Lambda


Overview

What is Lambda?

Lambda = CODE + CONFIG

What you can configure

  • Memory size

  • Timeout

Limitations

  • limited by time (< 15 min)

  • limited per region: 1000 functions / region by default, but you can extend this by creating a support ticket.

  • Memory < 10 GB

  • GPU is not supported

  • Stateful workloads are not supported

New AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. So it's still best to request a quota increase if you need more than 1000 concurrency and

Features

Lambda - Function URLs

  • A function URL is a dedicated HTTP(S) endpoint for a Lambda function. Once you create a function URL, its URL endpoint never changes. Function URLs are dual-stack enabled, supporting IPv4 and IPv6.

  • Accessed over the Internet. AWS PrivateLink is not supported.

https://<url-id>.lambda-url.<region>.on.aws

Lambda - Function Alias

  • A Lambda alias is a pointer to a function version that you can update. Each alias has a unique ARN. An alias can point only to a function version, not to another alias.

-> That means a Lambda function alias can only point to an unqualified function ARN

Lambda - Destination

A destination can be an SNS topic, a Lambda function, an SQS queue, or an EventBridge event bus.

Conditions: on failure and on success.

Dead Letter Queue

Invocation models

  • A pattern that determines how your function is triggered and how it handles incoming events.

  • 3 ways to invoke: synchronous, asynchronous, poll-based

  • Synchronous

    • Definition: request -> (waiting) <- response

    • Error/retry behavior: none

    • Services: ELB (ALB), Cognito, Lex, Alexa, API Gateway, CloudFront, Kinesis, Step Functions

  • Asynchronous

    • Definition: the request is placed in a queue; no waiting for a response.

    • Error/retry behavior: built-in 2x retry

    • Services: S3, SNS & SQS, SES, CloudFormation, CloudWatch Logs, EventBridge, CodeCommit, AWS Config, IoT Events

  • Poll-based

    • Definition: Lambda manages the poller on your behalf, retrieves any matching events and performs synchronous invokes.

    • Error/retry behavior: retry based on data expiration

    • Services: Kinesis, SQS, DynamoDB Streams

Execution environment

  • An isolated runtime environment that Lambda executes your function in.

  • The environment is shared between the function and its extensions, including: permissions, resources, credentials, and environment variables.

  • properties

    • isolated

    • secure

    • provide life cycle support

    • provide external extensions associated with your function.

Lifecycle

  • 3 phases

  • Cold & warm starts

    • Cold start: creates a new execution environment

    • Warm start: retains the environment, which saves time

Storage option

Security

Permissions

  • Requires 2 different IAM policies

  • Comparison of the 2 types

  • Resource-based policy

    • when: added when a trigger is added

    • how: associated with a push event

    • what: allows the event source to take the lambda:InvokeFunction action

    • limit/note: policy size limit

  • Execution role

    • when: created when you create a Lambda function

    • how: IAM policy (includes the actions you can take on the resource) + trust policy (allows Lambda to AssumeRole)

    • limit/note: the creator must have permission for iam:PassRole
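The two policy kinds from the comparison above, written out as an added example (not AWS's or the note author's code): the execution role's trust policy, a builder for one resource-based statement that lets an event source call lambda:InvokeFunction, and a check that flags service grants missing the aws:SourceArn / aws:SourceAccount condition. The function ARN comes from the Concepts section below; the bucket name and Sids are constructed.

```python
# Trust policy on the execution role: lets the Lambda service assume the role
# (sts:AssumeRole). Whoever creates the function also needs iam:PassRole on it.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:*", "*"}

def invoke_permission(sid, service, function_arn, source_arn, source_account):
    """One resource-based policy statement letting an event source (a service
    principal) call lambda:InvokeFunction, pinned to a single source resource."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": source_arn},
            "StringEquals": {"aws:SourceAccount": source_account},
        },
    }

def unscoped_service_grants(policy):
    """Sids of Allow statements that let a service principal invoke the function
    with no aws:SourceArn / aws:SourceAccount condition. Without one, any resource
    of that service in any account could trigger the function (confused deputy)."""
    flagged = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in INVOKE_ACTIONS for a in actions):
            continue
        # Condition keys are case-insensitive; flatten every operator block.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged
```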

Lambda function

  • When a function is invoked, Lambda calls the handler.

  • The handler method takes 2 objects (an event object and an optional context object)

    • Event object: is used to pass in data to the function from the trigger (data from an S3 event, an API Gateway request, a DynamoDB stream record, etc)

    • Context object: is passed to your function by Lambda at runtime. Doesn't contain information about the event itself but about the environment in which the Lambda function is running. It includes metadata such as the function name, the memory limit, the function version, and importantly, the awsRequestId.

Best practice

  • initialize the SDK clients and database connections outside of the function handler.

  • Minimize cold start times

    • understand the latency requirements --> optimize for peak performance

    • using provisioned concurrency

  • Take advantage of warm starts

    • Store and reference dependencies locally

    • Limit re-init of variables

    • Add code to reuse existing connections

    • Use tmp space as transient cache

    • Check that background processes have completed.

  • Use AWS SAM to help manage the policies.

  1. Separate business logic: portable, and unit tests can target it without worrying about the configuration

  2. Write modular functions: reduces the time it takes for the package to be downloaded and unpacked before invocation. This is the same principle as developing microservices.

  3. Treat functions as stateless. If you want to store state data, consider:

  • DynamoDB

  • ElastiCache

  • S3

  4. Only include what you need
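A handler that follows the notes above, as an added example (not AWS's or the note author's code): clients would be initialised outside the handler, /tmp is used as a transient cache that is checked rather than trusted, the request id is read from the context object, and the return value has the API Gateway proxy shape. fetch_item is an assumed stand-in for a database read, and the cache directory name is constructed.

```python
import json
import os
import time

# Initialised once per execution environment, outside the handler, so warm starts
# reuse it; a real function creates its SDK clients and DB connections here.
CACHE_DIR = "/tmp/lambda-notes-cache"  # /tmp survives only warm invocations
CACHE_TTL_SECONDS = 60
os.makedirs(CACHE_DIR, exist_ok=True)

def cache_path(key: str) -> str:
    # Reduce the key to a safe file name so event data cannot escape CACHE_DIR.
    safe = "".join(c if c.isalnum() or c in "-_" else "_" for c in key)
    return os.path.join(CACHE_DIR, safe + ".json")

def fetch_item(key: str) -> dict:
    # Constructed stand-in for a DynamoDB/RDS read (assumed helper, not an AWS API).
    return {"id": key, "fetched_at": int(time.time())}

def load_item(key: str, fetch=fetch_item):
    """Return (value, cache_hit). Never assume /tmp still holds the data: a cold
    start gets a fresh environment, so check the cache before trusting it."""
    path = cache_path(key)
    if os.path.exists(path) and time.time() - os.path.getmtime(path) < CACHE_TTL_SECONDS:
        with open(path) as f:
            return json.load(f), True
    value = fetch(key)
    with open(path, "w") as f:
        json.dump(value, f)
    return value, False

def handler(event, context):
    """Entry point: event carries the trigger's data (an API Gateway proxy request
    here); context carries runtime metadata such as the request id."""
    key = (event.get("queryStringParameters") or {}).get("id", "default")
    value, hit = load_item(key)
    # Proxy-integration shape: statusCode plus a JSON *string* body. Anything
    # else makes API Gateway answer 502 "Malformed Lambda proxy response".
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({
            "item": value,
            "cache_hit": hit,
            # Python runtime attribute names (awsRequestId in Node.js)
            "requestId": getattr(context, "aws_request_id", None),
            "function": getattr(context, "function_name", None),
        }),
    }
```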

Troubleshooting

  • X-Amz-Function-Error: a response header that carries the error response even though the status code is 200. 400- and 500-series status codes are reserved for invocation errors.

  • Method completed with status: 502: Lambda responded in the wrong JSON format.

Lambda: Logs or traces don't appear

To enable logs and traces (X-Ray), attach the following to the execution role

  • AWSLambdaBasicExecutionRole

  • AWSXRayDaemonWriteAccess

It may take 5 to 10 minutes for logs to show up after a function invocation.

Trivia

  • Lambda supports custom runtimes.

  • Do not assume Lambda will reuse the execution environment; it may create a new one.

  • The /tmp directory is the recommended location for storing temporary files within an AWS Lambda function. Data in /tmp persists across invocations in the same execution environment -> you can add extra code to check whether the cache already has the data you stored.

  • AWS Lambda functions provide each execution environment with 512 MB of ephemeral disk space for the /tmp directory.

  • You can configure the amount of memory allocated to Lambda function from 128MB to 10240MB.

  • Lambda scales faster than EC2 Auto Scaling, Elastic Beanstalk, or EC2 due to its lightweight nature. It can handle bursts of traffic within seconds.

  • If a function is CPU-, network- or memory-bound, then changing the memory setting can dramatically improve its performance.

  • You use the Lambda execution role to grant Lambda permission to AWS resources. The resource-based policy allows other services to invoke the Lambda function.

  • To ensure sufficient capacity for running multiple Lambda functions simultaneously, it's recommended to set the reserved concurrency.

  • If you want your Lambda function to interact with resources (e.g., an RDS database or EC2 instance) inside a private subnet, the proper way is to configure your function to connect to a VPC.

  • Lambda inside a VPC needs AWSLambdaVPCAccessExecutionRole

    • Specify the VPC where your private resources are located

    • Choose the subnets where the ENIs are deployed and a security group that controls the traffic between your Lambda function and the VPC

    • Once connected, your Lambda function loses internet access. Create a NAT gateway if you want Internet access.

    • When your Lambda function and your resource share the same SG, allow both inbound and outbound traffic for that SG to reach the private resource. When they are in different SGs, make sure to allow outbound traffic for the Lambda SG and inbound traffic for the resource's SG. Refer to this.

Concepts

  • Function: a resource you can invoke to run your code in Lambda.

  • Unqualified function ARN: does not include the version identifier at the end of the ARN. A qualified function ARN includes the version.

    For example:

    1. Unqualified function ARN:

      arn:aws:lambda:us-west-2:123456789012:function:my-function

    2. Qualified function ARN (includes version):

      arn:aws:lambda:us-west-2:123456789012:function:my-function:1

  • Concurrency: the number of instances serving requests simultaneously. Burst capacity ranges from 500 - 3000 instances, varying by region.
