Lambda Execution Role (IAM Role)
- Lambda -> other service
- Grants the Lambda function permissions to AWS services / resources
- For example, when you want to send a message to SQS, you need to have "AWSLambdaSQSQueueExecutionRole"
- Best Practice: create one Lambda Execution Role per function
Lambda Resource Based Policies
- Other services -> Lambda
- Allows another account or an AWS service to invoke your Lambda function.
Lambda with X-Ray
- The daemon address is exposed to the function through the AWS_XRAY_DAEMON_ADDRESS environment variable
- When you enable "Active Tracing", AWS includes the X-Ray daemon automatically. But you still need to check the IAM permissions of the execution role.
Lambda with VPC
- By default, Lambda runs outside your own VPC, inside an AWS-managed VPC
- So Lambda cannot access resources inside your VPC, such as RDS, ElastiCache, internal ELB...
- But Lambda can access the public internet and global services such as DynamoDB
Lambda in VPC
- If you want to deploy Lambda inside your own VPC:
- You must define the VPC ID, the Subnets and the Security Groups
- Under the hood, Lambda creates an ENI (Elastic Network Interface) in your subnets, and through this ENI Lambda is able to communicate with RDS in your VPC
- Also need to attach the managed policies: AWSLambdaVPCAccessExecutionRole, AWSLambdaENIManagementAccess
Lambda in VPC - Internet Access
- If you have deployed your Lambda inside a VPC, by default it no longer has access to the public internet.
- Also, deploying a Lambda function in a PUBLIC SUBNET does NOT give it internet access or a public IP.
- To get internet access, deploy the Lambda function in a private subnet and give it internet access through a NAT Gateway / NAT instance.
- The NAT talks to the Internet Gateway of the VPC, and then you can reach the public internet.
- The same applies when a Lambda in a VPC needs to access DynamoDB:
- it also has to go via NAT -> IGW -> DynamoDB
- Or you can use VPC endpoints to privately access AWS services without a NAT
Lambda Limitations
- If your application is computation heavy (CPU-bound), you can increase the RAM to solve the performance issue
- Timeout: default 3 seconds, maximum 900 seconds (15 mins). So any computation longer than 15 mins is not suitable for Lambda. Consider using ECS, Fargate, EC2...
- RAM:
  - From 128 MB to 3008 MB in 64 MB increments
  - The more RAM you add, the more vCPU credits you get; adding more memory to a Lambda function is one way to increase its performance
  - At 1792 MB, a function has the equivalent of one full vCPU
  - Above 1792 MB, you get more than one vCPU, and you need to use multi-threading in your code to benefit from it
Lambda Concurrency and Throttling
- Concurrency limit: up to 1000 concurrent executions
- If you need a higher limit, open a support ticket
- 1000 is the limit across ALL your Lambda functions, NOT per single Lambda function!
- Therefore, if one Lambda function has a high peak that reaches the limit, the other Lambda functions will be throttled
You can set "reserved concurrency" at the function level.
- If set to 0, the function is fully throttled: every invocation throws an error
- Each invocation over the concurrency limit triggers a "Throttle"
- If synchronous invocation => returns ThrottleError (HTTP 429)
- If asynchronous invocation => retried automatically, then sent to the DLQ
Cold Start Problem
You can enable "Provisioned Concurrency" to solve the cold start problem
- Application dependencies should be bundled into the zip file
Lambda with CloudFormation
- You can package your Lambda function code and dependencies as a container image, using tools such as the Docker CLI.
- You can then upload the image to your container registry hosted on Amazon Elastic Container Registry (Amazon ECR).
- Note that you must create the Lambda function from the same account as the container registry in Amazon ECR.
- Test your application locally using the runtime interface emulator.
- The Lambda base images include a runtime interface client that manages the interaction between Lambda and your function code.
- Aliases enable a stable configuration of your event triggers / event source mappings
- Aliases cannot reference aliases
- Aliases support weighted traffic (splitting invocations between two versions)
- Deployment package: max 250 MB unzipped, max 50 MB zipped
- Environment variables: 4 KB max
- To ensure that a function can always reach a certain level of concurrency, you can configure the function with reserved concurrency. When a function has reserved concurrency, no other function can use that concurrency.
- More importantly, reserved concurrency also limits the maximum concurrency for the function, and applies to the function as a whole, including versions and aliases.
- Provisioned concurrency enables your function to scale without fluctuations in latency. By allocating provisioned concurrency before an increase in invocations, you can ensure that all requests are served by initialized instances with very low latency.
- Provisioned concurrency is not used to limit the maximum concurrency for a given Lambda function.
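Tying the execution role, resource-based policy, VPC and reserved concurrency notes above together, here is an added CloudFormation example (mine, not from the original notes): one least-privilege execution role for one function, a resource-based permission letting S3 invoke it, VPC attachment, active tracing, and a reserved concurrency cap. The subnet and security group parameters, the SQS queue ARN and the bucket name are placeholders you would supply.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>          # private subnets (NAT for internet access)
  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
Resources:
  OrderFnRole:                                # execution role: Lambda -> other services
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole  # ENI create/describe/delete for VPC attachment
        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess                      # needed once TracingConfig is Active
      Policies:
        - PolicyName: send-to-one-queue       # scoped to a single queue, not sqs:*
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sqs:SendMessage
                Resource: arn:aws:sqs:us-east-1:123456789012:orders  # placeholder queue ARN
  OrderFn:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.9
      Handler: index.handler
      Role: !GetAtt OrderFnRole.Arn           # one role per function
      MemorySize: 1792                        # roughly one full vCPU
      Timeout: 30                             # seconds; hard maximum is 900
      ReservedConcurrentExecutions: 50        # cap this function so it cannot starve the shared pool
      TracingConfig: { Mode: Active }
      VpcConfig:                              # Lambda creates ENIs in these subnets
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds: !Ref SecurityGroupIds
      Code:
        ZipFile: "def handler(event, context): return {'ok': True}"
  S3InvokePermission:                         # resource-based policy: other service -> Lambda
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref OrderFn
      Principal: s3.amazonaws.com
      SourceArn: arn:aws:s3:::example-bucket  # placeholder; SourceArn keeps other buckets from invoking it
```

Without SourceArn (or SourceAccount) on the permission, any S3 bucket in any account could invoke the function, which is the confused-deputy case resource-based policies are meant to avoid.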