AWS Lambda function — Overview and preparation for the certification
This article starts a series about the AWS Console. Two other series will follow: one about AWS Labs and one about AWS Cheatsheets. You will also find some tips to prepare for the AWS Certified Solutions Architect Associate or AWS Certified Developer Associate certifications.
In this article, I introduce Lambda functions by describing:
- how to create a Lambda function (in the first page),
- how to manage it (in the header of the main page),
- how to configure it (in the Configuration tab),
- how to monitor it (in the Monitoring tab).
AWS Lambda is a serverless compute service: it runs your code only when needed and scales automatically. Lambda functions are stateless.
Here are several examples of use cases for Lambda functions:
- use a Lambda function as an event source for other AWS services;
- use API Gateway as a trigger for a Lambda function;
- use an AWS SDK to invoke a Lambda function;
- use scheduled events to invoke a Lambda function.
Creation of a function
To create a Lambda function, you have three choices:
- create a function from scratch: you build the whole function yourself,
- create a function from a blueprint: you start from a sample function provided by AWS and customize it,
- create a function from an application in a repository: you deploy a function hosted in a repository.
Create a function from scratch
Let's explore the first scenario, where you build the function yourself.
Click on Author from scratch. The screen is then updated.
Now you have to provide several pieces of information:
- the function name (Function name) describes the purpose of the function;
- the runtime (Runtime) is the language or framework used to write the Lambda function.
The runtime can be:
- C#/PowerShell: .NET Core 1.0 (C#) or 2.1 (C#/PowerShell);
- Go 1.x;
- Java 8;
- Node.js: Node.js 8.10 or Node.js 10.x;
- Python (2.7, 3.6 or 3.7);
- Ruby 2.5.
A Lambda function needs permission to upload logs to Amazon CloudWatch Logs; the execution role is what grants it.
If your function needs more permissions, such as access to Amazon DynamoDB, add the corresponding policy to the role.
When AWS executes the Lambda function, it assumes an IAM role. The execution role (Execution role) setting allows you:
- to create a new role (first option of the list): the name of the new role is prefixed with the function name and it has the basic Lambda permissions;
- to use an existing role (second option of the list): roles are created in the IAM service;
- to create a role from a policy template (third option of the list): you choose the role name and one or more policy templates.
In any case, the role should have permission to upload logs to Amazon CloudWatch Logs.
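Here is the kind of least-privilege policy that gives the execution role only the CloudWatch Logs permissions described above. It is an added example, not a policy taken from the article or generated by the console; REGION, ACCOUNT_ID and FUNCTION_NAME are placeholders to replace with your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateLogGroup",
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:*"
    },
    {
      "Sid": "AllowWriteToOwnLogGroupOnly",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/FUNCTION_NAME:*"
    }
  ]
}
```

The second statement is scoped to this function's own log group, so the role cannot write into other functions' logs; a function that also needs DynamoDB would get one more statement scoped to the table's ARN rather than a broad managed policy.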
Create a function by using a blueprint
First, use the filter box to find the most appropriate sample code. You can filter by language, name or keyword.
Then configure it for your specific usage.
Create a function by using an application from a repository
In the AWS Serverless Application Repository, you can find:
- public applications: they can be used by anyone with an AWS account;
- private applications: they can be used only by the specific AWS accounts defined by the publisher.
Once you have found an application, and before deploying it, check the roles and resource policies defined by its publisher.
Managing the Lambda function
In case of emergency, you can throttle all new invocations of a function by pressing the Throttle button.
To run different versions of your code, you can use versioning.
To publish a new version, click on the Actions button, then select Publish new version. You can then filter the versions through the Qualifiers button.
To simplify deployment, you can create aliases by clicking on the Actions button, then selecting Create alias. An alias points to a specific version, so when you update the function you don't have to change the version at every place where the function is used: you only change the version the alias points to. You can then filter the aliases through the Qualifiers button.
Of course, you can also delete a function or export it (Actions button).
By clicking on the Test button, you can test a function by simulating:
- an AWS event, selected from a list,
- a custom event, whose JSON data you specify.
Configuration of the Lambda function
The Lambda function is configured in the Configuration tab.
The Designer allows you to define the workflow. It is based on blocks (i.e. the Lambda function and each resource used by the function) and triggers.
Triggers include:
- API Gateway,
- AWS IoT,
- Alexa Skills Kit,
- Alexa Smart Home,
- Application Load Balancer,
- CloudWatch Events,
- CloudWatch Logs,
- Cognito Sync Trigger,
Configuration of the Lambda function block
When you click on the Lambda function block, several frames related to this block are displayed:
- the function code,
- the environment variables,
- the tags,
- the execution role,
- the basic settings,
- the network,
- the debugging (with AWS X-Ray),
- the error handling,
- the concurrency,
- the auditing and compliance,
- the monitoring,
- the layers.
The function code
First, specify the language of the Lambda function (Runtime).
Then provide the function code in one of three ways:
- the inline code editor,
- Amazon S3: the Lambda function is stored as a .zip file in a bucket,
- locally: the Lambda function is stored locally and uploaded as a .zip file.
The deployment package size is limited to:
- 50 MB (zipped);
- 250 MB (unzipped, including layers);
- 3 MB (in the inline code editor).
The code is stored in S3, so it is encrypted at rest.
Specify the handler. The handler name refers to the method in the code where execution begins. It has the format index.handler: index is the file name (index.js) and handler is the method called in this file.
You can automate the release process using CodePipeline and CodeDeploy.
The environment variables
To store configuration settings, you can define environment variables.
Sensitive environment variables should be encrypted:
- in transit: use KMS by checking the checkbox Enable helpers for encryption in transit,
- at rest: use the default Lambda key ((default) aws/lambda) or your own KMS key (Use a customer master key).
The environment variables are limited globally to 4 KB.
To filter your functions, it is a best practice to use tags. Tags are case-sensitive.
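The following index.js shows the index.handler format and environment-variable configuration described in the two sections above. It is an added example, not code from the article; TABLE_NAME, MAX_ITEMS and the event fields userId and action are assumed names for this illustration:

```javascript
// index.js: constructed example of a Node.js Lambda handler (not code from the article).
// With Handler set to "index.handler", Lambda loads index.js and calls the exported handler.

// Configuration is read from environment variables set in the console, never hard-coded.
// TABLE_NAME and MAX_ITEMS are assumed variable names for this example.
function loadConfig(env = process.env) {
  const tableName = env.TABLE_NAME;
  if (!tableName) {
    throw new Error('Missing required environment variable TABLE_NAME');
  }
  const parsed = Number.parseInt(env.MAX_ITEMS || '10', 10);
  const maxItems = Number.isNaN(parsed) || parsed < 1 ? 10 : parsed;
  return { tableName, maxItems };
}

// Validate the event before doing any work: a trigger such as API Gateway or a custom
// test event is untrusted input and must not drive arbitrary behaviour.
function parseEvent(event) {
  if (!event || typeof event !== 'object') {
    throw new Error('Event must be a JSON object');
  }
  const { userId, action } = event;
  if (typeof userId !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(userId)) {
    throw new Error('Invalid userId');
  }
  if (!['read', 'list'].includes(action)) {
    throw new Error(`Unsupported action: ${String(action)}`);
  }
  return { userId, action };
}

// Entry point named in the Handler field. Returning normally reports success; throwing
// reports a failure, which Lambda retries for asynchronous invocations before sending
// the payload to the DLQ (SNS topic or SQS queue) configured in the console.
async function handler(event, context = {}) {
  const config = loadConfig();
  const { userId, action } = parseEvent(event);
  // One structured log line per invocation; it reaches CloudWatch Logs through the
  // logs:* permissions of the execution role.
  console.log(JSON.stringify({ requestId: context.awsRequestId, userId, action, table: config.tableName }));
  return { statusCode: 200, body: JSON.stringify({ userId, action, maxItems: config.maxItems }) };
}

// Export for Lambda (CommonJS); guarded so the file also loads in a plain script context.
if (typeof module !== 'undefined') {
  module.exports = { handler, loadConfig, parseEvent };
}
```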
The execution role
You can use an existing role or create a new role from AWS policy templates specifically for this Lambda function.
If you want to reuse this role with another Lambda function, you have to modify it through the IAM console.
You can specify a description.
You can specify the amount of memory allocated to the Lambda function. By default, a Lambda function has 128 MB of memory. You can increase it up to 3008 MB, but this has a cost. AWS allocates CPU power proportionally to the allocated memory.
By default, a Lambda function has a timeout of 3 seconds: it is terminated when the timeout expires. You can change this duration, but it has an impact on the cost. The maximum is 15 minutes (900 seconds).
By default, Lambda functions run in a default VPC (choose No VPC in the Virtual Private Cloud (VPC) list). But if the function needs to access resources in a specific VPC (e.g. a database), run it in that VPC (choose it in the Virtual Private Cloud (VPC) list).
When using a VPC, you need to specify one or more subnets and a security group in that VPC.
In such a case, the execution role must have permissions to configure VPC networking.
To debug the Lambda function, activate the AWS X-Ray service.
X-Ray collects metadata from the Lambda service and from upstream and downstream services, and traces and monitors your Lambda function.
Lambda automatically retries failed executions for asynchronous invocations. Once the maximum number of retries is exceeded, you can forward the payload to an SNS topic or an SQS queue, which then acts as a DLQ (dead-letter queue).
Lambda functions have a concurrency limit: the number of instances serving requests at a given time.
Lambda scales the number of concurrently executing functions up to this limit. By default, the limit is 1000, but it can be changed (Reserve concurrency button) or deactivated (Use unreserved account concurrency).
Auditing and compliance
For auditing purposes or compliance constraints, you may have to log the function's invocations. This is done by AWS CloudTrail: API calls are captured and log files are stored in an S3 bucket.
Layers allow you to separate some code or content (e.g. a library) into a .zip file. Your Lambda function then uses this layer as a dependency. Layers are versioned.
When you create a layer, you have to specify the following information:
- a name (Name),
- a description (Description),
- the code (Code entry type): you can upload it as a .zip file or store it in Amazon S3,
- the language (Compatible runtimes),
- the license (License): you can use an SPDX license identifier (MIT), a URL to a license (https://opensource.org/licenses/MIT) or the full text of the license.
When you select a layer, AWS filters on the matching runtimes. To use a layer built for another runtime, you can reference it by ARN: AWS won't block it.
The number of layers is limited to 5.
Configuration of the Amazon CloudWatch Logs block
This block summarizes the permissions that the execution role grants to the Lambda function.
Monitoring a Lambda function
To monitor a Lambda function, AWS provides three services:
- Amazon CloudWatch, which reports metrics on behalf of the function (total requests, latency, error rates, function duration);
- CloudWatch Logs (View logs in CloudWatch button), which records the requests handled by the function as well as your own custom logging statements;
- AWS X-Ray (View traces in X-Ray button), to detect, analyze and optimize performance issues (performance bottlenecks, latency spikes).
The graphs are displayed in the Monitoring tab.
You can find, for example:
- the number of requests,
- the latency per request,
- the number of requests in error.
The pricing of a Lambda function is based on:
- the number of requests: the first 1 million requests are free; after that, the cost is $0.20 per million;
- the execution duration: it depends on the amount of memory allocated to the Lambda function.
Some tips to prepare the certification
When you invoke a Lambda function (on-demand invocation), you can choose to invoke it synchronously or asynchronously.
To offer the lowest network latency to your end users, you can use Lambda@Edge by setting CloudFront as trigger.
Functions can trigger other functions.
If a Lambda function needs to access an external endpoint, create a NAT in the VPC to forward this traffic and configure your security group to allow the outbound traffic.
About event sources:
- for non-stream-based event sources, each published event is run in parallel, up to the account limit;
- for stream-based event sources, the concurrency matches the number of shards.
The downstream resources are AWS services called by a Lambda function.
The ephemeral disk capacity (in the /tmp space) is limited to 512 MB per invocation.
Now you know the parameters used to create and manage Lambda functions. Don't hesitate to read my Labs and Cheatsheets about Lambda functions and other AWS services; they will be useful to practice AWS or to prepare for the AWS certifications.
More on my blog http://www.DevOpsTestLab.com
My LinkedIn profile: https://fr.linkedin.com/in/brunodelb