp credentials by using STS, then clients are able to use temp credientials to store/retrieve file in S3
Caching
- We can cache on Database layer first, by using DAX
- We can then cache on API Layer, by using API Gateway caching
Summary
- Using Cognito to generate temp credentials with STS to access S3 bucket with restricted policy. App users can directly access AWS resources this way. Pattern can be applied to DynamoDB , Lambda...
- Caching the reads on DynamoDB using DAX
- Caching the REST requests at the API Gateway level
- Security for authentication and authorization with Cognito, STS
Case 2
- For users need to access static content globally, we can use S3 + CloudFront global distribution Edge location, so users in each region can access content in low letency
- Using Global DyanmoDB Table to serve data globally
- We can add caching for DynamoDB by using DAX
Welcome Email
- Once user registered, data was saved to DynamoDB, we can using DynamoDB Stream to invoke a Lambda function which has IAM role to send Email by using SES service.
Thumbnail Generation
- Client can upload image by using Pre-signed URL
- We can optionally use ClondFront Transfer acceleration to speedup file upload process
- Once file was uploaded, S3 notification trigger Lambda function to generate thumbnail and save into S3 bucket
- Optionally, S3 can further trigger SQS or SNS
Summary
- Static content being distributed using CloudFront with S3
- Global DyanmoDB table to serve the data globally
- (We could have used Aurora Global Tables)
- We enabled DynamoDB Stream to trigger Lambda
- Lambda function has IAM role to use SES
- S3 can trigger SQS / SNS / Lambda to notify of events
Case 3
- Route 53 can create many records redriect to different IP addresses.
- Can freely compose Serverless services to do the job
Case 4
- One Api Gateway resource can be used for user authoriztion, who can get access to the paid content
- One Api Gateway can be used for CRUD content
- Choose CloudFront Pre-Signed URL instead of S3 Pre-Sigend URL for better global acceleration
Summary
- Cognitor for authentication
- DynamoDB for stroing users that are premium
- 2 serverless apps: 1. permium user registration 2. CloudFront Signed URL generator
- Content is stored in S3
- Integrated with CloudFront with OAI for security
- CloudFront can only be used using Signed URLs to prevent unauthorized users
- What about S3 Signed URL? They are not efficient for global access
Case 4
Summary
- No change to architecture
- Will cache software update files at the edge
- Software update files are not dynamic, they are static
- Our Ec2 instaces are not serverless
- But CloudFront is and will scale for us
- Our ASG will scale not as much, and we'll save tremendously in EC2
- We'll also save in availability, network bandwidh, cost etc
- Easy way to make an existing application more scalable and cheaper!
Case 5
- IoT Core allows you to harvest data from IoT devices
- Kinesis is great for real-time data collection
- Firehose helps with data delivery to S3 in real-time (1 minute)
- Lambda can help Firehose with data transformations
- S3 can trigger notifications to SQS
- Lambda can subscribe to SQS (optional, S3 notification can do as well)
- Athena is a serverless SQL service and results are stored in S3
- The reporting bucket contains analyzed data and can be used by reporting tool such as AWS QuickSight, Redshift...