AWS Lambda Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(30 intermediate revisions by the same user not shown)
Line 6: Line 6:


AWS Lambda executes function code securely within an anonymous VPC by default. The function can be configured to securely access resources within a specific VPC, as described in the [[#Relationship_to_a_VPC|Relationship with a VPC]] section.
AWS Lambda executes function code securely within an anonymous VPC by default. The function can be configured to securely access resources within a specific VPC, as described in the [[#Relationship_to_a_VPC|Relationship with a VPC]] section.
=Lambda as AWS Service=
AWS Lambda is an [[Amazon_AWS_Concepts#AWS_Service|AWS service]], named "lambda.amazonaws.com".


=Function Name=
=Function Name=
Line 21: Line 25:
==Handler Code==
==Handler Code==


The handler is the function AWS Lambda calls to start execution of the [[#Function_Code|function code]]. The handler is identified when the lambda function is created. When a Lambda function is invoked, AWS Lambda starts executing your code by calling the handler function. AWS Lambda passes any event data to this handler as the first parameter. Your handler should process the incoming event data and may invoke any other functions/methods in your code.
The handler is the client function AWS Lambda calls to start execution of the [[#Function_Code|function code]]. The handler is identified when the lambda function is created. When a Lambda function is invoked, AWS Lambda starts executing the code by calling the handler function. AWS Lambda passes any event data to this handler as the first parameter. The handler should process the incoming event data and may invoke any other functions/methods in your code. The format in which the handler is declared includes the filename and can also include namespaces and other qualifiers, depending on the runtime. Update requires no interruption
 
Java handler function example: <code>playground.amazon.lambda.AJavaLambda::handleRequest</code>


=Runtime=
=Runtime=
Line 30: Line 36:


The '''runtime identifiers''' are available [https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html here]. Examples:
The '''runtime identifiers''' are available [https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html here]. Examples:
* java-1.8.0-openjdk
* java8: java-1.8.0-openjdk


==Runtime Interface==
==Runtime Interface==
Line 69: Line 75:


{{External|[https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html AWS Lambda Layers]}}
{{External|[https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html AWS Lambda Layers]}}
Function layers can be added to the function execution environment. Each layer can be specified by its ARN and version.


=Action=
=Action=
Line 86: Line 94:
=Relationship to a VPC=
=Relationship to a VPC=


{{External|https://docs.aws.amazon.com/lambda/latest/dg/vpc.html Configuring a Lambda Function to Access Resources in an Amazon VPC]}}
{{External|[https://docs.aws.amazon.com/lambda/latest/dg/vpc.html Configuring a Lambda Function to Access Resources in an Amazon VPC]}}
{{External|[https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-vpcconfig.html VpcConfig]}}
 
The function may want to connect to resources protected by a VPC, and for that, the function configuration allows configuring VPC connectivity, in form of [https://docs.aws.amazon.com/lambda/latest/dg/vpc.html VPC settings]. These include a list of subnets and security groups in the VPC. AWS Lambda uses the subnet information to set up [[Amazon_VPC_Concepts#Elastic_Network_Interface_.28ENI.29|elastic network interfaces (ENIs)]], <font color=darkgray>one for each subnet</font>, that enable the function to connect securely to other resources within the specified VPC. The security group IDs designate security groups that include resources to which your Lambda function requires access. The security group information is used to <font color=darkgray>... ?</font> When a function is connected to the VPC, it can only access resources and the internet through that VPC. The update requires no interruption.
 
When a VPC relationship is declared, <font color=darkgray>CloudFormation might not be able to delete the stack if another resource in the template, such as a security group, requires the attached ENI to be deleted before it can be deleted. It is recommended to run CloudFormation with the ec2:DescribeNetworkInterfaces permission, which enables CloudFormation to monitor the state of the ENI and to wait up to 40 minutes for Lambda to delete the ENI.</font>
 
==ENI Permissions==
If the function is configure to interact with a VPC, its [[#Role|execution role]] must have give it permissions to create, describe and delete ENIs, as such:
<syntaxhighlight lang='yaml'>
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: 'inline-policy'
          PolicyDocument:
            ...
            Statement:
              ...
              - Effect: 'Allow'
                Action:
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'ec2:DeleteNetworkInterface'
                Resource:
                  - '*'
</syntaxhighlight>
 
It is important to not delete this role immediately after the Lambda function execution. There is a delay between the time the Lambda function executes and ENI deletion. If the role is deleted immediately after function execution, the ENIs cannot be deleted automatically and you are becoming responsible for deleting the ENIs.
 
=Memory Configuration=
 
The amount of memory allocated to the function can be declared in the function configuration. Increasing the function's memory also increases its CPU allocation. The default value is 128 MB. The value must be a multiple of 64 MB.
 
=Role=
 
When the function is declared, it needs the ARN of its execution role. Example:
 
<syntaxhighlight lang='yaml'>
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: playground-lambda-execution-role
      Path: /service-role/
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: 'inline-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: 'Allow'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource:
                  - 'arn:aws:logs:*:*:*'
</syntaxhighlight>
 
If the function is configure to interact with a VPC, its execution role must have permissions to create, describe and delete ENIs, as described in the [[AWS_Lambda_Concepts#ENI_Permissions|ENI Permissions]] section.
 
=Timeout=
 
The amount of time that Lambda allows a function to run before terminating it. The default is 3 seconds. The maximum allowed value is 900 seconds.
 
=Concurrent Execution=
 
{{External|[https://docs.aws.amazon.com/lambda/latest/dg/concurrent-executions.html Managing Concurrency]}}
 
The function declaration allows specification of the maximum number of instances of the function that process events simultaneously, as "ReservedConcurrentExecutions". The option both sets the maximum concurrency for the function and reserves concurrency to ensure that it is available.
 
=Dead Letter=
 
{{External|[https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-deadletterconfig.html DeadLetterConfig]}}
 
=KMS Management Service Key=
 
The function encrypts environment variables, and uses a configurable key while doing so. The ARN of the key can be specified. If not provided, AWS Lambda uses a default service key.
 
=Tracing=


The function may want to connect to resources protected by a VPC, and for that, the function configuration allows configuring VPC connectivity, in form of [https://docs.aws.amazon.com/lambda/latest/dg/vpc.html VPC settings]. These include a list of security groups and subnets in the VPC. When a function is connected to the VPC, it can only access resources and the internet through that VPC. The update requires no interruption.
{{External|[https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-tracingconfig.html TracingConfig]}}


When a VPC relationship is declared, <font color=darkgray>CloudFormation might not be able to delete the stack if another resource in the template, such as a security group, requires the attached ENI to be deleted before it can be deleted. It is recommended to run CloudFormation with the ec2:DescribeNetworkInterfaces permission, which enables CloudFormation to monitor the state of the ENI and to wait up to 40 minutes for Lambda to delete the ENI.
The execution of a function can be traced with AWS X-Ray by setting the "TracingConfig" to "Active".

Latest revision as of 04:27, 8 April 2019

Internal

Overview

AWS Lambda executes function code securely within an anonymous VPC by default. The function can be configured to securely access resources within a specific VPC, as described in the Relationship with a VPC section.

Lambda as AWS Service

AWS Lambda is an AWS service, named "lambda.amazonaws.com".

Function Name

If no name is specified when the function is declared, a name will be generated. If a name is specified, no updates that require replacement of this function can be performed. The only updates that can be performed are those that require no or some interruption. To replace the function, a new name must be specified.

Code

AWS Lambda Function Code
Lambda Programming Model

It represents the code for the lambda function. The code for all runtimes can be specified by the location of the deployment package, as an S3 location. For Node.js and Python, the code can be specified in-line. The code specification is required. To update the code, the function requires no interruption. However, changes to a deployment package in Amazon S3 are not detected automatically. To update the function code, the object key can be changed, or use object versioning and change the version number in the template.

Function Code

Handler Code

The handler is the client function AWS Lambda calls to start execution of the function code. The handler is identified when the lambda function is created. When a Lambda function is invoked, AWS Lambda starts executing the code by calling the handler function. AWS Lambda passes any event data to this handler as the first parameter. The handler should process the incoming event data and may invoke any other functions/methods in your code. The format in which the handler is declared includes the filename and can also include namespaces and other qualifiers, depending on the runtime. Update requires no interruption

Java handler function example: playground.amazon.lambda.AJavaLambda::handleRequest

Runtime

AWS Lambda Runtimes

The runtime specifies the programming language for the function. A required configuration parameter. Requires no interruption on update. All runtimes share the execution environment, which provides additional libraries and environment variables that can be accessed from the function code. A runtime can support a single version of a language, multiple versions of a language, or multiple languages.

The runtime identifiers are available here. Examples:

  • java8: java-1.8.0-openjdk

Runtime Interface

AWS Lambda Runtime Interface

Custom Runtime

Custom AWS Lambda Runtimes

Custom runtimes can be implemented.

Execution Environment

Lambda Execution Environment and Available Libraries

When a function is invoked, AWS Lambda attempts to re-use the execution environment from a previous invocation, if one is available. This saves time preparing the execution environment, and allows to save resources like database connections and temporary files in the execution context. The execution environment is shared by all runtimes and provides additional libraries and environment variables that you can access from the function code.

The execution environment provides a runtime interface for getting invocation events and sending responses.

Execution Context

AWS Lambda Execution Context

The execution context is a temporary runtime environment that initializes any external dependencies of the Lambda function code, such as database connections or HTTP endpoints. Setting up the execution context is known as "bootstrapping", which is a process that takes some time and consequently introduces latency in the lambda function execution. After a Lambda function is executed, AWS Lambda maintains the execution context for some time - the context is "frozen" after the execution completes, and its thawed for reuse. This approach has the following implications:

  • Any declaration in the function code - outside the handler code - remains initialized. For example, if a function establishes a database connection, the original connection is used in subsequent invocations.
  • Each execution context provides 512MB of additional disk space in the /tmp directory. The directory content remains when the execution context is frozen, providing transient cache that can be sued for multiple invocations.
  • Background processes or callbacks initiated by the function that did not complete when the function ended resume if the execution context is reused.

However, reusing the execution context is an optimization, and it is not guaranteed. When you write your Lambda function code, do not assume that AWS Lambda automatically reuses the execution context for subsequent function invocations. Other factors may dictate a need for AWS Lambda to create a new execution context, which can lead to unexpected results, such as database connection failures.

Environment Variables

AWS Lambda Function Environment

Environment variables that are accessible from function code during execution can be listed in the function declaration. Updates require no interruption. For an example see Creating a Lambda Function with CloudFormation.

Layer

AWS Lambda Layers

Function layers can be added to the function execution environment. Each layer can be specified by its ARN and version.

Action

Actions

CreateFunction

Invoke

Invoke

The function-invoking action of the Lambda service.

It may serve as integration endpoint for Amazon API Gateway Lambda function integration.

Relationship to a VPC

Configuring a Lambda Function to Access Resources in an Amazon VPC
VpcConfig

The function may want to connect to resources protected by a VPC, and for that, the function configuration allows configuring VPC connectivity, in form of VPC settings. These include a list of subnets and security groups in the VPC. AWS Lambda uses the subnet information to set up elastic network interfaces (ENIs), one for each subnet, that enable the function to connect securely to other resources within the specified VPC. The security group IDs designate security groups that include resources to which your Lambda function requires access. The security group information is used to ... ? When a function is connected to the VPC, it can only access resources and the internet through that VPC. The update requires no interruption.

When a VPC relationship is declared, CloudFormation might not be able to delete the stack if another resource in the template, such as a security group, requires the attached ENI to be deleted before it can be deleted. It is recommended to run CloudFormation with the ec2:DescribeNetworkInterfaces permission, which enables CloudFormation to monitor the state of the ENI and to wait up to 40 minutes for Lambda to delete the ENI.

ENI Permissions

If the function is configure to interact with a VPC, its execution role must have give it permissions to create, describe and delete ENIs, as such:

Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: 'inline-policy'
          PolicyDocument:
            ...
            Statement:
              ... 
              - Effect: 'Allow'
                Action:
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'ec2:DeleteNetworkInterface'
                Resource:
                  - '*'

It is important to not delete this role immediately after the Lambda function execution. There is a delay between the time the Lambda function executes and ENI deletion. If the role is deleted immediately after function execution, the ENIs cannot be deleted automatically and you are becoming responsible for deleting the ENIs.

Memory Configuration

The amount of memory allocated to the function can be declared in the function configuration. Increasing the function's memory also increases its CPU allocation. The default value is 128 MB. The value must be a multiple of 64 MB.

Role

When the function is declared, it needs the ARN of its execution role. Example:

Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: playground-lambda-execution-role
      Path: /service-role/
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: 'inline-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: 'Allow'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource:
                  - 'arn:aws:logs:*:*:*'

If the function is configure to interact with a VPC, its execution role must have permissions to create, describe and delete ENIs, as described in the ENI Permissions section.

Timeout

The amount of time that Lambda allows a function to run before terminating it. The default is 3 seconds. The maximum allowed value is 900 seconds.

Concurrent Execution

Managing Concurrency

The function declaration allows specification of the maximum number of instances of the function that process events simultaneously, as "ReservedConcurrentExecutions". The option both sets the maximum concurrency for the function and reserves concurrency to ensure that it is available.

Dead Letter

DeadLetterConfig

KMS Management Service Key

The function encrypts environment variables, and uses a configurable key while doing so. The ARN of the key can be specified. If not provided, AWS Lambda uses a default service key.

Tracing

TracingConfig

The execution of a function can be traced with AWS X-Ray by setting the "TracingConfig" to "Active".