BlogNovember 30, 2018
It's Time to Embrace Serverless
The buzzword "serverless" is new, but the concept is not.
Organizations have been moving towards serverless for years without naming it as such. On-premise email servers, for example, have largely been replaced by popular serverless offerings - serverless simply means the vendor operates the servers, such as Gmail and Microsoft Exchange Online. Operators didn't decommission email servers because they heard a new buzzword, they did it because of a simple value proposition:
The operating costs of the servers combined with the cost of labor to maintain them was greater than the cost offered by a third party provider operating on economies of scale.
Not only was the cost reduced by switching from self-managed to serverless, but it became easier to manage and understand the exact cost of the service. Furthermore, these service providers were regarded as being expert email and security providers.
As computing has grown cheaper and networking faster, it has become easier to outsource technical capabilities to internet-based third-party services. These capabilities have long included internal operations such as employee email, and have now grown to serve application needs including payment processing. More and more organizations are choosing these services to offload common technical needs due to the clear value proposition.
The growth of these services over the past decade has provided a wealth of opportunity to reduce cost, and place more focus on business logic as the industry shifts more IT infrastructure into managed cloud services. These services have matured to the point where an organization can operate their own application without having to manage a single server. This is known as Serverless Architecture and enables startups and enterprises alike to operate faster and with lower overhead than ever before.
FaaS - Functions-as-a-Service
FaaS has brought the Serverless concept into the limelight because it addresses the final use of a server in a modern IT organization - executing application code.
A FaaS service allows a user to upload an arbitrary set of code or a function that can be triggered to run at any time in effective infinite parallel scale as required. Instead of a traditional pay-by-month model, the user pays for the number of times the function is executed and the time each execution takes. If you aren't using it, you aren't paying for it.
The potential to run any application without having to manage a single server at any scale is now possible. In the four years since FaaS was introduced by AWS Lambda, it has matured to the point where large companies are operating fully on Serverless architectures with FaaS at the core.
More than FaaS
FaaS is a key aspect of serverless but just one part of the larger picture. Serverless architecture is a modern approach to building software. You also need to consider other application components that would traditionally require servers:
- Storing data
- Sending email and text messages
- Operating message queues
Thankfully there are many serverless services available to perform these common tasks; these often have simple integrations with FaaS implementations. Remember that the key philosophy of serverless architecture is to reduce scope to just business logic.
When containers became the new standard for application architecture, we decomposed monolith functionality into microservices. This concept remains true when migrating into FaaS-based architectures as we further decompose microservices into functions. While performing this exercise today, there is more opportunity to replace common application functionality with managed services. Search services, authentication, and managed centralized logging services are some great examples.
When choosing to use managed services not only is the functionality provided by a third party but the upkeep, bug fixing, and general maintenance is also provided. These services are generally feature-rich and provide new opportunities to enhance applications. Choosing managed services over custom built and maintained services further reduces the scope of an IT organization's concerns.
Serverless Is Agile
It is unrealistic to think an entire code base can be rewritten overnight to operate without servers. However the nature of Serverless makes it easy to get quick wins. Highly reduced operational overhead makes the time-to-market pipeline much smaller.
Start small. Accomplish new tasks using fully Serverless technology to demonstrate the power without having to worry about provisioning new infrastructure. Rewrite smaller applications on FaaS platforms and decommission the servers they used to run on. Small wins are key to getting buy-in to not just a set of technologies but a new frame in which to approach your applications. Taking advantage of more serverless components leads to greater agility and competitive advantage.
Serverless Is Cost Effective
Serverless architectures can greatly reduce both operational and development cost. As serverless services are priced on usage, applications with wide variance in usage will benefit immensely. If an application has minimal usage late at night but spikes of usage throughout the day, serverless will provide significant cost savings over operating servers to handle peak load at all times. Traditional virtual server scaling can achieve a similar effect. However this requires managing complex scaling policies, and cannot handle large spikes in traffic nearly as well.
It is trivial to compare operating costs between traditional server architectures and serverless based architectures. Determining the value of a developer's ability to deploy production-ready code in minutes is more challenging. The time spent sizing resources and considering scaling is eliminated, the concerns of configuring server security are removed, the procurement of virtual or physical hardware and associated paperwork is not needed either - just to mention a few less-tangible areas of savings.
The intangibles tend to include the largest savings, yet when considering operational cost alone, most companies find a significant cost reduction by shifting to FaaS based architectures.
Serverless Is Secure
The most competitive race between cloud providers is one that goes unnoticed by most. It's the race to build the biggest, longest, webpage of security compliances and certifications. These security showcases demonstrate the dedication to security and the cloud providers' expertise in best security practices that surpasses even the most competent of IT enterprises. FaaS allows for even more fine-grained expert vendor security than traditional virtual cloud servers. When using cloud functions, users can feel safe that the servers their code is executing on are frequently restarted, patched, and updated.
The Human Angle
In a world where companies are more worried about software developers than capital, it is key to deploy resources effectively. Choosing serverless can drastically reduce the headache and immense cost of hiring and retaining technical talent. Reduced scope means reduced need for developers, system admins, technical support, and more.
Serverless also maximizes available developer resources. With less to maintain, debug and monitor, developers can spend more time building new features and improving business logic. Additionally, using powerful cloud native services increases the impact a developer has while building an application, leading to increased developer satisfaction and productivity.
What Serverless Won't Fix
The benefits of serverless architecture are innumerable, but like all shiny new technologies it is not a magic bullet. For starters, serverless will not fix the quality and security of your code. Most security threats are the result of code vulnerabilities. Injection (SQL, XML Parser, etc.) remains the number one vulnerability, according to the 2017 OWASP Top 10 Web Application Security Risks. This is the same top vulnerability as indicated in the 2010 version of the same report. Injection can only be fixed in code by sanitizing user input. Many of the top 10 security risks fall into the same category - e.g., using components with known vulnerabilities. While server security is no longer your concern in a serverless world, code security remains paramount.
Serverless architecture is still young. Best practices are still being defined, and it may not make sense to attempt to migrate more complex workloads. Every sufficiently complex application or workload needs to be considered individually for viability on serverless architecture, it may not always make sense to migrate given the youth of serverless tooling and developer knowledge. It is time, however, to start experimenting with serverless - to start witnessing the power firsthand. Web applications such as static websites and REST APIs are excellent candidates for straightforward fully serverless architectures. Remember, start small, demonstrate potential, and earn buy-in.
While serverless may not always be the answer, it is an incredibly powerful component of the modern architecture toolkit.
Serverless Is Here to Stay
We are in the sweet spot of an emerging technology and new approach to applications. Serverless is not finished growing but has reached a clear critical mass. Serverless and FaaS are not just buzzwords anymore but the next evolution in modern application architecture.
Serverless allows users to be more comfortable in both the security of their applications and the knowledge that money is not wasted on unused server capacity and fruitless developer hours. It allows for maximization of both profit and developer potential in a time where talent is at a premium. Serverless frees users to solely focus on building, innovating, and growing products.
It's time to embrace serverless.