Off-by-none: Issue #184

April 12, 2022

Only have a few minutes? Check out this week's MOST POPULAR links as chosen by our email subscribers.

cURL your FURLs! 🧑‍💻

Welcome to Issue #184 of Off-by-none! This issue is sponsored by our friends at Courier, Conclave, and Lumigo.

In our previous issue, AWS started to treat accounts like cattle, we looked at the future of WebSockets, and we topped off our serverless Kool-Aid. This week, we cURL our FURLs, have a chat with Werner Vogels, and do our part to stamp out ridiculous serverless FUD. Plus, we have some great serverless content from the community.

PROGRAMMING NOTE: We are off next week, so there will not be an issue of Off-by-none. We’ll be back on April 26, 2022!

Before we jump in, here’s a simple walkthrough for adding Slack as a comms channel to your app. Sponsored

Lambda Function URLs

Perhaps the biggest news from AWS last week was the release (again) of AWS Lambda Function URLs, or FURLs 😉. Alex Casalboni’s official AWS blog post does a great job covering this new feature, but plenty others were quick to share their thoughts as well.

Renato Losio aggregated a bunch of feedback in this post, Jones Zachariah Noel gives a quick overview of how to set up and use Lambda functions over URLs, and Yan Cui shared his insights as well. Pawel Zubkiewicz also created this handy comparison of the (now) 4 ways of executing Lambda functions via an HTTP endpoint.

But while the technical aspect is certainly worth noting, I’m more interested in the use cases this feature opens up and what the tradeoffs look like. Hudson Tavares shared three use cases for AWS Lambda Function URLs, which points out both the monolithic function API and service-to-service use cases, but also mentions the long-running request option. This is an interesting one that lets you use the full 15 minutes of Lambda execution time. Is this something you want all the time? Definitely not. But I actually have several administrative/DevOps use cases that this is perfect for.

As an example, I have a task I manually run for this newsletter that takes about 45 seconds to complete. I trigger it with API Gateway and every time I get an API Gateway timeout error. But the function still completes in the background. There are other solutions for this (with added complexity, of course), but I just want a simple feedback loop, which Lambda Function URLs make possible now. I wouldn’t suggest using it for long-polling, but if your function is doing work and you want an uncomplicated way to get feedback, this fits the bill. Now just imagine if you could do HTTP streaming! 😲

AJ Stuyvenberg also has a good post that introduces Lambda Function URLs and points out a few use cases. Mentioned several times in many of these posts is the “Webhook” use case, which I also think makes a lot of sense. There’s a bit of security by obscurity necessary here, but if you trust the sender, the complexity is dramatically reduced.

And finally, Marin Radjenovic explains why AWS Lambda Function URLs will not be part of his projects. He makes some good points around the complexity argument, which I tend to agree with. For most use cases, adding an API gateway is likely the wiser and safer choice. However, there are more than a few situations where this new feature will be very useful.

Your Lambda Functions are under attack! (well, not really)

There were a flood of articles last week about “Denonia”, a supposed cryptomining malware targeting AWS Lambda.

With headlines like “Cryptocurrency-mining AWS Lambda-specific malware spotted“, “Researcher finds cryptomining malware targeting AWS Lambda“, “AWS Lambda sees its first malware attack with Denonia, and we don’t know how it got there“, and “‘Denonia’ research points to new potential cloud cyber threat, experts say,” it’s no wonder people were concerned.

But here’s the problem: all of these headlines are incredibly hyperbolic and mischaracterize the risk. Kyle Alspach wrote a good piece, “What counts as ‘malware’? AWS clarifies its definition,” that points out some important details. First of all, I agree that this could be considered “malware”, as any program that is intentionally harmful to a computer, network, or server should be. However, there are no “vulnerabilities” in AWS Lambda that can be exploited. All evidence points to the fact that it was installed using stolen credentials, and that it has no ability to self-replicate (like a worm) to other Lambda functions.

AWS can defend themselves against both cyber and public relation attacks, so they certainly don’t need me defending them. But all of these headlines (which is the only thing most people need to read before retweeting or sharing) spread misinformation that will be added to the list of other non-sensical “don’t use serverless” arguments. Do better. /endrant

Serverless News & Announcements 📣

In serverless observability news, Lumigo added Michael Davis and Orr Weinstein to their executive team, Grafana Labs raises another $240M for its modern observability and monitoring platform, and Sentry shows you how to monitor Serverless Cloud.

Also, the promise of WebAssembly heads to Ruby, Contrast Security shows you how to keep your serverless applications safe from Spring vulnerabilities (something you actually should worry about), and Stacktape introduces its new DevOps-free application development framework.

And finally, James Beswick shared his quarterly ICYMI: Serverless Q1 2022 recap with all the best AWS serverless releases and content.

Serverless Concepts 🏗

Lumigo | AWS Lambda Monitoring Platform | Get set up in minutes Sponsored

Dalibor Plavcic demystifies the AWS Lambda execution environment. You have a lot of control over this now, so if you haven’t looked in awhile, this is a good overview.

Michael Walmsley explains SOLID Architecture for Lambda, Kay Plößer shares 5 common Step Function issues, and Wojciech Matuszewski breaks down synchronous AWS Lambda & Amazon API Gateway limits and what to do about them.

Allen Helton compares Lambda and Step Functions in a battle of cost and performance. His conclusions might surprise some of you.

Serverless Tutorials 👷‍♀️

Confidential Computing Made Easy
Conclave Cloud is launching soon! A new confidential computing platform which provides a serverless execution environment with built-in privacy-preserving features using Intel SGX. Allowing stateless functions to be hosted, executed, and scaled on demand whilst ensuring your data is always encrypted—even during processing. Interested in early access? Register here. Sponsored

There are always way too many tutorials to share, so I try to find the ones that solve a tricky issue or help with an interesting use case. This one by Kelvin Mwinuka shows you how to deploy Cognito triggers using the Serverless Framework, giving you the ability to customize messages.

Louis Latreille explains how he eliminated pain points with the Serverless Framework for Typescript applications in this post.

Haiko van der Schaaf address a common use case of using an S3 trigger to push an uploaded CSV into DynamoDB, Marko Savic shows you an interesting way to replay events using AWS S3, and Jakob Ondrey uses serverless and the Wayback Machine to automate a paper trail.

Aravind VadamalaiMuthu has another post in his AWS CDK 101 series. This one focuses on scalable event-driven processing using Eventbridge and SQS.

Jon Holman shows you how to use AWS CloudFormation StackSets to go global with ease (ease being a relative term).

And finally, Lakindu Hewawasam explains how to manage micro-stacks using Pulumi. I like this approach of better compartmentalizing parts of your stack, especially since it could mean smaller deploys with a lower blast radius. Coordinating deployments and dependencies can become tricky, but definitely an interesting approach.

Serverless Reads 🤓

Lee James Gilmore writes about Serverless Architecture Layers and why he believes enterprises should be using domain-driven design.

Michael Coté says Kubernetes crossed the chasm, and shares other lessons from the 2021 CNCF Survey. Interesting read, especially the bit about serverless usage staying relatively steady over the last few years. I still contend that most people are using “serverless” in some form or another, but they either don’t realize it, or they don’t want to admit it.

Kai Hendry says do not complicate Serverless architectures with Private subnets, and I don’t think he’s necessarily wrong. Are the days of network isolation over? Identity-centric security in the cloud makes a heckuva lot more sense.

Part 2 in Daniele Frasca’s The Multi-Region road series. Starting with a look at CloudFront.

Spencer Mehta asks if we’re finally at the end of YAML? And gives a good overview of AWS CDK for Serverless.

And finally, Matt Coulter shares why architecture, DevOps and delivery teams need to think differently to enable serverless.

Podcasts, Videos, and more 🎧

On Serverless Chats Episode #132: The Evolution of Serverless at AWS, Rebecca and I chat with Dr. Werner Vogels about the customer pain points that led to the creation of Lambda, the patterns that emerged to create the larger serverless ecosystem, why we should be building sustainable architectures, the importance of developer community programs, and so much more.

Serverless Craic team wraps up their series on the Modern Cloud.

Marcia Villalba gives you a really quick explanation of Lambda Layers, and then shows you how AWS Lambda now supports up to 10GB of temporary storage, with a demo on how to add a watermark to video.

New from AWS 🆕

Lots of interesting announcements from AWS last week, including lots of news out of the Amplify team:

• Amplify Geo Launches React Component for Maps, powered by Amazon Location Service
• Announcing General Availability of Amplify Geo for iOS
• AWS Amplify Studio announces new file storage and file management capabilities
• AWS Amplify Hosting now uses a GitHub App to authorize access to repositories for CI/CD workflows

Plus some interesting database news:

• Amazon OpenSearch Service now includes an observability interface and expands log analytics
• Announcing general availability of Amazon Athena ACID transactions, powered by Apache Iceberg
• Cross-cluster search is now supported on existing Amazon OpenSearch Service domains
• Amazon Redshift announces support for role-based access control (RBAC) Enhancements to some popular serverless services:
• Amazon EventBridge introduces Global endpoints for automatic failover and recovery
• AWS AppSync adds support for enhanced filtering in real-time GraphQL subscriptions
• Introducing Amazon CloudWatch Metrics Insights (General Availability)
  And some other general updates:
• AWS Announces Data Transfer Price Reduction for AWS PrivateLink, AWS Transit Gateway, and AWS Client VPN services
• Announcing Unified Settings in the AWS Management Console
• AWS AI & ML Scholarship Program opens applications for underrepresented and underserved students
• AWS Shield Advanced now supports Application Load Balancer for automatic application layer DDoS mitigation
• AWS Single Sign-On is now HIPAA eligible
• Amazon Route 53 now offers usage-based pricing for resource records above the free tier limit

Upcoming Serverless Events 🗓

If you have an event, webinar, etc. that you’d like me to mention, please email me.

May 3–5, 2022 – Reactathon 2022 & Serverless in the Park

June 22, 2022 – ServerlessDays Paris 2022

June 24, 2022 – ServerlessDays New York 2022

Serverless Star of the Week ⭐️

There is a very long list of people who are doing #ServerlessGood and contributing to the Serverless community. These people deserve recognition for their efforts. So each week, I will mention someone whose recent contribution really stood out to me. I love meeting new people, so if you know someone who deserves recognition, please nominate them.

This week’s star is Bart Castle (@cloudbart). Bart is a Senior Technical Trainer at AWS, as well as a Cloud Solutions Architect, Systems Consultant, and Instructor at Castle IT Consulting. Prior to these roles, Bart was a Cloud and AWS Trainer for CBT Nuggets. You can find many of his courses on his YouTube channel where he provides videos on: AWS Identity and Access Management; AWS Training and Certification; and Introduction to Cloud Technologies (plus some cool non-cloud-related musical performances). Thank you, Bart, for making the cloud accessible to everyone through your work!

Final Thoughts 🤔

Just another reminder that there will be no newsletter next week. We’ll be back on April 26th to catch you up on everything serverless! And don’t forget to sign up for email updates on my upcoming DynamoDB modeling course.

See you in two weeks!
Jeremy

I hope you enjoyed this newsletter. We’re always looking for ideas and feedback to make it better and more inclusive, so please feel free to reach out to me via Twitter, LinkedIn, Facebook, or email.