The state of serverless in 2017

To check in on the pulse of the serverless/FaaS ecosystem since our report last year, we attended ServerlessConf. This iteration was in Austin, Texas – the apparent new hub of trendy tech events including DockerCon, OSCON and ChefConf. What we observed was, by and large, evidence of the slow, gradual maturation of this ecosystem.

The 451 Take

The serverless ecosystem continues to mature, as exhibited at the latest ServerlessConf. Much as we saw with VMs, OpenStack and containers, new functionality and requirements have driven startups and vendors to enter the space – with security and time to value (frameworks) showing up prominently at this event. We found more growth in enterprise adoption, although those willing to admit to it tend to be on the leading edge, such as gaming and robotics companies. We think the serverless/FaaS approach continues to hold a great deal of promise as an evolution on PaaS for applications and integrations.

The serverless community and corporate ecosystem continue to mature in 2017. In contrast to more established events like the OpenStack Summit, the ServerlessConf audience effectively welcomes product pitches. Why? Because the space is so nascent, even its earliest adopters cannot keep tabs on the rapid changes in offerings and capabilities.

At other events, product overviews would draw boos and walkouts, but at ServerlessConf they're well received. We attended the event to catch up with existing vendors, discover new ones, and focus on enterprise adoption of meaningful applications (as predicted in our 2017 trends).

Customers

AdTechMedia moved to serverless architecture early on. Pre-serverless, it had single-page apps on AWS in early 2014. It then started consuming more high-level AWS services, replacing MySQL with DynamoDB and SQS, then switching to Auth0 for Cognito.

When Lambda came out in late 2014, AdTechMedia migrated its APIs across. In 2015, it began to take a micro-services approach to building apps and open-sourced its DEEP framework, a JavaScript framework for building cloud-native applications on AWS.

It then began using Kinesis and Elasticsearch, and created a CLI for deployments and operations. The company uses a large number of AWS services – Route53 DNS, Cognito, DynamoDB, Elasticsearch, S3, Kinesis and more.

The maker of the Roomba vacuum, iRobot, described its use of AWS Lambda. The company migrated to AWS in 2016, and is a heavy adopter of AWS overall (25 services), and serverless architecture in particular. It went serverless to build faster, operate leaner, avoid pain with learning to scale, and save money.

The iRobot Home production application uses 100+ Lambda functions, 25 AWS services, and zero unmanaged EC2 instances. It has about 50 AWS accounts, growing constantly, and makes thousands of Lambda deploys per day. In support of this, it has a low-single-digit number of FTEs focused on operations.

The company uses red/black deployments with CloudFormation that include a complete application stack – API Gateway, Lambda, CloudFront, Kinesis, etc. Data sources are maintained separately, however, and are protected from accidental modifications and updates.

iRobot monitors and generates alerts on production status with Sumo Logic and AWS CloudWatch. It also uses additional Lambda functions to understand billing – every hour, a timed function runs and ships data to Sumo Logic for further billing investigation. The company looked very closely at the historical service levels of the AWS services it consumes, due to the large number in use, and the fact that downtime in any of them produces business downtime for iRobot.

The biggest downside is the powerless feeling in the event of provider issues. AWS enterprise support is viewed as critical although expensive by iRobot, and it preemptively opens tickets with AWS in the event of any application issues, just in case it turns out to be an issue on Amazon's side.

GreenQ positions itself as the 'internet of garbage.' It focuses on smart waste management, and decided to go serverless for scalability, performance and cost. Because the company wanted the capability to run in on-premises environments and also wanted to consume IBM Watson cognitive services, it chose OpenWhisk. GreenQ has a handful of large customers at this point in Israel, where the company is based, and is looking to expand to the US.

Movivo, a very early serverless adopter, began using Lambda with the goal of reducing maintenance to the absolute minimum. In the 18 months since Movivo was founded, its total AWS bill has been less than $5,000. In its view, unit testing is easy with serverless today, but other kinds of testing remain quite difficult.

Rovio (maker of Angry Birds) spoke about its journey of migrating Toons.tv to serverless. Toons.tv averages 312 million monthly views of cartoons hosted on its platform, primarily consumed from mobile devices. It had problems with legacy systems, slow development, high cost and a small team responsible for all of it. It built five proofs of concept (POCs) to test the value of serverless:

  • Identity with Cognito user pools and Lambda
  • Session configuration with DynamoDB and Lambda
  • Transcoding with Elastic Transcoder and Lambda
  • Image resizing with API Gateway with binary response and Lambda
  • Content with S3 and Lambda

Going serverless was a challenge for the company, but between AWS training, the POCs and weekly internal workshops, it made the shift. Rovio found using managed services very helpful in speeding development cycles.

Infor spoke about its adoption of Lambda and Step Functions for managing hours-long deployment processes of ERP software that it moved to AWS. The challenge here was that Lambda functions can only run for five minutes. It initially used the AWS Simple Workflow Service (SWF), but had issues with complexity, latency, cost, retries, dead time and debugging.

When Step Functions was announced, Infor saw a lot of promise. In four weeks, it replaced SWF with Step Functions, which was far simpler, cheaper and faster. Deployment time went down from about 130 minutes to less than 30 minutes.

Adobe spoke about Adobe.io and OpenWhisk, which it jointly contributed to the Apache foundation with IBM. One of its primary motivations for getting involved in the serverless world was its own developers, especially those building cloud-based services. Adobe is involved in many open-source communities like Cordova, Brackets, many other Java projects, and even fonts, so this comes as no surprise from the open-source angle.

Accenture spoke on transitioning its cloud platform to serverless, which we previously covered. Along with Capital One, it served as one of the top-level enterprise sponsors supporting the current and ongoing importance of FaaS.

Market trends

At the event, FaaS startup StdLib open-sourced FaaSlang, which it calls an open specification that defines semantics for FaaS development, documentation, deployment and execution. It has support from employees at Small Wins (Brian Leroux, one of the main people behind PhoneGap) and, most importantly, Microsoft, so we recommend watching for whether it gets uptake within and beyond Microsoft and its other contributors.

Security is a big question with serverless architectures, so security vendor Snyk presented on the topic. FaaS has many advantages from a security perspective, such as reducing the need for users to focus on securing the underlying servers and dealing with denial-of-service attacks (which become financial DoS because users still pay for requests), and less need to worry about long-lived compromised servers.

FaaS apps still need to store data, however, and that data can still be stolen or tampered with. The data cannot be kept 'on the same machine' because of the nature of FaaS, which expands the footprint of the attack surface. Snyk recommended encrypting all sensitive persistent data and all sensitive state data, minimizing the functions that can access each data store, using separate database credentials per function, and monitoring which functions access which data.
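An added example, not from the report or from Snyk: a minimal audit of which functions can reach which data store or database credential, following the recommendations above. The function names, ARNs and policies are constructed, and the matcher is a simplification that assumes identity policies only and ignores Deny statements, conditions and NotAction/NotResource.

```python
from fnmatch import fnmatchcase

ARN = "arn:aws:{}:us-east-1:111122223333:"  # constructed region and account id
SESSIONS = ARN.format("dynamodb") + "table/sessions"
BILLING = ARN.format("dynamodb") + "table/billing"
SESSION_DB_CRED = ARN.format("secretsmanager") + "secret:db/get-session-a1b2c3"

# Constructed sample: IAM policy statements attached to each function's role.
POLICIES = {
    "get-session": [
        {"Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": SESSIONS},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": SESSION_DB_CRED},
    ],
    "ship-billing": [{"Effect": "Allow", "Action": ["dynamodb:Query"],
                      "Resource": [BILLING]}],
    # Over-broad: every table in the account.
    "admin-report": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
    # Over-broad: every database credential, including other functions' secrets.
    "legacy-api": [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                    "Resource": ARN.format("secretsmanager") + "secret:db/*"}],
}
# Constructed sample: the only functions that should reach each store or credential.
EXPECTED = {SESSIONS: {"get-session"}, BILLING: {"ship-billing"},
            SESSION_DB_CRED: {"get-session"}}

def as_list(value):
    return value if isinstance(value, list) else [value]

def can_access(statements, store_arn):
    """True if an Allow statement covers store_arn with an action of its service."""
    service = store_arn.split(":")[2]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        svc_ok = any(a == "*" or a.split(":")[0] == service for a in as_list(st["Action"]))
        res_ok = any(fnmatchcase(store_arn, r) for r in as_list(st["Resource"]))
        if svc_ok and res_ok:
            return True
    return False

def access_matrix(policies, stores):
    """Store -> functions that can reach it: the baseline to monitor against."""
    return {s: sorted(f for f, sts in policies.items() if can_access(sts, s)) for s in stores}

def audit(policies, expected):
    """Sorted (store, function) pairs where a function outside the expected set has access."""
    return sorted((store, fn) for store, allowed in expected.items()
                  for fn, sts in policies.items()
                  if fn not in allowed and can_access(sts, store))
```

Here `audit(POLICIES, EXPECTED)` reports `admin-report` against both tables and `legacy-api` against the `get-session` credential, the two over-broad grants in the sample.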

However, it showed that application dependencies, and vulnerabilities in them, remain a security issue. A 19-line code sample pulled in more than 191,000 lines of code in dependencies. Snyk's offering will connect to a serverless or PaaS runtime (Lambda and Heroku today) and monitor functions for vulnerabilities.

While serverless creates no new problems, it does mean more independent services, flexible interfaces and the use of third-party services (hence the need to secure data in transit). Each function becomes its own perimeter that needs to be secured, with its input sanitized.

AWS's Tim Wagner closed out the show in classic fashion – he's known for destroying servers during his talks to emphasize how customers no longer need to purchase and maintain their own hardware. This time, the theme was Will it Blend? (with server components) – and indeed, it did.

He also touched on an important area, the serverless ecosystem beyond the runtimes, and in particular how to more quickly and productively create applications.

Frameworks for building serverless apps include Apex, Chalice, Claudia.js, Serverless, Sparta and Zappa. As these frameworks continue to mature and gain adoption, more and more enterprises will find it easier to adopt new architectural approaches like serverless, whether or not it runs on their own servers.
