Lambda Flashcards
Lambda: Synchronous Invocation
- The caller waits for the response and receives the result (or the error) directly; retries are the caller's job
- Example: use an ALB (or API Gateway, the CLI/SDK) to call the Lambda function
Lambda@Edge
- Synchronous Invocation of Lambda
- More responsive applications
- You don’t manage servers; lambda is deployed globally
- Customize the CDN content
- Pay only for what you use
Lambda@Edge CloudFront Requests and Responses
- After CloudFront receives the request from a viewer (viewer request)
- Before CloudFront forwards the request to the origin (origin request)
- After CloudFront receives the response from the origin (origin response)
- Before CloudFront forwards the response to the viewer (viewer response)
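As an added example (not code from the original notes or from AWS), a viewer-response handler that adds security headers just before CloudFront forwards the response to the viewer. The event shape follows the Lambda@Edge CloudFront event structure; the sample event, header values and distribution ID are constructed for offline testing.

```python
"""Lambda@Edge viewer-response handler that adds security headers.

Added example, not AWS sample code. Header values and the sample event
below are constructed; adjust the CSP to your real origins.
"""

# Headers every response from this distribution should carry (lowercase key -> (Name, value)).
SECURITY_HEADERS = {
    "strict-transport-security": ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    "content-security-policy": ("Content-Security-Policy", "default-src 'self'"),
    "x-content-type-options": ("X-Content-Type-Options", "nosniff"),
    "x-frame-options": ("X-Frame-Options", "DENY"),
    "referrer-policy": ("Referrer-Policy", "strict-origin-when-cross-origin"),
}


def handler(event, context=None):
    """Entry point. CloudFront passes one record whose 'cf' block carries the
    request, the response (for origin-/viewer-response events) and the event type."""
    cf = event["Records"][0]["cf"]
    if cf["config"]["eventType"] != "viewer-response":
        # Attached to the wrong trigger point: pass the object through untouched.
        return cf.get("response") or cf["request"]
    response = cf["response"]
    headers = response["headers"]  # dict: lowercase name -> list of {"key", "value"}
    for lower_name, (name, value) in SECURITY_HEADERS.items():
        headers[lower_name] = [{"key": name, "value": value}]  # overwrite whatever the origin sent
    # Custom header some origins add; it only leaks the server framework to viewers.
    headers.pop("x-powered-by", None)
    return response


def make_viewer_response_event(status="200", extra_headers=None):
    """Build a constructed viewer-response event for local testing."""
    headers = {"content-type": [{"key": "Content-Type", "value": "text/html"}]}
    headers.update(extra_headers or {})
    return {"Records": [{"cf": {
        "config": {"distributionId": "EXAMPLE", "eventType": "viewer-response"},
        "request": {"uri": "/index.html", "method": "GET", "headers": {}},
        "response": {"status": status, "statusDescription": "OK", "headers": headers},
    }}]}
```

Attach the function to the viewer-response event so the headers are added even when the response is served from the CloudFront cache; at origin-response they would only be set on cache misses.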
Lambda - Destinations
- Asynchronous invocations: send the result of a successful or failed invocation to SQS, SNS, Lambda or EventBridge
- AWS recommends using destinations instead of a DLQ (a DLQ only captures failures; a destination also carries the request context and the response)
- Event Source Mapping (Kinesis, DynamoDB Streams): discarded event batches can be sent to SQS or SNS
- For an SQS event source there is no Lambda destination: configure a DLQ on the SQS queue itself
Lambda Execution Role
- IAM role that grants the Lambda function permissions to call AWS services / resources
- With event source mappings (Kinesis, DynamoDB Streams, SQS) Lambda polls the source itself, so the execution role must allow reading from it
- Best practice: create one Lambda execution role per function (least privilege)
Lambda Managed Policies
- AWSLambdaBasicExecutionRole - write logs to CloudWatch Logs
- AWSLambdaKinesisExecutionRole - read from Kinesis
- AWSLambdaDynamoDBExecutionRole - read from DynamoDB Streams
- AWSLambdaSQSQueueExecutionRole - read from SQS
- AWSLambdaVPCAccessExecutionRole - deploy the function in a VPC (create/manage ENIs)
- AWSXRayDaemonWriteAccess - upload trace data to X-Ray
Lambda Resource-Based Policies
- Resource-based policies give other accounts and AWS services permission to invoke/use your Lambda function
- Similar to S3 bucket policies for S3 buckets
- Scope service principals with a SourceArn / SourceAccount condition so only the intended resource can invoke the function
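Added example (not from the original notes or from AWS): two constructed policy documents, an execution-role policy and a resource-based policy, with the checks a reviewer applies to each. The account IDs, ARNs and function name are placeholders. The first check flags execution-role statements that combine a wildcard action with a wildcard resource; the second flags resource-based statements that let a service principal invoke the function without a SourceArn/SourceAccount condition.

```python
"""Sanity checks for the two Lambda policy types.

Added example, not AWS-provided code. All ARNs and account IDs are
constructed placeholders.
"""
import json

# Constructed execution-role permission policy: what the FUNCTION may do.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # CloudWatch Logs, the same grant AWSLambdaBasicExecutionRole makes
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:*",
        },
        {   # Overly broad: any S3 action on any bucket. Flagged below.
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*",
        },
    ],
}

# Constructed resource-based policy: who may invoke the FUNCTION.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Scoped: only this API's GET /orders method may invoke
            "Sid": "ApiGatewayInvoke",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
            "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/*/GET/orders"}},
        },
        {   # Unscoped service principal: an S3 bucket in ANY account could invoke (confused deputy)
            "Sid": "S3InvokeUnscoped",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def broad_execution_statements(policy):
    """Sids (or statement[i]) of Allow statements granting a wildcard action on resource '*'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def unscoped_service_principals(policy):
    """Sids of Allow statements that let an AWS service principal act
    without an aws:SourceArn or aws:SourceAccount condition."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not (isinstance(principal, dict) and "Service" in principal):
            continue
        cond = json.dumps(stmt.get("Condition", {})).lower()  # condition keys are case-insensitive
        if "aws:sourcearn" not in cond and "aws:sourceaccount" not in cond:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings
```

The same two checks can be run against the output of `aws lambda get-policy` and `aws iam get-role-policy` for deployed functions.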
Lambda: Logging CloudWatch Logs
- Execution logs are stored in CloudWatch Logs
- The execution role needs permission to write there (AWSLambdaBasicExecutionRole)
Lambda CloudWatch Metrics
- metrics displayed in CW Metrics
- invocations, duration, concurrent executions
- Error count, success rates, throttles
- Async Delivery failures
- IteratorAge (Kinesis & DynamoDB Streams): how far behind the stream the function is reading
Lambda Tracing with X-Ray
- Enable Active Tracing in the Lambda configuration
- Lambda runs the X-Ray daemon for you
- Use the X-Ray SDK in code to add subsegments
- Execution role needs AWSXRayDaemonWriteAccess
Lambda X-Ray Environment Variables
- _X_AMZN_TRACE_ID: contains the tracing header
- AWS_XRAY_CONTEXT_MISSING: default LOG_ERROR (log instead of throwing when no tracing context is present)
- AWS_XRAY_DAEMON_ADDRESS: X-Ray daemon IP_ADDRESS:PORT
Lambda VPC
- By default the Lambda function is launched outside your own VPC (in an AWS-owned VPC)
- It therefore cannot access resources in your VPC (RDS, ElastiCache, internal ELB...)
- To connect it: define VPC ID, subnets and security groups
- Lambda will create an ENI in your subnets
- Execution role needs AWSLambdaVPCAccessExecutionRole
Lambda VPC - Internet Access
- A Lambda function in your VPC does not have internet access by default
- Deploying the function in a public subnet does NOT give it internet access (the ENI has no public IP)
- Deploying the function in a private subnet gives it internet access if you have a NAT Gateway/instance and a route to it
- Use VPC endpoints to privately access AWS services without a NAT
Lambda Configuration RAM
- From 128 MB to 3,008 MB in 64 MB increments (the limit when these notes were written; the current maximum is 10,240 MB)
- The more RAM you add, the more vCPU credits you get
- At 1,792 MB the function has 1 full vCPU
- Above 1,792 MB you get more than one vCPU, so the code must be multi-threaded to benefit
- Computation heavy? Increase RAM
- Timeout: default 3 seconds, max 900 seconds (15 minutes)
Lambda Execution Context
- Temporary runtime environment that initializes any external dependencies of your Lambda code
- Great for DB connections, HTTP clients, SDK clients
- Maintained for some time in anticipation of another invocation
- The next invocation can "re-use" the context instead of re-initializing
- includes the /tmp directory
Lambda /tmp space
- Use it when the function needs to download files or needs disk space to perform operations
- Max size 512 MB (the default ephemeral storage; it is configurable up to 10,240 MB today)
- Content remains while the execution context is frozen, so it works as a cache across invocations
- For permanent file storage use S3
Lambda Concurrency
- Default limit: up to 1,000 concurrent executions per account per region (soft limit, can be raised)
- Above the limit invocations are throttled: throttling errors (429) for synchronous callers, system errors (500-series) if the back end fails
- Asynchronous invocations are retried automatically; the retry interval increases exponentially from 1 second up to 5 minutes
- The concurrency limit applies to all the functions of the account; use reserved concurrency to cap one function and guarantee it a share
Lambda: Cold Start
- First invocation of a new execution context loads the code and runs the init code outside the handler, so latency is higher
- Provisioned Concurrency: concurrency is allocated before the function is invoked, so there are no cold starts
- Application Auto Scaling can manage provisioned concurrency (schedule or target utilization)
Lambda: Layers
- Custom runtimes, e.g. C++ and Rust
- Externalize dependencies (libraries) to re-use them across functions and keep deployment packages small
Lambda: CodeDeploy
- Shifts traffic between function versions through an alias (used together with SAM)
- Linear: grow traffic every N minutes until 100%
- Canary: try X percent for a while, then 100%
- AllAtOnce: immediate
- Pre- and post-traffic hooks can run checks and trigger a rollback
Lambda: Limits Per-Region: Execution
- Memory allocation: 128 MB - 3,008 MB in 64 MB increments (current maximum 10,240 MB)
- Max execution time: 900 seconds (15 min)
- Environment variables: 4 KB total
- Disk capacity in /tmp: 512 MB
Lambda Limits: Deployment
- Compressed deployment package (.zip): 50 MB
- Uncompressed (code + dependencies): 250 MB
- Environment variables: 4 KB total
Lambda: Best Practices
- Do heavy-duty work outside the function handler (DB connections, SDK clients, pulling dependencies) so it runs once per execution context
- Use environment variables for configuration: DB connection strings, S3 bucket names; encrypt sensitive values (passwords) with KMS
- Minimize deployment package size to its runtime necessities; break down big functions
- Avoid recursive code: never have a Lambda function calling itself
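Added example (not from the original notes or from AWS) tying together the execution-context, /tmp and best-practice cards: the expensive client is built once at module load and re-used on warm invocations, configuration comes from environment variables, and /tmp is used as a cache with a size guard. ExpensiveClient stands in for a DB connection or SDK client; the env var names, cache directory and sample event are assumptions made for illustration.

```python
"""Lambda handler showing execution-context reuse and /tmp caching.

Added example, not from the original notes or from AWS. ExpensiveClient is a
stand-in for a DB connection or SDK client; env var names, the cache
directory and the sample event are assumptions for illustration.
"""
import os
import tempfile

# ---- Initialization phase: runs once per execution context, not per invocation ----
INIT_COUNT = {"clients_built": 0}  # module-level so a caller can observe reuse


class ExpensiveClient:
    """Stand-in for something costly to build (DB connection, HTTP client, SDK client)."""

    def __init__(self, endpoint):
        INIT_COUNT["clients_built"] += 1
        self.endpoint = endpoint

    def fetch(self, key):
        return f"value-of-{key}@{self.endpoint}"


# Configuration comes from environment variables, not from constants in the handler.
DB_ENDPOINT = os.environ.get("DB_ENDPOINT", "db.internal.example:5432")  # assumed name
CACHE_DIR = os.environ.get("CACHE_DIR", os.path.join(tempfile.gettempdir(), "lambda-cache-example"))
TMP_BUDGET_BYTES = 512 * 1024 * 1024  # the 512 MB /tmp limit from the notes

client = ExpensiveClient(DB_ENDPOINT)  # heavy work outside the handler, re-used while the context is warm


def tmp_bytes_used(directory=None):
    """Total size of files in the cache dir, so writes never exceed the /tmp budget."""
    directory = directory or CACHE_DIR
    total = 0
    if os.path.isdir(directory):
        for name in os.listdir(directory):
            try:
                total += os.path.getsize(os.path.join(directory, name))
            except OSError:
                pass
    return total


def reset_cache():
    """Empty the cache dir (local testing only; a real cold start gives you a fresh /tmp)."""
    if os.path.isdir(CACHE_DIR):
        for name in os.listdir(CACHE_DIR):
            os.remove(os.path.join(CACHE_DIR, name))


def cached_fetch(key):
    """Return (value, source); served from /tmp when a warm context already saved it."""
    os.makedirs(CACHE_DIR, exist_ok=True)
    path = os.path.join(CACHE_DIR, f"{key}.cache")
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read(), "tmp-hit"
    value = client.fetch(key)
    # /tmp is small and shared by every invocation of this context: check before writing.
    if tmp_bytes_used() + len(value) < TMP_BUDGET_BYTES:
        with open(path, "w") as fh:
            fh.write(value)
    return value, "miss"


def handler(event, context=None):
    """Per-invocation work only. Rejects keys that could escape the cache dir."""
    key = event["key"]
    if not key.replace("-", "").isalnum():
        raise ValueError("invalid key")
    value, source = cached_fetch(key)
    return {"key": key, "value": value, "source": source,
            "clients_built": INIT_COUNT["clients_built"]}
```

Run the handler twice in one process and the second call reports a /tmp hit with a single client built, which is exactly what a warm invocation sees; a cold start rebuilds the client and starts with an empty /tmp.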
Lambda Authorizer
An API Gateway Lambda Authorizer is a Lambda function you provide to control access to your API
- Token-based authorizer: validates a bearer token (OAuth, JWT, SAML...) passed in a header
- Request-parameter-based authorizer: validates headers, query strings, stage variables
- Returns an IAM policy (Allow/Deny on execute-api:Invoke) plus a principal; API Gateway can cache the result for a TTL
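Added example (not from the original notes or from AWS) of a token-based authorizer: it reads the bearer token from `authorizationToken`, verifies it, and returns an IAM policy scoped to the `methodArn` it was asked about. Real deployments verify a JWT against the issuer's keys (Cognito or an OIDC provider); the HMAC-signed token format, the secret, the scope names and the sample ARNs here are constructed so the example runs offline.

```python
"""API Gateway TOKEN authorizer with an HMAC-signed bearer token.

Added example, not from the original notes. Production code verifies a JWT
from the identity provider; the HMAC token scheme, SECRET, scope names and
sample ARNs are constructed for an offline demonstration.
"""
import base64
import hashlib
import hmac
import json
import os
import time

SECRET = os.environ.get("AUTHZ_SECRET", "constructed-demo-secret").encode()  # assumed env var


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(principal: str, scopes, ttl_seconds=300, now=None) -> str:
    """Mint base64url(payload).base64url(HMAC-SHA256(payload)); 'now' is injectable for tests."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": principal, "scopes": list(scopes), "exp": int(now + ttl_seconds)}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: str, now=None):
    """Return the claims dict if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token: treat exactly like a bad signature
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _policy(effect, method_arn):
    return {"Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]}


def handler(event, context=None, now=None):
    """TOKEN authorizer entry point: event carries 'authorizationToken' and 'methodArn'."""
    raw = event.get("authorizationToken", "")
    method_arn = event["methodArn"]
    if not raw.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    claims = verify_token(raw[len("Bearer "):], now=now)
    if claims is None:
        raise Exception("Unauthorized")
    # methodArn: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
    http_method = method_arn.split("/", 3)[2]
    required = "write" if http_method in ("POST", "PUT", "PATCH", "DELETE") else "read"
    effect = "Allow" if required in claims["scopes"] else "Deny"  # Deny becomes a 403
    return {"principalId": claims["sub"],
            "policyDocument": _policy(effect, method_arn),
            "context": {"scopes": ",".join(claims["scopes"])}}  # forwarded to the backend integration
```

Because API Gateway caches the returned policy per token for the configured TTL, scope the policy to the `methodArn` (or the specific methods the principal may call) rather than returning a wildcard resource, otherwise a cached Allow for GET can be replayed against other methods.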