Off-by-none: Issue #24

February 12, 2019

Serverless will become the default computing paradigm of the Cloud Era…

Welcome to Issue #24 of Off-by-none. I’m glad you’re here! 🤘🏻

Last week we looked at how we could use serverless to deal with third-party API quotas, watched some helpful videos, and introduced “Serverless Stories.” This week, we geek out on a recent UC Berkeley paper about serverless, share some more great stories and use cases, and discuss how SaaS providers should be thinking about serverless integrations.

So much to get to this week, so let’s get to it. 🏎

When you get excited by an academic paper that says serverless is the future… 🕺💃

Cloud Programming Simplified: A Berkeley View on Serverless Computing is a new paper recently published by the University of California at Berkeley. For those of you that don’t want to read all 20 pages, here’s a quick synopsis: “Serverless computing will become the default computing paradigm of the Cloud Era, largely replacing serverful computing and thereby bringing closure to the Client-Server Era.”

If you’re interested in the details, I highly suggest reading the entire paper as it gives both a realistic look at the current limitations, but also points out how they could be (and most likely will be) solved. I wrote a recent post called Stop Calling Everything Serverless that pointed out (similar to this paper) that cloud providers monitored how their customers used virtual machines and built additional services to make those use cases better, faster, and easier. The same is true for serverless environments, with the ecosystem and available suite of services getting better each day.

The paper points out other important advantages that serverless has over (what they call) serverful architectures, and helps to clarify how modern FaaS implementations are superior to previous generations. It also notes that container technologies, like Kubernetes, are “a technology that simplifies serverful computing” and that the economies of cloud scale will eventually “diminish the importance of such hybrid applications.” This is noteworthy as we start to look at computing at the edge, and how that will affect application design.

And while there are obviously still limitations, the paper suggests advancements such as faster ephemeral and durable storage, lower startup times, and better coordination between functions, will eventually solve current system challenges. The paper also suggested introducing access to more cores, sharing of computation graphs, and collocation of functions to solve some of the networking problems and throughput issues.

The bottomline is that the cloud business is growing by 50% year-over-year, and 24% of serverless users are using the cloud for the first time. Serverless adoption is only going to grow, and as limitations get innovated out of existence, the need for serverful computing and the underutilization associated with it, are going to become less relevant. The paper doesn’t give a suggested timeline, but Forbes has some 2019 Serverless Computing Predictions.

When you’re looking for some serverless innovations and announcements… 🗣

Epsagon announced One-Click Serverless Monitoring, which lets you instrument your Lambdas functions without any configuration changes. This is the perfect use case for Lambda Layers, and it looks like they are monitoring updates to configurations, which will ensure that the layer is added on every deployment. Enforcing monitoring compliance without developers having to do anything is a huge advancement.

Dashbird announced their new incident management platform, a new component that lets you set alert conditions based on Lambda metrics. Reducing notification fatigue is a helpful way to make sure real issues are identified and addressed quickly. You can read about it in their public changelog (which I just realized they had). They also announced that they are now an AWS Advanced Technology Partner, which is pretty cool.

A new article, Lumigo: End-to-End Serverless Monitoring and Troubleshooting, gives a great overview of Erez Berkner and Aviad Mor’s new serverless observability company. There are several providers in this space now, but they’re all trying to do things a little differently. A helpful video is included with the article that shows how Lumigo deals with transaction reporting.

And congratulations to Serverless, Inc. for winning a Technology of the Year award from InfoWorld. The year’s best in software development, cloud, and machine learning highlights the Serverless Framework for being an outstanding tool that has had a massive influence on the adoption of serverless technologies. 🏆

When you feel the need to add an extra deadbolt to your serverless applications… 🔒

Hillel Solow makes the case for serverless, but points out several Serverless Computing Security Risks & Challenges. But who’s responsible for securing your serverless applications? Hillel suggests that we make it everyone’s problem by creating closer relationships with other teams in your organization.

In Serverless Computing: ‘Function’ vs. ‘Infrastructure’ as-a-Service, Ory Segal does a great job calculating the drop in security responsibilities when moving to FaaS solutions. Not all the requirements are created equal, but this is a fairly good estimate. I’d much rather be responsible for less than half of the security components versus the roughly 92% required using the IaaS approach.

Ed Moyle discusses the security implications of serverless cloud computing with a particular focus on CloudFlare Workers. While segmentation attacks and Rowhammer concerns are certainly valid in a containerized world, I think most cloud providers have a pretty good handle on this.

Puresec did some ethical hacking and took down a newsletter’s Lambda-backed signup form. Serverless Security And The Weakest Link (Or How Not to Get Nuked by App-DoS) documents how they did it (and graciously points out that it was not Off-by-none 😉). While Puresec did a good job anonymizing the victim, he was proud to take ownership (hint: it rhymes with “Maury Schwinn”). Even though this was a bit of fun, the community working together like this is a great way to learn and make our applications safer.

It was only a matter of time before McAfee jumped into the serverless security realm. The Exploit Model of Serverless Cloud Applications is a high-level overview of possible threats to your serverless applications. This picture looks scarier than the reality. Key thing to remember is that the cloud provider is handling the vast majority of network and infrastructure security for you. TLDR; Use best practices to write secure apps, scan your dependencies, and protect your secrets. Do this and your serverless applications will likely be more secure than traditional ones.

Where to go for some awesome serverless events… 🗓

IOpipe is hosting a Stories of serverless in the wild with Saks Fifth Avenue at the Serverless Seattle Meetup on February 22, 2019. Always fun to hear real world problems being solved by serverless.

Stackery also has a webinar coming up tomorrow entitled New serverless workflows, build faster than ever before. Great opportunity to brush up on your (or learn some) infrastructure-as-code skills.

And we are getting into the ServerlessDays season with several events coming one after another. Hamburg is this week, followed by Austin in just 10 days. Boston is four weeks away (and recently announced an amazing agenda), Amsterdam is in late March, and Atlanta has a crazy three-day event planned, with Zürich right on its tail. Also Tel Aviv was just announced and scheduled for June 4, 2019. Looks like you’ll need to choose between that and NYC. 🗽

Also, don’t forget that the Serverless Architecture conference in The Hague, Netherlands is being held from April 8th to the 10th. I’m actually giving two talks now, so that should be a lot of fun. There are plenty of great speakers, so be sure to get your tickets soon.

When you’re looking for some encouraging Serverless Stories… 👂

How We Moved Towards Serverless Architecture highlights the struggles that a team encounters when transitioning to serverless. Pravash Raj Upreti reviews the technologies his team used, some advantages and disadvantages of using serverless, and the choices they made in order to launch their first serverless application.

In Serverless Event Sourcing in AWS (Lambda, DynamoDB, SQS), Dom Kriskovic explains the serverless architecture used to build Beenion. He uses the CQRS pattern along with DynamoDB to capture and distribute events. I don’t agree with all of the choices, but this article does a great job exposing the tough decisions that need to be made.

Serverless GitLab Runner Builds on Lambda gives a developer’s account of experimenting with using Lambda to executed GitLab builds, inherit IAM permissions, and use additional binaries and its dependencies to execute things like terraform during the build. There some Lambda Layer experiments in there as well.

Joshua Toth built a serverless Node.js, AWS native, Serverless, IoT, FinTech project. Lots of really good information in here about the different technology choices made. Plus, the realization that the velocity of a serverless project was “mind-blowing.” 🤯

Antonio Terreno tells us about the Startup Pre-series A tech choices you can’t compromise on. Great story about a small company using serverless to build and iterate quickly. Now they have a team of 20 people.

When you’re looking for real-world serverless use cases… 🔍

While the Berkeley paper argued that certain machine learning tasks might be too much for serverless right now, Michael Hart and the team over at Bustle has news for them. In Massively Parallel Hyperparameter Optimization on AWS Lambda, they explain how they used the concepts from the Asynchronous Successive Halving Algorithm paper and applied them to text-classification with Lambda. This is a really great read and an amazing use case.

Renato Byrro from Dashbird discusses Building a Serverless News Articles Monitor that can be used to extract article data in a structured format. They also made it open source for you to use.

Generating thumbnails is a common use case given for serverless, but what about generating complex PDFs? Marc Mathijssen came up with a way to do this using the power of Apache FOP in a .NET world using Azure Functions.

Nader Dabit takes us through Building Chatt – A Real-time Multi-user GraphQL Chat App in his recent post. The code is also open source, so not only is this a good use case, but also a helpful template to get you started with serverless.

What to do if you’re craving some good serverless reads… 📖

Alex DeBrie put together the Complete Guide to Custom Authorizers with AWS Lambda and API Gateway for you, and it is an awesome resource. Anyone who has played around with custom authorizers is sure to have some of their own war stories, so having this as a reference could be a lifesaver (metaphorically speaking).

Gojko Adzic introduces us to BaDaaS and the future of cloud integration. He explains that there is a new pattern called “Business action deployment as a service” (or BaDaaS), that allows service providers to offer application components that interact directly with FaaS services instead of passing data through webhooks. Twilio is already doing it, and last week we mentioned Braintree’s serverless payment functions initiative. Pay attention SaaS providers, a new standard might be emerging.

The New Stack’s How Serverless Platforms Could Power an Event-Driven AI Pipeline is another take on how to bring machine learning into the serverless world. It rightly suggests that “event-driven artificial intelligence (AI) can lead to faster and smarter decisions” and will take a “hybrid architecture structure that takes the best of serverless and combines it with stateful database stores” in order for it to be applied successfully. Obviously we need a database to store training data, but I think we’ll see more serverless alternatives to this sooner rather than later.

If you’d rather not read, you can watch Marcia Villalba talking about Serverless with Ben Kehoe. Another insightful interview featuring someone definitely worth listening to.

Finally, Cory Schimmoeller says that Using AWS Amplify feels like cheating, and he may be right. This is a good overview of how simple it is to use Amplify and the CLI to connect to your AWS backends.

What to do if you’re new to serverless… 🐣

Have no fear, Toby Fee from Stackery takes you through the Anatomy of a Serverless App. This post explains the three layers of a serverless application (business logic, building blocks, and workflow dependencies) and acts as a great primer for the newly initiated.

Serverless Computing 101 is another overview of what serverless computing is, how it works with other resources (or BaaS), and highlights some use cases. Not all the “demerits” are created equally, but certainly gives you something to think about.

Eric Sales De Andrade helps you answer if serverless is right for your next application in Should I go “Serverless” — How to choose the right solution for Your Product and Business. Like most of these types of posts, the pros and cons are laid out for you. But my suggestion, just go serverless. 😉

When you want to get hands-on with some serverless how-tos and tutorials… 🛠

Yan Cui gives us the lowdown on AWS Lambda and Secret Management in a recent post. Should you choose Parameter Store, Secrets Manager, or HashiCorp’s Vault? Yan walks you through the when, why and how.

Many people associate the terms “machine learning” and “artificial intelligence” with lots of math and complexity that make them seem unapproachable. But the reality is that powerful ML and AI services are readily available and easy to integrate with your applications. James Beswick show us how to build a serverless Twitter bot using sentiment analysis so that you can automatically like positive comments on your tweets. And it’s much easier to do that you probably think.

Debugging Chronicles: Missing Lambda Invocation is more of a tip (and a warning) from Davide de Paolis. TLDR; make sure you pass the Authorization header for every request that is using Congito with API Gateway. 🤦🏻‍♂️

Optimizing your Node.js lambdas with Webpack and Tree shaking is a great post by Erez Rokah that shows you how to use Webpack to remove unused modules when packaging your Node.js files for deployment to a serverless environment. He gives an example of reducing his deployment package from 740.6kB to 6.6kB.

If you’re using the .NET runtime, it might be helpful to know How to Unwrap an AggregateException Thrown by AWS Lambda. Zac Charles shares the secret of setting the right environment variable. He also shared how to make .NET AWS Lambda Functions Start 10x Faster using LambdaNative, a handy Lambda Layer that you can use.

If you’re working with Azure, David Pallmann has a full tutorial on how to build a Document Search Engine using Azure Functions and Cosmos DB.

Julian Tellez from DAZN gives us some tips for Handling complexity in lambda functions using his Lambcycle middleware component for AWS Lambda.

If you still haven’t played around with Lambda Layers yet, Eric Johnson’s Working with AWS Lambda and Lambda Layers in AWS SAM post is an awesome overview to get you started (or take you even further down the rabbit hole).

And why not combine the power of WebSockets, Machine Learning, and Translation services to build a better chat application? Danilo Pocci gave a recent presentation called Serverless real-time apps: Let’s build a “positive” chat that does just this. The architecture is all in the slides, plus you can check out the demo here.

Finally, if you are building Large (Java) Applications on Apache OpenWhisk, James Thomas has some very helpful tips and tricks for you.

When you’re wondering what AWS has been up to… 🧙‍♂️

Keeping up with AWS announcements is a full-time job in itself, never mind figuring out when CloudFormation adds support for a new feature. AWS CloudFormation: 2018 in review documents all the new features added to CloudFormation in 2018. And if you really want to stay current with new information, their release history page is always up-to-date.

Speaking of CloudFormation support, you can now Automate WebSocket API Creation in Amazon API Gateway Using AWS CloudFormation. Expect support in other serverless frameworks to be added soon.

Amazon SNS Message Filtering Adds Support for Multiple String Values in Blacklist Matching, which is actually much more exciting than it seems. Filtering messages at the broker level dramatically simplifies (and reduces costs for) pub/sub implementations. Having the ability to add several items to the blacklist is a very handy feature.

AWS also announced an open source project for Deploying a personalized API Gateway serverless developer portal. Using this project, you can make your API Gateway APIs available to your customers by enabling self-service discovery of those APIs. They can then use the portal to browse API documentation, get API keys, test published APIs, and monitor their own API usage. Another thing you don’t need to worry about. 👍

I’m not a .NET guy, so I didn’t even know there wasn’t support for this already. In any case, AWS X-Ray SDK for .NET Core is Now Generally Available, so good news for those utilizing that runtime.

Serverless Star of the Week ⭐️

There is a very long list of people that are doing #ServerlessGood and contributing to the Serverless community. These people deserve recognition for their efforts. So each week, I will mention someone whose recent contribution really stood out to me. I love meeting new people, so if you know someone who deserves recognition, please let me know.

This week’s star is Aleksandar Simovic (@simalexan). Aleksander is the co-author of Serverless applications with Node.js, a core team member for Claudia.js, and an AWS Serverless Hero. He has done a tremendous amount of work on Jarvis, an Alexa skill that allows you to create serverless applications using only voice commands, which is pretty cool. He also has 20 applications published to the Serverless Application Repository that you can use to get started with serverless quickly. Aleksandar continues to make valuable contributions to the serverless community, and we’re all lucky to have him!

Final Thoughts 🤔

There are so many amazing things happening with serverless right now, and this recent Berkeley paper is so incredibly encouraging. There is certainly a place for containers and servers right now, but it’s important to remember that today’s limitations are tomorrow’s opportunities, and the cloud providers all see the writing on the wall. Expect more and more advancements that address these limitations, and soon, serverless will in fact become, the default computing paradigm.

I hope you enjoyed this issue of Off-by-none. I love hearing feedback and suggestions so I can keep making this newsletter better each week. Feel free to contact me via Twitter, LinkedIn, Facebook, or email and let me know your thoughts, criticisms, or how you’d like to contribute to Off-by-none.

And don’t forget to share this newsletter with your friends and coworkers who are interested in serverless. I’d really appreciate it.

Until next time,
Jeremy