Takeaways from the ServerlessConf SF 2018

By Erez Berkner, CEO & Co-Founder of Lumigo

Last week I attended ServerlessConf SF. This was the 8th and largest ServerlessConf to date with more than 550 attendees.

The conference had an effective agenda with a strong slate of talks and an impressive presence of community thought leaders.

Kudos to the ACloudGuru team for organizing the event!

The conference is proof for how serverless is maturing, examining material concepts of the technology and its side effects

Focus was given to serverless as a system and not just a bunch of functions, especially when it comes to visibility, traceability and security.

In a nutshell: a functions-centric approach is out and an application-centric approach is where the industry is heading to.

The state of serverless security, SW lifecycle and costs were also discussed in detail with interesting insights and predictions.

Here are my key takeaways from the conference, including serverless tips, predictions and actionable recommendations for building a well-architected serverless applications:

It’s Not Just About Functions!

Serverless is more than just Function as a Service (FaaS). Mark Nunnikhoven described the serverless ingredients: functions, managed services and data flow. When you are adopting serverless, you are, by definition, giving up on some control and visibility.

Make sure you bake into your serverless architecture visibility and security tools that can help you understand how data flows within your system, across the different functions and services.

Ben Kehoe suggested keeping tabs on the entire serverless execution flow in your organization, as it changes overtime.

Simon Wardley used his famous strategic planning tool, Wardley Maps, to analyze the key evolutionary steps which led to serverless.
He later made a great observation which may very well turn out to be a game changer:

“Serverless enables us, for the first time, to put a clear price tag on an application flow, allowing unprecedented visibility and accuracy when designing the supply chain of our businesses”.

Serverless Myths and Predictions

Some worthy-to-mention predictions and myth refutations were heard from some of the industry’s top influencers:

Ben Kehoe (iRobot) gave an exciting talk focusing on upgrades, and shared the following observations:

  • Serverless upgrades are lacking overall upgrade process visibility, especially with gradual canary upgrades.
  • System-wide canary upgrades are not in-sync across services, which can lead to mixed flows (such as a blue API implementation leading to a green function). Permission policies further complicate the situation.
  • Currently, in order to avoid this problem, we need to create a duplicated version of all components-chain between the upgraded services, and then propagate the Blue/Green states through all those components.

Tim Wagner provided interesting predictions:

#1: Serverless will pave the road to new supercomputing paradigm.
#2: Blockchain (Ledger) will somehow engage with serverless.
#3: Serverless vendor limitation will go away.

Mark Nunnikhoven gave his angle on the subject of serverless security:

  • Serverless is more secure than server-based due to the following reasons: Cloud Service Provider (CSP) competency; more granular access control; automatic auditing; no server affinity; time limitations; and frequent restarts.
  • Traditional perimeter security is not a good fit for serverless which requires a more granular security paradigm.
  • While some decent solutions for FaaS are emerging, security solutions for managed services are still not to be found.
  • PLEASE, PLEASE, DO NOT WRITE YOUR OWN SANITIZATION LIBRARY!

Actionable Tips: Serverless Dos and Don’ts

Chris Munns’ shared a lot of valuable serverless development tips:

  • Beware of code vulnerabilities in external dependencies.
  • Don’t put static secretes in your code. Don’t put them unencrypted in your environment variables. Either encrypt them, use parameter stores or secrets manager.
  • Event parsing: use existing libraries to parse the event object to make sure you get what you expect.
  • The security benefits of putting the Lambda within the VPC are negligible.
  • Turn on CloudTrail, Config and CloudTrail events — they cost extra dollars, but they will save you in the long run.
  • If your functions don’t share an event source — put them in two different repos.
  • If your functions do share an event source, but have completely different flows — divide them into two separate lambdas (allowing better performance, security and manageability).

Rob Gruhl presented a how-to-build-your-serverless-architecture-to-scale guide. His tips included the following:

  • Make sure your components are idempotent — events and replies will get lost and retries will happen.
  • Beware of retry storms during high loads / throttling.
  • Avoid recursive lambda invocations.
  • Implement apoptosis mechanisms.
  • Understand when you might break the abstraction layer of your cloud provider and have monitoring tools to identify when you reach those limits (such as a number of buckets; data layer limitations; functions concurrency; and network capacity).

The Rapid Growth of Serverless

ServerlessConf allowed participants to hear first-hand several exciting serverless early-adopter stories. These can give a peek into how modern cloud architectures will look like in the near future.

Rob Gruhl covered the monstrous serverless footprint at Nordstrom:

  • 100+ serverless-based apps in production (significant amount of them are customer-facing).
  • 200M+ invocations per day.
  • More than 5K unique functions.
  • More than half of all dev teams are using serverless.
  • They are serverless and/or Kubernetes first (dev teams can choose what best suits their app).
  • Developers survey showed a 91% satisfaction rate from serverless with a Net Promoter Score of 55!
  • ServerlessArtillary — a salable load tests tool using Headless Chrome.

Jason Katzer described how Capital One continues its amazing journey to transfer their eight huge on-premise data centers to pure cloud. He explained how they architect serverless environments which scale (100M invocations each hour!) while Kapil Thangavelu elaborated on how the popular cloud custodian open source tool uses serverless to enforce policies across clouds.

Joe Emison, CTO of Branch, gave a brilliant talk on serverless architectures, presented a great usage pattern for AWS AppSync and stressed that you should avoid writing code when you can and that you should “get rid of backend functions” in general.

Sam Kroonenburg outlined ACloudGuru’s impressive serverless journey, reassured that the company is pure serverless and highlighted serverless community resources such as Serverless Zone, The New Stack, and Serverless Slack Channel.

Observability + Serverless = Observerless

Corey Quinn gave a hilarious session, as always, and coined the term #Observerless: the hottest new thing in monitoring you’re already doing (check out Observerless.com)

With Observerless principles, your application is always up. If it isn’t, how would you know? “Blameless postmortems” can now devolve into shouted accusations of “peeking.”

Rumor has it that #GoObserverlessDays 2019 is on its way. The time is Meow! :)

Tel-Aviv — The New Serverless Capital

At last, and as a member of the Tel-Aviv startup scene, I have to say that the number of Tel-Aviv based serverless companies participating in ServerlessConf SF was astonishing. From serverless engines (Iguazio, Binaris, Spotinst, vFunctions) through visibility and troubleshooting (Lumigo and Epsagon), production debugging (Rookout) to Security (PureSec) — the serverless startup community in Tel-Aviv is definitely thriving! : )

***

These are my key impressions from the ServerlessConf SF 2018, see you all again in the next serverless conference!