Well Architected Principles
Applying AWS Well-Architected Framework Principles to Microservices and Serverless Architectures
AWS Well-Architected Serverless Applications Lens
The AWS Well-Architected Framework includes six pillars with best practices and questions for architecting cloud solutions. This section highlights best practices most relevant to serverless and microservice architectures.
Specialized Resource: AWS provides a Serverless Applications Lens for the Well-Architected Framework covering common serverless scenarios and identifying key elements for best-practice architecture.
Best Practice Approach: Failure Management
Dead-Letter Queue Mechanism
Serverless applications often use asynchronous calls in event-driven patterns. When these calls fail, they should be captured and retried to prevent data loss and degraded customer experience.
Implementation Examples:
- AWS Lambda: Send failed transactions to dedicated Amazon SQS dead-letter queue per function
- Amazon Kinesis Data Streams: Retry entire batch of items for failed processing
- Amazon DynamoDB Streams: Handle shard blocking from repeated errors
- Poison-Pill Messages: Configure Lambda controls to remove problematic messages and send metadata to SQS dead-letter queue
Transaction Rollback
For synchronous, transaction-based operations requiring guarantees:
- AWS Step Functions: Use state machines to decouple and simplify application logic
- Error Handling: Built-in rollback capabilities for failed transactions
- State Management: Maintain application state during rollback processes
Best Practice Approach: Identity and Access Management
API Access Control
APIs are frequent attack targets because of the operations they expose and the valuable data they give access to:
Authentication and Authorization Mechanisms:
- Amazon Cognito User Pools: User authentication and authorization
- API Gateway Lambda Authorizer: Custom authorization logic
- API Gateway Resource Policies: Fine-grained access control
- Implementation Importance: Understand and properly implement authorization mechanisms
Application Security Boundaries
AWS Lambda Security:
- Least Privileged Access: Only allow permissions needed for specific operations
- Role Minimization: Avoid attaching roles with excessive permissions
- Function Scope: Smaller functions performing scoped activities contribute to better architecture
- Security Context: Proper security boundaries prevent system abuse
Services: AWS Lambda, Amazon Cognito, and API Gateway support these security best practices.
Best Practice Approach: Data Protection
Encryption Requirements
Protect sensitive data at all times across all layers:
Data in Transit and at Rest:
- Client-Side Encryption: Encrypt sensitive data before HTTP requests
- Header Protection: Encrypt headers containing sensitive data
- Lambda Processing: Encrypt sensitive data before processing or manipulation
- Storage Encryption: Use encryption at rest for DynamoDB, OpenSearch, S3
- Log Security: Prevent unencrypted sensitive data in standard output or CloudWatch Logs
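One way to keep sensitive values out of standard output and CloudWatch Logs is to redact them before the log record is formatted. This is an added example, not code from the original page; the list of sensitive key names and the card-number pattern are assumptions to adapt to the application's own data.

```python
import json
import logging
import re

# Assumed key names; extend to match the fields your events actually carry.
SENSITIVE_KEYS = {"password", "authorization", "token", "ssn", "card_number"}
CARD_LIKE = re.compile(r"\b\d{13,16}\b")  # crude: bare runs of 13 to 16 digits


def redact(value, key=""):
    """Return a copy of value that is safe to write to stdout or CloudWatch Logs."""
    if key.lower() in SENSITIVE_KEYS:
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: redact(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return CARD_LIKE.sub("[REDACTED]", value)
    return value


class RedactingFilter(logging.Filter):
    """Redacts the log message itself; pass payloads as the message, not as args."""

    def filter(self, record):
        if isinstance(record.msg, dict):
            record.msg = json.dumps(redact(record.msg), sort_keys=True)
        elif isinstance(record.msg, str):
            record.msg = CARD_LIKE.sub("[REDACTED]", record.msg)
        return True  # never drop the record, only clean it


logger = logging.getLogger("orders")  # hypothetical logger name
logger.addFilter(RedactingFilter())
```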
Application Security Implementation
Validation and Sanitization:
- Input Validation: Validate and sanitize inbound events
- Security Reviews: Perform security code reviews as for non-serverless applications
- API Gateway Validation: Set up basic request validation against JSON-schema models
- Deep Validation: Implement application-specific validation in Lambda functions, libraries, or services
- Required Parameters: Validate URL, query string, and header parameters
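The deep-validation step that runs inside the function, after API Gateway's basic schema check, can look like the following. This is an added example, not code from the original page: the order API, the orderId format, the quantity range, and the size limit are assumptions; the event keys (headers, queryStringParameters, body) are those of an API Gateway proxy integration.

```python
import json
import re

ORDER_ID = re.compile(r"[A-Z0-9]{8}")  # assumed order id format
MAX_BODY_BYTES = 4096                  # assumed size limit


def validate_event(event):
    """Return (clean_data, errors) for an API Gateway proxy-integration event."""
    errors = []
    # API Gateway sends null (None) when no headers or query string are present.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    query = event.get("queryStringParameters") or {}

    if "application/json" not in headers.get("content-type", ""):
        errors.append("content-type must be application/json")
    order_id = query.get("orderId", "")
    if not ORDER_ID.fullmatch(order_id):  # fullmatch also rejects trailing newlines
        errors.append("orderId must be 8 upper-case letters or digits")

    raw = event.get("body") or ""
    body = {}
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        errors.append("body too large")
    else:
        try:
            body = json.loads(raw)
        except ValueError:
            errors.append("body is not valid JSON")
    if not isinstance(body, dict):
        errors.append("body must be a JSON object")
        body = {}
    quantity = body.get("quantity")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int) or not 1 <= quantity <= 100:
        errors.append("quantity must be an integer from 1 to 100")
    return {"orderId": order_id, "quantity": quantity}, errors


def handler(event, context):
    data, errors = validate_event(event)
    if errors:
        # Report what failed, never echo the rejected input back.
        return {"statusCode": 400, "body": json.dumps({"errors": errors})}
    return {"statusCode": 200, "body": json.dumps(data)}
```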
Best Practice Approach: Selection
Performance Optimization
Serverless components scale at different rates, requiring performance testing and optimization:
Testing and Tuning:
- Performance Tests: Run tests using steady and burst rates
- Capacity Tuning: Adjust capacity units and provisioning models
- Load Testing: Test after changes to determine optimal configuration
Service-Specific Optimization:
- Amazon API Gateway:
  - Use edge endpoints for geographically dispersed customers
  - Use regional endpoints for regional customers and same-region AWS services
- AWS Lambda: Test different memory settings (CPU, network, storage IOPS allocated proportionally)
- AWS Step Functions: Test Standard vs Express Workflows, evaluate execution start rates and state transition rates
Performance: Different memory settings in Lambda affect CPU, network, and storage performance proportionally.
Best Practice Approach: Cost-Effective Resources
Application Cost Optimization
Serverless architectures simplify resource allocation management through pay-per-value pricing and demand-based scaling:
Cost Efficiency Benefits:
- Reduced Capacity Planning: Automatic scaling reduces planning effort
- Granular Billing: Pay only for actual usage
- Resource Efficiency: No idle resource costs
Lambda Cost Optimization:
- Memory Allocation: CPU, network, and storage IOPS allocated proportionally to memory
- Faster Initiation: Better performance leads to lower costs due to 1-millisecond billing increments
- Value Production: Optimized functions produce more value per dollar spent
Best Practice Approach: Optimizing Over Time
Direct AWS Service Integrations
Many AWS services can integrate directly without requiring Lambda functions as intermediaries:
Integration Services:
- Amazon EventBridge: Direct service integrations
- Amazon API Gateway: Native AWS service connections
- AWS Step Functions: Direct service invocations
- AWS Lambda Destinations: Route function results directly to other services
Cost-Effective Architecture Example
Inefficient Pattern: Client → API Gateway → Lambda Function → Amazon Kinesis Data Firehose → Amazon S3
Optimized Pattern: Client → Amazon Kinesis Data Firehose → Amazon S3
Benefits:
- Eliminates API Gateway and Lambda costs
- Reduces latency and complexity
- Maintains same functionality with fewer components
Key Takeaways
Applying AWS Well-Architected Framework principles to serverless architectures involves:
- Failure Management: Use dead-letter queues and transaction rollback mechanisms
- Security: Control API and application access with proper authentication and authorization
- Data Protection: Encrypt data in transit and at rest, implement comprehensive validation
- Performance: Optimize serverless application performance through testing and configuration
- Cost Optimization: Leverage pay-per-value pricing and optimize resource allocation
- Continuous Improvement: Use direct AWS service integrations where available to reduce complexity and cost
These practices ensure serverless and microservice architectures are secure, reliable, performant, and cost-effective while maintaining the flexibility and scalability benefits of serverless computing.