Amazon API Gateway and AWS Lambda – Better Together

Modern application development extensively relies on REST APIs. You can hardly find a client application that doesn’t require backend services, and REST protocol is a popular choice because of simplicity and wide platform support. Things start to get complicated when you deploy the REST API to the public domain. Now you have to worry about maintenance, scalability, security, and other responsibilities that come with hosting a publicly accessible web service. Many times these APIs aren’t very complex and don’t require much business logic so the service maintenance overhead can be very significant relative to the overall service functionality. A combination of Amazon API Gateway and AWS Lambda services can significantly reduce the complexities typically associated with hosting and managing your REST APIs.

AWS Lambda service introduction

AWS Lambda is a managed compute service that executes your application code units (referred to as Lambda functions) triggered programmatically or in response to various events raised by other AWS services. Some of the key features of AWS Lambda are:

  • Fully managed – there’s no infrastructure to manage. Simply upload the code and let AWS Lambda take care of the rest.
  • Scalability and high availability – AWS Lambda automatically scales and manages compute resources across multiple Availability Zones.
  • Cost efficiency – only pay for the time your code actually runs, in 100ms increments.
  • Compatibility – currently supports Node.js and Java programming languages.

Amazon API Gateway service introduction

Amazon API Gateway is a fully managed application service that acts as a frontend to your REST APIs and handles traffic management, authorization and access control, monitoring, and API version management. Amazon API Gateway can also generate client SDKs from your REST API for popular development languages and platforms such as JavaScript, iOS and Android. The cost model is very simple and you only pay for the number of your API calls and data transfer out.

Amazon API Gateway and AWS Lambda

As you can see, these services can already be very useful on their own but they also complement each other greatly. Amazon API Gateway tightly integrates with AWS Lambda and allows developers to implement truly serverless REST APIs. Amazon API Gateway endpoints can be configured to invoke AWS Lambda functions which makes it possible to build and deploy publicly accessible, secure, scalable, and reliable REST APIs backed by Node.js or Java code of practically any complexity without having to worry about the infrastructure.
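The pattern described above in working form: a Node.js Lambda function that serves a small REST API through an Amazon API Gateway endpoint. This is an added example, not code from the original post; it assumes the API Gateway Lambda proxy event shape (httpMethod, path, pathParameters, body), and the item store and id format are constructed for illustration.

```javascript
// Added example: Node.js Lambda function behind an Amazon API Gateway REST endpoint.
// Assumes the API Gateway Lambda proxy event shape (httpMethod, path, pathParameters,
// body); the in-memory item store and the id format are constructed for the example.
const ITEMS = { '42': { id: '42', name: 'widget' } }; // stand-in for a real database
let nextId = 1000;
const MAX_BODY_BYTES = 1024; // reject oversized payloads before parsing them

function respond(statusCode, payload) {
  return {
    statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

// Routing and validation are kept apart from the Lambda entry point so they can be
// unit-tested without deploying. API Gateway passes client input through unchanged,
// so every field is checked before it is used.
function route(event) {
  const method = event.httpMethod;
  const id = event.pathParameters ? event.pathParameters.id : undefined;

  if (method === 'GET' && id !== undefined) {
    if (!/^[0-9]{1,10}$/.test(id)) return respond(400, { error: 'invalid id' });
    const item = ITEMS[id];
    return item ? respond(200, item) : respond(404, { error: 'not found' });
  }

  if (method === 'POST' && event.path === '/items') {
    const body = event.body || '';
    if (Buffer.byteLength(body, 'utf8') > MAX_BODY_BYTES) {
      return respond(413, { error: 'payload too large' });
    }
    let parsed;
    try { parsed = JSON.parse(body); } catch (e) { return respond(400, { error: 'malformed JSON' }); }
    const name = parsed && parsed.name;
    if (typeof name !== 'string' || name.length === 0 || name.length > 64) {
      return respond(400, { error: 'name must be a string of 1 to 64 characters' });
    }
    const created = { id: String(nextId++), name };
    ITEMS[created.id] = created;
    return respond(201, created);
  }

  return respond(405, { error: 'method not allowed' });
}

// Lambda entry point invoked by API Gateway; the returned object becomes the HTTP response.
const handler = async (event) => route(event);
if (typeof module !== 'undefined') module.exports = { handler, route };
```

Deployed behind a GET /items/{id} and a POST /items method in API Gateway, the function never sees the network: request parsing, throttling and TLS are handled by the gateway, and the handler only decides status code and body.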

AWS Budgets Feature Overview

Earlier this week, Amazon Web Services announced AWS Budgets – a new feature you can use to track your monthly AWS spending and, optionally, receive SNS notifications when certain spending thresholds are reached. Unlike CloudWatch billing alarms (the only cost monitoring and notification feature previously available), the new AWS Budgets are much more flexible and allow you to slice the costs by service, tag, availability zone, and other dimensions.

I’m sure that many developers will appreciate and take advantage of the new feature to manage costs of their Dev and Test environments. Similarly, many organizations will gain more visibility into their AWS spending across all linked accounts and will be able to proactively address unexpected service usage charges.

You can create a new AWS Budget in the Billing & Cost Management section of the AWS Management Console. Below is a screenshot of a sample budget configuration that would trigger an email alert when the actual usage costs exceed 80% or when the forecasted costs exceed 100% of the monthly budget amount (Figure 1). The “Include costs related to” option lets you narrow down the scope to a specific Availability Zone, Linked Account, API Operation, Purchase Option, Service, or Tag.

Figure 1 - create budget

Amazon Web Services Tips for Developers and Solutions Architects

Amazon Web Services (AWS) provides a full range of services that allow developers and solutions architects to design and build scalable and fault tolerant applications without a large up-front hardware investment. There’s a vast amount of information about what AWS has to offer available online but the following features are worth mentioning again.

  • AWS Free Tier: included services and limits, billing alerts
  • AWS Accounts and IAM Users: quick overview and best practices
  • AWS EC2: IAM Roles for EC2, Instance Metadata and User Data
  • AWS S3: Lifecycle rules and Amazon Glacier
  • AWS Architecture Center: reference architectures, architecture whitepapers and official icons

AWS Free Tier

AWS Free Tier allows you to use most of the core AWS services free of charge for 12 months. As of August 2014, these services include, but are not limited to:

  • Amazon EC2 – resizable compute capacity in the Cloud. 750 hours of t2.micro instance usage per month.
  • Amazon S3 – highly scalable, reliable, and low-latency data storage infrastructure. 5 GB of Standard Storage, 20,000 Get Requests and 2,000 Put Requests.
  • AWS Trusted Advisor – AWS Cloud Optimization Expert. 4 best-practice checks on performance and security. Notification and customization features.
  • Amazon Mobile Analytics – fast, secure mobile app usage analytics. 100 Million free events per month.
  • Amazon Cognito – mobile user identity and synchronization. Unlimited user authentication and ID generation. 10 GB of cloud sync storage. 1,000,000 sync operations per month.
  • Amazon DynamoDB – fully managed NoSQL database service with seamless scalability. 100 MB of storage, 5 Units of Write Capacity and 10 Units of Read Capacity.

Additional information about the free AWS offerings can be found on AWS Free Tier page.

Keep in mind that not all of the AWS services are included in the free usage tier so it’s very easy to accidentally start accumulating balance while exploring the various AWS services. Billing alarms can be used to generate notification emails once your account balance reaches a certain threshold to avoid unexpected billing charges.

AWS Accounts and IAM Users

It’s tempting to start using your new AWS account (email address and password combination) to access the AWS resources but that goes against the AWS security best practices. AWS Identity and Access Management (IAM) users and groups should be used to manage access to AWS resources. Here’s a quick summary that describes each of these account types:

  • AWS account – this is the account you create when you sign up for AWS and it represents a business relationship with AWS. AWS accounts have root permissions to all AWS resources and services and should not be used for day-to-day interactions with AWS.
  • IAM users – can be a person, service, or application that needs access to your AWS resources. Best practice is to create IAM users and assign them individual security credentials needed to access AWS services and resources. You can also create an IAM user for yourself, grant it administrative privileges, and use that IAM user to access the AWS management console or the APIs.

For more details, refer to the IAM Best Practices article and the AWS Security Best Practices whitepaper.

AWS EC2

It may be challenging to securely distribute and rotate AWS credentials used by your EC2 instances to communicate with other AWS services and resources. In a typical application, the AWS access keys are included in the application configuration file which means that they are visible to anyone who has access to the EC2 instance and makes it difficult to rotate the credentials on a regular basis when you have a large number of running EC2 instances. IAM Roles were designed specifically to address this problem and they let you delegate permissions to your EC2 instances to make API requests without the need to manage security credentials at the application level.

You can read more about AWS IAM Roles in the IAM Roles for Amazon EC2 article.

In addition to AWS credentials, your application may need to retrieve additional information about the EC2 instance it’s running on. For example, when logging application errors you may want to also include the EC2 instance ID or the AMI ID used to launch the instance. Another common requirement is passing configuration information to a newly launched EC2 instance. AWS offers an elegant solution for these problems called Instance Metadata and User Data. The instance metadata is organized in categories and is accessible from within the instance via the following URL: http://169.254.169.254/latest/meta-data

To get the instance AMI ID, simply call http://169.254.169.254/latest/meta-data/ami-id or call http://169.254.169.254/latest/meta-data/hostname to get the hostname of the current EC2 instance.

To retrieve user data available to the instance, use the following URL: http://169.254.169.254/latest/user-data

To learn more, visit the Instance Metadata and User Data page.

AWS S3

AWS Simple Storage Service (S3) is a well-known cloud file storage service. One of the lesser known features of Amazon S3 is the ability to auto archive content to Amazon Glacier, an extremely low cost cloud archive service optimized for infrequently accessed data. Content archival is controlled by Lifecycle rules that enable you to ensure that data is automatically stored on the cloud storage option that is most cost-effective for your needs. Be aware that Amazon Glacier is not currently available on the AWS Free Tier.

For more information, please visit the Amazon Glacier section of the Amazon S3 FAQs article.

AWS Architecture Center

AWS Architecture Center is the go-to place to find the guidance and best practices necessary to build highly scalable and reliable applications on the AWS platform. Some of the highlights are:

  • AWS Reference Architectures – single-page datasheets that provide you with the architectural guidance on how to take full advantage of AWS services.
  • Architecture Whitepapers from AWS – in-depth articles that focus on particular concepts such as fault tolerance or security best practices in the AWS Cloud. The SharePoint 2013 on AWS whitepaper, for example, will teach you how to deploy SharePoint 2013 on AWS, following best practices for a secure and highly available architecture across multiple Availability Zones.
  • AWS Simple Icons – an official icon set that includes icons for several AWS products and resources. Available in MS PowerPoint, MS Visio and SVG and EPS formats.