DEV Community: Fively

Browser Extension Development Companies: How to Choose the Right Partner

Vsevolod Ulyanovich — Thu, 22 Jan 2026 10:46:08 +0000

Today, browser extensions have moved far beyond simple add-ons and shortcuts. They’ve become essential product components for SaaS platforms, productivity tools, eCommerce optimization, security solutions, and AI-powered workflows. With Chrome, Edge, Firefox, and Safari reaching billions of users every day, browser extensions offer one of the fastest and most effective ways to deliver lightweight, high-impact functionality directly inside the browser.

At the same time, the extension landscape has become significantly more demanding. Modern browser extensions must comply with stricter security standards (including Manifest V3), support multiple browsers, integrate seamlessly with backend services, and meet high expectations around performance, privacy, and scalability. This complexity has pushed companies to rely on specialized extension development partners who understand not only frontend JavaScript but also APIs, authentication flows, secure data handling, and long-term maintenance within browser ecosystems.

Nowadays, the leading browser extension development companies are those that combine deep browser-specific expertise with strong product thinking — delivering secure, compliant, and user-friendly extensions that scale reliably as products and user bases grow.

How We Selected the Top Browser Extension Development Companies

To create a reliable and practical list, we focused on companies with real-world experience building, shipping, and maintaining browser extensions — not just generic web development agencies:

We evaluated development companies that actively deliver browser extension projects for clients, including Chrome, Firefox, Edge, and Safari extensions. Product-only companies, templates, and marketplaces were excluded;
Our research covered 100+ agencies across trusted B2B platforms such as Clutch, company portfolios, public case studies, and technical blogs. Verified client feedback played a key role in shortlisting;
Proven experience with Chrome Extension APIs, Manifest V3, background scripts, content scripts, permissions, and browser-specific limitations.
Ability to build extensions that meet modern security, privacy, and store policy requirements, including data handling and permission minimization. Demonstrated success in delivering extensions that work reliably across multiple browsers with minimal duplication and performance overhead;
Capacity to handle updates, store reviews, browser policy changes, bug fixes, and long-term support after release. We also paid attention to real customer feedback and documented project outcomes that confirm delivery quality and reliability.

Top Browser Extension Development Companies

Fively

Website: https://5ly.co

A custom software agency specializing in browser extension development, SaaS platforms, and AI-driven tooling — delivering secure, high-performance extensions across Chrome, Firefox, and Edge.

Best for: Enterprise extensions, data integrations, AI workflows;
Engagement Models: Project-based, dedicated team, long-term support.

Airdev

Website: https://airdev.co

A no-code/low-code development agency that can build browser extensions and complement them with backend logic and user workflows, ideal for rapid prototyping and MVPs.

Best for: MVP extensions, no-code enhancements, prototypes;
Engagement Models: Project-based, prototype sprint, support.

Vincit

Website: https://www.vincit.com

A well-established product development partner with expertise in modern web technologies and custom tooling — including browser extensions that require deep UI/UX and platform integrations.

Best for: UX-centric extensions, cross-platform products;
Engagement Models: Project-based, discovery + delivery, retainers.

Brightscout

Website: https://www.brightscout.com

A product and engineering agency that builds custom browser extensions as part of broader digital experiences — especially for cloud platforms and analytics interfaces.

Best for: Analytics extensions, cloud-connected tools;
Engagement Models: Project engagement, discovery + build.

Qodic Technosoft

Website: https://qodictech.com

A software services company delivering web and browser-based solutions, including extension projects that tie into ecommerce, social tools, and business platforms.

Best for: Ecommerce extensions, business workflows;
Engagement Models: Project-based, support plans.

Tridhya Tech

Website: https://tridhyatech.com

A software development company experienced with custom client projects that include browser add-ons, automation tools, and platform extensions integrated with SaaS backends.

Best for: Automated browser tooling, add-ons with backend logic
Engagement Models: Fixed price, hourly, support.

How to Choose the Best Browser Extension Development Company

Choosing the right development partner is critical for browser extension success. Unlike standard web apps, extensions must comply with strict browser policies, security rules, and ongoing compatibility requirements. Here’s what to look for when selecting a browser extension development company:

Proven Browser Extension Experience Look for companies with real, production-ready browser extension case studies — not just generic web development projects. Experience with Chrome Extension APIs, Manifest V3, content scripts, background services, and permissions management is essential.
Security & Privacy Expertise Extensions often handle sensitive user data and run with elevated browser permissions. A reliable partner should demonstrate strong security practices, permission minimization, secure API communication, and awareness of privacy regulations and store review requirements.
Cross-Browser Compatibility The best teams know how to build once and adapt across Chrome, Firefox, Edge, and Safari. Ask about their approach to handling browser-specific APIs, differences in store policies, and long-term maintenance.
Backend & Integration Skills Most modern extensions rely on APIs, authentication flows, and backend systems. Choose a company that can design and integrate secure backend services alongside the extension itself.
Post-Launch Support & Maintenance Browser extensions require continuous updates due to browser changes, policy updates, and user feedback. Make sure the company offers ongoing support, bug fixes, performance improvements, and store compliance updates after launch.
Transparent Communication & Process Clear documentation, predictable workflows, and proactive communication help prevent delays during development and store review. A strong partner will guide you through technical decisions and review cycles.
Verified Client Feedback Check verified reviews, testimonials, and references that specifically mention browser extension work. Real feedback is one of the strongest indicators of long-term reliability.

Browser Extension Development Process

Let’s take a closer look at how browser extension development typically works in practice. At Fively, we follow a clear, security-first, and product-driven workflow focused on building extensions that are intuitive to use, compliant with modern browser requirements, and designed for long-term support.

Planning

The process begins with defining the extension’s purpose, core features, and success criteria. At this stage, our engineers identify the target browsers (Chrome, Firefox, Edge, Safari), review relevant store policies (including Manifest V3 requirements), and align the extension logic with backend systems, APIs, and security constraints. This early groundwork ensures the solution is feasible, scalable, and compliant from the start.

Development

Next, our UI specialists design the extension’s interface and interaction flows with usability and performance in mind. Engineers then implement the functionality using modern web technologies such as JavaScript or TypeScript, browser APIs, and secure background and content scripts. Throughout development, we ensure cross-browser compatibility and pay close attention to permissions, data handling, and communication with external services.

Testing

QA specialists conduct comprehensive testing to validate stability, security, and real-world behavior. This includes functional testing, cross-browser validation, edge-case coverage, and regression checks. Extensions are tested across multiple operating systems and browser versions to ensure consistent performance and policy compliance before release.

Deployment

Once the extension is ready, we package it and manage submission to browser marketplaces, guiding it through the review and approval process. After launch, we provide ongoing maintenance, updates, and compatibility fixes based on user feedback, browser policy changes, and evolving product requirements.

Real-World Browser Extension Cases

Below are examples of browser extensions Fively custom software development company have already built for identity security, access management, and eCommerce automation.

Identity Verification Services Development

Swordfish is a browser extension that supports identity verification workflows directly within the user’s browser. It interacts with external verification services, securely processes user data, and assists in real-time validation without disrupting the core user journey.

Key challenges included strict security requirements, sensitive data handling, and seamless integration with backend identity services. Our solution focused on permission minimization, secure API communication, and compliance with modern browser policies — ensuring both reliability and trust.

Best for: Security-focused extensions, identity verification, regulated environments.

Identity & Access Management Automation

Uniqkey is a browser extension designed to automate identity management tasks that works alongside existing IAM systems, helping users manage credentials, permissions, and access flows directly from the browser interface.

The core complexity lay in synchronizing browser-level actions with backend access control logic while maintaining performance and security. We delivered a scalable, cross-browser solution that supports automation without exposing sensitive authentication data.

Best for: Enterprise extensions, IAM tooling, security automation.

Shopify Abandoned Cart Recovery Extension

MessageBuy, a browser extension that integrates with Shopify stores to support abandoned cart recovery workflows; enables merchants to interact with customer data, automate follow-ups, and trigger recovery actions without leaving their browser environment.

This project required deep Shopify ecosystem knowledge, real-time data handling, and a user-friendly interface for non-technical users. The result was a lightweight yet powerful extension that enhanced conversion rates while remaining easy to operate and maintain.

Best for: eCommerce extensions, Shopify automation, sales optimization tools.

Wrapping Up

Browser extensions are no longer just optional add-ons. Instead, they’re powerful product components that drive security, automation, and user engagement directly within the browser. Choosing the right development partner means working with a team that understands browser ecosystems, evolving security requirements, and the realities of long-term maintenance.

By focusing on industry experience, security practices, and a proven development process, companies can build reliable, scalable browser extensions that deliver real and lasting business value.

Deno vs Node.js: Which One Will Rule the JavaScript Runtime World in 2025?

Kiryl Anoshka — Mon, 03 Mar 2025 23:11:27 +0000

Learn how Deno and Node.js offer distinct benefits for your development needs, with Deno excelling in security and microservices, and Node.js in APIs and serverless environments.

The battle of the JavaScript runtimes is on, and in one corner, we have the well-established Node.js, powering the backend of countless web applications. But wait, there’s a new contender in town — Deno, the modern, security-first runtime that promises to challenge Node’s dominance.

Is Deno ready to dethrone Node.js, or does Node still reign supreme? Let’s dive deep into this showdown and figure out which one is the right fit for your development needs in 2025 and beyond. Get ready to pick your side — it’s going to be a thrilling ride!

What is Deno?

Deno is a secure, modern JavaScript and TypeScript runtime built by Ryan Dahl, the creator of Node.js, as a response to some of the limitations and design decisions he regretted in Node.js.

According to Dahl, the creator of both runtimes, Node.js has three significant drawbacks:

A poorly designed module system that relies on centralized distribution.
Unstable legacy APIs.
Lack of security.

Launched in 2018, Deno was designed with a focus on security, simplicity, and developer experience. Unlike Node.js, Deno runs on TypeScript out of the box, without the need for additional tools like Babel or transpilers. It also comes with a built-in package manager, eliminating the need for npm.

Deno’s security-first approach means that scripts are sandboxed by default, preventing access to files, network, or environment variables unless explicitly granted. With a fresh take on modern JavaScript development, Deno offers improved performance, streamlined tooling, and a more secure environment for developers looking to build scalable, future-proof applications.

Here's a simple example of using Deno to run a basic script fetching data from an API:

Create a file named fetchData.ts (note that Deno supports TypeScript natively:

Run the script using the following command:

deno run - -allow-net fetchData.ts

Here, --allow-net is a permission flag that allows network access (in this case, to fetch data from the URL). The script fetches a post from a public API and logs the response to the console.

What is Node.js?

Node.js is a powerful, open-source JavaScript runtime built on Chrome’s V8 engine that enables developers to execute JavaScript code on the server side. Unlike traditional JavaScript, which runs in the browser, Node.js allows developers to build scalable and high-performance server-side applications using JavaScript.

It was created in 2009 by Ryan Dahl and has since gained widespread popularity due to its non-blocking, event-driven architecture, making it ideal for handling I/O-heavy operations such as real-time data processing and handling multiple concurrent requests. Node.js uses npm (Node Package Manager) to manage libraries and dependencies, providing access to a vast ecosystem of open-source modules.

It is commonly used for building web servers, RESTful APIs, and full-stack JavaScript applications, and it supports both asynchronous and synchronous programming paradigms. Thanks to its fast execution speed and scalability, Node.js has become the backbone of many modern applications, from web development to microservices.

Here's a simple example of using Node.js to create a basic web server that listens on a port and responds with a message:

Create a file named server.js.

Run the script using the following command:

node server.js

This starts a simple HTTP server that listens on port 3000. When you visit http://127.0.0.1:3000/ in your browser, you’ll see the message "Hello, World!".

Deno vs Node.js: Main Differences

When comparing Deno and Node.js, several key differences set them apart in terms of functionality, architecture, and developer experience. Let’s dive into the most significant distinctions:

Security: Why Deno Outshines Node.js

Security was one of the primary driving factors behind the creation of Deno by Ryan Dahl. Unlike Node.js, Deno was designed with a secure environment in mind, prioritizing developer control and permission management.

Deno runs all code within a sandboxed environment, preventing unauthorized access to critical system resources, such as the file system. Before any interaction with these resources is allowed, Deno requires explicit permission from the developer. This permission is granted via command-line flags, ensuring that the developer retains full control over their code's behavior.

Some of the key flags include:

--allow-env: Grants access to environment variables for configuration management.

--allow-hrtime: Allows high-resolution time measurement, useful for performance monitoring.

--allow-net: Provides network access for making API calls or connecting to databases.

--allow-read: Enables read access to files on the system.

--allow-run: Grants permission to run subprocesses.

--allow-write: Allows modifications to the file system, such as writing files or creating directories.

Node.js, on the other hand, does not enforce such strict sandboxing and does not require permission for accessing system resources. This lack of inherent security measures can lead to potential vulnerabilities, particularly when third-party libraries are introduced without proper caution. While Node.js does have built-in protections for common threats like Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), its security relies more heavily on the developer’s practices, such as logging, error handling, and user input validation.

Third-party Package Management

Node.js: Node.js relies on npm (Node Package Manager) to manage third-party packages. Npm is a massive ecosystem that provides a vast collection of open-source libraries and tools.

Deno: Deno, on the other hand, does not use npm. It has no centralized package manager. Instead, it imports packages directly via URLs, making it more decentralized and simplifying dependency management. This means you can load any module hosted on a server by providing a URL to it.

APIs

Node.js: Node.js comes with a rich set of built-in APIs for handling everything from networking to file system manipulation. The APIs are synchronous by default, but Node.js relies heavily on asynchronous programming for non-blocking operations.

Deno: Deno’s APIs are designed with modern web standards in mind. Deno uses promises and async/await syntax by default, making the code cleaner and more modern. It also introduces some new features, such as a more secure execution environment for sandboxing, making it more focused on developer security.

TypeScript Support

Node.js: earlier, Node.js didn’t natively support TypeScript. Developers needed to install and configure tools like TypeScript or Babel to compile TypeScript into JavaScript. However, since V22.6.0, Node.js has experimental support for some TypeScript syntax via "type stripping". You can write code that's valid TypeScript directly in Node.js without the need to transpile it first (read more here).

Deno: Deno has built-in support for TypeScript out of the box, meaning you don’t need any extra configuration or transpilers. Deno natively handles .ts files, simplifying the process for TypeScript developers and making it easier to work with modern JavaScript.

Browser Compatibility

Node.js: Node.js is primarily designed for server-side applications and does not provide native support for running in the browser. While many tools and bundlers (like Webpack) can make Node code compatible with the browser, it's not inherently designed for it.

Deno: Deno is more aligned with modern browser standards and is designed to make it easier to run code in both the browser and the server. It has a more browser-compatible design, enabling smoother transitions for developers who are building full-stack applications.

Community Support

Node.js: Node.js has been around for over a decade and has an enormous, active community. With millions of developers contributing to its ecosystem, Node.js boasts a rich set of libraries, tools, and documentation.

Deno: Deno is much younger, with a smaller community compared to Node.js. However, it’s quickly gaining traction, and its modern approach is appealing to developers who want a more secure and forward-thinking alternative to Node.js. While Deno’s ecosystem is still growing, it is backed by Ryan Dahl, the original creator of Node.js, which gives it credibility and a bright future.

Pros and Cons of Deno

As with any technology, Deno comes with its advantages and drawbacks. Here's a breakdown of the key pros and cons to help you decide whether it's the right choice for your project.

Pros of Deno

Security-first Design

Deno's sandboxed environment ensures that your code is more secure by default. It requires explicit permission to access critical system resources like the file system, network, and environment variables, which reduces the risk of malicious actions.

Built-in TypeScript Support

Deno has native support for TypeScript, meaning you don't need to set up additional tools or compilers. This makes it easier to develop applications using TypeScript right out of the box.

Modern Standard Library

Deno comes with a modern, well-designed standard library. Unlike Node.js, Deno doesn’t rely on external modules for essential functionality, which can reduce the complexity and overhead of managing dependencies.

No Package Manager

Deno eliminates the need for a package manager like npm. Instead, it imports modules directly from URLs, simplifying dependency management and avoiding the clutter of package.json files.

Built-in Tooling

Deno includes built-in tools for testing, formatting, and bundling, saving developers time and effort by offering these utilities out of the box.

Simplified Imports

Deno uses URLs for importing packages, making it more flexible and easier to import external modules directly from a remote repository, without the need for an intermediary package manager.

Promises

Deno is built with Promises at its core — all asynchronous methods return Promises by default. It supports top-level await, allowing developers to use await in the global scope without needing to wrap it in an async function. While Node.js recently introduced support for top-level await, Deno has had this feature from the start, making asynchronous programming more intuitive.

Even though modern Node.js now supports Promises and async/await, many of its core APIs still rely on callbacks for backward compatibility—something Deno eliminates entirely by making Promises the default.

Cons of Deno

Smaller Ecosystem

Deno is still relatively new, and its ecosystem is not as extensive as Node.js. While it’s growing rapidly, many popular libraries and frameworks from Node.js may not have native Deno support, requiring workarounds or additional development effort.

Learning Curve for Developers

Deno introduces a few significant changes compared to Node.js, such as its permission model and module system. For developers familiar with Node.js, it may take time to adjust to these new concepts and best practices.

Less Community Support

While Deno's community is active, it is still smaller compared to Node.js. This means fewer resources, tutorials, and third-party tools, which can make finding solutions to problems a bit more challenging.

Compatibility Issues

Since Deno is not fully compatible with Node.js, many Node.js modules and tools don’t work directly with Deno. As a result, migrating existing Node.js projects to Deno could require significant refactoring.

Performance Considerations

While Deno performs well in many cases, it may not always match the performance of Node.js in certain scenarios, especially for highly optimized Node.js applications that have benefited from years of performance tuning.

Thus, Deno is a powerful and modern runtime with a strong focus on security, ease of use, and TypeScript support. However, its smaller ecosystem, learning curve, and compatibility issues with existing Node.js modules may pose challenges for certain projects. As Deno matures, many of these drawbacks may be addressed, making it a strong contender for new applications, particularly those focused on security and simplicity.

Pros and Cons of Node

Node.js has become one of the most popular JavaScript runtimes for building scalable and fast applications. Below, we’ll look at its key advantages and challenges to help you understand if it’s the right choice for your project.

Pros of Node.js

Non-blocking, Asynchronous I/O

Node.js is built on a non-blocking, event-driven architecture, allowing it to handle a large number of concurrent requests efficiently. This makes Node.js highly scalable and perfect for I/O-heavy applications like chat systems, real-time collaboration tools, and streaming services.

JavaScript Everywhere

With Node.js, you can use JavaScript both on the server side and client side. This unified language environment reduces the learning curve for developers and improves consistency throughout the application.

Large Ecosystem (npm)

Node.js has one of the largest and most active ecosystems of open-source libraries, thanks to npm (Node Package Manager). You can easily find libraries to address virtually any need, reducing development time and effort.

Fast Execution

Built on Google Chrome's V8 JavaScript engine, Node.js compiles JavaScript into machine code for fast execution. This high-performance runtime is particularly beneficial for applications that require real-time data processing, such as messaging apps or online gaming.

Scalability

Node.js is designed to handle a large number of simultaneous connections. It is well-suited for building scalable applications due to its event-driven nature, making it ideal for applications that require high scalability, such as microservices or APIs.

Active Community and Support

Node.js boasts a vast, active community, offering plenty of resources, tutorials, and third-party tools. This large community also means you’ll have access to extensive support when troubleshooting and resolving issues.

Cons of Node.js

Single-threaded Model

Node.js operates on a single thread, which can become a limitation for CPU-heavy tasks such as image processing or data manipulation. While it is excellent for I/O-bound tasks, it may not be the best choice for compute-intensive operations.

Callback Hell

Asynchronous code execution in Node.js can lead to "callback hell," where deeply nested callbacks can make the code hard to maintain and understand. Although this can be mitigated with Promises and async/await syntax, it remains a potential challenge for complex applications.

Performance Bottlenecks with Heavy Computation

Since Node.js is single-threaded, handling heavy computational tasks may block the event loop and degrade performance. For applications that require intensive processing, additional solutions such as worker threads or clustering may be necessary.

Immaturity of Some Libraries

While npm offers a vast number of libraries, some of them may be immature or not maintained well. This can introduce bugs or security vulnerabilities, making it important to carefully choose and audit third-party packages.

Lack of Built-in Tools

Unlike some other backend frameworks, Node.js doesn’t come with many built-in tools or features. This may require developers to rely on third-party packages or build functionality themselves, which can increase development time.

Memory Consumption

Node.js can sometimes consume more memory compared to other languages or runtimes, especially in cases of heavy use of resources. This can be an issue in environments where memory optimization is crucial.

Node.js offers excellent performance, scalability, and a large ecosystem of libraries, making it ideal for building high-speed, real-time applications. However, it can struggle with CPU-heavy tasks and may require additional strategies to avoid common pitfalls like callback hell.

Despite these challenges, Node.js remains a powerful choice for web developers looking to build scalable and high-performance applications, particularly for I/O-intensive use cases.

Deno vs Node.js Performance

So, who is in the lead?

To compare their performance, let’s turn to the benchmarks represented in this GitHub repository. As we can see on the diagram below, Deno v2.2.0 demonstrates a significant performance advantage over Node.js v22.14.0:

While these results showcase Deno's strengths against Node.js, real-world performance depends on multiple factors, that’s why most part of developers still choose Node over Deno. Why? And is it really time to switch to Deno? Let’s figure it out.

Should You Switch to Deno?

The big question remains: is it time to move away from Node.js?

The answer isn’t one-size-fits-all — it depends on what you prioritize. If security, built-in modern features, and a simpler developer experience matter most, Deno offers a fresh approach, making it an excellent choice for new projects or teams looking to break free from legacy constraints.

With Deno 2, Node.js compatibility has improved significantly, making it easier to integrate with existing applications or migrate without major rewrites.

However, Node.js is far from obsolete. It remains the backbone of JavaScript development, and recent updates have introduced key improvements, including:

Watch mode for real-time development updates
Expanded Web API support, including Fetch and WebSockets
Native TypeScript support (though experimental yet)
A built-in test runner for streamlined testing
An experimental permissions system for added security

Many of the advantages that once set Deno apart are gradually finding their way into Node.js, closing the feature gap between the two.

Should you make the switch? If you’re working with an existing Node.js codebase, sticking with it may still be the most practical choice. But if you're starting fresh and want a modern, security-first environment, Deno is an exciting alternative worth considering.

Either way, the growing competition between these two runtimes is a win for JavaScript developers — driving innovation, improving security, and expanding possibilities.

Use Cases for Deno and Node.js

Both Deno and Node.js are excellent choices for building modern web applications, but their use cases differ due to their architecture, security features, and the ecosystems they are built on. Let’s explore the key use cases for each.

Deno Use Cases

Secure Applications: Deno was designed with security in mind. Its sandboxing feature and explicit permission handling make it ideal for building secure applications where controlling access to resources like the file system, environment variables, and networks is critical. It's perfect for applications that handle sensitive data or require higher levels of security, such as banking, healthcare, or privacy-focused tools.

Typescript-First Projects: Deno’s native TypeScript support without requiring additional configuration makes it an excellent choice for projects that heavily rely on TypeScript. Whether you are building APIs, web apps, or real-time systems, Deno provides an efficient, streamlined workflow for developers who prefer TypeScript from the outset.
Small-Scale Applications and Microservices: For projects that require lightweight, modular, and high-performance microservices or small applications, Deno’s modern runtime, lightweight design, and native ES module support make it an attractive option. It's particularly useful for microservices that need minimal dependencies and lean codebases.
CLI Tools: Due to Deno’s built-in TypeScript support and security features, it is a great choice for creating command-line tools that require secure, fast, and efficient execution. With Deno's simpler runtime and less configuration, it's easier to build, distribute, and maintain CLI tools.
Serverless Functions: Deno’s emphasis on modern JavaScript/TypeScript features, combined with fast performance and secure execution, makes it an excellent fit for serverless architectures. It is ideal for use cases where lightweight, stateless, and ephemeral functions need to be executed in response to events.

Node.js Use Cases

Real-Time Applications: Node.js is renowned for handling I/O-bound tasks and can handle thousands of concurrent requests without blocking. This makes it the go-to technology for building real-time applications such as chat apps, social media platforms, and live collaboration tools that require constant server-client communication.

Microservices: Node.js is well-suited for building microservices due to its asynchronous, event-driven architecture. It is ideal for handling many small services that communicate via HTTP or message brokers, making it an excellent choice for building scalable and decoupled architectures.
APIs and Web Servers: Node.js shines in building RESTful APIs or GraphQL servers, particularly when combined with frameworks like Express.js. Its non-blocking I/O model ensures that APIs can scale to handle high numbers of requests and respond quickly, making it the go-to for web server and backend development.
Single Page Applications (SPAs): With frameworks like React, Vue, and Angular, Node.js is commonly used to build SPAs. It allows seamless integration between the frontend and backend, as the same JavaScript language is used throughout the stack, making development faster and more cohesive.
Streaming Applications: Node.js excels in building streaming applications like video streaming services, audio streaming apps, and live media broadcasting platforms. The non-blocking nature of Node.js allows efficient handling of streams, which is essential for delivering real-time media content.
IoT Applications: Node.js is also ideal for building Internet of Things (IoT) applications due to its ability to handle many simultaneous connections efficiently. It is well-suited for collecting and processing data from IoT devices in real-time, making it perfect for smart home devices, sensors, and industrial IoT systems.

Final Thoughts: The Right Tool for Your Project Architecture

As you can see, while Deno and Node.js share common roots, they serve different purposes. Deno excels in security, modern standards, and TypeScript-first development, making it a strong choice for microservices and next-gen applications. On the other hand, Node.js remains the industry favorite for scalable, real-time applications, APIs, and serverless solutions.

Ultimately, the best choice depends on your project’s architecture, goals, and technical requirements. Whether you're embracing Deno’s modern approach or leveraging Node.js’s vast ecosystem, what matters most is using the right tool for the job.

No matter which path you take, Fively is here to help. Our expert developers can guide you through the best solutions for your needs. Whether it’s building a Deno-powered microservice or scaling a Node.js application - let’s create something great together!

Axon Framework: Explaining the Power of Event-Driven Architecture

Vsevolod Ulyanovich — Thu, 26 Dec 2024 09:31:42 +0000

The world of technology is always changing, refining, and reaching new heights in software development. The Axon framework is a new word in technology, bringing with it a whole new philosophy and strategy for building apps.

It stands out as a powerful tool for building event-driven microservices with ease and efficiency. By embracing the principles of Domain-Driven Design (DDD), Command Query Responsibility Segregation (CQRS), and event sourcing, Axon empowers developers to create scalable, maintainable applications that respond seamlessly to changing business needs.

In this article, we explore the core features and benefits of the Axon framework, delving into its architecture, practical use cases, and how it can revolutionize your approach to modern application development.

About CQRS

Before we dive into what the Axon framework is, we need to understand some basics about CQRS and Event Sourcing.

Command Query Responsibility Segregation (CQRS) is a powerful architectural pattern that distinctly separates read (query) operations from write (command) operations, which allows devs to optimize each side independently, leading to improved performance and scalability.

In other words, the change it brings is the division of the conceptual model into two separate models:

● Command Model — intended for updating;

● Query Model — intended for displaying the information.

In a traditional CRUD (Create, Read, Update, Delete) approach, the same model is often used for both reading and writing data, which can lead to complexities and inefficiencies as the application grows. With CQRS, the read side and the write side can evolve independently, allowing for tailored data models and storage solutions. This flexibility makes it easier to implement features like event sourcing, where changes to the application’s state are captured as a sequence of events.

Additionally, CQRS aligns well with microservices architecture, enabling teams to develop and deploy services independently. By employing CQRS within the Axon, developers can leverage its built-in support for handling commands and queries, ensuring a robust application that is capable of scaling effectively in response to varying workloads.

📌 Right now you can get a free consultation on your project if you contact our engineers. We will help you plan the project budget correctly.

About Event Sourcing

Now, let’s move on to event sourcing — what is it?

Event Sourcing is an innovative architectural pattern that focuses on capturing and storing the state changes of an application as a sequence of events, rather than merely storing the current state of data.

In an event-sourced application, every change to the app’s state is represented as an immutable event. In other words, these events are stored in an event store, serving as the primary source of truth for the application’s state. When reconstructing the current state, the application replays these events in the order they occurred, ensuring that the historical context is preserved.

In contrast to traditional database models, where data is updated directly, event sourcing retains the complete history of changes, allowing for greater transparency and traceability in the system. This not only provides a reliable audit trail but also enables features like time travel, allowing developers to investigate the state of the application at any point in its history.

Event sourcing complements CQRS effectively, as it allows the write side (commands) to emit events that are then consumed by the read side (queries). This decoupling of read and write operations improves the scalability and performance of the app, as each side can be optimized independently.

Moreover, by using the Axon framework’s built-in support for event sourcing, developers can easily implement robust architectures that accommodate complex business requirements.

Components of Axon Framework

This innovative framework offers a comprehensive suite of components designed to facilitate the development of event-driven applications. Each component plays a crucial role in enabling the principles of CQRS and event sourcing, fostering a structured approach to managing application complexity. Here’s a breakdown of the key components:

Axon Framework (Core)

The core of the framework provides the foundational building blocks for developing event-driven applications. It includes essential libraries and tools that simplify the implementation of CQRS and event sourcing, allowing developers to focus on business logic without getting bogged down in infrastructure concerns.

Axon Server

Axon Server is a dedicated server designed to manage the storage and retrieval of events, commands, and queries. It serves as a centralized hub for event storage, providing features such as event replay, monitoring, and distributed event handling. Axon Server enhances scalability and performance, allowing applications to handle high-throughput workloads with ease.

Domain Model Components

In Axon, domain model components encapsulate the core business logic and rules. They consist of aggregates, entities, and value objects that collectively represent the state and behavior of the application domain. This modular design promotes a clear separation of concerns and facilitates easier testing and maintenance.

Commands

Commands are messages that represent requests for state changes in the application. They encapsulate user intentions and are dispatched to command handlers for processing. In Axon, commands are immutable, ensuring that the requested changes are clear and explicit, thereby preventing unintended side effects.

Events

Events are immutable messages that capture state changes that have occurred within the system. Once an event is published, it signifies that something significant has happened, allowing other components to react accordingly. Events serve as the primary mechanism for communication between aggregates, command handlers, and event handlers in an event-driven architecture.

Aggregates

Aggregates are the central building blocks of the domain model, representing a cluster of domain objects that are treated as a single unit for data changes. They encapsulate the business logic and ensure that invariants are maintained. Aggregates respond to commands and generate events that reflect state changes, helping to maintain consistency within the application.

🔥 Need a Project Estimation?
Let’s calculate the price of your project with Fively.
👉 Estimate a project

Command Handlers

Command handlers are responsible for processing incoming commands and executing the associated business logic. They receive commands, validate them, and invoke methods on aggregates to perform state changes. In Axon, command handlers are designed to be simple and focused, promoting a clean separation of concerns.

Event Handlers

Event handlers react to published events and execute logic in response to state changes. They can be used to update projections, trigger notifications, or initiate further processing. Axon allows for flexible event handling, enabling multiple handlers to listen to the same event and respond accordingly.

Query Handlers

Query handlers are responsible for processing read requests and returning data to clients. They operate on projections, which are read-optimized views of the application’s data. By decoupling read and write operations, query handlers can be optimized for performance, ensuring quick access to relevant information.

Sagas

Sagas are long-running business processes that span multiple aggregates and may require coordination between them. They manage the state and behavior of complex workflows, handling events and commands as necessary to ensure that the process progresses smoothly. Sagas help maintain consistency across different parts of the system while allowing for eventual consistency in distributed architectures.

All of the Axon framework components work together harmoniously to provide a robust and scalable infrastructure for building event-driven applications.

Infrastructure Components

In addition to the core domain model components, Axon includes several infrastructure components that facilitate communication and coordination within an event-driven architecture. These components ensure that commands, events, and queries are handled efficiently, enabling a seamless flow of information throughout the system. Here’s an overview of the key infrastructure components:

Command Buses

The command bus is a critical component responsible for dispatching commands to the appropriate command handlers. It acts as a mediator, ensuring that commands are routed correctly based on their type and intent.

The command bus supports both synchronous and asynchronous processing, allowing for flexible handling of command requests. By decoupling the sending of commands from their execution, the command bus enables better scalability and fault tolerance in the system.

Event Buses

The event bus plays a vital role in the Axon framework by facilitating the publication and subscription of events. When an event is generated, it is dispatched through the event bus, which notifies all registered event handlers that are interested in that specific event type. This decoupling of event producers from consumers allows for a flexible and extensible architecture, enabling multiple components to react to events independently.

The event bus also supports various delivery mechanisms, ensuring that events are delivered reliably to subscribers.

Query Bus

The query bus is responsible for handling read requests and routing them to the appropriate query handlers. Similar to the command bus, it provides a layer of abstraction that decouples the query logic from the components that request data. By utilizing the query bus, applications can optimize read operations separately from write operations, enhancing performance and scalability. The query bus allows for various querying strategies, enabling developers to design efficient and responsive data retrieval mechanisms.

The infrastructure components of the Axon form the backbone of an event-driven architecture. They facilitate the efficient handling of commands, events, and queries, enabling developers to build scalable and maintainable applications that respond effectively to changing business requirements.

📌 Right now you can get a free consultation on your project if you contact our engineers. We will help you plan the project budget correctly.

Advantages of Using Axon Framework

Axon offers numerous advantages for developers looking to build event-driven applications, particularly in complex domains. Here’s a closer look at these key benefits:

Scalability

One of the primary advantages of this framework is its ability to scale effortlessly. By separating read and write operations through CQRS and utilizing event sourcing, applications can be designed to handle varying workloads efficiently. Axon Server provides a centralized event storage solution that can manage large volumes of events, enabling systems to scale horizontally as demand grows. This architecture allows teams to allocate resources dynamically, ensuring that applications can maintain performance under high-traffic conditions.

Flexibility

It promotes flexibility by decoupling different components of the application, such as commands, events, and queries. This separation allows developers to modify, replace, or extend individual parts of the system without affecting the overall architecture. The use of Sagas further enhances flexibility by enabling complex workflows to be managed independently. As business requirements evolve, teams can adapt their applications more easily, facilitating continuous improvement and innovation.

Auditability

With event sourcing as a core principle, Axon inherently supports auditability. Every state change is captured as an event, providing a complete history of changes made within the application. This historical record allows teams to track the evolution of the application state over time, making it easier to investigate issues, ensure compliance, and perform audits. The ability to replay events also allows for powerful debugging and testing scenarios, enhancing the overall reliability of the application.

Consistency

It ensures consistency in applications through its use of aggregates and command handling. By encapsulating business logic within aggregates, the framework maintains invariants and consistency across state changes. Additionally, the use of event sourcing and the event bus ensures that all components react to events in a coordinated manner, reducing the likelihood of data inconsistencies. Axon’s architecture supports eventual consistency, allowing applications to achieve reliable state synchronization across distributed systems.

Challenges

While the Axon framework offers numerous benefits for developing event-driven applications, it also presents certain challenges that developers should be aware of. Understanding these challenges can help teams prepare and implement best practices to mitigate potential issues:

Complexity

The architecture of this framework can introduce additional complexity compared to traditional CRUD applications. Concepts such as CQRS, event sourcing, and Sagas require a deeper understanding of event-driven design patterns, which may not be familiar to all developers. This complexity can lead to longer onboarding times for new team members and increased development overhead as teams navigate the intricacies of the framework.

Additionally, debugging and testing such systems can be more challenging due to the asynchronous nature of command and event processing.

Insufficient Attention to Event Modeling

Effective event modeling is crucial for leveraging the full potential of this framework. Developers must carefully design event schemas that accurately represent domain changes and capture the necessary context for consumers. Failing to invest sufficient time and effort in event modeling can lead to poorly defined events, resulting in confusion and potential inconsistencies within the application.

It’s essential for teams to prioritize event design and establish clear guidelines for creating and managing events throughout the development process.

Ignoring Event Serialization+

Event serialization is a critical aspect of such architectures, as it determines how events are stored and transmitted between components. Neglecting proper serialization techniques can lead to issues such as data loss, compatibility problems, and performance bottlenecks.

It’s essential for developers to choose suitable serialization formats and libraries that align with the requirements of their applications. Additionally, maintaining backward compatibility for event schemas becomes increasingly important as applications evolve over time, necessitating careful planning and management of serialization strategies.

As you can see, while Axon provides powerful tools for building event-driven applications, it also introduces challenges that teams must address. By recognizing the complexities, prioritizing event modeling, and paying attention to serialization, developers can successfully navigate these challenges and fully harness the benefits of the Axon.

Use Cases of Axon Framework

This framework is versatile and can be applied across various domains and architectures, making it a valuable asset for developers. Organizations in various industries, including finance, healthcare, and logistics, leverage it to develop systems that demand high reliability and scalability.

Here are some prominent use cases where the Axon Framework excels:

Building Applications

The use of thie tool streamlines application development by offering a rich set of annotations and APIs that simplify the definition of command handlers, event handlers, and aggregates. This structure allows developers to implement business logic more effectively while focusing on the core functionality of their applications.

The framework supports both synchronous and asynchronous processing of commands and events, enabling teams to choose the most suitable approach for their specific use cases.

Microservices Architectures

It is particularly advantageous for microservices architectures, where services are often distributed and need to communicate efficiently. By promoting the decoupling of services through event-driven communication, Axon enables services to evolve independently without tight coupling. This flexibility allows teams to deploy, scale, and maintain services autonomously, enhancing overall system resilience.

Additionally, the use of CQRS and event sourcing within Axon facilitates better management of data and business logic across distributed systems, ensuring that each service can respond to changes in real time.

🔥 Need a Project Estimation?
Let’s calculate the price of your project with Fively.
👉 Estimate a project

Event-Driven Systems

Axon is ideal for applications that require complex architectures, enabling businesses to react to changes in real time. By capturing and processing events as they occur, organizations can build systems that provide immediate feedback and updates to users.

This capability is particularly valuable in scenarios such as monitoring IoT devices, managing e-commerce transactions and facilitating real-time analytics, where timely data processing is essential for decision-making.

Complex Business Workflows

For organizations with intricate business rules and workflows, the Axon Framework provides the tools needed to model and manage complex processes. Sagas enable coordination across multiple aggregates and services, allowing for seamless management of long-running transactions.

For instance, in the finance sector, Axon can be used to implement systems that require complex transaction processing, ensuring data consistency and compliance with regulations.

In healthcare, it can help manage patient records and workflows, where maintaining accurate data and responding swiftly to changes is critical. Similarly, logistics companies can utilize Axon to streamline supply chain processes, track shipments, and manage inventory levels, ensuring operational efficiency and responsiveness to market dynamics.

This capability is crucial for applications where consistency must be maintained across various business processes, such as order fulfillment, customer onboarding, and regulatory compliance.

Wrapping Up

The Axon framework is a powerful tool that can be applied in a variety of contexts, from building standard applications to complex microservices architectures. Its strengths in handling event-driven systems and supporting intricate business workflows make it an ideal choice for organizations seeking to enhance reliability, scalability, and responsiveness in their software solutions.

By embracing core principles such as CQRS and event sourcing, Axon empowers developers to decouple their systems, streamline application development, and enhance data consistency. While challenges like complexity and event modeling exist, the framework’s benefits far outweigh these hurdles, providing a robust foundation for organizations across various industries.

As organizations continue to navigate the complexities of modern software development, adopting the Axon framework can pave the way for more efficient, resilient, and responsive applications, ultimately driving success in an increasingly competitive landscape.

✨ This is the end of my explanation of Axon framework. Did you find it useful? Feel free to share your thoughts and contact us in case you have any questions or need professional Axon development and support.

Mild Introduction to Modern Sequence Processing. Part 2: Recurrent Neural Networks Training

Andrew — Mon, 25 Nov 2024 23:01:30 +0000

In our previous article, we learned the fundamental concepts of RNN and examined the core logic of forward pass. In this one, we are going to circle back to forward pass to review the formulas and to recollect the intuition on what the RNN is doing, and immediately after that, we turn our attention to the training process.

Many-to-One RNN: What Is It and How Does It Work

First, let’s examine in detail one of the variants of the RNN, a slightly simplified version of the model from the previous entry - many-to-one RNN. This one only outputs once the whole sequence (all the tokens of the sequence) is processed.

This architecture has multiple applications, like sentiment analysis, speech and handwriting recognition, machine translation, text and music generation, video analysis, time series forecasting, as well as dialogue systems and chatbots.

In the era of LLMs, one could argue that everything might be done using LLMs now, which is partially true, but examining how simpler models work gives a better insight into how it all evolved.

Overall, when one needs to map or represent a sequence to a single value, the many-to-one RNN can be useful, especially if you’re building your local model for your business, and don’t have enough resources to spin up/train/rent a powerful LLM. Also, it becomes easier to fine-tune your own model in case underlying data changes.

So, we’d like to advise to consider RNNs and their enhanced variants when a custom solution is developed (depending on a specific use case, of course).

There are also advanced variants of the basic RNN architecture, like LSTM and GRU. Those serve the same purpose as RNN but are highly better at capturing long-term dependencies, say long texts, due to their specific architecture bits. If interested, please take a good look at this well-recognized industry article.

We approach network training with a Backpropagation algorithm. It typically encompasses several steps that are:

Forward Pass
Loss calculation
Backward Pass
Weights update

The Backpropagation is run in a cycle until accurate enough predictions for the training data are reached – or the Loss is lowered to a reasonable extent.

For simplicity of telling, say we need to compose a model that learns to reply to “The Forest” with 0, 128, 0 (RGB for Green), to “The Sea” with 0, 0, 255 (RGB for Blue), to “The Fire” with 255, 165, 0 (RGB for Orange) effectively predicting a “color” of some natural event description. This is in fact a regression problem. All sequences have two tokens (a token would be a single word in our case). This is not strictly required of course but is done for simplicity as well, since if provided sequences were of various amounts of tokens then we’d need to apply techniques (which are out-of-context of the article), like padding to make them same-length token sequences which is required by RNN definition.

We can’t operate on raw strings hence those first need to be pre-processed.

“The Forest” could be encoded as [0, 1], “The Sea” - [0, 2], “The Fire” - [0,3]. In this regression setup, the output layer of the model will produce a 3-dimensional continuous vector representing the RGB color values – simply speaking an array of three.

As soon as the data is digitized, the model is able to start the Forward Pass. During that process, the data (the sequences) is fed to the net to produce outputs (y^t – predicted label from Figure 1) – 3-dim vectors just like the original labels – which are then used in Backward Pass - the main subject of the article that is outlined down below.

Forward Pass

Now, let’s look closer at the Forward Pass and how it works underneath.

W, U, V are essentially parameter matrices which control how input data is transformed by the neural net to throw the predicted label at the end. If you recollect the simple linear function y = ax + b, the a, and b are similar concept – parameters that affect x (independent input data) to produce y (dependent label). The a affects the slope/gradient of the line, and b is the y-axis intercept which moves the line along the y-axis. You can imagine that you could possibly change a, and b to configure the equation to fit some set of data points (x and y coordinates).

This is a more-less dump recreation of what a neural network can do, and what factually our example model does – it builds some arbitrary function to fit input data (training data). Once we have the function built, we can get insight into what y could be, provided some value x – and we train the model to get its parameters/weights as accurately as we can to fit the training data and hopefully, the real-world data when it comes to testing/using it in prod environment.

h is a hidden state – the heart of RNN – it represents the model “knowledge through time (as I like to call it)”, as in RNN we need it to collect the context as we traverse the sequence. You could envision it like that: when you read some sentence, you’re trying to remember what you’ve read so far so that sentence still makes sense when you finish it. You most likely aren’t able to comprehend the idea of the message if you just see/remember one word. This “memory” is what a hidden state appears to be in the world of AI.

h0,1,2,..., t means hidden state value at a t time step.

Before Forward Pass comes into action, the weights and hidden state are somehow initialized: e.g. randomly or with zeros.

Forward Pass does just that: takes token sequences, one token at a time (called time step), multiples it by the U parameter, sums up with the product of the W parameter and current hidden state h, applies activation function over the result, and continues to do that, until inclusively the latest token (latest time step) is done and for which the latest h is calculated. Then we get the h times V parameter to get the predicted label.

Most transformations in the neural net are linear, like matrix multiplications that you can see on screenshots. Activation functions bring non-linearity to the table.

If there were no such functions incorporated that would apply non-linearity on top of those multiplications, no matter how many layers you’d put in, the model wouldn’t be able to learn these non-linear patterns, since the output of any layer was a linear transformation of its input – and that is why we use neural nets in the first place: learn complex non-linear patterns. An example would be finance, where lots of factors have an impact on stock prices, a quite popular application of ML.

The last step here is to calculate the error i.e. how far off the actual, or so-called ground truth, values that we want to see for the observations we used for training (the sequences) are spread out from the predicted values. The crucial thing here is that we need some accumulated representative number – the Loss.

The Loss can be calculated using a Loss Function, which typically varies from one neural nettype to the other, and from one application to the other. In our example as a baseline, we can leverage the Loss Function called MSE, mean squared error. The Loss function is a model hyperparameter so it is selected by the model developer.

The result of the function above is the error that we need to propagate back through the net to tweak the model's parameters W, U, and V to lower the error.

Backward Pass

The Backward Pass is the essence and the most complex part of backpropagation. It operates on the result of loss, applying calculus and linear algebra, to deduce how to update weights to make the next Forward Pass output less wrong results.

Derivatives

Simply put, in calculus, a derivative shows how the function changes given its input change. Say, there is a function f(x) – its derivative at some arbitrary point x measures the slope of the tangent line to the function at that point. The nature of this slope line gives a sense of function behavior at that point x: If the derivative is positive, the function is increasing; if it’s negative, the function is decreasing. When the derivative is zero, the function has reached an extremum.

Speaking the real math language, the derivative of a function at some point is a limit of the ratio of the function differential to the argument differential. The differential is an infinitesimally small change of some variable. When the derivative of a function with a single argument is calculated, everything but the x in a function is naturally treated as constant(s). E.g., the derivative of the well-known function f(x) = x^2 (as well as f(x) = x^2 + 2) is f’(x) = 2x. The derivative of a constant value is 0.

Partial Derivatives

If a function depends on multiple arguments, a partial derivative is used to understand the function change concerning each individual argument. When the partial derivative is calculated, all args are treated as constants except for the arg, which the derivative is being calculated concerning.

Using derivatives, one gets to understand what to do to the argument in order to change the function value to the direction of choice. So it becomes more obvious now, why we need math/calculus in ML – using these terms we infer how to change the network parameters to actually lower down the Loss Function value, which reflects the overall error. This is what lies in the very foundation of any state-of-the-art ML system.

Backward Pass Logic

Our goal is to decrease the loss value. To do that, the W, U, and V need to be updated so that when the next forward pass round is executed, the loss lowers to some extent. The key idea is to calculate the gradient of loss. The gradient is a vector of the partial derivatives w.r.t to each argument, so we need to differentiate the loss function. The gradient just shows how the loss changes given all of those weights matrices change. The insight from calculus is that the gradient points in the direction where the loss increases the fastest. Naturally, we need to move in the direction of anti-gradient to decrease the loss value.

That’s why, as soon as we get the gradient, we become able to tweak those matrices as we need to.

Let’s check out formulas that allow us to do just that.

The one below is the simplest and depicts how to get gradient w.r.t to hidden-to-output weights. This one (and so are others) uses the chain rule method that enables the calculation of the derivative (when we talk derivative we imply the partial derivative) with respect to the argument that implicitly affects the differentiated function, by breaking the derivative down into the product of derivatives of the inner and outer functions: in the case of V, it is used to compute y^t, which in its turn is used to compute the loss as shown in Figure 4.

Hence, the chain - at first the derivative of loss w.r.t. to y^t is calculated, then the derivative of y^t w.r.t to, finally, V, is done. Ultimately, the product of these terms is taken, which results in a partial derivative of loss w.r.t to V – the first part of the loss gradient. This should more or less give an intuition of how this thing works: we’re basically talking gradient descent here. The same approach applies for W and U but is slightly modified.

The hidden-to-hidden derivative, too, is using the chain rule. We also work backward there, but since the W is affecting the hidden state all along the network, we need to walk through all the time steps to get the result, which is compactly shown above.

The actual tricky part here consists in the fact that the derivative of any, but the very first, time step hidden state w.r.t to the W is not just the derivative of h^t w.r.t to W itself – the W has an impact on the previous time step as well. As in, to get h^t, the W is needed alongside h^t-1, which likewise has been impacted by W. So, the h^t depends on W directly as well as indirectly, through h^t-1.

Exactly the same logic adapts to the computation of U, shown below.

Once we get the gradient at hand, the little part of the backpropagation remains to complete - weights update. We refine W, U, and V using the same technique: weight matrix = weight matrix - learning rate * weight matrix gradient. Subtract happens ‘cause we should move in the direction of anti-gradient. Learning rate is a critical network hyperparameter that controls how large a step you take towards minimizing the loss function. Without this coefficient involved, the gradient descent might take too large steps, and it typically results in very slow convergence (training time increases too much).

Recap

In this entry, we’ve walked you through the model training process, backpropagation, and its foundational steps. Also, we got a glimpse of calculus terms that form the basis of ML. But let’s move past the dull theories; the true way to learn any data-related aspect is through hands-on experience.

It’s time to create something genuinely working! In the next session, let’s build an advanced and extensively trained text generation RNN model using cloud GPU, and evaluate the outcomes. Stay tuned!

Mild Introduction to Modern Sequence Processing. Part 1: Looking into Recurrent Neural Networks

Andrew — Sun, 27 Oct 2024 22:41:15 +0000

Today, everyone is talking about recent advancements in AI, especially about the most popular and frequently used tool ChatGPT. But few know that all these AI breakthroughs could only become possible thanks to the existence of Transformer models. In this series of articles I, as a leading ML specialist at Fively, will tell you about how they make all this magic work, but first, let’s start with their predecessor - RNN.

The Concept of RNNs

Recurrent Neural Networks (RNNs) represent a pivotal milestone in the evolution of deep learning, revolutionizing the way sequential data is processed and understood.

In essence, RNNs are sophisticated architectures equipped with the ability to retain the memory of past inputs, thereby enabling them to capture patterns and dependencies within sequential data.

This unique characteristic has propelled RNNs to the forefront of numerous domains, including natural language processing, time series analysis, speech recognition, and more.

The inception of RNNs marked a significant departure from traditional feedforward neural networks, which lack the capacity to retain information over time. Instead, RNNs introduce recurrent connections that gear them with a form of temporal memory, allowing them to incorporate context and sequential information into their predictions.

This capability has led to groundbreaking advancements in various fields, from generating coherent text (we’ll build a basic text generator at the end of the article, so hang around) to predicting future stock prices and so on.

At each time step, the RNN receives an input (token/word/etc). At the beginning, the RNN initializes its hidden state to a fixed value, often a vector of zeros. This hidden state acts as a kind of memory that retains information from previous time steps.

At each time step, the RNN updates its hidden state based on the current input and the previous hidden state. This update is determined by learned parameters (weights and biases) within the network.

In essence, the RNN takes the current input and blends it with the information it has retained from previous time steps to update its memory. The algo of hidden state calculation is represented in the image down below:

These three formulas represent the core Forward Pass logic of the standard RNN i.e. the calculation of hidden state and output (if needed), where the U is the input-to-hidden, V - is the hidden-to-output, and W - is the hidden-to-hidden weight. The sigma (σ) is an activation function of the hidden state. Commonly used functions are sigmoid, hyperbolic tangent, ReLU.

The hidden state acts as a memory that stores information about previous inputs in the sequence. It captures relevant information from past time steps and combines it with the current input to generate an output and update its own state.

Depending on the specific task, the RNN may produce an output at each time step (i.e. in sequence-to-sequence task). This output is generated based on the current hidden state and can be used for various tasks such as video classification on the frame level.

The process repeats for each time step in the sequence, with the hidden state evolving over time as new inputs are processed. The RNN essentially unfolds across time, maintaining and updating its hidden state at each step.

During training, the RNN adjusts its internal parameters (weights and biases) based on the error it makes in its predictions. This adjustment is done through a process called backpropagation through time (BPTT), where gradients are computed and used to update the parameters.

This allows the RNN to learn to capture relevant patterns and dependencies in the data over time. The next article’s focus will be just that – how the training of RNN is happening alongside the math in the background.

Diving Deeper Into RNNs Capabilities and Limitations

However, while the basic RNN architecture is elegant in its simplicity, it is not without its limitations. Training RNNs over long sequences can cause problems like vanishing or exploding gradients.

Furthermore, the invention of specialized RNN architectures, such as Long Short-Term Memory (LSTM) networks and Gated Recurrent Units (GRUs), has significantly augmented the capabilities of traditional RNNs. These architectures introduce sophisticated mechanisms, such as memory cells and gating units, which enable them to more effectively capture long-term dependencies and mitigate issues like vanishing gradients.

All in all, RNNs suffer from several notable disadvantages:

Difficulty in capturing long-term dependencies: While architectures like LSTMs and GRUs address some issues with vanishing gradients, they may still struggle to capture dependencies across very long sequences effectively. This limitation can impact the performance of RNNs in tasks requiring the understanding of extensive context.
Computational inefficiency: RNNs are inherently sequential models, processing data one step at a time. This sequential nature can lead to slower training and inference times, especially when compared to parallelizable architectures like convolutional neural networks (CNNs).
Sensitivity to input order: RNNs process sequential data in the order it is presented. This means that the model's predictions can be sensitive to variations in the order of input sequences, which may not always be desirable, especially in tasks where the inherent order is ambiguous or irrelevant.
Limited memory capacity: Despite their ability to retain information over time steps, RNNs still have finite memory capacity. This limitation can become problematic when dealing with sequences that are extremely long or when trying to capture very distant dependencies.

Transformer Models: the Next Step in Sequence Processing

Although, in recent years, researchers have made strides in addressing some of these challenges through the development of alternative architectures and training techniques. Everyone now has heard of Transformer architecture which is backing up the extensively used OpenAI’s ChatGPT.

Transformers process sequences all at once through the mechanism of self-attention, which allows them to capture dependencies between all tokens in a sequence simultaneously.

This is in contrast to RNNs, which process sequences sequentially, one token at a time. Because self-attention is applied independently to each token, all tokens can be processed simultaneously, enabling highly parallel computation.

That is why Transformer models are sort of easier to train – the training can be parallelized on the GPU level. Likewise, self-attention enables us to process sequences in any order, unlike RNN. That's merely a teaser regarding transformers; we'll delve deeper into the topic in one of our upcoming articles.

RNNs: a Short Practical Example

At long last, let's ignite the fun and code something! We’ll build a very simple character-level text generator off of complete works of Lovecraft, step-by-step.

During my experiments with the code above and playing around with all possible hyperparameters I was able to generate the following text:

"Cthulhu isdismissal in disgrace from the subject, and all wondered that he had been swept

away by death and

decomposition. Amidst a wild and reckless throng I was the wildest and more frings of disaster.

Alone I mounted the tomb each night; seeing, hearing, and doing things I must never

reveal. My speech, always susceptible to sense

something of surroundings. Never a

competent navigator, I could now conversed a series of

leaps directly upward in the burgon him would soon

pass, and of the sound no..."

The code showcases how the simple generator can be built with a few lines of Python and the data from the Internet. It is worth mentioning that to build a really robust and impressive model, I’d encourage one to try to fiddle with all possible parameters, like the number of layers, types of layers, number of neurons, activation functions, and so forth. I’d expect rather interesting results.

On that note, I’d like to wrap up this small blog post, hope you liked it. Today we’ve introduced the high-level neural network sequence processing things: we’ve had a glance at some forward pass math, and on the tensorflow code to see that all in action. Did you find it useful? Feel free to share your thoughts and contact us in case if you have any questions or need professional ML development and support.

In the upcoming discussion, I aim to explore the inner workings of RNNs, uncovering how they become "intelligent" through training on data. We’ll examine Forward Pass further and will notably learn about Backpropagation/BPTT. So stick around there and let’s learn together!

Securing the Digital Frontier: Top 10 Web App Vulnerabilities and How to Fix Them

Vsevolod Ulyanovich — Fri, 16 Aug 2024 12:16:23 +0000

Explore the top 10 web application vulnerabilities and learn practical mitigation strategies by Fively specialists to enhance your app security and protect your digital assets.

In the rapidly evolving digital landscape, web applications have become central to business operations, serving as gateways to invaluable data and services. However, this prominence also makes them prime targets for cyber-attacks.

To assist organizations in understanding and securing apps against common threats, the Open Web Application Security Project (OWASP), an online community, developed the OWASP Top 10. This list serves as a crucial awareness document for developers and professionals in web application security, encapsulating a broad consensus on the most significant security risks that applications face today.

Today, let’s delve with our highly experienced full-stack engineer Aryna Tanana into the top 10 web application vulnerabilities as identified by security researchers and industry standards like the OWASP Top 10. We will explore each vulnerability in detail, examining its potential impact, and most importantly, practical strategies to mitigate these risks. By equipping yourself with this knowledge, you can enhance the security posture of your applications and protect your organization from the dire consequences of a security breach.

🔥 Need a Project Estimation?

Let’s calculate the price of your project with Fively.

👉 Estimate a project

1. Broken Access Control

Broken access control occurs when an application does not properly enforce restrictions on what authenticated users are allowed to do. Users may be able to access parts of the system that they should not have access to, or perform actions outside of their permitted scope. This could happen due to misconfigurations, flawed logic in access control implementations, or the failure to consistently apply security controls across an application.

Examples include allowing users to modify or view data belonging to other users, accessing sensitive files directly through predictable resource locations, or performing actions without proper authentication.

How to fix it: To prevent broken access control, it is essential to implement robust authentication and authorization controls that adhere to the principle of least privilege. A role-based access model can be highly effective, where access permissions are granted according to the user’s role within the organization. Access should be denied by default, and only allowed when explicitly granted. This ensures that unless a resource is intended to be publicly accessible, it remains secure from unauthorized access. Additionally, routinely review and update access controls to adapt to new security threats or changes in the organization.

2. Sensitive Data Exposure

Sensitive data exposure is another frequent vulnerability, it occurs when an application inadvertently exposes personal data, financial data, or other sensitive information due to inadequate security controls. This can happen in various ways, such as transmitting data in plain text over the internet, storing sensitive information without proper encryption, or failing to properly mask data in user interfaces.

Web applications that do not implement sufficient encryption measures for data at rest and in transit or that expose sensitive information in URLs, logs, or error messages are particularly vulnerable.

How to fix it: To mitigate the risk of sensitive data exposure, begin by ensuring that sensitive data such as passwords, credit card details, or personal information are not stored unnecessarily. If storage is unavoidable, such data should be stored in encrypted forms, using strong, industry-standard cryptographic protocols. Avoid placing files containing sensitive data in application publish directories where they might be easily accessible.

Additionally, ensure that sensitive data is not disclosed during the use of application functions unless absolutely necessary for the function to operate. Implement strong access controls and regularly audit data access logs to detect and respond to unauthorized data access attempts.

📌 Right now you can get a free consultation on your project if you contact our engineers. We will help you plan the project budget correctly. 🔥👨‍💻😎

3. SQL Injection

Most high-risk vulnerabilities in 2021–2023 were associated with SQL Injection. SQL Injection is a critical vulnerability that arises when an attacker is able to manipulate SQL queries by injecting malicious SQL code into them. This typically occurs through user input fields such as search boxes, login forms, or URL parameters that directly interact with the database.

Vulnerabilities of this type can lead to theft of sensitive information or remote code execution. When the application fails to sanitize and validate user inputs before incorporating them into SQL statements, it allows attackers to execute arbitrary SQL commands, which can lead to unauthorized access, data leakage, and even full database control.

How to fix it: To effectively mitigate SQL Injection vulnerabilities, always use parameterized queries or prepared statements instead of dynamically constructing SQL queries with user input. Parameterized queries ensure that user inputs are treated strictly as data, not executable code, which prevents attackers from altering the SQL query’s logic. In environments where parameterized queries cannot be implemented, ensure rigorous input validation and sanitization to eliminate any characters or patterns that could alter SQL execution.

Additionally, adopt the principle of least privilege by restricting database permissions and access rights to only what is necessary for the application to function. Implementing these measures significantly reduces the risk of SQL injection attacks.

4. Cross-Site Scripting (XSS)

Cross-Site Scripting, commonly known as XSS, occurs when attackers inject malicious scripts into content that other users see. This can happen when an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Possible Mitigation: To prevent XSS attacks, it is crucial to sanitize all user input by encoding or escaping HTML, JavaScript, and CSS outputs. This involves replacing potentially dangerous characters with their safe equivalents — for example, transforming characters like <, >, “, ‘, and & into HTML entities like ‘<’, ‘>’, ‘"’, ‘'’, and ‘&’.

This process should be applied to any data received from external sources, including data displayed in the browser and data contained in HTTP headers like User-Agent and Referer. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the sources from which scripts can be loaded. Regularly updating and auditing web applications for XSS vulnerabilities in both new and existing code is also essential.

5. Broken Authentication

Although almost half of the vulnerabilities in this category usually carry a medium risk level, and there are also high-risk ones as well, allowing access to the app on behalf of the customers’ clients.

Broken authentication typically occurs when security measures related to authentication and session management are implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens. This vulnerability can lead to unauthorized access to multiple users’ accounts or even the entire system. Common issues include poorly protected credentials, predictable login credentials, session IDs exposed in URLs, and improperly managed session lifetimes.

Possible Mitigation: To mitigate broken authentication vulnerabilities, ensure that all authentication data undergoes strict validation procedures. It is critical to verify the signatures of tokens and session IDs to confirm their authenticity and integrity. Use high-entropy secrets for authentication processes such as encryption keys and signatures, and ensure these secrets are unique to each instance and not hardcoded into application code.

Furthermore, store secrets securely using dedicated secure storage mechanisms rather than placing them within the application code where they can be easily accessed. Implementing multi-factor authentication can also significantly enhance security by adding an additional layer of protection beyond just passwords. Regularly review and update authentication methods to keep up with new security practices and potential threats.

🔥 Need a Project Estimation?

Let’s calculate the price of your project with Fively.

👉 Estimate a project

6. Using Components with Known Vulnerabilities

This vulnerability occurs when web applications use third-party components such as libraries, frameworks, and other software modules that have known security flaws. Attackers can exploit these vulnerabilities when they are not addressed by patches or updates, potentially leading to serious data breaches or server takeovers. Often, developers are not aware of the vulnerabilities within these components, or they fail to keep them updated due to compatibility issues or oversight.

How to fit it: To protect against the risks associated with using components with known vulnerabilities, it is essential to maintain a regular inventory of all third-party components used within your applications. Keep these components up to date by applying security patches and updates as they become available. Use components only from trusted sources and ensure they have undergone rigorous security testing before integration.

Additionally, disable or remove any components that are not necessary for the application’s functionality. This reduces the attack surface and helps prevent potential exploits. Implementing automated tools to track vulnerabilities and manage dependencies can also streamline this process and ensure greater security compliance.

7. Security Misconfiguration

Security misconfiguration is one of the most common application vulnerabilities, arising when security settings are not defined properly, are left incomplete, or are misconfigured. This can include misconfigured HTTP headers, verbose error messages containing sensitive information, unnecessary services running on the server, and default accounts with unchanged passwords.

Such configurations provide attackers with opportunities to exploit these weaknesses to gain unauthorized access or retrieve confidential information.

How to fit it: To avoid security misconfigurations, always adhere to security best practices for system configurations. Automate the configuration process as much as possible to reduce human error and ensure consistency across deployments. This includes using secure templates and management tools that enforce security policies. Ensure that different credentials are used for development, test, and production environments to prevent crossover risks.

Additionally, regularly review and disable any unnecessary features, components, services, or pages that are not required for the application to function. Regular updates and patches should also be applied to all systems to protect against known vulnerabilities. Conducting periodic security audits can help identify and rectify misconfigurations before they can be exploited.

8. Insufficient Protection from Brute-Force Attacks

This is another common vulnerability. Brute-force attacks involve attackers using trial-and-error methods to guess login info, encryption keys, or find hidden web pages. This type of attack is particularly effective when applications do not implement adequate safeguards to deter multiple failed attempts. Web applications become vulnerable when they allow unlimited, rapid-fire login attempts, which can eventually lead to unauthorized access.

Possible Mitigation: To protect against brute-force attacks, implement several layers of defense. First, consider integrating CAPTCHA challenges on login pages and after several failed authentication attempts to complicate automated login attempts by bots.

Additionally, employ prevention controls such as Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS) that can detect and block suspicious activities. These systems can be configured to recognize patterns typical of brute-force attacks, such as rapid succession login attempts or simultaneous logins from different accounts originating from the same IP address.

Furthermore, enforce account lockout policies where consecutive failed login attempts result in a temporary account lock to further hinder brute-force attempts. Regularly updating and fine-tuning these security measures will help maintain robust protection as attack strategies evolve.

9. Weak User Password

Weak user passwords are a common vulnerability that often results from inadequate password policies. When applications allow users to create simple, easily guessable passwords, it significantly lowers the barrier for attackers to gain unauthorized access through brute force or dictionary attacks. Common weak passwords include simple strings like “password,” “123456,” or even predictable combinations of names and dates.

Possible Mitigation: To combat the issue of weak user passwords, implement robust password policies that require users to create strong, complex passwords. Passwords should be a minimum length — typically 12 to 16 characters — and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Enforce password changes at regular intervals and prevent the reuse of previous passwords to continuously refresh access security.

Additionally, educate users about the importance of using strong passwords and the risks associated with weak ones. Consider implementing multi-factor authentication (MFA) as an extra layer of security, which requires users to provide two or more verification factors to gain access, making it much harder for attackers to breach accounts even if they compromise a password. Utilize password strength meters during account creation or password updates to provide real-time feedback to users about the strength of their passwords.

10. Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) occurs when an attacker manipulates a server into making an unexpected network request to a third-party server or resource. This vulnerability exploits the trust that a server has in the user’s browser, potentially allowing attackers to bypass firewalls, access private internal networks, and retrieve or manipulate sensitive data. SSRF is particularly dangerous because it enables attackers to send requests from the server, which might have special access privileges or visibility that external devices do not.

Possible Mitigation: To mitigate SSRF vulnerabilities, start by implementing strict validation rules for incoming requests, particularly those that can cause the server to fetch data from external sources. Set up an allowlist of approved resources and ensure that the server only makes requests to services on this list. Reject any request that contains complete URLs or unauthorized domains. Additionally, configure your server’s firewall to block outgoing requests to untrusted services or those that do not meet specific criteria. Regularly update and audit your allowlists and firewall settings to adapt to new security developments and potential threat vectors. Applying these preventive measures helps shield your infrastructure from SSRF attacks by controlling what your servers can request and access.

Protecting Web Applications Against Vulnerabilities

Ensuring the security of web applications is a critical challenge but an essential responsibility for developers and administrators. By understanding and addressing the core app vulnerabilities, organizations can significantly enhance their defense mechanisms against cyber threats.

Here’s a consolidated list of mitigation strategies compiled by our specialists to help secure your applications:

Implement Role-Based Access Controls: Enforce strict authentication and authorization measures based on user roles to manage access to sensitive data and functionalities;
Encrypt Sensitive Data: Protect data in transit and at rest by implementing strong encryption protocols and ensuring secure storage practices;
Use Parameterized Queries: Prevent SQL Injection by using parameterized queries that separate SQL logic from data inputs;
Sanitize Input Data: Protect against XSS and other injection flaws by sanitizing user inputs and validating data before processing;
Regularly Update Components: Keep all software components updated to protect against vulnerabilities in third-party libraries and frameworks;
Enforce Secure Configuration: Apply security best practices in system configurations, disable unused features, and ensure minimal privileges for system operations;
Limit Login Attempts: Implement account lockout policies and CAPTCHAs to defend against brute-force attacks;
Strengthen Password Policies: Require complex passwords, enforce regular password changes, and educate users about secure password practices;
Utilize Allowlists: Restrict server requests to known, safe entities to prevent SSRF and reduce exposure to unauthorized external resources;
Configure Firewalls and Filters: Set up firewalls and network filters to control incoming and outgoing network traffic and block malicious requests.

By adopting these practices, organizations can build robust defenses against the most common and damaging web application vulnerabilities. Regular security audits and continuous monitoring are also crucial to adapt to evolving threats and maintain a secure app environment.

✨ Also, please remember that here at Fively, we take security in the first place.

🔹 We’re always here to ensure your web app security is doubtless. Feel free to contact us in case if you have any questions or need help, and stay tuned for more articles like this!

AWS Lambda vs. Cloudflare Workers Detailed Comparison

Kiryl Anoshka — Thu, 18 Jul 2024 11:21:32 +0000

Explore the strengths and weaknesses of AWS Lambda and Cloudflare Workers in this in-depth comparison and determine which serverless platform best fits your development needs.

In this article, as we continue our adventure into the world of Lambdas, I’d like to compare AWS Lambda and Cloudflare Workers, based on their theoretical capabilities and my practical experience. While both platforms offer serverless environments and allow developers to execute their functions without managing servers, they differ significantly across various aspects.

I'd like to explore these differences across several key categories such as performance, runtime, language support, pricing, resources used, integrations available, and, of course, imitations. Plus, I'll share my insights about which platform stands out, and also give you a cold start comparison to illustrate the differences.

It’s worth mentioning that we will compare these platforms on relatively small tasks because Cloudflare Workers (in contrast with AWS Lambda) can’t be used on heavy workloads. Let’s start.

The Essence of AWS Lambda and Cloudflare Workers

First, let’s start with a short course of theory and look at how these two platforms work.

Cloudflare Workers are service workers that manage HTTP traffic within the Cloudflare ecosystem. Designed to intercept and manipulate HTTP requests destined for your domain, Cloudflare Workers allow you to handle web requests directly on the edge of the network, providing the flexibility to respond with any valid HTTP output.

This capability enables virtually unlimited possibilities, as you can program the workers to perform a wide range of web tasks, from modifying requests to making external API calls.

AWS Lambda, on the other hand, is a serverless computing service provided by Amazon Web Services that executes your code in response to events and automatically manages the computing resources required.

Lambda can be integrated into numerous AWS services to add custom functionalities, such as processing data as it enters Amazon DynamoDB, modifying files as they are uploaded to Amazon S3, or implementing custom logic for API calls within the AWS ecosystem. Lambda ensures high availability by operating across multiple Availability Zones, and its performance does not depend on the reuse of the execution environment, although it can benefit from it.

Both platforms offer unique advantages and capabilities, making them suitable for different types of applications depending on the needs and strategies of the developer. AWS Lambda excels in integrating and enhancing other AWS services, while Cloudflare Workers offer real-time data manipulation at the network edge

AWS Lambda vs. Cloudflare Workers: Key Comparison Parameters

Now, let’s compare both services by core metrics such as performance, runtime, language support, pricing, tools, ecosystem, and limitations.

Performance

Winner: it depends.

As you know, most serverless platforms initialize a container upon the first request and reuse it for subsequent requests until a period of inactivity leads to its termination. This initialization phase, known as the "cold start problem," introduces a delay before the function is ready to execute.

AWS Lambda operates by running code inside containers based on Node.js. This configuration can sometimes lead to latency issues known as "cold starts," where there's a delay before the function executes while the environment initializes.

Cloudflare has adopted a unique approach to address this issue. They claim to achieve virtually instantaneous function starts, or "0ms cold starts," globally. This is made possible by utilizing the Chrome V8 Engine, which powers their Workers’ runtime. This engine efficiently executes JavaScript by employing "isolates," which sandbox processes to securely run code from different users within a single process without significant overhead.

Moreover, Cloudflare Workers are hosted on Cloudflare's extensive global network, which ensures reduced latency worldwide due to the geographical proximity of the code to the end-user. The use of Anycast technology ensures that incoming requests are directed to the nearest data center, reducing latency substantially compared to traditional serverless platforms where new endpoints must be established in each location to minimize latency globally.

In contrast, to achieve minimal latency with AWS Lambda, both the function and the client need to be located in the same AWS region, which can limit flexibility in some scenarios.

So, let’s see how both serverless platforms perform while they work as a proxy function that uploads the file to S3.

// Detect dark theme var iframe = document.getElementById('tweet-1813892154655400032-992'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1813892154655400032&theme=dark" }

Here, AWS Lambda wins. But, the first load in the Cloudflare Worker was 838 ms, and in AWS Lambda, due to a cold start, it was as much as 2.3 seconds.

Let’s now retest their performance as there's no cold start already:

// Detect dark theme var iframe = document.getElementById('tweet-1813892204349563162-599'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1813892204349563162&theme=dark" }

As you can see, AWS Lambda wins again. But Cloudflare Workers wins in terms of startup time.

This, again, proves that there is no such thing as a cold start when you deal with Cloudflare Worker, and if an infrequent operation needs to be carried out once, then it wins over AWS Lambda. But if you pull the AWS Lambda often, it is faster than the Cloudflare Worker.

Summing up, if we are dealing with a cold start, then AWS Lambda is definitely slower because there is a cold start which can add a second or even more. If there are no cold starts (for example, there is constant loading or rare cold starts are not so important), then AWS Lambda is faster, especially since we can configure its power/hardware.

Runtime & Language Support

AWS Lambda offers native support for Java, PowerShell, Node.js, C#, Python, and Ruby, catering to a diverse development community. Cloudflare Workers, however, supports only JavaScript, Python, and TypeScript, and also allows the use of WebAssembly (WASM) compiled languages, although implementing these can be complex.

We can say that AWS Lambda obviously wins, but Lambdas are most often written based on Node.js or Python, therefore Cloudflare Workers is almost equal to AWS in this category.

Configurability and Limitations

Winner: AWS Lambda.

AWS Lambda provides significant flexibility in terms of configuration options. Users can select custom runtimes through Lambda Layers and can adjust memory allocation from 128MB to a substantial 10GB.

Additionally, Lambda functions can run for up to 900 seconds (15 minutes), which is considerably longer than the maximum execution time of 30 seconds for Cloudflare Workers. Another limitation of Cloudflare Workers is that they are not based on Node.js, which means they do not support packages that require Node dependencies. In contrast, AWS Lambda supports a broader range of dependencies and configurations, making it more versatile for complex applications.

Given these aspects, AWS Lambda is considered more advantageous in terms of configurability and support for long-running processes.

Pricing

Winner: Cloudflare Workers.

AWS Lambda charges $0.20 per 1 million requests and about $16.67 per million GB-seconds for function execution.
Cloudflare Workers offer a lower rate at $0.15 per 1 million requests and $12.50 per million GB-seconds.

Thus, Cloudflare Workers emerge as a more budget-friendly option in this pricing comparison, especially for projects with high request volumes and significant compute time.

You can read more about pricing in this [blog post](https://www.vantage.sh/blog/cloudflare-workers-vs-aws-lambda-cost).

Tools and Resources

Winner: AWS Lambda.

AWS Lambda, launched in 2014, is often recognized as a forerunner in the serverless computing arena. Over the years, it has got a robust set of tools and resources, supported by both Amazon and a vibrant third-party ecosystem. This extensive support includes a variety of management and deployment tools that enhance the user experience and streamline processes.

In contrast, Cloudflare Workers, introduced in 2018, while steadily growing, currently offers fewer tools and technical resources compared to AWS Lambda. This makes AWS Lambda more resource-rich for developers looking for diverse tools and extensive community support.

In this category, AWS Lambda has the edge due to its maturity and broader range of developer tools and resources.

Ecosystem and Integrations

Winner: AWS Lambda.

AWS Lambda seamlessly integrates with a multitude of other AWS services, allowing for extensive versatility in application scenarios. It can interact with AWS databases, trigger functions based on events in other AWS services, and serve a myriad of use cases—from API backends to data processing engines. Conversely, Cloudflare Workers, primarily focused on web applications and edge computing, presents a narrower range of integration options. While it supports features like Worker KV and Durable Objects for stateful applications at the edge, the scope of integration is much less diverse compared to the expansive AWS ecosystem.

With its deep integration capabilities and the breadth of use cases it supports, AWS Lambda is the clear winner in this category.

Let’s now look at what we’ve got in the table below:

Category	Winner
Performance	It depends
Runtime & Language Support	AWS Lambda
Tools and Resources	AWS Lambda
Pricing	Cloudflare Workers
Ecosystem and Integrations	AWS Lambda
Configurability and Limitations	AWS Lambda
Supported languages	AWS Lambda

Conclusion

In this analysis, I've delved into the nuances of two serverless instruments - AWS Lambda and Cloudflare Workers. It's important to note that there is no one-size-fits-all answer when deciding which platform is superior. The choice largely depends on specific use cases and individual preferences.

While AWS Lambda is often seen as the more robust option for a variety of applications due to its extensive integration capabilities and broader language support, it has a well-known cold start delay, while Cloudflare Workers excels in scenarios that demand minimal latency on a global scale.

To my mind, particularly noteworthy is Cloudflare Workers' approach to the cold start problem, where they stand out with virtually no delays, making them a promising option for performance-sensitive environments.

I encourage you to share your thoughts and experiences regarding these platforms. Whether you agree or disagree, your feedback is valuable. Please feel free to leave a comment on this article or discuss this further on my LinkedIn page.

Also, if you need professional Cloud development services or any related help, feel free to contact me or Fively - our experienced engineering team is here to help your business thrive and ensure that your serverless apps work seamlessly.

SST Ditches AWS CDK: Time to Move on to Ion

Kiryl Anoshka — Thu, 13 Jun 2024 10:13:45 +0000

Explore how SST shifted from AWS CDK to Ion, uncover the challenges of the old bucket construct, and see the benefits of starting new software projects with SST 3 Ion.

As we all know, staying ahead means embracing the latest in technology and innovation fields. Recently, SST, a pioneer in serverless solutions, made a significant shift by moving away from the AWS Cloud Development Kit (CDK) to Ion, a new and promising framework.

This bold move signals a change in how developers will build, deploy, and manage cloud resources. With this article, I want to study the reasons behind SST's decision to transition to the new version, explore its benefits, and discover what it means for the future of cloud development.

AWS CDK Concerns: Why It’s Not a Good Choice Anymore?

First, let’s start with AWS CDK: what’s wrong with it in the context of SST?

Well, the first two versions of SST were basically the wrappers and enhancers of AWS CDK. If we go to any construct of the first two versions of SST we will find a connection to AWS CDK (look at imports):

In fact, these first two versions allowed us to use AWS CDK and SST together in one codebase. For example, SST never provided the constructs for Step Functions, but developers could seamlessly use AWS CDK’s constructs to describe and manage Step Functions, demonstrating the compatibility and extendibility of using both tools together.

The deployment process was based on AWS CDK as well, which included Cloudformation template generation and stacks deployment. However, the reliance on AWS CDK brought with it lots of limitations, particularly in terms of deployment speed and transparency, so that the deployment time was unpredictable.

Also, developers could often face the infamous UPDATE_ROLLBACK_FAILED status and then you need special techniques to deal with the status as well as your panic attack.

The worst nightmare was cycling dependencies of stacks. This was not just a minor inconvenience - it fundamentally impacted how infrastructure updates could be managed. It also meant that if you need to update your infrastructure then you just update it.

For example, when you need to do something as simple as renaming a stack in the CloudFormation model, then you don't merely rename the existing stack but instead need to create an entirely new one.

Such CDK behavior necessitated meticulous planning from developers. If you already have a resource that you need to “check out” into your IaC and then update it, then you need to use Custom Resource, which significantly complicates the update process, and so on and so forth.

This has damaged a lot of mental health for every developer trying to manage and scale their cloud infrastructure efficiently. But it was not SST’s fault. These were faults inherited from AWS CDK and CloudFormation.

So what SST decided to do is that they ditched AWS CDK and jumped from templates-driven IaC to API-driven IaC. This meant that the resources on the lower level were created by AWS SDK and managed by SST instead of Cloudformation.

For this, they found out that Pulumi which uses Terraform Providers (because it uses Pulumi Classic) is the best option.

How SST 3 Ion Will Work?

Below, you can see a piece of the new SST bucket construct. Just compare the previous bucket construct with a new one: you may notice right away the imports from Pulumi. It means the whole deployment process will be built on Pulumi now.

With the integration of Pulumi, SST now supports all of the Pulumi packages, which opens up a vast array of new capabilities and integrations previously unavailable in the older versions that relied solely on AWS CDK. This includes access to a wide range of Pulumi's own components, along with a large number of custom components developed by SST itself.

The most radical advancement is that they can support other clouds as well now! SST now includes support for providers beyond AWS, such as Azure, Google Cloud, and even niche providers like Cloudflare, for which SST has already created a number of specialized components. This capability, known as providers in Pulumi's terminology, allows SST to operate across different cloud platforms seamlessly.

That’s not everything! One of the most groundbreaking features introduced with the move to Pulumi is the ability to link resources from one cloud provider to resources from another. This cross-provider linking eases the creation of multi-cloud infrastructure as code (IaC), so that you can manage and orchestrate your applications across multiple cloud environments using SST's enhanced and user-friendly API.

Should I Switch to Ion or Stay with SST v2?

So, my advice is the following: if you already have an old SST codebase - switching to Ion will not be a trivial task. The underlying architecture changed so radically that we are talking about two different libraries here. It will require a careful consideration of how much effort it can be and how to avoid downtimes.

However, if you have a brand new project, then surely you should start with SST 3 Ion: the benefits of adopting this platform are clear and significant. While the SST 3 Ion is not officially stable yet I don’t think it will be an exaggeration to say that we are one inch from there. The creators of SST are very public and well-known on X/Twitter, and it drives them to do their best to fix bugs very fast. Thus, you can join their official Discord - in my opinion, some of the bugs could be resolved in a couple of days.

Also, if you need expert guidance or hands-on assistance with your cloud projects, Fively cloud specialists are here to help. Whether implementing a new project with SST 3 Ion or transitioning from an older system, our team can provide the support and expertise necessary to ensure your project’s success.

Stay tuned for more like this.

Optimizing Costs in DevOps: Migrating a Kubernetes App from Amazon to Digital Ocean

Valentin Parshikov — Wed, 22 May 2024 10:50:01 +0000

Discover how we successfully migrated our Kubernetes application from Amazon to Digital Ocean, and get significant cost savings without compromising quality or flexibility.

In a strategic move to optimize costs without compromising on quality and flexibility, I recently undertook the task of migrating our Kubernetes eCommerce application from Amazon Web Services (AWS) to Digital Ocean. This bold decision proved to be a game-changer, resulting in significant cost savings while maintaining the integrity and scalability of our system.

How did I make it? Read in my today’s article.

About Our SaaS Platform Otomate

Otomate is our PIM (product information management) SaaS platform for the eCommerce industry that provides a single source of truth for all product data and ensures the efficient management and distribution of product catalogs across online sales channels. While Open Source and Tailored PIM tools have their unique advantages, a Software-as-a-Service PIM often stands out as the most balanced choice for a wide range of businesses.

Why SaaS PIM Often Wins:

Ease of use and quick deployment: solutions like Otomate are designed for ease of use and rapid implementation. This means you can get your product information management system up and running quickly, without the lengthy development and implementation phases associated with custom solutions;
Cost-effective and scalable: With a SaaS PIM, you enjoy the benefits of a subscription-based model, which is typically more cost-effective than the significant upfront investment required for tailored systems. Plus, SaaS solutions like Otomate are highly scalable, growing seamlessly with your business;
Regular updates and professional support: SaaS solutions provide the advantage of regular updates and enhancements without additional costs or efforts from your team. Otomate PIM, for example, offers continuous updates and professional support, ensuring that your system is always at the cutting edge.
Robust security and reliability: With such a PIM, you benefit from robust security measures and reliable performance. Providers like Otomate invest heavily in security protocols and infrastructure to ensure that your data is protected and your system is always available.

All these features are possible thanks to the sophisticated architecture of Otomate SaaS PIM, which uses the following technologies and tools:

Kubernetes: a powerful container orchestration platform, ensuring high availability, scalability, and efficient resource utilization;
BullMQ (Redis-based queue): enhances performance and resilience, and manages asynchronous tasks and job processing;
MySQL: a widely used relational database management system known for its stability and versatility;
ElasticSearch: employed for fast and efficient search capabilities, enabling users to quickly retrieve product information and insights.

Why Did We Need a Migration?

At Otomate, we understand the complexities and challenges of managing product information. The named above technologies form the backbone of Otomate's SaaS PIM, providing users with a seamless experience while ensuring the reliability, scalability, security, and efficiency that businesses need to manage their product data effectively and drive their e-commerce success.

However, the old AWS provider, though effective and powerful, was quite expensive and thus slowed down the further development of the Otomate platform and its features. That’s why we started thinking of switching to Digital Ocean.

When comparing AWS vs. Digital Ocean, several factors were carefully evaluated to determine the most suitable platform for hosting the application.

AWS, as one of the leading cloud service providers, offered us a comprehensive suite of services such as AWS EKS, AWS RDS, and others, as well as a wide range of managed services, including databases, storage solutions, and machine learning capabilities, providing us with the flexibility and agility to host our complex platform.

On the other hand, Digital Ocean is known for its simplicity and ease of use, making it an attractive option for startups and small to medium-sized businesses. With its straightforward pricing model and intuitive user interface, Digital Ocean appeals to developers looking for a hassle-free cloud hosting experience. While Digital Ocean may not offer the same breadth of services as AWS, it excels in providing high-performance virtual machines and developer-friendly tools, such as Kubernetes and managed databases.

Thus, the decision to migrate the application from AWS to Digital Ocean was driven by factors such as cost-effectiveness, ease of management, and performance. By leveraging Digital Ocean's streamlined infrastructure and cost-effective pricing, the organization was able to achieve significant cost savings without compromising on performance or reliability.

Additionally, Digital Ocean's robust support for Kubernetes and other modern DevOps tools made it an ideal choice for deploying and managing containerized applications, further enhancing operational efficiency and agility.

How Did the Migration Happen?

Now, let’s take a look at how the migration itself took part from the technical side.

The migration process involved meticulous planning and execution, with careful consideration given to every aspect of the app's architecture.

First and foremost, I embarked on replicating the existing infrastructure on Digital Ocean using Infrastructure as Code (IaC) principles, specifically leveraging tools like Terraform to automate the setup process.

As you know, 2 key IaC principles are idempotency and immutable infrastructure. Here, idempotency means no matter how many times you run your IaC and what your starting state is, you will end up with the same end state.

This involved configuring the necessary resources such as:

virtual machines,
networking components,
and storage solutions, in order to mirror the environment previously hosted on Amazon Web Services (AWS).

Once the infrastructure was provisioned, I proceeded to deploy the Kubernetes application onto the new cloud environment, ensuring seamless compatibility and functionality. To facilitate a smooth transition, the application was pointed to a subdomain for validation purposes, allowing for comprehensive testing and validation of the migrated system.

Additionally, leveraging the capabilities of Digital Ocean's database migration tool, I established database replication between the existing AWS RDS instance and the new Digital Ocean database instance, ensuring data consistency and integrity throughout the migration process. With meticulous verification and testing procedures in place, including thorough checks of all critical functionalities and performance metrics, the team verified that all aspects of the application were functioning as expected in the new environment.

Finally, once the migration was deemed successful and all stakeholders were satisfied with the validation results, I initiated the DNS switchover to point to the new deployment on Digital Ocean, seamlessly transitioning end-users to the updated infrastructure.

The Results and Advantages

So, what did we get as a result of the migration?

One of the key advantages of migrating to Digital Ocean was its cost-effectiveness. By utilizing Digital Ocean's competitive pricing model and tailored infrastructure solutions, we were able to achieve substantial savings on our cloud infrastructure expenses. This move allowed us to reallocate resources to other critical areas of development while maintaining a lean and efficient budget.

Moreover, the migration did not compromise the quality or flexibility of our system. In fact, Digital Ocean's intuitive platform and powerful tools provided enhanced performance and scalability capabilities, enabling us to deliver an even better experience to our users. With features such as automated backups, seamless scaling, and robust security measures, we gained greater control and visibility over our application environment

Overall, the successful migration of our Kubernetes application from Amazon to Digital Ocean stands as a testament to our team's expertise and innovation in optimizing cloud infrastructure. By embracing cost-effective solutions without sacrificing performance, we continue to drive efficiency and value in our operations, ultimately delivering superior results for our clients and stakeholders.

Thank you for reading my article on the migration of an eCommerce app Otomate from Amazon to Digital Ocean. How did you find it? Feel free to write in the comments for any questions or details you’re interested in. Also, stay tuned for articles like this, and remember, if you need professional DevOps services, just write us and we’ll be happy to help you with your projects!

Lambda Internals: Why AWS Lambda Will Not Help With Machine Learning

Kiryl Anoshka — Thu, 25 Apr 2024 14:22:04 +0000

Explore the constraints in the use of AWS Lambda in machine learning, and discover the capabilities of Cloudflare for GPU-accelerated serverless computing.

AWS Lambda, built atop Firecracker, offers a lightweight, secure, and efficient serverless computing environment. I'm very passionate about this technology but there is one caveat that we need to understand - it can't use GPU. In today’s short article, I invite you to continue our dive into the world of Lambda we started recently, and I will explain to you why the use of Lambda in Machine Learning is limited.

What’s Wrong with Firecracker?

First, let’s see how Firecracker works on the inside.

Firecracker's architecture uniquely supports memory oversubscription, allowing it to allocate more virtual memory to VMs than physically available, enhancing its efficiency.

How is it possible to allocate more virtual memory to VMs than is physically available? This cool feature of Firecracker, called memory oversubscription, leverages the fact that not all applications use their maximum allocated memory simultaneously. By monitoring usage patterns, Firecracker dynamically allocates physical memory among VMs based on current demand, increasing the efficiency and density of workloads.

This strategy allows for a high number of microVMs to run concurrently on a single host, optimizing resource utilization and reducing costs.

This architecture leverages microVMs for rapid scaling and high-density workloads. But does it work for GPU? The answer is no. You can look at the old 2019 GitHub issue and the comments to it to get the bigger picture of why it is so.

But to be short, memory oversubscription will not work with GPU because of the following reasons:

With current GPU hardware, performing device pass-through implies physical memory which would remove your memory oversubscription capabilities;
You can only run one customer workload securely per physical GPU, and switching takes too long.

Can We Use Lambda in Machine Learning at All?

AWS Lambda cannot directly handle GPU-intensive tasks like advanced machine learning, 3D rendering, or scientific simulations, but it can still play a crucial role. By managing lighter aspects of these workflows and coordinating with more powerful compute resources, Lambda serves as an effective orchestrator or intermediary, ensuring that heavy lifting is done where best suited, thus complementing the overall machine learning ecosystem.

This includes tasks such as initiating and managing data preprocessing jobs, coordinating interactions between different AWS services, handling API requests, and automating routine operational workflows, thereby optimizing the overall process efficiency.

For heavy-duty machine learning computations that require GPUs, Lambda can seamlessly integrate with AWS's more robust computing services like Amazon EC2 or Amazon SageMaker. This integration allows Lambda to delegate intensive tasks to these services, thereby playing a vital role in a distributed machine learning architecture. Lambda's serverless model also offers scalability and cost-efficiency, automatically adjusting resource allocation based on the workload, which is particularly beneficial for variable machine learning tasks.

As we can see, AWS Lambda may not execute the most computationally intensive tasks of a machine learning workflow, but its role is an orchestrator. Its scalability and its ability to integrate diverse services and resources make it an invaluable component of the machine learning ecosystem.

But I Want a Serverless GPU! Is It Impossible in All of the Worlds?

For those exploring serverless architectures that require GPU capabilities, it's essential to look beyond AWS Lambda to platforms designed with GPU support in mind. While AWS Lambda, a pioneer in serverless computing, does not directly offer GPU capabilities, the technological ecosystem is vast and diverse, offering other platforms that cater to this specific need.

If you want to explore serverless architectures that necessitate GPU support for tasks such as deep learning, video processing, or complex simulations, a notable example can be Cloudflare, as its recently presented WebGPU which supports Durable Objects, and it is built with modern cloud-native workloads in mind.

Unlike Lambda, the use of Durable Objects makes it possible to perform tasks such as:

Machine learning - implement ML applications like neural networks and computer vision algorithms using WebGPU compute shaders and matrices;
Scientific computing - perform complex scientific computation like physics simulations and mathematical modeling using the GPU;
High performance computing - unlock breakthrough performance for parallel workloads by connecting WebGPU to languages like Rust, C/C++ via WebAssembly.

What’s also important, the use of Durable Objects ensures memory and GPU access safety, and it also guarantees a reduced driver overhead and better memory management.

In essence, while the quest for serverless GPU computing may seem daunting within the confines of AWS Lambda's current capabilities, the broader technological ecosystem offers promising avenues. Through innovative platforms that embrace device pass-through and GPU support, the dream of a serverless GPU is becoming a reality for those willing to explore the cutting-edge of cloud computing technology.

Wrapping Up

Finalizing our today’s explanation, the quest for serverless GPU capabilities, while elusive within the constraints of the use of Lambda in Machine Learning, is far from a lost cause. The landscape of serverless computing is rich and varied, offering innovative platforms like Cloudflare that bridge the gap between the desire for serverless architectures and the necessity for GPU acceleration.

By leveraging the Cloudflare's cutting-edge Durable Objects technology, this platform offer a glimpse into the future of serverless computing where GPU resources are accessible and scalable, aligning perfectly with the needs of modern, resource-intensive applications.

As the serverless paradigm continues to evolve, it's clear that the limitations of today are merely stepping stones to the innovations of tomorrow. The journey towards a fully realized serverless GPU environment is not only possible but is already underway, promising a new era of efficiency, performance, and scalability in cloud-native applications.

Stay tuned with our special series on AWS Lambda, and feel free to contact us if you need professional cloud computing development services!

Azure vs. AWS: a Deep Dive Into the Cloud Security

Valentin Parshikov — Mon, 18 Mar 2024 10:48:27 +0000

Cloud has become the backbone of enterprise IT infrastructure, offering scalability, flexibility, and innovation. However, as organizations migrate their critical workloads to the cloud, security stands as the paramount concern, and choosing a cloud provider is a crucial decision. Among the titans of cloud computing, AWS and Microsoft Azure leading the pack, each offering robust platforms with unique strengths and approaches to security.

As a highly experienced senior software developer and DevOps engineer, I’d like to dive deep into their peculiarities, seeking to unravel the complex tapestry of Azure security vs AWS security. By examining their security models, features, compliance certifications, and real-world applications, I want to provide clarity and insights to IT professionals, security analysts, and business leaders making pivotal decisions about their cloud strategy. Join us and let’s start!

Fively’s Advice: Choose AWS for Most of the Cases

Yes, that’s it: AWS presents a more user-friendly experience, boasting an interface that’s both intuitive and user-centric compared to Azure’s more complex navigation and denser dashboards. This ease of use is paramount, especially when considering the learning curve and training requirements for your team.

As a leader in the cloud market, AWS enjoys several key benefits. Its position allows for enhanced refinement of its platform's stability, reliability, and security measures over time. AWS's extensive history in the cloud domain means it has developed a vast and engaged developer community, complemented by comprehensive and high-quality documentation, which is invaluable for troubleshooting.

Furthermore, AWS's server capacity significantly outstrips Azure's, with some estimates suggesting it offers up to 6 times the capacity of its 12 nearest competitors combined.

Amazon’s global investment in data centers supports this capacity, favoring organizations with a global footprint by minimizing latency and enhancing performance across geographically diverse teams.

Customer support with AWS stands out as exemplary. Unlike Azure, which has been criticized for its inconsistent support and occasional service disruptions, AWS prioritizes customer satisfaction and business continuity. AWS goes above and beyond in its customer relations, including developing bespoke solutions to meet unique client challenges.

When to Opt for Azure?

While AWS often comes highly recommended, Azure stands as a formidable contender in the cloud space, rapidly advancing with each new iteration. There are distinct scenarios where Azure emerges as the more strategic choice.

For organizations deeply entrenched in the Microsoft ecosystem, Azure is a natural extension. Its seamless integration with Microsoft products offers a cohesive environment, streamlining workflows and system cohesion.

Those familiar with Microsoft’s suite, including PowerShell and other applications, will find Azure’s naming conventions and user interface reassuringly familiar.

Choosing Azure is particularly prudent for businesses in direct competition with Amazon or those serving Amazon’s competitors. This includes sectors like retail, consumer electronics, and logistics. While concerns about data security with Amazon are not substantiated, the preference to avoid Amazon’s infrastructure for competitive reasons is understandable.

Azure also shines in scenarios requiring robust support for hybrid environments. Unlike AWS, which has traditionally prioritized cloud-native solutions and is only beginning to explore hybrid options, Azure has long embraced hybrid deployments. It offers an extensive array of hybrid connectivity options such as ExpressRoute, VPNs, and CDNs, making it the go-to platform for businesses seeking versatile cloud and on-premise integration.

What’s About Pricing in AWS and Azure?

To be short: it depends.

Attempting to directly compare the pricing structures of AWS and Azure is akin to comparing the depths of two oceans – both vast and varied in their offerings. Each platform provides a range of services in storage, computing, traffic, and databases, adding layers of complexity to any pricing comparison.

Nevertheless, a closer look at bundled offerings of similar services from AWS and Azure reveals some insights:

On-demand pricing: Both giants adopt pay-as-you-go models, with charges applied per second, minute, or hour. When considering on-demand services, Azure frequently emerges as the more cost-effective option, offering lower rates for similar services;
Reserved instances: Opting for reserved pricing entails committing to a certain level of usage over a fixed term, available in one-year or three-year commitments from both providers. In this arena, AWS often outpaces Azure with more significant discounts for longer-term commitments, presenting a more budget-friendly choice for those able to plan their usage in advance. Furthermore, AWS distinguishes itself with greater flexibility, permitting changes to instance types mid-contract – a level of adaptability not typically found with Azure;
Both AWS and Azure equip potential users with pricing calculators, enabling a detailed estimation of costs before committing to services. This tool is invaluable for businesses meticulously planning their cloud budgets.

Now, let’s dive deeper into the AWS vs Azure security services comparison.

Identity and Access Management (IAM)

Fively recommends: choose AWS.

In the digital expanse of cloud computing, Identity and Access Management (IAM) forms the cornerstone of cloud security, empowering organizations to meticulously manage access and permissions. It ensures that only authorized eyes gaze upon your data and only approved hands wield your applications. While AWS and Azure each present their unique IAM frameworks, delving into these differences is crucial for a comprehensive understanding of cloud security.

AWS IAM

AWS IAM offers a robust and flexible framework for managing users, groups, and permissions with no additional charge for registered AWS users, underscoring the platform's view of IAM as an essential component of cloud infrastructure. AWS IAM delivers comprehensive access controls, allowing for detailed management of permissions through features like user groups, roles, multi-factor authentication, live access tracking, and policy management using JSON.

AWS IAM is designed with robust default security protocols. For instance, it requires administrators to explicitly grant permissions to users, ensuring that new accounts have no access capabilities until appropriately authorized.

One area where AWS IAM could be seen as lacking is in its native Privileged Identity Management, a feature that Azure Active Directory offers directly. To access similar functionality in AWS, users must turn to third-party solutions available through the AWS Marketplace.

To sum up, with AWS IAM, you can:

Create and manage AWS users and groups: Assign specific permissions to ensure users have only the access they need;
Use roles and policies: Dynamically assign roles to AWS resources, applying granular permissions policies to control access to AWS services and resources;
Multi-factor authentication (MFA): Enhance security by requiring a second factor of authentication, beyond just a password;
Integration and federation: Seamlessly integrate IAM with your existing identity systems, enabling users to federate into the AWS Management Console or call AWS APIs;
Detailed logging and monitoring: With AWS CloudTrail, monitor and log all actions taken through IAM for auditing and compliance.

Azure Active Directory (Azure AD)

Microsoft's Azure Active Directory is a comprehensive identity and access management cloud solution, optimized for hybrid cloud environments. While not labeled as IAM in the traditional sense, Azure AD encompasses a broad suite of access and authorization services integral to the Microsoft cloud ecosystem.

Subscribing to any of Microsoft’s commercial online services, such as Azure or Dynamics 365, automatically grants users the basic features of Azure AD. This free tier includes essential IAM capabilities like cloud-based authentication, unlimited single sign-on (SSO), multi-factor authentication (MFA), and role-based access control (RBAC), catering to general security needs without additional costs.

But for organizations seeking advanced IAM functionalities — like enhanced mobile access security, detailed security reporting, and improved monitoring — Azure AD offers premium tiers. Premium P1 is available at $6 per user per month, and Premium P2 at $9 per user per month, introducing a cost for more sophisticated features. In this aspect, AWS stands out by providing a comprehensive suite of IAM features at no extra charge.

Thus, Azure AD enables you to:

Single sign-on (SSO): Provide users with secure access to your applications, both in the cloud and on-premises, with a single set of credentials;
Conditional access policies: Implement automated access control decisions for accessing your cloud apps, based on conditions;
Multi-factor authentication: Protect your accounts from 99.9% of cybersecurity attacks with MFA;
Device management: Manage how your cloud apps are accessed depending on the device and its compliance with your security standards;
Hybrid identity: Azure AD can be integrated with your existing on-premises directory, enabling a consistent identity for users across environments.

The choice between AWS and Azure may come down to specific organizational needs, existing infrastructure, and the particular nuances of each IAM solution. But for most of the projects, we recommend choosing AWS.

Virtual Private Network (VPN)

Fively recommends: choose AWS.

The necessity for secure data transmission over the Internet cannot be overstated, especially with the ever-present risks of data interception. Cloud platforms like AWS and Azure address these concerns by offering robust Virtual Private Network (VPN) functionalities, ensuring data moves securely within a network.

AWS Virtual Private Cloud (VPC)

AWS and Azure both employ subnetting to divide networks, yet AWS stands out with its extensive customization capabilities. AWS VPC uniquely offers both private and public subnets, enabling a secure environment for running public-facing applications while safeguarding back-end systems. For example, you can host the front-end components of a layered website in a public subnet, while the database servers reside securely in a private subnet.

The adaptability of AWS VPC is notable, allowing for precise configuration of your virtual network to meet specific requirements. AWS enriches this experience with a suite of tools, including programmable APIs, Command Line Interfaces (CLIs), Cloud Formation Templates, and an intuitive management portal, facilitating a bespoke VPC architecture.

Moreover, AWS VPC's architecture options are diverse, ranging from setups with a single public subnet to more complex structures featuring private subnets accessible only via hardware VPN, catering to the intricate needs of multi-tier web applications efficiently.

Microsoft Azure Virtual Network (VNet)

Conversely, Azure VNet, by default, enables internet access for all its resources, lacking the innate public-private network segregation seen in AWS. Nonetheless, Azure VNet does offer tools like a management portal, CLI, and PowerShell for network architecture customization, albeit with fewer choices compared to AWS VPC.

Azure Virtual Network remains a powerful tool for network management, granting users significant control over routing, filtering traffic, and facilitating resource communication. Its design tends more towards serving enterprise needs, contrasting with AWS VPC's broader appeal, especially for customer-centric web applications.

Thus, in the realm of VPN services, AWS emerges as the frontrunner, particularly for its versatility, customization options, and ability to cater to both public-facing applications and secure back-end operations. While Azure VNet offers substantial capabilities, especially for enterprise-level networking, AWS VPC's extensive features and flexibility make it the preferred choice for safeguarding and structuring complex network architectures.

Data Encryption

Fively recommends: choose AWS.

While both providers deliver exemplary encryption services, a closer examination reveals key distinctions that merit attention.

AWS Simple Storage Service (S3)

At the forefront of Amazon's encryption offerings is the Simple Storage Service (S3), renowned for its comprehensive encryption capabilities. Amazon S3 ensures data security through both server-side and client-side encryption, effectively encrypting data at its origin before transmission and storage.

Employing Advanced Encryption Standard (AES) with Galois Counter Mode (GCM), AWS enhances data security by facilitating the authentication of encrypted data, guarding against unauthorized alterations. AWS further empowers users by accommodating customer-provided keys (SSE-C) for server-side encryption, alongside its managed key services through SSE-KMS (Key Management Service) and SSE-S3 options, thereby relieving users from the complexities of key management.

Azure Blob Storage

Microsoft's Azure Blob Storage parallels AWS in offering both server-side and client-side encryption, utilizing AES-256 symmetric keys to secure data. Azure matches AWS in providing managed key services, ensuring robust encryption standards across its platform.

Despite the close competition, AWS secures a slight advantage, particularly with its implementation of Galois Counter Mode (GCM), which adds an extra layer of security by verifying the integrity of encrypted data. AWS distinguishes itself further with a broader array of encryption services and key management solutions, complemented by more detailed documentation on leveraging these options effectively.

As we can see, when comparing AWS security vs Azure security, AWS edges out with its nuanced encryption enhancements, comprehensive key management services, and extensive support resources, positioning it as the preferred choice for organizations seeking advanced data encryption solutions.

Cryptographic Key Management

Fively recommends: choose AWS.

As organizations entrust cloud platforms with their most sensitive data, the mechanisms these platforms employ for key management become a focal point of their security posture. Both AWS and Azure offer sophisticated solutions for cryptographic key management, but understanding their nuances is a must:

AWS Key Management

Amazon Web Services Key Management Service (KMS) stands out for its robust approach to cryptographic key management. AWS KMS operates with a dual-key hierarchy: it generates master keys for the creation of data keys, which are then utilized for data encryption and decryption processes.

In this system, users have control over their data keys, while master keys can be managed by either the customer or AWS. Built on FIPS 140-2 validated hardware security modules, AWS KMS ensures the highest level of security for key management:

Centralized key management: Offers streamlined control over keys across the AWS ecosystem;
Seamless AWS integration: Enhances data encryption across various AWS services effortlessly;
Automatic key rotation: Improves security by regularly updating keys;
Secure storage: Utilizes hardware security modules for the safeguarding of keys;
Comprehensive compliance: Meets a wide range of security standards and regulations, ensuring adherence to stringent security protocols.

Microsoft Azure Key Vault

It excels in the secure management and storage of cryptographic keys, secrets, and certificates, overseeing the entire lifecycle of keys:

Protected storage: Utilizes FIPS 140-2 Level 2 validated hardware for the secure retention of keys and secrets;
Access control and audit logging: Monitors and controls access, providing detailed logs for critical operations;
Seamless integration: Facilitates encryption and decryption across Azure services, enhancing application security;
HSM support: Offers options for additional protection via Hardware Security Modules;
Regulatory compliance: Azure security features ensure data and application safety in the cloud while maintaining compliance with relevant standards.

The choice between Azure security vs AWS security may hinge on specific organizational needs and integration requirements within their respective cloud environments.

Monitoring

Fively recommends: choose AWS.

The stream of data generated by your cloud and on-premise environments is invaluable for maintaining the health and performance of your infrastructure. However, the true utility of this data lies in its interpretation and application. Both AWS and Azure furnish comprehensive tools to distill, analyze, and act upon your infrastructure data effectively.

AWS CloudWatch

Amazon Web Services presents CloudWatch, its flagship monitoring solution, designed to centralize operational and performance data from all your systems and applications:

Enhanced visibility: The CloudWatch dashboard champions clarity, offering extensive customization to track specific application groups. Its intuitive visualizations, including graphs and metrics, provide immediate insights into key infrastructure aspects tailored to your organizational context.
Proactive monitoring: Leveraging user-defined thresholds alongside machine learning algorithms, CloudWatch adeptly spots anomalies, triggering alarms to alert administrators about unusual activities. This proactive stance is complemented by the ability to initiate automated responses, such as deactivating idle instances, optimizing both security and resource utilization.
Operational efficiency: Beyond monitoring, CloudWatch enhances operational efficiency through features like auto-scaling, which dynamically adjusts performance based on real-time metrics such as CPU usage, ensuring optimal resource allocation.

Azure Monitor

Microsoft's Azure Monitor aims to aggregate and present performance and availability data across the Azure ecosystem, extending its reach to on-premise environments for comprehensive visibility

Data organization: Azure Monitor endeavors to streamline data navigation by segregating it into metrics and logs, each serving distinct purposes – from quick issue detection to in-depth data analysis across various sources;
User-driven customization: While it offers a wealth of data, Azure Monitor requires users to navigate through its dense dashboard and learn its data categorization for effective use, presenting a steeper learning curve compared to CloudWatch;
Automation and response: Azure Monitor matches CloudWatch in offering automation for resource scaling and security alerts. However, it primarily relies on predefined metrics, contrasting with CloudWatch’s integration of machine learning for a more adaptive and intuitive monitoring experience.

Monitoring is a critical component of cloud management, ensuring the robustness and efficiency of cloud infrastructure. While both AWS and Azure offer powerful tools for infrastructure monitoring, AWS CloudWatch takes the lead with its user-friendly interface, advanced anomaly detection, and comprehensive automation capabilities, making it a preferred choice for organizations aiming for in-depth monitoring and operational intelligence.

Threat Detection

Fively recommends: choose Azure.

Ensuring your cloud environment is monitored for vulnerabilities is crucial, yet the real game-changer is the ability of your cloud service to autonomously detect anomalies signaling potential cyber threats. Both AWS and Azure excel in offering automated security assessments to safeguard your infrastructure.

AWS Inspector

AWS introduces AWS Inspector, an agent-driven service meticulously designed to scan your cloud environment for security weaknesses. While AWS Inspector provides a solid foundation for identifying vulnerabilities, particularly within AWS EC2 instances, it presents certain limitations.

Considerations for AWS Inspector:

Manual intervention: Insights gleaned from AWS Inspector require manual remediation efforts, and understanding these insights necessitates exporting data into CSV formats, adding steps to the security management process;
Scope of scanning: The scope of AWS Inspector's vulnerability scanning is predominantly confined to EC2 instances, restricting its breadth of threat detection across the AWS ecosystem.

AWS GuardDuty

AWS GuardDuty is a fully managed threat detection service that employs sophisticated machine learning and anomaly detection techniques. It scrutinizes event logs, including AWS CloudTrail, Amazon VPC flow logs, and DNS logs, to detect unexpected and unauthorized activities that may indicate a security threat.

Advantages of AWS GuardDuty:

No manual setup required: GuardDuty is designed to be easily enabled with just a few clicks, requiring no additional software or agents to be installed, thus providing immediate threat detection capabilities;
Real-time alerts: Upon detection of a potential threat, GuardDuty sends out detailed alerts, enabling swift action to mitigate risks, thereby improving the organization’s response to incidents;
Continuous monitoring and updates: AWS continuously updates GuardDuty’s intelligence feeds and detection algorithms, ensuring the service evolves to meet emerging threats.

AWS GuardDuty exemplifies AWS’s commitment to robust cloud security, offering an advanced, intelligent solution for threat detection.

Azure Security Center

In contrast, Azure amplifies threat detection capabilities within the Azure Security Center, presenting a more comprehensive solution for identifying potential security threats across a wider array of services.

Advantages of Azure Security Center:

Extensive coverage: Azure's approach to threat detection spans a broader spectrum, including firewalls, Azure virtual machines, storage disks, and SQL databases, ensuring a more exhaustive security posture;
Seamless reporting: Uniquely, Azure Security Center benefits from direct integration with Microsoft Power BI, Microsoft’s advanced business analytics service. This integration facilitates the effortless visualization of security reports directly within Azure, streamlining the process of interpreting and acting on security data.

Azure Sentinel

In the vanguard of Microsoft Azure's security services, Azure Sentinel stands as a cutting-edge security information and event management (SIEM) service. Designed to empower security analysts to detect, prevent, and respond to threats across their entire enterprise, Azure Sentinel harnesses the power of cloud-scale AI to provide a comprehensive and proactive security solution.

Key Features of Azure Sentinel:

Wide-ranging data collection: Sentinel seamlessly collects data across all dimensions of the enterprise, providing a holistic view of the security posture.
Advanced threat detection: Utilizing state-of-the-art AI, Sentinel detects known and unknown threats, employing analytics that minimize false positives and ensure accurate threat identification.
Automated security orchestration: Azure Sentinel automates common tasks and orchestrates responses to incidents, allowing security teams to focus on more strategic activities.
Integrated investigation and response: The service offers integrated tools for investigating alerts and incidents, enabling analysts to swiftly understand and remediate threats.

While both AWS and Azure provide valuable automated security assessment tools, Azure takes a definitive lead in threat detection with its Azure Security Center. Its comprehensive coverage across various Azure services, coupled with the seamless integration with Power BI for enhanced report visualization, positions Azure as the superior choice for organizations prioritizing advanced threat detection and streamlined security management in their cloud infrastructure.

Sensitive Data Discovery

Fively recommends: it depends.

Both AWS and Azure offer sophisticated tools designed to navigate through the complex cloud environment, identify sensitive data, and implement protective measures. These tools, Amazon Macie and Azure Information Protection, stand as sentinels in the cloud, each with unique capabilities to safeguard valuable data assets.

Amazon Macie

Amazon Macie emerges as a key player in AWS's security suite, specifically engineered to bolster data protection within the AWS ecosystem. Macie excels in uncovering, classifying, and securing sensitive data sprawled across AWS services.

Key Features of Amazon Macie:

Automated Data Identification: Utilizes advanced pattern recognition and machine learning technologies to automatically pinpoint and classify sensitive data, including personal information, intellectual property, and financial records;
Proactive monitoring: Monitors data access and user activity to identify potential data breaches or unauthorized access, ensuring vigilant protection against data leaks;
Alert system: Informs users of potential security incidents, enabling swift action to mitigate risks.

Azure Information Protection

Azure Information Protection is Microsoft's answer to sensitive data management within the Azure cloud platform, offering a comprehensive solution for discovering, classifying, and safeguarding sensitive information.

Distinctive Aspects of Azure Information Protection:

Sensitive data discovery: Scans the Azure environment to locate sensitive data, leveraging policy-based classifications to streamline data management;
Data protection measures: Employs encryption and rights management to secure data, ensuring its protection persists even when shared externally;
Lifecycle management: Facilitates persistent protection throughout the data's lifecycle within the cloud, adapting protections as necessary based on the data’s movement and usage.

Amazon Macie and Azure Information Protection each provide robust frameworks for the discovery and protection of sensitive data within their respective cloud environments. While both tools offer powerful features for data security, the choice between them may hinge on specific organizational needs and the cloud ecosystem in use.

Hardware Security Modules

Fively recommends: choose AWS.

Both AWS and Azure recognize the critical role of HSMs in cloud security, offering their specialized services: AWS CloudHSM and Azure HSM. These services underscore each platform's commitment to providing high-level security for their users' most valuable digital assets.

AWS CloudHSM

Amazon Web Services offers the AWS CloudHSM service, a dedicated hardware security module that champions the protection of encryption keys and the execution of cryptographic operations within a highly secure environment:

Key security and cryptographic operations: AWS CloudHSM is engineered to secure encryption keys against unauthorized access and cyber threats, ensuring a safe haven for cryptographic operations;
Ownership and control: It empowers users with the ability to generate, manage, and own their encryption keys, providing an enhanced layer of security within the AWS ecosystem;
Assured data integrity: The service allows users to maintain control over key management, crucial for preserving data integrity and security within the cloud.

Azure HSM

In the Azure cloud platform, Azure HSM stands as a robust hardware security module service, delivering key features to safeguard data protection efforts:

High-level hardware security: Leveraging FIPS 140-2 Level 3 validated hardware, Azure HSM meets stringent security standards, ensuring the utmost protection for cryptographic operations.
Support for essential cryptographic algorithms: Azure HSM supports a variety of cryptographic algorithms, including RSA and AES, facilitating secure encryption, decryption, and digital signature processes.
Seamless integration with Azure Key Vault: Enhancing its security capabilities, Azure HSM integrates with Azure Key Vault, offering a more secure management and storage solution for encryption keys.

While both services offer robust protection, the choice between AWS CloudHSM and Azure HSM may depend on specific security needs, platform preferences, and integration capabilities. However, we recommend using AWS in most cases, which offers the bedrock upon which organizations can build a secure and resilient digital infrastructure.

DDoS Protection

Fively recommends: it depends.

Distributed Denial of Service (DDoS) attacks remain one of the most potent dangers to cloud-based services: they aim to overwhelm systems with a flood of internet traffic, disrupting service and potentially causing significant downtime. Recognizing the severity of these threats, both AWS and Microsoft Azure have developed robust DDoS protection services: AWS Shield and Azure DDoS Protection.

AWS Shield

AWS Shield is a managed DDoS protection service that offers automatic safeguards against common and complex DDoS attacks. It is engineered to protect applications running on AWS.

Key Features of AWS Shield:

Two tiers of protection: AWS Shield provides two levels of service: Standard and Advanced. Shield Standard offers basic protection at no additional cost for all AWS customers, automatically protecting services like Amazon EC2, Amazon CloudFront, and Amazon Route 53. Shield Advanced provides enhanced protections with additional detection and mitigation capabilities, along with 24/7 access to the AWS DDoS Response Team (DRT);
Cost protection: AWS Shield Advanced includes financial safeguards against scaling charges resulting from DDoS-related traffic spikes, offering peace of mind during attacks;
Integration and simplicity: Seamlessly integrated with AWS services, AWS Shield provides easy deployment and management, allowing for automatic protection without the need for manual intervention.

Azure DDoS Protection

Azure DDoS Protection, part of Microsoft's Azure platform, provides full-spectrum DDoS protection to safeguard Azure resources.

Key Features of Azure DDoS Protection:

Comprehensive protection: Azure DDoS Protection Standard offers enhanced DDoS mitigation capabilities for Azure services, including virtual networks. It is designed to defend against a wide range of DDoS attack vectors;
Adaptive tuning: Leveraging machine learning, Azure DDoS Protection automatically tunes protection policies based on insights into application traffic patterns, enhancing defense mechanisms over time;
Detailed analytics: It provides extensive monitoring and alerting capabilities, allowing users to analyze traffic and understand attack patterns through Azure Monitor views;
Integration and support: Azure DDoS Protection integrates with other Azure security services for a holistic security posture and is backed by Microsoft's global incident response team.

DDoS attacks can strike at any time, disrupting operations and compromising user trust. Both AWS Shield and Azure DDoS Protection offer formidable defenses against these disruptions, tailored to their respective cloud environments.

Navigating the Cloud with Fively: AWS or Azure?

Throughout my exploration of AWS vs Azure security, I've delved into various aspects of cloud security, from data encryption and key management to DDoS protection. Each platform brings its unique strengths to the table, catering to different requirements and scenarios.

Understanding that each project is unique, Fively takes a tailored approach to cloud services. While we often recommend AWS services for their comprehensive features, scalability, and robust security, we recognize that Azure holds a significant place in the cloud ecosystem, especially for projects deeply integrated with Microsoft products or requiring specific Azure strengths.

Our Tips for Choosing the Right Platform for Your Project:

Evaluate your needs: Consider the specific requirements of your project. Are you looking for extensive machine learning capabilities, IoT integration, or perhaps, seamless integration with existing Microsoft infrastructure?
Consider security and compliance: Both AWS and Azure offer strong security features, but your industry's particular compliance requirements might sway your choice;
Flexibility and scalability: Assess how each platform's scaling options and pricing models align with your anticipated growth and budget constraints.

Fively is here to guide you through this decision-making process, ensuring that your cloud strategy is robust, secure, and perfectly aligned with your objectives. Don’t hesitate to contact us to talk about your project idea and let’s fly together!

Lambda Internals: the Underneath of AWS Serverless Architecture

Kiryl Anoshka — Fri, 15 Mar 2024 14:15:31 +0000

Discover how AWS Lambda works under the hood and get several tips on performance enhancement to refine your cloud solutions and serverless knowledge background.

In 2024, AWS Lambda redefines cloud computing with its serverless model, freeing developers from managing infrastructure. In this article I'd like to explore Lambda's internals: its operational model, containerization benefits, invocation methods, and the underlying architecture driving its efficiency and scalability.

Lambda Through the Eyes of a Regular Developer

For developers, AWS Lambda symbolizes a streamlined approach to application deployment and management. It's a shift from traditional server management to a more straightforward, code-focused methodology. It allows you to get the following benefits:

Deployment Simplified: Lambda allows developers to deploy their code easily, either by uploading a ZIP file or using a container image. This simplicity means developers spend less time on setup and more on writing effective code.
Language Choice: With support for various programming languages like Node.js, Python, Java, and Go, Lambda offers the freedom to work in a preferred language, enhancing coding efficiency and comfort.
Automatic Scaling: Lambda's auto-scaling feature removes the burden of resource management from the developer. This means no worrying about server capacity, regardless of the application's demand.

Now, let’s dive deeper into how the choice of deployment type can affect your overall AWS performance.

Deployment Choices and Performance Optimization in AWS Lambda

AWS Lambda offers two primary deployment methods for functions, each catering to different application sizes and requirements.

Deployment Options:

ZIP Deployment: This method suits smaller functions with limited dependencies. The ZIP deployment is straightforward but constrained by a lower size limit, making it less suitable for more extensive applications.
Container Image Deployment: For larger applications, Lambda supports container images up to 10 GB. This increased capacity is ideal for applications that need larger libraries or more significant dependencies.

What about performance optimization? AWS Lambda has several peculiarities here:

1) Invocation Constraint in Firecracker

Lambda uses Firecracker for creating microVMs, each handling one invocation at a time. This model means a single instance cannot simultaneously process multiple requests, a consideration for high-throughput applications.

2) Caching as a Performance Enhancement

Lambda employs a three-tiered caching system to improve function performance:

L1 Cache (Local Cache on Worker Host): Located directly on the worker host, this cache allows for quick access to frequently used data, essential for speeding up function invocations.
L2 Cache (Shared Across Worker Hosts and Customers): This shared cache holds common data across different Lambda functions and customers, optimizing performance by reducing redundant data fetching.
L3 Cache (S3 Bucket Managed by AWS): The L3 cache, for less frequently accessed data, provides efficient long-term storage in an S3 bucket, reducing retrieval times.

3) Optimizing Container Deployment

To maximize caching benefits, especially with container images, it's advisable to strategically structure container layers. Place stable elements like the operating system and runtime in base layers, and put frequently changing business logic in upper layers. This setup allows for more efficient caching of static components, speeding up the Lambda function's loading process.

Invocation Methods and Architecture of AWS Lambda

Now, let's focus on invocation methods to better understand how AWS Lambda genuinely works.

Lambda offers diverse invocation methods to suit different application needs and its architecture is designed to support these methods efficiently.

Invocation Methods:

Synchronous Invocation: Typically used for interactive workloads like APIs. An example is an API Gateway triggering a Lambda function, which then queries a database and responds directly. This method is immediate and responsive, suitable for real-time data processing.
Asynchronous Invocation: Used for scenarios like processing data uploaded to S3. The event triggers an internal queue managed by AWS Lambda, which then processes the function asynchronously. This method is ideal for workloads where immediate response to the triggering event is not required.
Event Source Mapping: Particularly useful for streaming data services like Kinesis or DynamoDB Streams. Lambda polls these sources and invokes the function based on the incoming data. This method efficiently handles batch processing and is integral for applications dealing with continuous data streams.

Lambda Architecture Under the Hood

Finally, we’re ready to dive into how Lambdas work under the hood:

Frontend Service: When a Lambda function is invoked, the frontend service plays a crucial role. It routes the request to the appropriate data plane services and manages the initial stages of the invocation process;
Worker Hosts and MicroVMs: Lambda operates with worker hosts that manage numerous microVMs, crafted by Firecracker. Each microVM is uniquely dedicated to a single function invocation, ensuring isolated and secure execution environments. Furthermore, the architecture is designed so that multiple worker hosts can concurrently handle invocations of the same Lambda function. This setup not only provides high availability and robust load balancing but also enhances the scalability and reliability of the service across different availability zones;
Firecracker: Firecracker is a vital component in Lambda’s architecture. It enables the creation of lightweight, secure microVMs for each function invocation. This mechanism ensures that resources are efficiently allocated and scaled according to the demand of the Lambda function;
Internal Queueing in Lambda: For asynchronous invocation processes, AWS Lambda implements an internal queuing mechanism. When events trigger a Lambda function, they are initially placed in this internal queue. This system efficiently manages the distribution of events to the available microVMs for processing. The internal queue plays a crucial role in balancing the load, thereby maintaining the smooth operation of Lambda functions, especially during spikes in demand or high-throughput scenarios.

As you can see, it is the infrastructure that ensures the successful operation of AWS Lambdas. The number of Lambda calls is already surpassing trillions per month, and recently, on the 6th of December 2023, the scalability feature of AWS Lambda has been further enhanced up to 12 times, so the understanding of the Lambda internals will help you grasp how this became possible.