The latest articles on DEV Community by Guillaume LANNEBERE (@guillan40). https://dev.to/guillan40 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F503307%2F0c2905bb-f184-46fe-aa66-1b72e4b152bd.jpg https://dev.to/guillan40 en Guillaume LANNEBERE Sat, 05 Feb 2022 08:22:08 +0000 https://dev.to/aws-builders/should-we-consider-migrate-to-amazon-eventbridge-from-amazon-sns-sqs--4dgi https://dev.to/aws-builders/should-we-consider-migrate-to-amazon-eventbridge-from-amazon-sns-sqs--4dgi <p>In early 2019, Betclic was in a corner, and we decided to migrate to microservices approach and migrate to the cloud.</p> <p>The first step of this change was the implementation of an Event Driven Architecture (EDA).</p> <h2> <strong>Betclic presentation</strong> </h2> <p>Before speaking of architecture and EDA, it’s essential to know what Betclic is doing to understand our choice quickly.</p> <p>Betclic is a French online gambling company. Betclic operates in Sports betting, horse race betting, and online poker.</p> <p>The specificity of gambling is that we don’t have predictive traffic. We have high traffic peaks during significant events and weekends. We can see an example of traffic on a soccer event:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2112%2F1%2Az9f5RHRSBqy5iFEc5te3zg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2112%2F1%2Az9f5RHRSBqy5iFEc5te3zg.png" alt="Example of traffic"></a></p> <h2> <strong>EDA wishlist</strong> </h2> <p>When beginning 2019, we did a workshop to identify the key features of our ideal EDA; we would like something:</p> <ul> <li><p>allowing <strong>multiple reads</strong>: the same message can be read by various services</p></li> <li><p>with <strong>error recovery</strong>: in case of error, we would like to replay events</p></li> <li><p><strong>easy to monitor</strong>: particularly with <strong>Datadog</strong>, our centralized monitoring solution</p></li> <li><p>with <strong>schema registry</strong></p></li> <li><p><strong>language-agnostic</strong>: we use 3 main languages <strong>.net</strong>, *<em>Kotlin, **and **Typescript *</em>(for Lambda), and the chosen solution must work with all languages</p></li> <li><p>with <strong>analytics capabilities</strong>: we would like to integrate all our events of EDA in our data lake</p></li> <li><p><strong>fully managed</strong></p></li> <li><p>with <strong>auto scaling</strong>: essential feature for us; we have unpredictable traffic with big spikes at the end of matches, so we need to have an EDA to be able to absorb our spikes</p></li> <li><p>with <strong>low latency and high availability</strong>: also an essential feature, we would like our EDA to serve critical use cases for our final users, so we want something the most real-time and the most available possible</p></li> <li><p><strong>well-integrated with AWS services</strong>: EDA is one of our first bricks in the cloud, but we want something to help us to migrate to AWS</p></li> <li><p><strong>easy to use</strong>: we want all the time something easy to use :) but here it’s particularly true because EDA is a centralized solution, and the majority of our developers will use it (and back in 2019 majority of our developers wasn’t Cloud developer)</p></li> <li><p><strong>cost-effective</strong>: what is the cost-effectiveness?</p></li> </ul> <h2> <strong>2019: Amazon SNS + Amazon SQS: The best solution</strong> </h2> <p>Remember here; we were beginning 2019: Amazon EventBridge (<a href="https://aws.amazon.com/about-aws/whats-new/2019/07/introducing-amazon-eventbridge/" rel="noopener noreferrer">announced in July 2019</a>) or Amazon MQ for RabbitMq (<a href="https://aws.amazon.com/about-aws/whats-new/2020/11/announcing-amazon-mq-rabbitmq/" rel="noopener noreferrer">announced in November 20</a>20) weren’t out.</p> <p>Following our needs, we decided to combine Amazon SNS with Amazon SQS.</p> <p>Amazon SNS is essential in our solution because it helps us to do <strong>multiple reads</strong> and also helps us to <strong>centralize the solution.</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2782%2F1%2Ae2DoSQSXWLkHezghh75zWw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2782%2F1%2Ae2DoSQSXWLkHezghh75zWw.png" alt="Amazon SNS — Publisher"></a></p> <ul> <li><p>All events are published in a centralized Amazon SNS</p></li> <li><p>Each functional domain has its own topic</p></li> <li><p>Each functional domain can publish only on its own topic</p></li> <li><p>Lambda/Fargate/On-Premise publish in the same manner</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3062%2F1%2AeFrIFYlUBAKV3IdY0kKfAQ.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3062%2F1%2AeFrIFYlUBAKV3IdY0kKfAQ.png" alt="Amazon SNS + Amazon SQS — Consumer"></a></p> <ul> <li><p>A service consume only events of another functional domain</p></li> <li><p>Each service has its own queue with its own filter</p></li> <li><p>A filter is based on an <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-message-attributes.html" rel="noopener noreferrer">Amazon SNS message attributes, </a>and it’s limited to 10 attributes</p></li> <li><p>Fargate/On-Premise service consume in the same manner</p></li> <li><p>For Lambda, we prefer to create an Amazon SNS subscription of type Lambda with a filter and consume directly from Amazon SNS</p></li> </ul> <h3> <strong>Custom features</strong> </h3> <p>Following the wish list features listed above, the majority of features are taken into account in this architecture excepted:</p> <ul> <li><p>schema registry</p></li> <li><p>error recovery</p></li> <li><p>analytics capabilities</p></li> </ul> <p>We decided to make a custom implementation for these features.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3100%2F1%2A0QtGR7RA9-tF76GcCXY0lg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3100%2F1%2A0QtGR7RA9-tF76GcCXY0lg.png" alt="Error recovery and analytics capabilities"></a></p> <ul> <li><p>Error recovery and analytics capabilities are implemented in the same architecture</p></li> <li><p>All events are stored in our Data Lake with the help of Kinesis Data Firehose and Amazon S3</p></li> <li><p>In case of an issue, we can replay events by extracting events from our data lake to Amazon S3. An object S3 triggers a Lambda and Lambda push events to correct topic in Amazon SNS.</p></li> <li><p>We store events in a file in case of connectivity failure between our on-premise and AWS. Once connectivity comes back, events of the files are pushed to Amazon SNS on the correct topic with the help of FluentD</p></li> </ul> <p>One feature that is missing for now on error recovery it’s the ability to replay events on a specific SQS queue. All the events are replayed to an SNS topic, so all events consumers service receive events again. <a href="https://en.wikipedia.org/wiki/Idempotence" rel="noopener noreferrer">**Idempotence</a>** is necessary for consumer services.</p> <p>Concerning schema registry, nothing is in production for now. We have just developed a portal with all the available events and a debug console to validate the event format in Stage environment.</p> <h3> Cost </h3> <ul> <li><p>550 million events are published by month</p></li> <li><p>The average size of an event is 630 B / event</p></li> <li><p>1.1 billion events are transferred for domain (average of 2 services consume an event)</p></li> <li><p>1.5 billion Amazon SQS requests are made to consume and delete events</p></li> </ul> <p><strong>Publication cost in Amazon SNS</strong></p> <ul> <li>550 million events published = <strong>$ 275.50</strong> </li> </ul> <p><strong>Consumption cost in Amazon SNS + Amazon SQS</strong></p> <ul> <li><p>Amazon SNS: Data transfer = 1.1 billion events x 630 B = 693 Gb transferred ==&gt; 693 x 0.09 (price by Gb out)= <strong>$ 63.78</strong></p></li> <li><p>Amazon SQS: Events sent = 1.1 billion events = <strong>$ 440</strong></p></li> <li><p>Amazon SQS: Receive + Delete = 1.5 billion requests = <strong>$ 600</strong></p></li> </ul> <p>Consumption cost = $ 1103.78</p> <p><strong>Error recovery + analytics capabilities</strong></p> <ul> <li><p>550 million events published to Kinesis Data Firehose = <strong>$ 104.50</strong></p></li> <li><p>346.5 Gb of data transferred from Amazon SNS to Kinesis Data Firehose = <strong>$ 31.09</strong></p></li> <li><p>Kinesis Data Firehose cost = <strong>$ 81.30</strong></p></li> <li><p>S3 cost with 1 month retention = 346.5 Gb of data = <strong>$ 7.97</strong></p></li> </ul> <p>Total cost = <strong>$ 1603.14</strong></p> <p>Lambda for replay isn’t estimated because we don’t know how many replays we do monthly.</p> <p>Detail of the price is available in AWS calculator <a href="https://calculator.aws/#/estimate?id=361d64ff4ebc02695480c818b205cafcfe1df0c7" rel="noopener noreferrer">here</a>.</p> <h2> 2021: Amazon EventBridge ? </h2> <p>As we saw in 2019, our best choice for EDA was Amazon SNS + Amazon SQS. Is it still right in 2021?</p> <p>A lot of interesting features have been out on Amazon EventBridge for 2 years:</p> <ul> <li><p><a href="https://aws.amazon.com/about-aws/whats-new/2020/02/introducing-content-filtering-amazon-eventbridge/" rel="noopener noreferrer">Content filtering </a>(02/2020)</p></li> <li><p><a href="https://aws.amazon.com/about-aws/whats-new/2020/04/amazon-eventbridge-schema-registry-now-generally-available/" rel="noopener noreferrer">Schema registry</a> (04/2020)</p></li> <li><p><a href="https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-eventbridge-announces-support-dead-letter-queues/" rel="noopener noreferrer">Dead letter queues</a> (10/2020)</p></li> <li><p><a href="https://aws.amazon.com/about-aws/whats-new/2020/11/amazon-eventbridge-introduces-support-for-event-replay/" rel="noopener noreferrer">Event replay</a> (11/2020)</p></li> <li><p><a href="https://aws.amazon.com/about-aws/whats-new/2020/11/amazon-eventbridge-adds-server-side-encryption-sse-and-increases-default-quotas/" rel="noopener noreferrer">Increase quotas</a> (11/2020)</p></li> <li><p><a href="https://aws.amazon.com/about-aws/whats-new/2021/04/amazon-eventbridge-introduces-support-cross-region-event-bus-targets/" rel="noopener noreferrer">Cross account</a> (04/2021)</p></li> </ul> <p>According to this, all the features of our wishlist are natively supported.</p> <p>We can imagine doing something like this for publishing events with Amazon EventBridge:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2782%2F1%2AKKHft7ooAygd6hFYEksy0Q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2782%2F1%2AKKHft7ooAygd6hFYEksy0Q.png" alt="Amazon EventBridge — Publisher"></a></p> <ul> <li><p>All events are published in a centralized Amazon EventBridge</p></li> <li><p>Each functional domain has its own Event Bus</p></li> <li><p>Each functional domain can publish only in its own Event Bus</p></li> <li><p>Lambda/Fargate/On-Premise publish in the same manner</p></li> <li><p>Schema Registry is natively supported, Events are defined in Schema Registry, and developers generate code based on these events (<a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema-code-bindings.html" rel="noopener noreferrer">Code bindings</a> isn’t supported in the language that we use in Betclic)</p></li> <li><p>Schema Discovery allows knowing which events are published to Amazon EventBridge and allows to identify events that don’t respect the contract</p></li> <li><p>Schema Discovery and Schema Registry are fully managed</p></li> </ul> <p>Schema Discovery is generally activated on-demand in Production.</p> <p>For consuming events, something like that:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3422%2F1%2AZ4Gq526eIxDYG4MbhLyBbA.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3422%2F1%2AZ4Gq526eIxDYG4MbhLyBbA.png" alt="Amazon EventBridge — Consumer"></a></p> <ul> <li><p>A service consume only events of another functional domain</p></li> <li><p><a href="https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/" rel="noopener noreferrer">To send events to other accounts</a>, we need to publish on a new Amazon EventBridge Event Bus</p></li> <li><p>Events can be filtered on all the data of the events</p></li> <li><p>Amazon EventBridge can’t publish directly to Fargate or On-Premise; we need to pass by an Amazon SQS queue to consume in this case</p></li> <li><p>Each service has its own EventBridge Rule, its own queue with its own filter</p></li> <li><p>Fargate/On-Premise service consume in the same manner</p></li> <li><p>For Lambda, we consume directly from Amazon EventBridge through a rule</p></li> </ul> <h3> <strong>Error recovery and analytics capabilities</strong> </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2196%2F1%2Aluyx5a5ymPa5n39CKE4ebA.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2196%2F1%2Aluyx5a5ymPa5n39CKE4ebA.png" alt="Amazon EventBridge — Error recovery and analytics capabilities"></a></p> <ul> <li><p>Error recovery and analytics capabilities are fully managed with Amazon EventBridge</p></li> <li><p>All events are stored in our Data Lake with the help of Kinesis Data Firehose and Amazon S3</p></li> <li><p>In case of issue, we can replay events directly from Amazon EventBridge</p></li> <li><p>Possibility to replay data on a specific rule or all the rules</p></li> </ul> <h3> <strong>Cost</strong> </h3> <p>We have the following based on the same elements as Amazon SNS + SQS.</p> <p><strong>Publication cost in Amazon EventBridge</strong></p> <ul> <li>550 million events published = <strong>$ 550</strong> </li> </ul> <p><strong>Consumption cost in Amazon EventBridge</strong></p> <ul> <li><p>Amazon EventBridge: Events transferred to others Event Bus= 1.1 billion events = <strong>$ 1100</strong></p></li> <li><p>Amazon SQS: Events sent = 1.1 billion events = <strong>$ 440</strong></p></li> <li><p>Amazon SQS: Receive + Delete = 1.5 billion requests = <strong>$ 600</strong></p></li> </ul> <p>Consumption cost = <strong>$ 2140</strong></p> <p><strong>Error recovery + analytics capabilities</strong></p> <ul> <li><p>Kinesis Data Firehose cost = <strong>$ 81.30</strong></p></li> <li><p>S3 cost with 1 month retention = 346.5 Gb of data = <strong>$ 7.97</strong></p></li> <li><p>EventBridge archive for 3 months: = 346.5 Gb x 3 months = 1039 Gb x $ 0.11 = <strong>$ 114.29</strong></p></li> </ul> <p>Total cost = <strong>$ 2893.56</strong></p> <p>EventBridge replay and Schema Registry aren’t estimated because we don’t know how many replays/discoveries we will do monthly.</p> <p>Detail of the price (without EventBridge archive) is available in AWS calculator <a href="https://calculator.aws/#/estimate?id=79965fd07e79cf32088d8451951a3dfe3b1723bc" rel="noopener noreferrer">here</a>.</p> <h2> Conclusion </h2> <p>Amazon EventBridge has all the features that we want natively supported. No need to implement custom features with EventBridge.</p> <p>However, cross-account EventBridge is more complicated than Amazon SNS because 2 rules need to be updated to consume a new event in a domain. In contrast, SNS need only the creation of 1 subscription with the correct filter.</p> <p>It would have been nice to allow EventBridge to publish Events directly with Fargate and even better with On-Premise server. This feature is missing because we need to consume from Amazon SQS.</p> <p>So in terms of features, Amazon EventBridge wins over Amazon SNS + SQS.</p> <p>Concerning the price, it’s a little bit different.</p> <p>The cost of the architecture with Amazon SNS + SQS, in our case, is <strong>$ 1603.14.</strong></p> <p>While with EventBridge, the cost of the same architecture is <strong>$ 2893.56.</strong></p> <p><strong>80%</strong> of cost difference is huge. Is it the price of the missing features of Amazon SNS compared to EventBridge ?</p> <p>In Betclic, the choice is quickly seen; we have already developed the missing features that we want, so we are not interested in migrating to Amazon EventBridge. But we follow the news of Amazon EventBridge carefully because it’s a constantly evolving service.</p> aws architecture cloud eventdriven Guillaume LANNEBERE Mon, 11 Jan 2021 16:33:11 +0000 https://dev.to/aws-builders/serverless-proxy-with-aws-api-gateway-and-aws-lambda-3bd2 https://dev.to/aws-builders/serverless-proxy-with-aws-api-gateway-and-aws-lambda-3bd2 <p>It's sometimes difficult to communicate between public and private subnet in AWS.<br> We will see how we can easily do that with the help of API Gateway and AWS Lambda. </p> <h1> <strong>Use case example</strong> </h1> <h2> <strong>Example 1</strong> </h2> <p>It's sometimes necessary to have a Github repository communicating with a private EC2 instance.<br><br> But when an instance is private, it can be really complicated without impacting the security of the instance. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fhunix4fbomsybaxo1k73.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fhunix4fbomsybaxo1k73.png" alt="Alt Text"></a></p> <p><strong>Solution</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fe9ekaa7igw73gl5raaau.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fe9ekaa7igw73gl5raaau.png" alt="Alt Text"></a></p> <p>Github Webhook calls a Public API Gateway, API Gateway triggers a Lambda attached to VPC. The role of this Lambda is to forward the content of the Github Webhook to the EC2 instance.<br><br> <strong>Remark</strong>: An AWS Lambda attached to a VPC isn't deployed inside the VPC, an Elastic Network Interface (ENI) is created to link the Lambda function and the different subnets inside the VPC. </p> <h2> <strong>Example 2</strong> </h2> <p>Other example, we may need to communicate between a public instance inside a public subnet and a private instance inside a private subnet inside a VPC. <br> For security reason, direct routing between Public subnet and private Subnet is not possible. So, to facilitate this, it's possible to use this solution of Serverless Proxy.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fspjtgmfdjvrmjfer6k71.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fspjtgmfdjvrmjfer6k71.png" alt="Alt Text"></a></p> <p><strong>Solution</strong><br><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fz9fu2qjzvx1m15z9vi2h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fz9fu2qjzvx1m15z9vi2h.png" alt="Alt Text"></a><br> On the same way as Solution 1, we can communicate between Public and Private instance via a Serverless Proxy thanks to AWS Api Gateway and AWS Lambda.<br> This solution is easy to implement, highly scalable, secure and not expensive.</p> <h1> <strong>Implementation</strong> </h1> <h2> <strong>AWS Lambda</strong> </h2> <p>Lambda function is quite simple. The goal of this lambda is just to forward the information received from API Gateway to the destination inside VPC. <br> Here we use python and Lambda function is as simple as that:</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">urllib3</span> <span class="k">def</span> <span class="nf">main</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">url</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">URL</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Two way to have http method following if lambda proxy is enabled or not </span> <span class="k">if</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">httpMethod</span><span class="sh">'</span><span class="p">):</span> <span class="n">http_method</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">httpMethod</span><span class="sh">'</span><span class="p">]</span> <span class="k">else</span><span class="p">:</span> <span class="n">http_method</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">requestContext</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">http</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">method</span><span class="sh">'</span><span class="p">]</span> <span class="n">headers</span> <span class="o">=</span> <span class="sh">''</span> <span class="k">if</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">headers</span><span class="sh">'</span><span class="p">):</span> <span class="n">headers</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">headers</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Important to remove the Host header before forwarding the request </span> <span class="k">if</span> <span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Host</span><span class="sh">'</span><span class="p">):</span> <span class="n">headers</span><span class="p">.</span><span class="nf">pop</span><span class="p">(</span><span class="sh">'</span><span class="s">Host</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">host</span><span class="sh">'</span><span class="p">):</span> <span class="n">headers</span><span class="p">.</span><span class="nf">pop</span><span class="p">(</span><span class="sh">'</span><span class="s">host</span><span class="sh">'</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="sh">''</span> <span class="k">if</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">):</span> <span class="n">body</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">]</span> <span class="k">try</span><span class="p">:</span> <span class="n">http</span> <span class="o">=</span> <span class="n">urllib3</span><span class="p">.</span><span class="nc">PoolManager</span><span class="p">()</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="n">method</span><span class="o">=</span><span class="n">http_method</span><span class="p">,</span> <span class="n">url</span><span class="o">=</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">body</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">:</span> <span class="n">resp</span><span class="p">.</span><span class="n">data</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="n">resp</span><span class="p">.</span><span class="n">status</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="p">}</span> <span class="k">except</span> <span class="n">urllib3</span><span class="p">.</span><span class="n">exceptions</span><span class="p">.</span><span class="n">NewConnectionError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">Connection failed.</span><span class="sh">'</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sh">'</span><span class="s">Connection failed.</span><span class="sh">'</span> <span class="p">}</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>To redirect requests I use the python lib urllib3, for more information or if you want to update the code check <a href="https://urllib3.readthedocs.io/en/latest/user-guide.html" rel="noopener noreferrer">the official documentation</a>.<br><br> To facilitate the deployment, backend url is passed in environment variable.<br><br> This lambda need to be attached to a VPC.<br><br> To know how to optimize Lambda for cost and/or performance, 2 tools exists:</p> <ol> <li>the well know <a href="https://github.com/alexcasalboni/aws-lambda-power-tuning" rel="noopener noreferrer">AWS Lambda Power Tuning</a> </li> <li><a href="https://aws.amazon.com/about-aws/whats-new/2020/12/aws-compute-optimizer-delivers-recommendations-aws-lambda-functions/" rel="noopener noreferrer">AWS Compute Optimizer</a></li> </ol> <p>By executing the Forwarder Lambda with 50 parallel executions thanks to Lambda Power Tuning tool, I have the following result:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F5wq5h6bg8ycvo4vnsgaz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F5wq5h6bg8ycvo4vnsgaz.png" alt="Forward Lambda - Lambda Power Tuning"></a></p> <p>We can see that <strong>512 mb</strong> of memory is the best for this Lambda with 9 ms execution time on average.</p> <h2> <strong>AWS Api Gateway</strong> </h2> <p>Here AWS Api Gateway need to be public and have an AWS Lambda integration. So 2 types of Api Gateway can be used:</p> <ol> <li>REST Api</li> <li>HTTP Api</li> </ol> <p><a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html" rel="noopener noreferrer">Let's see how to choose between both types of Api Gateway.</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fitxzru2sooqg34lm7k6u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fitxzru2sooqg34lm7k6u.png" alt="REST Api / HTTP Api comparison"></a></p> <p>So here, we can see that REST Api have really more feature than HTTP Api, especially concerning security and optimization.<br><br> Concerning pricing, it's also really important to know that:<br> Requests are not charged for authorization and authentication failures.<br><br> Calls to methods that require API keys are not charged when API keys are missing or invalid.<br><br> API Gateway-throttled requests are not charged when the request rate or burst rate exceeds the preconfigured limits.<br> Usage plan-throttled requests are not charged when rate limits or quota exceed the preconfigured limits. </p> <p>More information <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-pricing.html" rel="noopener noreferrer">here</a>.<br><br> Another important things to know before choosing between REST Api or HTTP Api is to take care about security and particularly about the most common attacks in the cloud:</p> <ol> <li>Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks</li> <li>Denial-of-wallet (DoW) attacks</li> </ol> <p><a href="https://portswigger.net/daily-swig/denial-of-wallet-attacks-how-to-protect-against-costly-exploits-targeting-serverless-setups" rel="noopener noreferrer">Denial-of-Wallet (DoW)</a> exploits are similar to traditional denial-of-service (DoS) attacks in the sense that both are carried with the intent to cause disruption.<br><br> However, while DoS assaults aim to force a targeted service offline, DoW seeks to cause the victim financial loss.<br><br> And also we can see that everybody is concerned by DoW or generally costs out of control in the Cloud and not only big companies: multiple examples exist for example <a href="https://chrisshort.net/the-aws-bill-heard-around-the-world/" rel="noopener noreferrer">this one</a> or <a href="https://www.theregister.com/2020/12/10/google_cloud_over_run/" rel="noopener noreferrer">lately this one</a>.</p> <p><strong>Recommendation</strong><br><br> Following all the information above, my recommendation is to use REST Api when APIs calls can't be authenticated.<br><br> If it's possible to authenticate APIs calls and if pricing concern is an important consideration, HTTP api can be used.<br> So here in example 1, REST api should be used because it's not possible to authenticate calls from Github. In example 2, HTTP Api can be used if front APIs calls are authenticated else REST Api should be used.<br><br> <strong>Remarks</strong>: HTTP Api is quite new compared to REST Api. Some features are possible but complicate to deploy. Example, with Serverless Framework throttle isn't yet supported.</p> <h1> <strong>Deployment</strong> </h1> <p>To deploy the stack, I've decided to use Serverless Framework.<br> If you don't know Serverless Framework, I let you see the <a href="https://www.serverless.com/framework/docs/getting-started/" rel="noopener noreferrer">documentation</a>.<br> My serverless.yml looks like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">service</span><span class="pi">:</span> <span class="s">serverless-proxy</span> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">serverless-python-requirements</span> <span class="pi">-</span> <span class="s">serverless-prune-plugin</span> <span class="na">custom</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://myurl:80</span> <span class="c1">#to be replaced by backend url</span> <span class="na">vpcId</span><span class="pi">:</span> <span class="s">vpc-123456</span> <span class="c1">#to be replaced by vpc id</span> <span class="na">subnetIds</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">subnet-123</span><span class="pi">,</span> <span class="nv">subnet-456</span><span class="pi">,</span> <span class="nv">subnet-789</span> <span class="pi">]</span> <span class="c1">#to be replaced by subnet ids</span> <span class="na">pythonRequirements</span><span class="pi">:</span> <span class="c1">#serverless-python-requirements configuration</span> <span class="na">dockerizePip</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prune</span><span class="pi">:</span> <span class="c1">#serverless-prune-plugin configuration: 3 versions are kept</span> <span class="na">automatic</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">number</span><span class="pi">:</span> <span class="m">3</span> <span class="c1">#Create security group</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">SecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">SG for Serverless Proxy forwarder</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="s">${self:custom.vpcId}</span> <span class="na">SecurityGroupEgress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">serverless-proxy-sg</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws</span> <span class="na">runtime</span><span class="pi">:</span> <span class="s">python3.8</span> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="c1">#to be changed by your AWS function</span> <span class="na">functions</span><span class="pi">:</span> <span class="na">serverless-proxy</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.main</span> <span class="na">name</span><span class="pi">:</span> <span class="s">serverless-proxy</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Lambda Forwarder function</span> <span class="na">memorySize</span><span class="pi">:</span> <span class="m">512</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">URL</span><span class="pi">:</span> <span class="s">${self:custom.url}</span> <span class="na">vpc</span><span class="pi">:</span> <span class="na">securityGroupIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">SecurityGroup</span> <span class="na">subnetIds</span><span class="pi">:</span> <span class="s">${self:custom.subnetIds}</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">get</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">head</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">post</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">put</span> </code></pre> </div> <p>2 Serverless plugins are used:</p> <ul> <li> <a href="https://github.com/UnitedIncome/serverless-python-requirements" rel="noopener noreferrer">serverless-python-requirements</a>: to automatically bundle Python dependencies from requirements.txt</li> <li> <a href="https://github.com/UnitedIncome/serverless-python-requirements" rel="noopener noreferrer">serverless-prune-plugin</a>: to purge previous versions of AWS Lambda automatically</li> </ul> <p>"requirements.txt" looks like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> urllib3==1.25.8 </code></pre> </div> <p>3 parameters need to be updated before deploy the stack:</p> <ul> <li>url: with the correct url of your backend service</li> <li>vpcId: vpc id of where is deployed your backend service</li> <li>subnetIds: subnet ids of where is deployed your backend service</li> </ul> <p>"resources" part is used to create a new security group, we will see this in detail in the security part.<br><br> Concerning "functions" part:</p> <ul> <li>memorySize is 512mb according to AWS Lambda Power Tuning</li> <li>url is passed in environment variable in "environment" part</li> <li>Lambda is attached to vpc in "vpc" part</li> </ul> <p>In "event", we have here a <strong>REST Api</strong> with 4 routes /forward: GET, HEAD, POST and PUT. If you want another HTTP verb simply add a new route here.</p> <p>If you want to replace <strong>REST Api</strong> by <strong>HTTP Api</strong>, you have just to replace:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">get</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">head</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">post</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">put</span> </code></pre> </div> <p>By:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">get</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">head</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">post</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">put</span> </code></pre> </div> <p>Once everything is good, simply execute the following command to deploy the stack:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> sls deploy </code></pre> </div> <h1> <strong>Security</strong> </h1> <h2> <strong>Lambda</strong> </h2> <p>To protect Lambda against security attacks like Denial-of-Service or Denial-of-Wallet, it's important to:</p> <ul> <li>protect security group</li> <li>set a good timeout for the function</li> </ul> <p><strong>Security Group</strong><br><br> For Security Group, only the Egress port of your backend route need to be open. And only the specific IP (or CIDR block) need to be opened. <strong>No Ingress rule need to be opened.</strong> </p> <p>Example: if your backend route is on port 80 and IP: 172.0.0.10, Security Group need to be as following:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fi0r8zyc58kslm9vdk13b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fi0r8zyc58kslm9vdk13b.png" alt="Alt Text"></a></p> <p>This gives in "serverless.yml"</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">resources</span><span class="pi">:</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">SecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">SG for Serverless Proxy forwarder</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="s">${self:custom.vpcId}</span> <span class="na">SecurityGroupEgress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">172.0.0.10/32</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">serverless-proxy-sg</span> </code></pre> </div> <p><strong>Timeout</strong><br><br> Concerning timeout, it's important to set a good timeout to protect cost. As a reminder, a Lambda function is priced in function of the memory and the execution time. Minimum timeout is 1 second and maximum 900 seconds.<br><br> My suggestion is to set a timeout to 3 times the average execution time, average execution time is 9ms so here, we need to set the timeout to the minimum of 1 second.<br><br> It gives in "serverless.yml"</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">memorySize</span><span class="pi">:</span> <span class="s">512</span> <span class="na">timeout</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <h2> <strong>Api Gateway</strong> </h2> <p>In the same way as Lambda, Api Gateway need to be protected against security attacks. And it's even more important because Api Gateway here is public.<br><br> So we need to ensure:</p> <ul> <li>throttling is enabled and set at a correct value by endpoint</li> <li>authentication is enabled when it's possible</li> <li>usage plan and api key is enabled</li> <li>resource policy</li> </ul> <p><strong>Throttling</strong><br> To understand more precisely how throttling works, check this <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html" rel="noopener noreferrer">documentation</a>.<br><br> To enable throttling on REST Api with Serverless Framework, we need to install a new plugin:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">serverless-api-gateway-throttling</span> </code></pre> </div> <p>After this, 2 ways, first you set a throttling at the stage level and it will be applied for all endpoint: </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">custom</span><span class="pi">:</span> <span class="na">apiGatewayThrottling</span><span class="pi">:</span> <span class="na">maxRequestsPerSecond</span><span class="pi">:</span> <span class="m">100</span> <span class="na">maxConcurrentRequests</span><span class="pi">:</span> <span class="m">50</span> </code></pre> </div> <p>Else, you set a throttling directly at an endpoint level:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">get</span> <span class="na">throttling</span><span class="pi">:</span> <span class="na">maxRequestsPerSecond</span><span class="pi">:</span> <span class="m">100</span> <span class="na">maxConcurrentRequests</span><span class="pi">:</span> <span class="m">50</span> </code></pre> </div> <p><strong>For HTTP Api, it's possible to have throttle but it's not possible to do it with Serverless Framework.</strong><br><br> <strong>Remark</strong>: It's important to set throttling that fit your use case.</p> <p><strong>Authentication</strong><br><br> Authentication is a good way to secure HTTP Api or REST Api and it's possible to do it with different manners. I won't detail in this article how we can manage authentication but it can be a really good article for later. </p> <p><strong>Usage plan and Api Key</strong><br> A good way to secure an Api is to provide an Api Key.<br><br> To do this, an Api Key need to be provided to the Api and after each call need to have a header name "x-api-key", more information <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-key-source.html" rel="noopener noreferrer">here</a>. Once it's done, it's possible to specify usage plan by endpoint to limit the number of calls allowed.<br><br> In Serverless Framework it's possible with the help of the plugin <a href="https://www.serverless.com/plugins/serverless-add-api-key" rel="noopener noreferrer">serverless-add-api-key</a> on this way:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">serverless-add-api-key</span> </code></pre> </div> <p>To specify a key, let AWS auto set the value and specify Usage Plan at the stage level:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">custom</span><span class="pi">:</span> <span class="na">apiKeys</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret</span> <span class="na">usagePlan</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">global-plan"</span> <span class="na">quota</span><span class="pi">:</span> <span class="na">limit</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">period</span><span class="pi">:</span> <span class="s">DAY</span> <span class="na">throttle</span><span class="pi">:</span> <span class="na">burstLimit</span><span class="pi">:</span> <span class="m">100</span> <span class="na">rateLimit</span><span class="pi">:</span> <span class="m">50</span> </code></pre> </div> <p>To finish, it's important to required Api Key on all the endpoints in the following way:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">get</span> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">head</span> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">post</span> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">method</span><span class="pi">:</span> <span class="s">put</span> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Once it's done, to call api, you need to do:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> curl -X GET https://ep.execute-api.eu-west-1.amazonaws.com/stage/forward -H "x-api-key: my-generate-key" </code></pre> </div> <p><strong>Remark</strong>: This feature is available only with REST Api, not with HTTP Api. It's not possible to do that easily with Github example 1, because with Github Webhook it's not possible to add a key "x-api-key"… Something is possible with a Lambda authorizer but it's much more complicated.</p> <p><strong>Resource Policy</strong></p> <p>Resource Policy is a good way to secure REST Api, for example by limiting invocation to specific IPs or CIDR blocks.<br><br> In example 1 with Github Webhook, is a good way to limit invocation only to Github hooks CIDR blocks. Github hooks CIDR blocks are publicly available <a href="https://api.github.com/meta" rel="noopener noreferrer">here</a>. So with the help of the following policy, only Github IPs are able to call my REST Api.</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"execute-api:Invoke"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"execute-api:/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"NotIpAddress"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SourceIp"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"192.30.252.0/22"</span><span class="p">,</span><span class="w"> </span><span class="s2">"185.199.108.0/22"</span><span class="p">,</span><span class="w"> </span><span class="s2">"140.82.112.0/20"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"execute-api:Invoke"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"execute-api:/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"IpAddress"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SourceIp"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"192.30.252.0/22"</span><span class="p">,</span><span class="w"> </span><span class="s2">"185.199.108.0/22"</span><span class="p">,</span><span class="w"> </span><span class="s2">"140.82.112.0/20"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If we do exactly the same thing with Serverless Framework:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">provider</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws</span> <span class="na">runtime</span><span class="pi">:</span> <span class="s">python3.8</span> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="na">resourcePolicy</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Deny</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">execute-api:Invoke</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">execute-api:/*/*/forward</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">NotIpAddress</span><span class="pi">:</span> <span class="na">aws:SourceIp</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">192.30.252.0/22</span> <span class="pi">-</span> <span class="s">185.199.108.0/22</span> <span class="pi">-</span> <span class="s">140.82.112.0/20</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">execute-api:Invoke</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">execute-api:/*/*/forward</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">IpAddress</span><span class="pi">:</span> <span class="na">aws:SourceIp</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">192.30.252.0/22</span> <span class="pi">-</span> <span class="s">185.199.108.0/22</span> <span class="pi">-</span> <span class="s">140.82.112.0/20</span> </code></pre> </div> <p><strong>Remarks</strong>: This feature is available only with REST Api, not with HTTP Api.</p> <p>With all the security protection above, serverless.yml looks like:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <p><span class="na">service</span><span class="pi">:</span> <span class="s">serverless-proxy</span></p> <p><span class="na">plugins</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">serverless-python-requirements</span><br> <span class="pi">-</span> <span class="s">serverless-prune-plugin</span><br> <span class="pi">-</span> <span class="s">serverless-api-gateway-throttling</span><br> <span class="pi">-</span> <span class="s">serverless-add-api-key</span></p> <p><span class="na">custom</span><span class="pi">:</span><br> <span class="na">url</span><span class="pi">:</span> <span class="s"><a href="http://myurl:80" rel="noopener noreferrer">http://myurl:80</a></span> <span class="c1">#to be replaced by backend url</span><br> <span class="na">vpcId</span><span class="pi">:</span> <span class="s">vpc-123456</span> <span class="c1">#to be replaced by vpc id</span><br> <span class="na">subnetIds</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">subnet-123</span><span class="pi">,</span> <span class="nv">subnet-456</span><span class="pi">,</span> <span class="nv">subnet-789</span> <span class="pi">]</span> <span class="c1">#to be replaced by subnet ids</span><br> <span class="na">pythonRequirements</span><span class="pi">:</span> <span class="c1">#serverless-python-requirements configuration</span><br> <span class="na">dockerizePip</span><span class="pi">:</span> <span class="kc">true</span><br> <span class="na">prune</span><span class="pi">:</span> <span class="c1">#serverless-prune-plugin configuration: 3 versions are kept</span><br> <span class="na">automatic</span><span class="pi">:</span> <span class="kc">true</span><br> <span class="na">number</span><span class="pi">:</span> <span class="m">3</span><br> <span class="na">apiGatewayThrottling</span><span class="pi">:</span><br> <span class="na">maxRequestsPerSecond</span><span class="pi">:</span> <span class="m">100</span><br> <span class="na">maxConcurrentRequests</span><span class="pi">:</span> <span class="m">50</span><br> <span class="na">apiKeys</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret</span><br> <span class="na">usagePlan</span><span class="pi">:</span><br> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">global-plan"</span><br> <span class="na">quota</span><span class="pi">:</span><br> <span class="na">limit</span><span class="pi">:</span> <span class="m">1000</span><br> <span class="na">period</span><span class="pi">:</span> <span class="s">DAY</span><br> <span class="na">throttle</span><span class="pi">:</span><br> <span class="na">burstLimit</span><span class="pi">:</span> <span class="m">100</span><br> <span class="na">rateLimit</span><span class="pi">:</span> <span class="m">50</span></p> <p><span class="na">resources</span><span class="pi">:</span><br> <span class="na">Resources</span><span class="pi">:</span><br> <span class="na">SecurityGroup</span><span class="pi">:</span><br> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span><br> <span class="na">Properties</span><span class="pi">:</span><br> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">SG for Serverless Proxy forwarder</span><br> <span class="na">VpcId</span><span class="pi">:</span> <span class="s">${self:custom.vpcId}</span><br> <span class="na">SecurityGroupEgress</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span><br> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">80</span><br> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">80</span><br> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span><br> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span><br> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span><br> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">443</span><br> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span><br> <span class="na">Tags</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span><br> <span class="na">Value</span><span class="pi">:</span> <span class="s">serverless-proxy-sg</span></p> <p><span class="na">provider</span><span class="pi">:</span><br> <span class="na">name</span><span class="pi">:</span> <span class="s">aws</span><br> <span class="na">runtime</span><span class="pi">:</span> <span class="s">python3.8</span><br> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-west-1</span><br> <span class="na">resourcePolicy</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Deny</span><br> <span class="na">Principal</span><span class="pi">:</span> <span class="s2">"</span><span class="s"><em>"</em></span><br> <span class="na">Action</span><span class="pi">:</span> <span class="s">execute-api:Invoke</span><br> <span class="na">Resource</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">execute-api://<em>/forward</em></span><br> <span class="na">Condition</span><span class="pi">:</span><br> <span class="na">NotIpAddress</span><span class="pi">:</span><br> <span class="na">aws:SourceIp</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">192.30.252.0/22</span><br> <span class="pi">-</span> <span class="s">185.199.108.0/22</span><br> <span class="pi">-</span> <span class="s">140.82.112.0/20</span><br> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span><br> <span class="na">Principal</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span><br> <span class="na">Action</span><span class="pi">:</span> <span class="s">execute-api:Invoke</span><br> <span class="na">Resource</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">execute-api:/<em>/</em>/forward</span><br> <span class="na">Condition</span><span class="pi">:</span><br> <span class="na">IpAddress</span><span class="pi">:</span><br> <span class="na">aws:SourceIp</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">192.30.252.0/22</span><br> <span class="pi">-</span> <span class="s">185.199.108.0/22</span><br> <span class="pi">-</span> <span class="s">140.82.112.0/20</span></p> <p><span class="na">functions</span><span class="pi">:</span><br> <span class="na">serverless-proxy</span><span class="pi">:</span><br> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.main</span><br> <span class="na">name</span><span class="pi">:</span> <span class="s">serverless-proxy</span><br> <span class="na">description</span><span class="pi">:</span> <span class="s">Lambda Forwarder function</span><br> <span class="na">memorySize</span><span class="pi">:</span> <span class="m">512</span><br> <span class="na">timeout</span><span class="pi">:</span> <span class="m">1</span><br> <span class="na">environment</span><span class="pi">:</span><br> <span class="na">URL</span><span class="pi">:</span> <span class="s">${self:custom.url}</span><br> <span class="na">vpc</span><span class="pi">:</span><br> <span class="na">securityGroupIds</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">SecurityGroup</span><br> <span class="na">subnetIds</span><span class="pi">:</span> <span class="s">${self:custom.subnetIds}</span><br> <span class="na">events</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span><br> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span><br> <span class="na">method</span><span class="pi">:</span> <span class="s">get</span><br> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span><br> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span><br> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span><br> <span class="na">method</span><span class="pi">:</span> <span class="s">head</span><br> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span><br> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span><br> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span><br> <span class="na">method</span><span class="pi">:</span> <span class="s">post</span><br> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span><br> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span><br> <span class="na">path</span><span class="pi">:</span> <span class="s">forward</span><br> <span class="na">method</span><span class="pi">:</span> <span class="s">put</span><br> <span class="na">private</span><span class="pi">:</span> <span class="kc">true</span><br> <span class="c1">#- httpApi:</span><br> <span class="c1"># path: /forward</span><br> <span class="c1"># method: get</span><br> <span class="c1">#- httpApi:</span><br> <span class="c1"># path: /forward</span><br> <span class="c1"># method: head</span><br> <span class="c1">#- httpApi:</span><br> <span class="c1"># path: /forward</span><br> <span class="c1"># method: post</span><br> <span class="c1">#- httpApi:</span><br> <span class="c1"># path: /forward</span><br> <span class="c1"># method: put</span></p> </code></pre> </div> <h1> <br> <br> <br> <strong>To go further</strong><br> </h1> <p>If in front of your EC2 instance, you have a Network Load balancer (NLB) or an Application Load Balancer (ALB), it can be possible to integrate it without Lambda.</p> <p>It's possible because:</p> <ul> <li>HTTP Api can be integrated with private API through <strong>NLB and ALB</strong> </li> <li>REST Api can be integrated with private API through <strong>NLB only</strong> </li> </ul> <p>For example, Example 1 with an NLB in front of EC2 instance gives:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9rj0clwuhs2evwwzyct1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9rj0clwuhs2evwwzyct1.png" alt="Alt Text"></a></p> <p>To do that you should:</p> <ol> <li>Create a VPC link in API Gateway</li> <li>Change method execution from Lambda to VPC Link</li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F1ltyaex004y1yc033odk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F1ltyaex004y1yc033odk.png" alt="Method Execution - VPC Link"></a></p> <p><a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-with-private-integration.html" rel="noopener noreferrer">More information here.</a></p> <p><strong>Remarks:</strong></p> <ul> <li>I have the same recommendation as above concerning choice between REST Api and HTTP Api</li> <li>All security stuffs listed above are applicable here for API Gateway</li> <li>This solution is more simple but also less customisable</li> </ul> <h1> <strong>Conclusion</strong> </h1> <p>This solution is relatively easy to implement, highly scalable, secure and not expensive. It can be deployed when we have communication issue between public and private zone.<br><br> You can find the implementation of the solution in <a href="https://github.com/guillan/serverless-proxy" rel="noopener noreferrer">my github account</a>.</p> aws serverless architecture github