I had the great privilege of speaking at ServerlessConf in Austin a couple of weeks ago. The conference is a community event run by the fine folks at A Cloud Guru, but you’d never know that they do other things with their time besides plan conferences, because the logistics were practically flawless. Perfect size (about 400 attendees), great food and a cool venue near downtown Austin made for a fun couple of days. Both the quality of sessions and the technical chops of attendees seemed exceptionally high, leading to lots of thought-provoking content and productive hallway conversations. The only negative comment I have about the event was the pacing – the organizers found a way to cram forty sessions into just two days, and the human brain can only absorb so much information before starting to check out.
Fortunately, all the sessions are now available on YouTube for further review. Here are my top five takeaways from the conference, as well as a few of my favorite sessions.
1. In the land of “No Ops”, ops is still king
Creating an app with serverless technologies is superficially easy, but actually deploying, testing, monitoring and debugging that app in production can be a nightmare. Without insight into the underlying services, you have less control over what breaks and less ability to fix it, and the ecosystem of tools that might help is still pretty thin. Nobody puts their finger better on this problem than DevOps legend Charity Majors, whose session was a rambling, electrifying rant on the folly of assuming that “going serverless” means you don’t have to think about traditional ops considerations anymore. If anything, getting rid of the in-house ops team removes the veil between developers and their own code: if something you wrote stops working in production, you’d better be prepared to fix it yourself. Unless you’ve hit a problem in the underlying services, in which case your app is completely beholden to somebody else’s dev cycle – a very real possibility that is not to be brushed off lightly.
One vendor at the conference who seems to be thinking intelligently about this problem is IOpipe. They make a monitoring service that wraps your AWS Lambda functions, giving you better insight into problems than writing print statements to CloudWatch logs. I may need to check this service out soon.
2. Event-driven architectures are the future. And the present.
Serverless developers love talking about their architectures, and a common theme at Serverlessconf was the move to event-driven systems – that is, applications that access data and trigger functions from a centralized event log instead of sharing state in a traditional database. Serverless systems more or less beg to be designed this way because they often operate as decentralized microservices, scaling rapidly while maintaining consistency between many immutable chunks of data. For an interesting application of these ideas in AWS, check out Nordstrom’s conference workshop. However, if you are just starting to get your head around the general concept of event-driven architecture, I highly recommend reading Martin Kleppman’s marvelous “Turning the database inside out” from Strange Loop 2014.
3. Serverless is really easy, and that’s a game-changer ….
The low barrier to entry for developers using serverless is one of its main selling points, but it’s still worth emphasizing, and several speakers at the conference did this in thought-provoking ways. Mike B. Roberts, speaking about serverless in the modern agile development cycle, pointed out that when an entire application or service can be prototyped and deployed in a matter of days or weeks, developers can try ideas at a more rapid pace, recover more quickly from the inevitable bad ideas and increase the likelihood that the rare good idea will reach the market in time to provide business value. In some cases, C-level executives are now building small serverless prototypes to try out ideas and win corporate buy-in, something that could never have happened when any development project required physical resources doled out by IT. Serverless has democratized the software development lifecycle by removing as many barriers as possible between the code and the consumer.
4. … as well as a risk
Guy Podjarny, the former CTO of Akamai and now the founder of a security startup, provided a marvelous talk on the common security issues facing serverless developers. I thought his most interesting point was that although the FaaS model doesn’t really invent new classes of vulnerabilities, the very ease of creating Lambda functions increases risk in surprising ways. Once created, a function is virtually free to keep around if it’s not being run, so a cloud environment can quickly bloat with lots of unused, untracked functions. The broad attack surface of hundreds of functions, combined with the fact that at least some of them are sure to have more permissions than they really need, is asking for trouble. I left this talk realizing that I need a better strategy for identifying and cleaning up expired Lambda functions across my AWS accounts.
5. AWS still rules the serverless roost, but the competition is fierce
AWS, Microsoft, Google and IBM all sent delegations to the conference, promoting their various serverless offerings. At this time, I believe AWS holds the clear edge over its competitors: they have the most mature FaaS product (Lambda), the most extensive suite of ancillary services and by far the most advanced developer tooling. That said, each of the other major cloud providers has distinct strengths. Azure offers a slick GUI-based workflow designer called “Logic Apps” that blows AWS Step Functions out of the water; Google probably has the most mature database services (BigQuery, Firebase); IBM OpenWhisk has open-sourced their entire platform so you can run it in your own datacenter for free. (Although if you must maintain your own datacenter, I don’t really know why you would expend a lot of innovation cycles converting your apps to a FaaS architecture, except in a few special cases.) AWS has a running start on the competition because they were the first FaaS provider on the market, but it will be interesting to see if the other cloud providers can close the gap in the coming months.
Top five sessions
Charity Majors: Serverless: The Toddler Years
Guy Podjarny: Serverless Security: What’s Left to Protect?
Mike B. Roberts: Serverless + Modern Agile
Chris Munns: Building CI/CD Pipelines for Serverless Applications
Lynn Langit: Serverless SQL Queries