Lambda Flashcards
What is Serverless?
- Serverless is a new paradigm in which the developers don’t have to manage servers anymore…
- They just deploy code
- They just deploy… functions!
- Initially… Serverless == FaaS (Function as a Service)
- Serverless was pioneered by AWS Lambda but now also includes anything that’s managed: “databases, messaging, storage, etc.”
- Serverless does not mean there are no servers… it means you just don’t manage / provision / see them
What are the Serverless services in AWS?
- AWS Lambda
- DynamoDB
- AWS Cognito
- AWS API Gateway
- Amazon S3
- AWS SNS & SQS
- AWS Kinesis Data Firehose
- Aurora Serverless
- Step Functions
- Fargate
What platform is not for Lambda?
Docker
Apart from the supported programming languages by Lambda, what else can you do?
Custom Runtime API (community supported, example Rust)
What is Lambda pricing by call?
Pay per calls:
o First 1,000,000 requests are free
o $0.20 per 1 million requests thereafter ($0.0000002 per request)
What is Lambda pricing by duration?
Pay per duration: (in increment of 100ms, round up)
o 400,000 GB-seconds of compute time per month if FREE
o == 400,000 seconds if function is 1GB RAM
o == 3,200,000 seconds if function is 128 MB RAM
o After that $1.00 for 600,000 GB-seconds
How is calculated the duration of your Lambda?
To the nearest multiple of 100 ms, rounded up. This means that if your function ran in 1 ms you are billed for 100 ms
What is the Lambda Handler?
Handler = name of the file + “.” + name of the function
What is Lambda Execution Role?
A role to interact with the necessary services, it should allow you at least to upload logs to CloudWatch logs because each function invocation will create a new log stream in CloudWatch
What is best practice regarding to Lambda functions and the Role executions?
It is best practice to maintain 1 role per function.
How are Lambda invocations?
Sync and Asyc
What are the main service that invoke Lambda sync?
o ALB o API Gateway o CloudFront (Lambda@Edge) o CLI o SDK o Cognito o Step Functions
How can you expose a Lambda function as an HTTP(S) endpoint?
Using an ALB or API Gateway
What you must do to expose Lambda as an HTTP(S) endpoint using ALB?
The Lambda function must be registered in a target group
What particularity has ALB health checks for Lambda?
Health checks if enabled count as a Lambda function request
How is the comunication between the ALB and Lambda?
HTTP request is translated to JSON
What is the main information sent by an ALB to Lambda?
- ELB information
- HTTP method
- Path
- Query String Params (Key/Value)
- Headers (Key/Value)
- Body (for POST, PUT…)
- isBase64Encoded (flag)
What is the main information sent by Lambda to an ALB?
- Status Code
- Description
- Headers (Key/Value)
- Body
- isBase64Encoded (flag)
What is ALB multi-header setting?
/path?name=foo&name=bar
What happens when you enable ALB multi-headers in Lambda?
When you enable multi-headers, HTTP headers and query string parameters that are sent with multiple values are shown as arrays within the AWS Lambda event and response objects
What is Lambda@Edge?
Run a global AWS Lambda alongside your CDN
What is useful for Lambda@Edge?
You can use Lambda to change CloudFront requests and responses:
o After CloudFront receives a request from a viewer (viewer request)
o Before CloudFront forwards the request to the origin (origin request)
o After CloudFront receives the response from the origin (origin response)
o Before CloudFront forwards the response to the viewer (viewer response)
You can also generate responses to viewers without ever sending the request to the origin
What are Lambda@Edge use cases?
Lambda@Edge: Use Cases • Website Security and Privacy • Dynamic Web Application at the Edge • Search Engine Optimization (SEO) • Intelligently Route Across Origins and Data Centers • Bot Mitigation at the Edge • Real-time Image Transformation • A/B Testing • User Authentication and Authorization • User Prioritization • User Tracking and Analytics
What are the main services that invoke Lambda async?
- S3 Event Notifications
- SNS
- CloudWatch Events / EventBridge
- CodeCommit (CodeCommit Trigger: new branch, new tag, new push)
- CodePipeline (invoke a Lambda function during the pipeline, Lambda must callback)
Where are async calls placed in Lambda?
The events are placed in an Event Queue
What happens when Lambda fails processing an async call?
Lambda attempts to retry on errors 3 times
o 1-minute wait after 1st, then 2 minutes wait
How can you realize that Lambda has retryied an async call?
If the function is retried, you will see duplicate logs entries in CloudWatch Logs with the same request id
What you need to make sure in your Lambda function to handle retries successfuly?
Make sure the processing is idempotent, that way in case of retries the result is the same
What can you use for failed async invoked Lambda functions?
Can define a DLQ (dead-letter queue) – SNS or SQS – for failed processing (need correct IAM permissions)
What you must use from the CLI when invoking a Llambda function async?
From the CLI you must use –invocation-type Event
What is the response received in the CLI when invoking a Lambda function async?
the response StatusCode will be 202, synonym of asynchronous invocation
What you need to do in EventBridge to async invoke a Lambda function?
You need to create a rule and define an Event pattern or a Schedule
What services do Lambda polls records from them?
- Kinesis Data Streams
- SQS & SQS FIFO queue
- DynamoDB Streams
What is used by Lambda to poll records?
Event Source Mapping
How is your Lambda function invoked by the Lambda Event Source Mapping?
Your Lambda function is invoked synchronously
How does work the Lambda Event Source Mapping with Kinesis?
An event source mapping creates an iterator for each shard, processes items in order.
Start with new items, from the beginning or from timestamp
What happens to items in a kinesis stream that were read by the Lambda Event Source Mapping?
Processed items aren’t removed from the stream (other consumers can read them)
What can you do if the traffic in Kinesis is low and a Lambda Event Source Mapping is poling it?
Use batch window to accumulate records before processing.
How is error handling in Lambda when polling data from streams?
By default, if your function returns an error, the entire batch is reprocessed until the function succeeds, or the items in the batch expire
What does Lambda do to ensure in order processing while polling data from streams?
To ensure in-order processing, processing for the affected shard is paused until the error is resolved
How can you configure the Lambda Event Source Mapping for error handling?
o discard old events
o restrict the number of retries
o split the batch on error (to work around Lambda timeout issues)
Where can discarded events by the Lambda Event Source Mapping go?
to a Destination
How would Lambda Event Souce Mapping poll from SQS and SQS FIFO?
Using Long Polling, specifying a batch size in the range (1-10)
What is the recommended visibility timeout for SQS when a Lambda Event Source Mapping is polling from it?
Set the queue visibility timeout to 6x the timeout of your Lambda function
What is the best option to use if you need a DLQ while polling data from SQS using a Lambda Event Source Mapping?
To use a DLQ set-up on the SQS queue, not Lambda (DLQ for Lambda is only for async invocations) or use a Lambda destination for failures
How does Lambda scale while reading SQS queues?
- Up to the number of active message groups. Messages with the same GroupID will be processed in order
- Lambda scales up to process a standard queue as quickly as possible, up to 1000 batches of messages processed simultaneously
What could happen occasionally in the Lambda Event Source Mapping while polling SQS even if no function error occurred?
Occasionally, the event source mapping might receive the same item from the queue twice, even if no function error occurred
How does Lambda scale when polling stream shards?
o One Lambda invocation per stream shard
o If you use parallelization, up to 10 batches processed per Shard simultaneously
What is recommended to use over Lambda DLQs?
AWS recommends you use destinations instead of DLQ now (but both can be used at the same time).
What is the difference between Lambda destinations and Lambda DLQs?
Lambda destinations provide several destinations and you can send your successful events as well
How are used Lambda destinations for async invocations?
can define destinations for successful and failed processing events: o Amazon SQS o Amazon SNS o AWS Lambda o Amazon EventBridge bus
How are used Lambda destinations for Event Source Mappings?
for discarded event batches
o Amazon SQS
o Amazon SNS
Note: you can send events to a DLQ directly from SQS when using Event Source Mapping
What is the Lambda Execution Role?
Grants the Lambda function permissions to AWS services / resources.
When you use an event source mapping to invoke your function, Lambda uses the execution role to read event data
What are main managed policies for Lambda Execution Role?
o AWSLambdaBasicExecutionRole – Upload logs to CloudWatch.
o AWSLambdaKinesisExecutionRole – Read from Kinesis
o AWSLambdaDynamoDBExecutionRole – Read from DynamoDB Streams
o AWSLambdaSQSQueueExecutionRole – Read from SQS
o AWSLambdaVPCAccessExecutionRole – Deploy Lambda function in VPC
o AWSXRayDaemonWriteAccess – Upload trace data to X-Ray.
What is best practice for Lambda Execution Role?
create one Lambda Execution Role per function
What are Lambda Resource Based Policies?
Use resource-based policies to give other accounts and AWS services permission to use your Lambda resources
• Similar to S3 bucket policies for S3 bucket
How can you adjust your Lambda function behavior without updating code?
Using Lambda Environment Variables
What can you do with secrets in Lambda?
Use environment variables to store secrets (encrypted by KMS). Secrets can be encrypted by the Lambda service key, or your own CMK
What you need to do to to make sure that Lambda logs are stored?
o AWS Lambda execution logs are stored in AWS CloudWatch Logs
o Make sure your AWS Lambda function has an execution role with an IAM policy that authorizes writes to CloudWatch Logs
Where are Lambda metrics available?
In CloudWatch Metrics
How can you integrate X-Ray to lambda?
Enabling it in the Lambda Configuration (Active Tracing)
How can you write traces to X-Ray from your Lambda function?
- Use AWS X-Ray SDK in Code
* Ensure Lambda Function has a correct IAM Execution Role
What are the environment variables used by Lambda to communicate with X-Ray?
o _X_AMZN_TRACE_ID: contains the tracing header
o AWS_XRAY_CONTEXT_MISSING: by default, LOG_ERROR
o AWS_XRAY_DAEMON_ADDRESS: the X-Ray Daemon IP_ADDRESS:PORT (most important)
Where are my Lambda functions launched?
- By default, your Lambda function is launched outside your own VPC (in an AWS-owned VPC)
- Therefore, it cannot access resources in your VPC (RDS, ElastiCache, internal ELB…)
What you need to do to communicate i.e. with a RDS DB in a VPC from your Lambda?
You must define the VPC ID, the Subnets and the Security Groups
What happens to a Lambda function in a public subnet?
does not have internet access
What you must do to provide internet access to a Lambda function in a VPC?
Deploying a Lambda function in a private subnet gives it internet access if you have a NAT Gateway / Instance
What can Lambda use to privately access AWS services?
You can use VPC endpoints to privately access AWS services without a NAT
What is RAM in Lambda?
From 128MB to 3,008MB in 64MB increments
How can you add vCPU to your Lambda?
By adding RAM
At how much RAM does your Lambda have 1 vCPU?
o At 1,792 MB, a function has the equivalent of one full vCPU
o After 1,792 MB, you get more than one CPU, and need to use multi-threading in your code to benefit from it
What is Lambda timeout value?
default 3 seconds, maximum is 900 seconds (15 minutes)
What is the Lambda execution context?
The execution context is a temporary runtime environment that initializes any external dependencies of your lambda code
What is great for the Lambda execution context?
Great for database connections, HTTP clients, SDK clients…
How does work the Lambda execution context?
- The execution context is maintained for some time in anticipation of another Lambda function invocation
- The next function invocation can “re-use” the context to execution time and save time in initializing connections objects
- The execution context includes the /tmp directory
What is max size allowed in Lambda tmp directory?
512 MB
What can be used for the tmp directory in Lambda?
- If your Lambda function needs to download a big file to work…
- If your Lambda function needs disk space to perform operations…
What can you use for permanent persistence of object in Lambda?
S3
What is Lambda concurrency limit?
- The limit is shared by all your functions in the region, so no matter how many applications are using your lambda function. If one application reaches the limit, the other applications will throttle.
What is Lambda Throttle behavior?
Throttle behavior:
o If synchronous invocation => return ThrottleError - 429
o If asynchronous invocation => retry automatically and then go to DLQ
What you need to do if you need to go over your Lambda limits?
open a support ticket
What can you set about concurrency at the function level?
A reserved concurrency
What can you set about concurrency at the function level?
A reserved concurrency
What is done by Lambda if the function does not have enough concurrency available for async invocations?
- If the function doesn’t have enough concurrency available to process all events, additional requests are throttled.
- For throttling errors (429) and system errors (500-series), Lambda returns the event to the queue and attempts to run the function again for up to 6 hours.
What is the retry policy used by Lambda?
The retry interval increases exponentially from 1 second after the first attempt to a maximum of 5 minutes
What is Lambda Cold Start?
First request served by new instances has higher latency than the rest. If the init is large (code, dependencies, SDK…) this process can take some time.
What is Provisioned Concurrency?
o Concurrency is allocated before the function is invoked (in advance)
o So, the cold start never happens and all invocations have low latency
What can you do if your Lambda function depends on external libraries?
You need to install the packages alongside your code and zip it together
• Native libraries work: they need to be compiled on Amazon Linux
• AWS SDK comes by default with every Lambda function
How can you define Lambda functions in CloudFormation?
- Inline
- Through S3
What property is used in CloudFormation for defining inline Lambda function?
Use the Code.ZipFile property
What can’t you include in CloudFormation defined Lambda function?
You cannot include function dependencies with inline functions
Hoes does work CloudFormation defined Lambda functions thorugh S3?
- You must store the Lambda zip in S3
- You must refer the S3 zip location in the CloudFormation code
- S3Bucket
- S3Key: full path to zip
- S3ObjectVersion: if versioned bucket
What might happen if you update the code of a Lambda function in S3 that is referenced by CloudFormation?
If you update the code in S3, but don’t update S3Bucket, S3Key or S3ObjectVersion, CloudFormation won’t update your function
How can you use a Lambda Custom Runtime?
Using Lambda Layers
What is a Lambda Layer?
Externalize Dependencies to re-use them:
What caracteristic have Lambda Versions?
- immutable
- increasing version numbers
- own ARN
What are Lambda Aliases?
- Aliases are ”pointers” to Lambda function versions
* We can define a “dev”, ”test”, “prod” aliases and have them point at different lambda versions
What caracteristic have Lambda Aliases?
- mutable
- own ARN
What enables Lambda Aliases?
- Aliases enable Blue / Green deployment by assigning weights to lambda functions
- Aliases enable stable configuration of our event
What cannot do Lambda Aliases?
reference aliases
What can help you to automate traffic shift for Lambda Aliases?
CodeDeploy deployment configurations
What CodeDeploy deployment configurations are integrated with Lambda?
- Linear
- Canary
- AllAtOnce
How does work CodeDeploy Linear configuration?
grow traffic every N minutes until 100%
o Linear10PercentEvery3Minutes
o Linear10PercentEvery10Minutes
How does work CodeDeploy Canary configuration?
try X percent then 100%
o Canary10Percent5Minutes
o Canary10Percent30Minutes
How does work CodeDeploy AllAtOnce configuration?
immediate
What can you do to check the health of a Lambda function deployed using CodeDeploy?
Can create Pre & Post Traffic hooks to check the health of the Lambda function
What is the max size of Environment Variables in Lambda?
4 KB
What is the max size of Lambda zip file?
50 MB
What is the max size of Lambda uncompressed deployment (code + dependencies)?
250 MB
What you must avoid in Lambda functions code?
recursive code
What does Lambda do when you specify the VPC configuration?
- Lambda will create an ENI (Elastic Network Interface) in your subnets
- Your Lambda function needs AWSLambdaVPCAccessExecutionRole
What else you need to do to access RDS from your Lambda besides specifying the VPC configuration?
RDS security group must allow access from Lambda Security Group
