Table of Contents
Do not index
Do not index
Last week I attended Yan Cui’s two day Production-Ready Serverless Workshop and this is my review.
What is covered?
In this workshop, you will follow along with my instructions and build an e-commence web application step-by-step.Along the way you will learn how to:
- implement server-side rendering
- authenticate users with Cognito
- securing internal APIs
- testing strategies for serverless
- CI/CD best practices
- manage application configurations
- security best practices
- logging best practices
- monitoring and alerting best practices
- implement distributed tracing
- capture and forward correlation IDs
Logistics
Yan (https://theburningmonk.com) published the schedule 1 week prior with the agenda, logistics and joining instructions.
- Slack instructions: whilst most communication was real-time over Zoom, Slack chat helped synchronise the class (e.g. tick here when you have completed exercise 4).
- Software and AWS account setup. I would estimate half the class didn’t quite follow them, so they hit bugs with versions. Yan must have had this a lot as he could troubleshoot fast but was very stoic about it - never once sounded exasperated!
All training was delivered via Zoom to the 20 or so attendees for the live version. Yan records when he is speaking and stops recording during exercises. He does re-enable recording to capture questions-and-answers during the time allocated to work on exercises. I liked this since some of the questions were from people hitting different problems than me (we all had our fair share!) which meant I could keep my head down and progress with the exercise knowing I could review the recording later.
At the end of each day, he issued an mp4 video download of the Zoom call by Dropbox. Post-course, he also shared all the exercises in zip and full slides (with speaker notes), with links to the Zoom recordings. He gave a 30-day download period.
Yan started and finished on time. We ran behind, partly due to a more extended Lambda 101 session (AWS keep adding features!). Despite this, he did a smooth job of covering what needed to be covered and skimming over or skipping less critical material.
Course Schedule
Day 1
- 09:00 – Introductions
- 09:05 – AWS Lambda 101
- 09:45 – Serverless framework 101
- 10:15 – Break
- 10:30 – Building APIs with API Gateway and Lambda
- 11:00 – Securing APIs with IAM authorization
- 11:20 – Cognito 101
- 11:30 – Securing APIs with Cognito User Pools
- 12:00 – Lunch
- 13:00 – API Gateway best practices
- 13:20 – Writing integration tests for Lambda
- 14:10 – Writing acceptance tests for Lambda
- 14:30 – Break
- 14:45 – Setting up CI/CD pipelines
- 15: 00 – CI/CD security best practice
- 15:20 – Break
- 15:35 – Configuration management with SSM Parameter Store
- 16:00 – How best to secure credentials & API keys
- 16:30 – Day 1 wrap up + open questions
Day 2
- 09:00 – Project organization
- 09:20 – Processing events in realtime with Lambda
- 10:15 – How to choose the right application integration service
- 10:30 – Break
- 10:45 – SNS vs SQS vs Kinesis vs EventBridge
- 11:00 – Error handling for real-time event processing systems
- 11:15 – Per-function IAM roles
- 11:40 – Setting up log aggregation for Lambda functions
- 12:00 – Lunch
- 13:00 – Structured logging
- 13:30 – Sample debug logs in production
- 14:00 – Break
- 14:10 – Distributed tracing with X-Ray
- 15:00 – Capture and forward correlation IDs
- 15:30 – Break
- 15:50 – Alerts you should have
- 16:15 – Right-sizing function memories
- 16:30 – Day 2 wrap up + open questions
Naturally, the timings may differ in subsequent workshops.
The course content was a mix of presentations and exercises.
- Key concepts were presented via sparse/clear slides. No death by PowerPoint.
- Exercise instructions were in a GitHub repo that was shared in the introductory email. Yan encouraged attendees to share their screens when stuck and then co-debugged with them. Pretty much everyone had to drop/re-join to configure Zoom screen sharing. As he said, “it's your right of passage” (funny at the time!).
Presentation Material
With permission, I’m sharing a few example slides from the course as a taster:
Exercises
The exercises centered around a fictitious “Big Mouth” food delivery service application. Yan provided the initial code to get us bootstrapped and then after each concept lesson we incrementally built out features following his written exercise instructions. Each exercise made use of a serverless feature or options Yan had just taught. There’s no hand coding as such, all code was provided so it was just a case of copy and paste. The key to solidifying understanding was to read the supporting commentary explaining the what and the why. Some exercises ended on thought provoking questions to challenge and expand your new understanding.
Don’t do what I did and drop the prior days mp4 video in the folder you are using for the “Big Mouth” food delivery service. If you do, the next time you deploy the application you will be scratching your head wondering why the upload is so big (!).
Conclusion
I have attended many courses across my 30+ year career and I rank Production Ready Serverless Live class as top tier. I signed up on the strength of Yan’s reputation - he is clearly a highly experienced practitioner - which was the primary reason I learned this content from him. I have a strong preference to learn from active practitioners who train others, rather than trainers who solely train and learn solely through others.
Whilst the course was fast-paced, it didn’t feel rushed. From the introductions and interactions, the course was mostly attended by professional developers. This was reflected in the focus of the attendees' questions and the speed with which some of the more senior developers finished the exercises. Don’t let that put you off if, like me, you are not a developer; Yan found a good balance and was sufficiently generous with exercise time that most people completed most exercises (as evidenced by all the ✅ reactions!). If you have some basic programming skills and can comfortably operate an editor to create, navigate files, and copy/paste code then you will be fine.
The course was very reasonably priced for the value delivered, which helped make that side of the financial equation easier. As an independent consultant the immediate opportunity cost for attending any training is the consulting fees I forego, hence I weighed up the risk/reward carefully before signing up. I consider the skills I gained from this workshop are valuable to existing and future client. Now my task is to practice them and keep current!
Post-Course Teaser
After the course, Yan shared on LinkedIn some of his favourite questions he fielded during the workshop:
"If a function needs to call a slow external API (30 seconds), does it make sense to use a different service instead of Lambda?""If your API is intended for regional use, is there still a benefit to using CloudFront with API Gateway?""Would it be an anti-pattern to call a function's handler module directly rather than invoking the Lambda function?""When using temporary environments for running tests, what would you do if a service takes a very long time to spin up? e.g. RDS""Is there a scenario where you would use a Lambda onSuccess Destination to write the invocation result to EventBridge instead of writing custom code to do it yourself?"
If you are curious to get the answers, you’ll need to attend the course to ask for them!
I bought this course in a bundle with Testing Serverless Architectures and in light of my positive experience with this workshop, I cannot wait!
Written by
Independent Cloud Security Consultant. Advisor to Cloud Security Alliance. Former Group Security CTO at Barclays. Founder of GE Red Team