book

Learning Serverless

Name: Learning Serverless
Author: Jason Katzer
ISBN: 9781492057017

by Jason Katzer

October 2020

Beginner

230 pages

6h 59m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
About This BookHow This Book Is OrganizedConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
Introduction to Serverless
What Is Serverless?History of ServerlessThe Cloud Provider LandscapeReliability, Availability, Disaster RecoveryStrengths of ServerlessIncreased Scalability, Security, and ReliabilityYou Only Pay for What You UseSaving Time and Money on Managing ServersImproved Developer ProductivityDecreased Management ResponsibilitiesConvenient IntegrationsWeaknesses of ServerlessThe Cold (Start) WarCompute TimeVPC/Network IssuesApplication SizePotential to Be More ExpensiveVendor Lock-InComplex DebuggingWhen Does It Make Sense to Use Serverless?When Is Serverless Compute Not Right for You?Let’s Get Started
I. The Path to Production
1. Distributed Systems
What Is a Distributed System?Why Do We Want a Distributed System?The Harsh Realities of Distributed SystemsThe Physical WorldMissing MessagesUnreliable ClocksCascading FailuresUnexpected OrderingIdempotencyWhat Am I Responsible For?What Do You Need to Consider When Designing a Distributed System?Loose Coupling (or Decoupling)Fault ToleranceGenerating Unique (Primary) KeysPlanning for IdempotencyTwo-Phase ChangesFurther ReadingConclusion
2. Microservices
Why Do You Want to Use Microservices?Improved Developer VelocityIncreased Developer FreedomIssues with MicroservicesIncreased ComplexityProper DevOps Practices and Resources NeededChallenges with Local Development and TestingHow Do You Use Microservices Effectively?Consistent InterfacesLoosely CoupledHow Micro Is a Microservice?Choosing Between Monoliths and MicroservicesWhen Should You Use a Monolith?When Do You Want to Use Microservices?Conclusion
3. Serverless Architecture and Patterns
The Role of an ArchitectWhat Do You Need to Know to Be an Architect?Making DecisionsWhat Kinds of Decisions?Documenting Your DecisionsHow Do We Make Decisions?When Do We Make Decisions?Cloud Provider ComponentsStreamsQueuesBucketsComputeDatastoresIdentity ServiceAPI GatewaysGraphQLNetworkingState MachinesLoggingMonitoring and AlertingEvents from Your Cloud ProviderPeriodic InvocationsPatternsExample 1: Serverless MonolithExample 2: Incoming WebhookExample 3: Using Your Cloud Provider for User AuthenticationExample 4: Generic Background Task PatternExample 5: Streaming Extract, Transform, LoadExample 6: Create Your Own Polling IntegrationExample 7: Processing Files and ImagesExample 8: Migration Service PatternExample 9: Fanning OutConclusion
4. Interfaces
Interfaces: Some Assembly RequiredThe MessageThe ProtocolThe ContractServerless InterfacesAutomatic Retries and Dead Letter QueuesFinite Versus Infinite ScaleDesigning Your InterfacesMessages/PayloadsSessions and Users/AuthAvoid Unbounded RequestsInterface Versus ImplementationLines with LogicDesigning the Unhappy PathValidating InputFailuresStrategies for Integrating with Other ServicesTime-OutsRetriesExponential BackoffWebhooksEvaluating External ServicesRate LimitsConclusion
II. The Tools
5. The Serverless Framework
Why Use the Serverless Framework?When the Serverless Framework Isn’t for YouAWS Is the Only First-Class CitizenAWS CloudFormation Is Not PerfectRelying on Strangers for Your InfrastructureWhat to Know Before You StartYAMLNode.jsCloud Resources and PermissionsInfrastructure TemplatesProduction Secrets.gitignoreThe Components of a serverless.yml FileProviderEnvironmentFunctionsResourcesPackagePlug-InsCustomNamespacing for Sanity and SecurityUsing the serverless CommandInstalling ServerlessSetting Up Serverless with CredentialsPulling in Templates Using serverless installInspecting the Package of Our Sample Project (What’s Inside)DeploymentInvoking the Function, and Viewing LogsRollbacksDestroying the ServiceDeployment PackagesReal-World serverless.ymlSetting Environment VariablesModify PermissionsConclusion
6. Monitoring, Observability, and Alerting
What Is Monitoring?Why Do We Need Monitoring?How Does Monitoring Relate to Serverless?The On-Ramp to AutomationWhat Are My Options?Hosted SaaS OfferingsSelf-Hosted and Open SourceComponents of MonitoringMetricsCharts/GraphsDashboardsAlerts/AlarmsA Selection of Advanced PracticesHeartbeatsSmoke Testing and/or CanariesThe Most Important Metric in the WorldAvoiding Vendor Lock-InCleaning Up Metrics and Alerts over TimeConclusion

7. Logging
What Does It Mean to Log?Why Log?When to Rely on Logs Instead of MetricsWhat Should You Log?What Shouldn’t You Log?How Does Logging Work?Ensuring Your Logs ScaleStructured LoggingMore Effective Debugging with LogsSearching LogsException Logging (Sentry)Collecting Other LogsComplianceDistributed TracingEncrypting Logs for Privacy and ComplianceEncrypt Only the Values of Sensitive FieldsEncrypt the Entire Log StatementConclusion
8. Changes, Automation, and Deployment Pipelines
Dealing with ChangeThe Role of AutomationWhat Do We Automate?Getting Your Code Ready for ProductionInfrastructure as CodeDatabase Changes (Migrations)Configuration ManagementWhat Is a Pipeline?Decisions to Make Regarding Your PipelineCanaries and Blue/Green DeploymentsPipeline PermissionsWhy Do You Need a Pipeline?Key Phases of a Deployment PipelineStep 1. Enforce StandardsStep 2. Build and PackageStep 3. TestStep 4. Publish the ArtifactStep 5. Deploy to the Target EnvironmentStep 6. Validate DeploymentStep 7. Roll Back if Necessary (and Possible)Handling Pipeline FailuresConclusion
III. Concepts
9. Security, Permissions, and Privacy
Everyone Is Responsible, but You Are Especially ResponsiblePrepare to Be HackedUnderstanding Your Threats and Your AttackersDesign for SecurityLimit, Track, and Review All Secrets and AccessBe Ready to RollDefense in DepthLimit Blast RadiusTrust but VerifyValidate All User Input and Double-Check Those SettingsMonitoring Your System for AnomaliesTest Your SecuritySelect Dependencies Carefully and Keep Your Software Up to DatePrioritize Privacy for Your Data and Your Customers’ DataDon’t Mess with ProductionKeep Your Machine SecureKeep LearningConclusion
10. Quality, Testing, and Staging
The Role of Code QualityCode StyleLintingTestingWhat to Test and What Not to TestTypes of TestingCode CoveragePower Up Your TestingStagingConclusion
11. Planning for Failure
Introduction: Understand It, Even if You Don’t Manage ItIdentify RisksExercise: Finding Your Failure PointsBe PreparedMaking a RunbookPlanning for OutagesOn-Call/Escalation PlanMonitor Your Cloud ProviderKnow Your (Service) LimitsConclusion
12. Conclusion
Deciding among VendorsCommunityGather the Advice of OthersWhat to Do When You Get StuckTaking the Next Step in Your Career
Index

Content preview from Learning Serverless

Chapter 9. Security, Permissions, and Privacy

Security must be baked in. It’s not a seasoning to sprinkle onto your system at the end. Even if your company has a dedicated security team, you aren’t off the hook. You’re still responsible to protect your customers and your company.

Michael T. Nygard, Release It!, 2nd Edition (Pragmatic Bookshelf)

There is no shame in making a mistake with security. It is impossible to be perfect. But it is inexcusable to make such mistakes out of apathy, ignorance, or fear of speaking up. If you are building a prototype and don’t have time to incorporate security, ensure that your stakeholders understand the time that will be needed to secure that system and the consequences of launching without it. If you are building a new feature on a production system with real live users, you don’t get that option. The feature has to at least maintain, if not improve, the system’s current state of security.

This chapter will cover only a small portion of the security knowledge you will need to be fully effective. Any part of your system that’s not fully serverless will have its own requirements. As it is, cloud security is so complex that we’ll barely scratch the surface. The best way to learn to build more secure software is to learn about attacks and the underlying principles of security that prevent those attacks. Learning why attacks work will help you spot weaknesses or potential issues as the software is being built instead of trying to bolt on extra ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492057000Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Learning Serverless

by Jason Katzer

Chapter 9. Security, Permissions, and Privacy

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.