Serverless Best Practices in software development

by Lucy Brudo on Jul 25, 2022

Serverless function-based compute platforms like AWS Lambda are built for scale. They automatically provision computing resources as needed and are designed to handle tens of thousands of requests per second. This makes them a great fit for modern web applications and APIs.

But “serverless” doesn’t mean you don’t have to think about servers or architecture anymore, or that you can completely ignore best practices used in software development. It just means you don’t have to worry about infrastructure management and scaling, so your focus can shift to building new features and delivering value faster, which is the ultimate goal of serverless.

Here are some best practices we’ve learned at Serverless over the past few years while building serverless applications on AWS Lambda.

What is serverless?

Serverless computing is a cloud computing execution model in which the cloud provider runs the server and dynamically manages the allocation of machine resources. Pricing is based on the actual amount of resources consumed by an application, rather than on pre-purchased units of capacity. It is a form of utility computing. The name “Serverless Computing” was created by Amazon Web Services (AWS) to describe AWS Lambda.

Serverless best practices

Start locally

From day one, this is the best practice for working with serverless code. If you can code it locally, you can likely deploy it to AWS Lambda and run it successfully in production. Start locally and build your function using the same language runtime and same SDK as you would use on Lambda and AWS. The role of Lambda is to execute your code on-demand, so focus on writing good code first and then start exploring how to deploy that code on Lambda.

Use 1 function per route

This will help in debugging and code maintenance. If you want to change the execution path of your API, you can do it by changing a single file instead of making changes to multiple files and routes.

Use error handling middleware

Anything can go wrong in your API request and you should be prepared for it. Your API might get a request that is not valid or an internal error can occur during the processing of the request. You should be able to handle these errors gracefully and inform the client about what happened and the possible next steps for them.
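One way to write such middleware for a Python Lambda behind an API Gateway proxy integration, as an added example that is not code from the original article. The names ClientError, reply, error_middleware and create_order are hypothetical; invalid requests get a 4xx with a next step, while internal errors are logged in full and answered with a generic 500 so no stack trace or internal detail reaches the client.

```python
import json
import logging
import uuid

logger = logging.getLogger("api")


class ClientError(Exception):
    """Raised by a handler for a problem the caller can fix (hypothetical name)."""

    def __init__(self, message, status=400, next_step=None):
        super().__init__(message)
        self.status, self.next_step = status, next_step


def reply(status, body):
    """Build an API Gateway proxy-integration response."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def error_middleware(handler):
    """Wrap a Lambda handler so every failure becomes a clean JSON reply."""
    def wrapped(event, context):
        request_id = getattr(context, "aws_request_id", None) or str(uuid.uuid4())
        try:
            return handler(event, context)
        except ClientError as exc:
            # Invalid request: tell the caller what was wrong and what to do next.
            return reply(exc.status, {"error": str(exc), "nextStep": exc.next_step,
                                      "requestId": request_id})
        except Exception:
            # Internal error: traceback goes to the log, never to the client.
            logger.exception("unhandled error in request %s", request_id)
            return reply(500, {"error": "Internal error", "requestId": request_id,
                               "nextStep": "Retry later; quote requestId to support"})
    return wrapped


@error_middleware
def create_order(event, context):
    """Sample route handler (constructed for this example)."""
    try:
        order = json.loads(event.get("body") or "")
    except json.JSONDecodeError:
        raise ClientError("Body must be valid JSON", next_step="Fix the payload and resend")
    if not isinstance(order, dict) or "item" not in order:
        raise ClientError("Missing field 'item'", status=422, next_step="Add 'item' and resend")
    return reply(201, {"item": order["item"]})
```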

Manage code, not configurations

The serverless programming model requires a different approach to configuration management. Rather than managing configurations across all your services, you should manage code. You can use Lambda layers to do this. Layers allow you to separate concerns and reuse code across all the functions. As a best practice, use Lambda layers to manage shared dependencies like libraries, frameworks, SDKs, or runtimes. This approach also has the benefit of reducing deployment package sizes (and thus deployment times) because only changes in your function code need to be packaged and deployed.

Serverless best security practices

Deploy API gateways for security

API gateways are a standard feature of modern software architecture, and they have several important functions, including the handling of authentication and authorisation. API gateways provide a single point of entry for a variety of services and allow you to hide direct access to other downstream services. This can make it easier to work with third-party APIs and also provide some added security. If you are using an API gateway to connect with other services, be sure to use HTTPS throughout so that you don’t accidentally expose sensitive data at any point in the process.

 

Properly Handling Secrets

To secure your serverless applications, you must focus on managing the secrets that your functions use. The first step is to avoid hardcoding secrets into the code itself. Hardcoded secrets are a security concern because they are visible to anyone who can view the source code. AWS provides Secrets Manager, a service that you can access from any function, and it makes it easy to rotate secrets without redeploying your application.
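A sketch of reading a secret at run time instead of hardcoding it, as an added example that is not code from the original article. It assumes the secret is stored as a JSON string with username and password keys; the environment variable DB_SECRET_ID, the secret name and the 300-second cache lifetime are placeholders. The short cache keeps warm invocations fast while still picking up a rotated value without a redeploy.

```python
import json
import os
import time

CACHE = {}        # secret id -> (time fetched, parsed value)
CACHE_TTL = 300   # seconds; assumed value, short enough to pick up rotation


def default_client():
    import boto3  # imported lazily so the module loads without the AWS SDK
    return boto3.client("secretsmanager")


def get_secret(secret_id, client=None, now=time.monotonic):
    """Return the secret as a dict, calling Secrets Manager at most once per TTL."""
    cached = CACHE.get(secret_id)
    if cached and now() - cached[0] < CACHE_TTL:
        return cached[1]
    client = client or default_client()
    response = client.get_secret_value(SecretId=secret_id)
    value = json.loads(response["SecretString"])
    CACHE[secret_id] = (now(), value)
    return value


def handler(event, context, client=None):
    # Only the secret's name is configuration; its value is never in the code
    # or the deployment package, and it is never logged or returned.
    secret_id = os.environ.get("DB_SECRET_ID", "example/db-credentials")
    creds = get_secret(secret_id, client)
    connected = bool(creds["username"] and creds["password"])  # stand-in for a DB connect
    return {"statusCode": 200 if connected else 500}
```

The function's role needs secretsmanager:GetSecretValue on that one secret and nothing broader.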

Limiting Permissive IAM Policies

When using a serverless stack, most of the permissions for AWS resources need to be set in an IAM role. In general, these roles should be given the least amount of permission needed to function properly. However, this can be difficult to accomplish with serverless functions because the code is not necessarily known at the time the role is created. Therefore, it is common practice to give a serverless function’s role full access to AWS resources. That shortcut is the permissive policy this practice is meant to limit: once the function's code is known, scope its role to the actions and resources the function actually uses.
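The full-access policy next to a scoped one, with a small check that flags the wildcards, as an added example that is not code from the original article. Both policy documents are constructed samples; the account id, region, table and secret names are placeholders, and audit_policy is a hypothetical helper that could run in CI before a role is deployed.

```python
# Constructed sample: the "full access" role policy described above.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: the same role scoped to what one function uses.
# Account id, region, table and secret names are placeholders.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:"
                     "secret:example/db-credentials-??????"},
    ],
}


def as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, problem) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "Allow with NotAction/NotResource grants everything else"))
        for action in as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append((i, f"Action '{action}' allows a whole service"))
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "Resource '*' applies to every resource"))
    return findings
```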

 

Article source: https://article-realm.com/article/Computers/Software/25320-Serverless-Best-Practices-in-software-development.html
