An NCC Group Publication SERVERLESS ARCHITECTURE: THE FUTURE OF CODE DEPLOYMENT IN THE CLOUD? By Dave Fenton, Paul Robinson and Simon Casey




What is Serverless Architecture?

A serverless architecture, also known as function-as-a-service (FaaS), is a method whereby software applications are hosted and ultimately deployed and executed by a third-party cloud provider.

With traditional source code deployment, a variety of manual techniques can be applied, such as installation, configuration, automated deployment pipelines and continuous integration tools, all of which require physical servers to be provisioned and maintained.

FaaS eliminates the need for on-premise infrastructure or complex cloud computing resources as well as the configuration and management of the hardware and server environments, enabling developers to focus entirely on the application itself.

Within a FaaS platform, cloud service providers offer compute runtimes, which allow for the execution of application logic but in turn store no data. At its most basic level, FaaS could be described as a way to deploy a piece of code when an action is executed, for example, an API gateway receiving an HTTPS request.

FaaS use cases are particularly suited to high volume transactions, even up to hundreds of times per second. There is considerable value in being able to isolate a piece of business logic to a function that can also scale as demand dictates.

FaaS can also be valuable for dynamic or low volume workloads, where if you only execute a function once a day or once a month, there is no need to pay for 24x7 physical server uptime.

Developers can utilise FaaS to deploy an individual function, action, or piece of business logic with a start time within milliseconds.

With the development of FaaS, there has never been a better time to be a developer. With the increasing versatility of cloud computing, rapidly deploying applications is not only simpler, but it can also be more cost-effective.


Scalability in Serverless Computing

Serverless computing offers the attractive potential of a platform in the cloud, for example, AWS Lambda and Azure Functions, whereby developers simply upload their source code and the platform executes it on their behalf at any scale, utilising flexible and versatile auto-scaling configuration. Auto-scaling is a cloud computing method whereby the amount of compute resource required in a server farm automatically changes, based on the number of active servers in the farm. This enables developers to focus on the application itself and not the infrastructure.

Serverless computing provides a programming model that is not simply elastic, in the sense that humans or scripts can add and remove resources as needed; the workload placed upon the code automatically drives the allocation and deallocation of resources. As modern applications increase in dynamics and complexity, the task of allocating Virtual Machines dynamically, monitoring services and responding to workload changes becomes increasingly onerous, requiring constant observation or bespoke scripts developed for individual applications. By providing auto-scaling, today’s FaaS offerings take a big step forward for cloud programming, offering a practically manageable and seemingly unlimited compute platform.

In certain applications, each function invocation is an independent task and never needs to communicate with other functions.

AWS Lambda can be configured to perform a wider variety of such “map” functions, including some simple linear algebra workloads. Such applications can directly exploit Lambda’s auto-scaling features to scale up or down on demand, as independent requests never need to communicate with each other and require only small amounts of compute resource. It is important to note that not all programming languages are flexible enough to support scalable serverless functions, the core supported languages being: Java, Go, PowerShell, Node.js, C#, Python and Ruby.


Cost of Serverless Computing

A major advantage of serverless computing is the overall reduction in cost. Overheads are greatly reduced, as there is no need to provision and maintain servers running 24x7.

The pricing model of serverless computing is execution based, meaning that developers are charged only for the number of executions and not the running costs of the infrastructure. A certain number of seconds (typically milliseconds) of use are allotted based on the amount of memory required to execute the code. This pricing model is suited to functions that require a shorter execution with a typical peak time of around 300 milliseconds for most cloud vendors. This is very much a flexible pay-as-you-go approach, meaning that developers only pay for the services they use.

For example, AWS Lambda counts a request each time it starts executing in response to an event notification or invoke call, including test invokes from the console. Duration is calculated from the time the code begins executing until it returns or otherwise terminates, rounded up to the nearest 100 milliseconds. Azure Functions adopts a similar pricing model. Both AWS and Microsoft charge additionally for the combination of allocated memory and the elapsed time of function execution.

As the amount of allocated memory can be configured between 128MB and 1.5GB, the cost per execution will vary. The cost per 100 milliseconds of the execution time for the highest level of specification will be around 12 times more expensive than that of the basic level 128MB option.

Despite the clear cost savings that can be achieved with a serverless compute stack, there are still a few areas that developers may need to be mindful of. Certain workloads require substantial compute resources, making the serverless model less cost-effective. The total cost of running a solution via a serverless stack should be calculated up-front using the pricing calculator provided by the cloud provider.

Building solutions based on small and focused units of business logic that can be delivered quickly and cost-effectively to the market, whilst also being fully scalable offers a massive competitive advantage in the marketplace. FaaS truly has the potential to bring disruption to traditional cloud deployment models.


Performance and Availability in Serverless Computing

The performance and availability of manual deployment relies heavily on the user ensuring that physical servers are scaled correctly, updates are provisioned, security patches are applied and the entire infrastructure is constantly monitored. Serverless architecture removes this often significant resource, allowing developers to focus on the creation of the application and leave the performance and availability to the chosen Serverless vendor.

AWS Lambda handles all of the scalability and flexibility of the infrastructure and by being able to integrate with other Amazon services, performance and availability can be monitored.

AWS Lambda does not have its own code languages, tools or frameworks to learn. This gives developers the ability to upload their existing source code base and supporting third-party library files with ease. Source code can either be uploaded in a .zip archive format or developers can design it within the Integrated Development Environment. Furthermore, a selection of function samples is provided to help with the performance of an application, for example, image conversion, file compression and change notifications.

Concerning availability, AWS Lambda covers all regions available in Amazon Web Services except for Osaka (Asia Pacific). Although redundancy is short-lived, it can still happen. AWS Lambda allows developers to configure individual functions and set performance tuning by way of memory use (MB) and timeouts (min/sec). This helps make functions run more efficiently, especially with larger functions such as data analysis, transformation and long-running functions.

The Service Level Agreement (SLA) is specific to each customer account from which AWS states to make Lambda available with a Monthly Uptime Percentage of at least 99.95% per region. Service Credits are given to customers where Lambda does not meet this SLA.

Microsoft Azure Functions provides powerful and practical integrations and functions. Visual Studio Team Services, GitHub and Bitbucket can be integrated, making it possible to set up a continuous integration process with a current source code base.


Azure Functions provides developers with the end-to-end development experience, allowing them to test the performance and debugging locally, before deploying. For example, developers can create tests outside of Azure Functions, within Visual Studio and Visual Studio Code using extensions and templates locally, before uploading.

Azure Functions supports applications that have been written in Microsoft’s native code languages (C# and F#) within a web functions editor; alternatively, a Bash, Batch or PowerShell script can be uploaded. Azure Functions also supports functions written in JavaScript and Python. Code can be uploaded via the Azure Functions extension in Visual Studio. Once installed, this extension will show the user a list of all the function subscriptions available and enables them to create new functions within Visual Studio. Alternatively, the function itself can be uploaded to Azure via a .zip format and bash script.

Data can be stored quickly and easily using Azure Cosmos DB and direct triggers and input/output bindings. Using Cosmos DB alongside Azure Functions allows developers to create and deploy applications with integrated databases. With Cosmos DB being an elastic multi-model service, developers can work their data with other services such as SQL, MongoDB API, Azure Table API and Cassandra API as per their requirements.

Redundancy and timeouts are dictated by the chosen hosting plan, which in turn affect the scalability of applications, resource availability and supported features. The Azure Functions Consumption and Premium plans both include the scalability of the compute power according to when the instances require it. The Premium plan also allows developers to keep the instance constantly “warm”, meaning redundancy and timeouts are minimal, if not non-existent.

Similarly to AWS Lambda, Microsoft Azure SLAs guarantee users that their functions will run 99.95% of the time after a trigger is successfully fired.


Monitoring Serverless Architecture

Whilst serverless architecture or FaaS has clear benefits, developers can be in a situation whereby they are relinquishing a certain amount of control over the performance of their source code, once deployed. It can become difficult to see how the source code will actually perform and because developers lose visibility of back-end processes, it can make debugging more complicated. If the vendor’s cloud computing service gets hacked or becomes the victim of malicious activity, it could lead to significant damage, particularly for applications that manage personally identifiable and sensitive data.

Serverless architecture can also give rise to additional security concerns. Without the provision of a discrete physical server, vendors providing FaaS may utilise a single server to run source code for several customers in a multi-tenanted scenario; improper configuration could allow a user to access sensitive data of another end-user.

Given the fact that serverless providers charge for the period of time that the code is running, although this may sound attractive to certain developers for certain applications, it may in fact cost more to run an application with long-running processes in a serverless infrastructure compared to the traditional on-premise server.

There is also a possibility that performance may be affected in this case, because the serverless code may need to “boot up” as it’s not constantly being used and this start-up time can degrade performance.

These considerations mean that it’s more important than ever to have effective monitoring of the serverless architecture in place, to ensure developers are getting the most out of their vendor’s service and ensure their business is meeting their objectives.

AWS Lambda automatically monitors functions on a developer’s behalf, which allows the execution of source code to be monitored in real-time by tracking the number of requests, the execution duration per request and the number of requests that result in an error. These metrics are reported through Amazon CloudWatch and the metrics can be leveraged to set customised alarms alerting the developer, by publishing them on a monitoring page.


CloudWatch allows developers to obtain metrics and logs to monitor performance, track deployment processing, on-the-fly filtering or image processing and backups. DynamoDB provides a layer of triggers which can be activated to monitor performance operations which sit outside the real-time ecosystem. APIs can be utilised to assess that the resource configurations comply with the pre-defined rules.

AWS Lambda can also be used to monitor the performance of data processing and trigger events such as changes in data, shifts in system state and actions taken by developers. By using an AWS S3 Bucket, AWS Lambda can provide real-time file processing. For example, following an upload of data, AWS Lambda can instantly create thumbnail images, transcode videos, process logs and index files.

The potential for failed invocations should be considered, particularly relevant for any streaming event sources, such as AWS Kinesis or S3 notifications. If an invocation fails, it will be retried for as long as the event is retained, which could be several days, therefore ensuring costs are being monitored regularly is very important.
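The request, duration and error figures described above, together with cold starts and billed usage, can also be derived from a function's own log lines. The following is an added example and not part of the NCC Group paper: it assumes the REPORT and timeout line formats Lambda writes to CloudWatch Logs, runs on a constructed sample, and uses hypothetical alarm thresholds.

```python
import re

# Constructed sample of lines a Lambda function writes to CloudWatch Logs
# (request IDs, timestamps and timings are invented for this example).
SAMPLE_LOG = """\
REPORT RequestId: 0a000000-0000-4000-8000-000000000001\tDuration: 212.40 ms\tBilled Duration: 300 ms\tMemory Size: 128 MB\tMax Memory Used: 61 MB\tInit Duration: 340.12 ms
REPORT RequestId: 0a000000-0000-4000-8000-000000000002\tDuration: 88.10 ms\tBilled Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 61 MB
2019-06-01T10:00:07.015Z 0a000000-0000-4000-8000-000000000003 Task timed out after 3.00 seconds
REPORT RequestId: 0a000000-0000-4000-8000-000000000003\tDuration: 3000.00 ms\tBilled Duration: 3000 ms\tMemory Size: 128 MB\tMax Memory Used: 64 MB
REPORT RequestId: 0a000000-0000-4000-8000-000000000004\tDuration: 95.75 ms\tBilled Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 62 MB
REPORT RequestId: 0a000000-0000-4000-8000-000000000005\tDuration: 101.20 ms\tBilled Duration: 200 ms\tMemory Size: 128 MB\tMax Memory Used: 62 MB\tInit Duration: 310.00 ms
"""

REPORT_RE = re.compile(
    r"^REPORT RequestId: (?P<rid>\S+)\s+Duration: (?P<dur>[\d.]+) ms"
    r"\s+Billed Duration: (?P<billed>\d+) ms\s+Memory Size: (?P<mem>\d+) MB"
    r"\s+Max Memory Used: \d+ MB(?:\s+Init Duration: (?P<init>[\d.]+) ms)?"
)
TIMEOUT_RE = re.compile(r"^\S+\s+(?P<rid>\S+)\s+Task timed out after [\d.]+ seconds")


def summarise(log_text):
    """Derive request count, duration, errors, cold starts and billed usage."""
    durations, cold, billed_mb_ms, timed_out = [], 0, 0, set()
    for line in log_text.splitlines():
        report = REPORT_RE.match(line)
        if report:
            durations.append(float(report["dur"]))
            cold += report["init"] is not None  # Init Duration appears only on a cold start
            billed_mb_ms += int(report["billed"]) * int(report["mem"])
            continue
        timeout = TIMEOUT_RE.match(line)
        if timeout:
            timed_out.add(timeout["rid"])  # a timed-out request counts as one error
    n = len(durations)
    return {
        "invocations": n,
        "avg_duration_ms": sum(durations) / n if n else 0.0,
        "cold_starts": cold,
        "timeouts": len(timed_out),
        # Billing unit: allocated memory (GB) multiplied by billed time (s).
        "billed_gb_seconds": billed_mb_ms / (1024 * 1000),
    }


def alarms(summary, max_error_rate=0.1, max_cold_start_rate=0.25):
    """Return alarm messages; both thresholds are hypothetical defaults."""
    n = summary["invocations"]
    if n == 0:
        return ["no invocations seen"]
    fired = []
    error_rate = summary["timeouts"] / n
    cold_rate = summary["cold_starts"] / n
    if error_rate > max_error_rate:
        fired.append(f"error rate {error_rate:.0%} above {max_error_rate:.0%}")
    if cold_rate > max_cold_start_rate:
        fired.append(f"cold-start rate {cold_rate:.0%} above {max_cold_start_rate:.0%}")
    return fired


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG), alarms(summarise(SAMPLE_LOG)))
```

Tracking billed GB-seconds alongside the error count is what makes a retry loop on a failing event visible as a cost trend rather than only as an error count.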

Similarly to AWS, Microsoft Azure Functions allows developers to monitor performance by detecting anomalies and changes. Azure Functions integrates with Azure Application Insights, such as Logic Apps, which collects logs and error data and includes powerful analytical tools to diagnose issues, helping the developer to understand how functions are used. It is designed to continuously improve performance and usability.

Azure Monitor Logs provides developers with the ability to consolidate logs from different resources in the same workspace, where it can be analysed with queries. Users can then create test queries and save queries for use with alert rules. Azure Data Explorer includes advanced functionality such as aggregations, joins and smart analytics.


The Future of Serverless Containers

The continuous evolution of cloud technology and cloud-native applications is a result of the versatility and power of containerised software delivery and we are seeing ever-growing, large-scale enterprise adoption.

Containerised serverless architecture has driven the development and growth of Containers-as-a-service (CaaS). CaaS is a cloud service model that allows users to manage and deploy containers, applications and clusters through container-based virtualisation. It is becoming increasingly useful for developers in building secure and scalable containerised applications and is particularly useful when deploying a hybrid of on-premise and cloud-based architectures and migrating Virtual Machines from an on-premise environment over to a cloud environment.

Being able to “lift and shift” an existing on-premise server environment to a cloud environment is becoming an increasingly attractive option for developers for the reasons we’ve already discussed and CaaS can support this process without the developer needing to re-architect or alter the application’s code base.

AWS Fargate allows developers to run containers without having to manage servers or provision, configure and scale clusters of Virtual Machines. This enables developers to concentrate on the building and operation of the software application rather than deciding on instance types or managing cluster scheduling. This makes scaling the application far quicker and easier.

Microsoft Azure Container Instances (ACI) also offer the opportunity for developers to focus on the design and build of their applications without managing infrastructure. ACI can be used to provision additional compute resources for demanding workloads, with a single command.

Virtual Kubelet integrates with ACI to provide ‘elastic bursting’ from Azure Kubernetes Service (AKS) whenever workload traffic spikes, without the need to manage servers, providing excellent scalability.


The Best Use Cases for Serverless

Serverless deployment or FaaS can be more beneficial to certain developers compared to others. Developers who use a particularly agile development life cycle to decrease their go-to-market time and those who build flexible applications with the ability to quickly update and enhance functionality would benefit greatly from utilising FaaS.

Applications that see peak usage times during the development life cycle with inconsistent usage and times between very high and none at all would be wasting valuable resources by having one or multiple servers always running; serverless architectures would mitigate the risk of incurring costs when at rest.

Many software developers consider serverless architecture to be the Holy Grail; whilst FaaS can never be a complete replacement for traditional application architecture, it is a perfect fit for replacing microservice and background type services.


About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face.

We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

About Escrow & Verification

With over 30 years’ experience we are one of the world’s leading software escrow providers protecting business critical software, data and information through escrow, verification testing and Cloud Resilience services.

Over 18,000 organisations worldwide benefit from our ability to offer our services under a variety of international laws and the assurance that comes from our global network of secure storage vaults across the UK, North America and Europe. Our expertise, offering and global scale are backed up by in-house technical and legal teams, guaranteeing an independent and quality service.

The principle behind our escrow offering is clear – to protect all parties involved in the development, supply and use of business critical software applications, information and technology.

For more information from NCC Group, please contact:

UK: +44 (0) 161 209 5324
Netherlands: +31 (0) 20 620 7151
Switzerland: +41 (0) 41 763 2800
Germany: +49 (0) 89 599 7620
US: +1 (800) 813 3523

All Rights Reserved. © NCC Group 2019