Simulated Slot Machine Browser Game

In the “Architecting on AWS” course there is a slide showing how the AWS SDK for JavaScript can be used to allow a client side script to invoke a Lambda function.

In this example, a simulated slot machine browser-based game invokes a Lambda function that generates the random results of each slot pull, returning those results as the file names of images used to display the result. The images are stored in an Amazon S3 bucket that is configured to function as a static web host for the HTML, CSS, and other assets needed to present the application experience.

The example is taken from:

Tutorial: Creating and Using Lambda Functions

The tutorial is mainly about using the SDK for JavaScript and so is outside the scope of an Architecting course. However, it is a very interesting project. There are SDKs for iOS, Android and JavaScript. The SDK for JavaScript is for desktop and other web browsers.

I would recommend the following as prerequisite knowledge, all of which are covered in the course:

  • Lambda
  • Assigning Roles to Lambda
  • S3 Static Web Sites
  • Dynamo DB
  • Cognito
  • Use of Access Keys

The tutorial uses a config.json file configured with suitable credentials (an access key id and secret access key) to give permission to the supplied Node.js scripts to create the resources for the project. In the Architecting course we talk about the use of passwords for Console access, and access keys for the use of CLI and SDK. So this is an example of using keys along with the AWS SDK.

The tutorial assets are downloaded from GitHub. Most of the tutorial involves using supplied Node.js scripts to create and configure the resources.

At the end of the tutorial, you click on the S3 Static Web site URL:

Clicking on the red handle spins the wheels and invokes the Lambda function, which selects images to display at random. The names of the images come from a Dynamo DB table, and the actual images from S3.

Prerequisites for the tutorial are:

  • Install Node.js on your computer to run various scripts that help set up the resources
  • Install the AWS SDK for JavaScript on your computer to run the setup scripts.

If you don’t want to install these on your computer you could use Cloud9.

It’s fairly easy to get started with Cloud9, and it already has Node.js installed.

The tutorial guides you through the following:

Create an Amazon S3 bucket to store all the browser assets. These include the HTML file, all graphics files, and the CSS file. The bucket is configured as a static website.

The JavaScript code in the browser, a snippet of which you see in the slide above, needs authentication to access AWS services. Within web pages, you typically use Amazon Cognito Identity to do this authentication.

The Architecting course covers Cognito at a very high level. This is the course slide on Cognito:

Elsewhere I have a post about another project called “WildRydes”. That project also used a browser and a Lambda function, but the browser made a call to API Gateway which then invoked Lambda. The browser gained permission to invoke API Gateway by getting a token from a Cognito User Pool after signing up and logging in and then providing that token to API gateway. That scenario did not require Identity Pools.

In this tutorial, Cognito User Pools are not used. Instead, Identity Pools are used. In this tutorial, the user doesn’t have to log in. Identity Pools can support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider. This is typically used to allow Guest access to an application. The identity pool is configured to allow the browser to assume a Role with permissions to invoke the Lambda function. The JavaScript running within the browser supplies a Cognito Identity Pool Id.
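Because anyone who loads the page can obtain those guest credentials, the role behind the unauthenticated identity should trust only this identity pool and allow nothing beyond invoking the one function. The following audit script is an added example, not part of the tutorial; the pool id, account id and function ARN are constructed placeholders.

```python
"""Audit the role an identity pool hands to unauthenticated (guest) browsers."""
import json

# Constructed samples; the account id, pool id and function ARN are placeholders.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
SLOTPULL_ARN = "arn:aws:lambda:us-east-1:111122223333:function:slotpull"

TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}}}]})

# Deliberately over-broad second statement, so the audit has something to report.
PERMISSIONS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": SLOTPULL_ARN},
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, pool_id):
    """Findings if the role can be assumed by identities outside this pool."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != pool_id:
            findings.append(f"trust statement {i}: aud condition does not pin pool {pool_id}")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr is None:
            findings.append(f"trust statement {i}: no amr condition, so authenticated and guest users are not distinguished")
    return findings

def audit_permissions_policy(policy_json, allowed_function_arn):
    """Findings for any Allow beyond invoking the one slot-pull function."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action != "lambda:InvokeFunction":
                findings.append(f"statement {i}: action {action!r} is not needed by the game")
        for res in _as_list(stmt.get("Resource", [])):
            if res != allowed_function_arn:
                findings.append(f"statement {i}: resource {res!r} is broader than the function ARN")
    return findings

if __name__ == "__main__":
    for f in audit_trust_policy(TRUST_POLICY, POOL_ID) + audit_permissions_policy(PERMISSIONS_POLICY, SLOTPULL_ARN):
        print("FINDING:", f)
```

Feed it the real documents from `aws iam get-role` and `aws iam get-role-policy` for the unauthenticated role; an empty findings list means the guest role is pinned to the pool and limited to the function.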

Next we create an execution role for the Lambda function.

Next we create and populate the Dynamo DB table.

Next we edit the supplied Lambda function to reference the role and the bucket, create a zip file of the Lambda function and upload it to the Lambda service.

Finally, we access the S3 static web site URL to test the application.

Some “gotchas”:

Most of the tutorial uses Node.js scripts to create, configure and populate resources, but sometimes the required command is not explicitly supplied, because the command varies depending on whether you are using Linux, Mac or Windows. For example, once you have edited the Lambda function to customise it, the command to create a zip file of it is:

zip slotpull.js.zip slotpull.js

Also, the instructions to copy some of the assets to the S3 bucket were missing. I downloaded the assets to my local Windows machine, and then used the S3 console to copy the relevant files.

The tutorial doesn’t ask you to change the region in the various scripts. You can use any region as long as you are careful to spot any references to a region and edit the files.

To tear down, delete all the resources as usual. Alternatively, as it is all serverless, you could leave it in place.


Global Accelerator Part 2

In November 2019 AWS launched a new 5 day course “Architecting on AWS Accelerator” which includes content from the “Advanced Architecting on AWS” course.

It covers Global Accelerator, so I am revisiting it for the scenario where it is used in front of Load Balancers.

The above slide shows the current model without Global Accelerator.

The problem with it is caching.

Say a user browses to www.example.com and is returned the IP of the LB in us-east-1. Then the LB in us-east-1 goes down for some reason. It will be replaced and its IP will change. The old IP has a high likelihood of being cached either locally or at a DNS cache.

The user browses to www.example.com

When we configure Global Accelerator we receive 2 static IPs.

We create a record set in Route 53 with these 2 IPs.

The browser will try to make a connection to one of the IPs.

Global Accelerator will typically direct the user to the LB nearest the user. In addition, the user will be routed via the nearest edge location, and from there the traffic will traverse the AWS network rather than the internet.

From the Global Accelerator home page:

To improve the user experience, AWS Global Accelerator directs user traffic to the nearest application endpoint to the client, thus reducing internet latency and jitter. It routes the traffic to the closest edge location via Anycast, then by routing it to the closest regional endpoint over the AWS global network. AWS Global Accelerator quickly reacts to changes in network performance to improve your users’ application performance.

Global Accelerator is also using health checks. In this scenario, rather than use its own health checks, it relies on the health checks of the LB.

To set this scenario up:

As a prerequisite I set up the following:

An instance in us-east-1 with a simple web page identifying its region eg “Hello from us-east-1”

An ALB in us-east-1 targeting the single instance.

I repeated the above for eu-west-1.

I tested access to the two ALBs by browsing to their DNS names.

Now for the Global Accelerator part.

From the Global Accelerator console, create a Global Accelerator. Give it a name.

Add a Listener on TCP/80.

Add an Endpoint Group, choose us-east-1 from a drop down. Repeat for eu-west-1.

Add Endpoint for us-east-1, of type ALB, and choose the ARN of the ALB from a drop down.

Repeat for eu-west-1.

It takes about 5 minutes to deploy, and you receive 2 static IPs.

Put either one of them in a browser. You should see the web page of the instance in your closest region.

Stop that instance.

Wait until the target group indicates that the instance is unhealthy.

Refresh the browser. You should see the web page of the instance in the other region.

If you have a Route 53 hosted zone, create a record set. I used ga.thetrainit.com. Add the 2 static IPs of the GA.

Browse to ga.thetrainit.com to test it.

Start the stopped instance, wait for the target group to indicate that it is healthy and test again.
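The failover test above can be repeated from a script rather than by refreshing the browser. This probe is an added example, not part of the post: it polls both static IPs, reports which region’s “Hello from …” page answers, and can be run before and after stopping an instance. The two IPs below are constructed placeholders.

```python
"""Poll both Global Accelerator static IPs and record which region's page answers."""
import urllib.request
from collections import Counter

# Constructed placeholders: replace with the two static IPs your accelerator was given.
GA_STATIC_IPS = ["203.0.113.10", "198.51.100.20"]
REGIONS = ("us-east-1", "eu-west-1")

def http_fetch(ip, timeout=5):
    """Fetch the test page through one static IP; None if the request fails."""
    try:
        with urllib.request.urlopen(f"http://{ip}/", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None

def region_from_body(body):
    """The test instances serve 'Hello from <region>'; pull the region out."""
    if body is None:
        return "unreachable"
    for region in REGIONS:
        if region in body:
            return region
    return "unknown"

def probe(ips, rounds=5, fetch=http_fetch):
    """Hit every static IP `rounds` times; map ip -> Counter(region -> hits)."""
    results = {ip: Counter() for ip in ips}
    for _ in range(rounds):
        for ip in ips:
            results[ip][region_from_body(fetch(ip))] += 1
    return results

def serving_region(results):
    """Region that answered most often across both IPs (None if nothing answered)."""
    total = Counter()
    for counts in results.values():
        total.update(counts)
    answered = {r: n for r, n in total.items() if r in REGIONS}
    return max(answered, key=answered.get) if answered else None

if __name__ == "__main__":
    before = probe(GA_STATIC_IPS)
    print("serving region:", serving_region(before))
    input("Stop that instance, wait for the target group to show unhealthy, then press Enter")
    after = probe(GA_STATIC_IPS)
    changed = serving_region(after) != serving_region(before)
    print("serving region after failover:", serving_region(after),
          "(changed)" if changed else "(unchanged)")
```

Because both static IPs are probed independently, a per-IP count of “unreachable” also shows whether one of the two isolated network zones is not answering at all, separately from the regional failover.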

Some further notes:

If I do an nslookup on ga.thetrainit.com it returns the two IPs in a fairly unpredictable order.

From the FAQ:

If one static IP address becomes unavailable due to IP blocking, or unreachable networks, AWS Global Accelerator will provide fault tolerance to client applications by rerouting to a healthy static IP address from the other isolated network zone. … With AWS Global Accelerator there is no reliance on IP address caching settings of client devices. The change propagation time is a matter of seconds, thereby reducing downtime of your applications.

To clean up:

Disable the Accelerator, which only took a few seconds for me.

Delete the Accelerator.

Delete the Route 53 record set.

In each region, delete the ALB, Target Group, and terminate the instance.

Some snippets from the FAQ

Q: How does AWS Global Accelerator work with Elastic Load Balancing (ELB)?

If you have workloads that cater to a global client base, we recommend that you use AWS Global Accelerator. If you have workloads hosted in a single AWS Region and used by clients in and around the same AWS Region, you could use an Application Load Balancer or Network Load Balancer to manage such resources.

Q: How is AWS Global Accelerator different from Amazon CloudFront?

Global Accelerator and CloudFront are two separate services that use the AWS global network and its edge locations around the world. CloudFront improves performance for both cacheable (e.g., images and videos) and dynamic content (e.g., APIs acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in a single or multiple AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT) or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic fast regional failover. Both services integrate with AWS Shield for DDoS protection.

Macie Part 2

Revisiting the Macie console after leaving it running for a month or so, I see the locations from which my account has been accessed. As it happens, these are the locations I have been working in recently.

From the docs:

AWS CloudTrail provides you with a history of AWS API calls for your account, including API calls made using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. AWS CloudTrail also enables you to identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address that the calls were made from, and when the calls occurred.

X-Ray

In the “Security Engineering on AWS” course there are two slides on X-Ray.

From the course notes:

AWS X-Ray is a service that collects data about requests that your application serves, and provides tools you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization. For any traced request to your application, you can see detailed information not only about the request and response, but also about calls that your application makes to downstream AWS resources, microservices, databases and HTTP web APIs.

There is a very cool sample application to get started.

From the X-Ray console, click “Launch a sample application (Node.js)”

It will take a few minutes. It uses Cloud Formation to create an Elastic Beanstalk application, and Elastic Beanstalk creates a second stack.

When both stacks are complete, in the Elastic Beanstalk click on the Elastic Beanstalk application URL to see the sample application:

Click on the sign-up form and supply a Name and Email address (it doesn’t have to be real). This will be a POST request to the application.

In the X-Ray console, click on “Service Map”, to see a screen similar to this:

The leftmost circle represents the HTTP requests to the web page. The other circles are:

  • A call to the metadata service to retrieve the security credentials supplied by the Instance Profile, used to make the Dynamo DB and SNS API calls.
  • A Dynamo DB table. The application is writing the user’s details to a Dynamo DB table. If you go to the Dynamo DB console you will see it.
  • An SNS Topic. The application is publishing the user’s details to an SNS topic. If you go to the SNS console, you will see an unconfirmed subscription to the email address you used, and a confirmed subscription from an SQS queue.

In the X-Ray console, click “Traces” to see the URLs accessed by the client.

It will include the initial GET to the web application and a POST to the signup page.

You may also see a GET to the favicon, with a 404 not found.

“A favicon /ˈfæv.ɪˌkɒn/ (short for favorite icon), also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page.”

Drill down to the details of the trace for the signup page.

You see a timeline including the total time for the POST.

This is broken down into the DynamoDB PutItem followed by the SNS Publish, with the times for each.

You may also see the calls to the metadata service to retrieve security credentials.

Back in the application, click “Start” and leave it for 2 minutes to make about 10 automated signups per minute. Now we start to see average figures for each of the circles in the service map.

The application intentionally includes signups with a duplicate email address, which causes Dynamo DB to return a 400 error, and the POST to return a 409 error. These errors can be seen in the traces.

“An HTTP 400 status code indicates a problem with your request, such as authentication failure, missing required parameters, or exceeding a table’s provisioned throughput”

Just for fun, I removed the sns:publish permission from the policy attached to the Role that the instance is using.

The service map starts to display orange circles, and you can drill down the traces to see the detail:

AuthorizationError: User: arn:aws:sts: <output omitted> is not authorized to perform: SNS:Publish on resource: arn:aws:sns:<output omitted>

The POST returns a 500 error.

In summary, X-Ray is helping us to identify both latency issues and intermittent errors returned by a service.

To clean up, delete the X-Ray Cloud Formation stack, which will in turn delete the Elastic Beanstalk stack.


EC2 Auto Scaling Purchasing Options

In the “Architecting on AWS” course there is a slide on Autoscaling Purchasing Options.

From the course notes:

Amazon EC2 Auto Scaling supports multiple purchasing options within the same Auto Scaling group (ASG). You can include Spot, On-Demand, and Reserved Instances (RIs) within a single ASG, allowing you to save up to 90% on compute costs.

The following walk through only takes a few minutes to try.

I keep it minimal to demonstrate the basic features and get started quickly, leaving you to try out the many further options.

In order to demonstrate using a mixture of On-Demand and Spot pricing, I will use a steady state Auto Scaling Group of 4:4:4, that is Minimum, Maximum and Desired all of 4. I aim to have a 50%/50% mix of On-Demand and Spot, that is 2 of each.

Another option is to always have a certain number of On-Demand Base instances as part of the mix, but I will leave that Base number at zero.

When configuring Launch Templates and Auto Scaling Groups there is no reference to Reserved Instances. That part is automatically dealt with by matching your Reserved Instance choices, if any, with your actual running instances across the account, and then billing at the Reserved Instance price.

Everything that follows is done from the EC2 console.

This use case requires the use of a Launch Template.

Create a Launch Template. Give it a name. At a minimum, when the Launch Template will be used by an ASG, you must supply an AMI and Instance Type. I chose an AMZ Linux 2 AMI and t2.micro Instance Type.

Leave all the rest as defaults. Note that expanding Advanced Details shows that you can request Spot instances here, but you must not tick this if the use case is to have a mix of On-Demand and Spot within an ASG.

Create an Auto Scaling Group and select the Launch Template. Select “Combine purchase options and instances”.

For Instance Distribution, clear “Use the default” and then set “On-Demand Percentage above base” to 50%, leaving everything else at default.

Choose to Start with 4 instances. This is the desired number to start with. If you use Auto Scaling policies, then when scaling in and out, this is the starting desired number and it then changes dynamically.

Select a subnet. In production it would be recommended to use more than one.

On the next screen, choose “No scaling policies”. To keep it simple, and to avoid needing to run some kind of simulated stress, we will keep it to a steady state group of 4 instances.

After a few seconds, you should see 4 instances launching.

We will want to verify the mix of On-Demand and Spot.

It is not possible to see the purchasing options from the instance details. Instead, you can go to EC2, Spot Requests to see 2 active spot requests, both fulfilled.

Alternatively, using CLI, the following will show details of the 2 Spot Instances.

aws ec2 describe-spot-instance-requests

If you select EC2, Spot Requests and click “Savings Summary” you can see a high-level summary of your savings across all of your running and recently terminated Spot Instances.

To clean up:

Delete the ASG and Launch Configuration. The instances will be terminated, and in a few minutes you will see that the spot requests are closed.

The docs are here:

Auto Scaling Groups with Multiple Instance Types and Purchase Options

and here:

Introducing the capacity-optimized allocation strategy for Amazon EC2 Spot Instances

and for information about how the spot pricing model has changed recently:

New Amazon EC2 Spot pricing model: Simplified purchasing without bidding and fewer interruptions