Serverless computing

Serverless computing is a cloud service category in which the customer can use different cloud capabilities types without the customer having to provision, deploy and manage either hardware or software resources, other than providing customer application code or providing customer data. Serverless computing represents a form of virtualized computing." according to ISO/IEC 22123-2. ^[1] Function as a Service (FaaS) and serverless databases are examples of serverless computing. However, serverless computing is considered to be broader than these components. ^[2] Sheen Brisals suggests that serverless technology should be viewed as an ecosystem that includes the cloud provider, FaaS, managed services, as well as tools, frameworks, engineers, stakeholders, and other interconnected elements. ^[2]

Overview

Serverless is a misnomer in the sense that servers are still used by cloud service providers to execute code for developers. The definition of serverless computing has evolved over time, leading to varied interpretations. According to Ben Kehoe, serverless represents a spectrum rather than a rigid definition. Emphasis should shift from strict definitions and specific technologies to adopting a serverless mindset, focusing on leveraging serverless solutions to address business challenges. ^[3]

Serverless computing does not eliminate complexity but shifts much of it from the operations team to the development team. However, this shift is not absolute, as operations teams continue to manage aspects such as identity and access management (IAM), networking, security policies, and cost optimization. Additionally, while breaking down applications into finer-grained components can increase management complexity, the relationship between granularity and management difficulty is not strictly linear. There is often an optimal level of modularization where the benefits outweigh the added management overhead. ^[4]^[2]

Serverless code can be used in conjunction with code deployed in traditional styles, such as microservices or monoliths. Alternatively, applications can be written to be purely serverless and use no provisioned servers at all.^[5] This should not be confused with computing or networking models that do not require an actual server to function, such as peer-to-peer (P2P).

According to Yan Cui, serverless should be adopted only when it helps to deliver customer value faster. And while adopting, organizations should take small steps and de-risk along the way.^[6]

Disadvantages

Serverless applications are prone to fallacies of distributed computing. In addition, they are prone to following fallacies:^[7]^[8]

Versioning is simple
Compensating transactions always work
Observability is optional

Resource limits

Serverless computing is not suited to some computing workloads, such as high-performance computing, because of the resource limits imposed by cloud providers, and also because it would likely be cheaper to bulk-provision the number of servers believed to be required at any given point in time.^[9] This makes it challenging to deploy complex applications (such as those with a directed acyclic graph of functions); serverless computing out of the box is most suited for execution of individual stateless functions. Some commercial offerings like AWS Step Functions from Amazon and Azure Durable Functions from Microsoft are meant to ease this challenge.

Monitoring and debugging

Diagnosing performance or excessive resource usage problems with serverless code may be more difficult than with traditional server code, because although entire functions can be timed,^[5] there is typically no ability to dig into more detail by attaching profilers, debuggers, or APM tools.^[10] Furthermore, the environment in which the code runs is typically not open source, so its performance characteristics cannot be precisely replicated in a local environment.

Security

According to OWASP, serverless applications are vulnerable to variations of traditional attacks, insecure code, and some serverless-specific attacks (like Denial of Wallet^[11]). So, the risks have changed and attack prevention requires a shift in mindset.^[12]^[13]

Standards

Serverless computing is covered by International Data Center Authority (IDCA) in their Framework AE360.^[14] However, the part related to portability can be an issue when moving business logic from one public cloud to another, for which the Docker solution was created. Cloud Native Computing Foundation (CNCF) is also working on developing a specification with Oracle.^[15]

Vendor lock-in

Serverless computing is provided as a third-party service. Applications and software that run in the serverless environment are by default locked to a specific cloud vendor. This issue is exacerbated in serverless computing, as with its increased level of abstraction, public vendors only allow customers to upload code to a FaaS platform without the authority to configure underlying environments. More importantly, when considering a more complex workflow that includes Backend-as-a-Service (BaaS), a BaaS offering can typically only natively trigger a FaaS offering from the same provider. This makes the workload migration in serverless computing virtually impossible. Therefore, considering how to design and deploy serverless workflows from a multi-cloud perspective seems promising and is starting to prevail^[when?].^[16]^[17]^[18]

Anti-patterns

The "Grain of Sand Anti-pattern" refers to the creation of excessively small components (e.g., functions) within a system, often resulting in increased complexity, operational overhead, and performance inefficiencies. ^[19] "Lambda Pinball" is a related anti-pattern that can occur in serverless architectures when functions (e.g., AWS Lambda, Azure Functions) excessively invoke each other in fragmented chains, leading to latency, debugging and testing challenges, and reduced observability. ^[20] These anti-patterns are associated with the formation of a distributed monolith.

These anti-patterns are often addressed through the application of clear domain boundaries, which distinguish between public and published interfaces. ^[20] ^[21] Public interfaces are technically accessible interfaces, such as methods, classes, API endpoints, or triggers, but they do not come with formal stability guarantees. In contrast, published interfaces involve an explicit stability contract, including formal versioning, thorough documentation, a defined deprecation policy, and often support for backward compatibility. Published interfaces may also require maintaining multiple versions simultaneously and adhering to formal deprecation processes when breaking changes are introduced. ^[21]

Fragmented chains of function calls are often observed in systems where serverless components (functions) interact with other resources in complex patterns, sometimes described as spaghetti architecture or a distributed monolith. In contrast, systems exhibiting clearer boundaries typically organize serverless components into cohesive groups, where internal public interfaces manage inter-component communication, and published interfaces define communication across group boundaries. This distinction highlights differences in stability guarantees and maintenance commitments, contributing to reduced dependency complexity. ^[20] ^[21]

Additionally, patterns associated with excessive serverless function chaining are sometimes addressed through architectural strategies that emphasize native service integrations instead of individual functions, a concept referred to as the functionless mindset. However, this approach is noted to involve a steeper learning curve, and integration limitations may vary even within the same cloud vendor ecosystem. ^[2]

Principles

Adopting DevSecOps practices can help improve the use and security of serverless technologies. ^[22]

In serverless applications, the distinction between infrastructure and business logic is often blurred, with applications typically distributed across multiple services. To maximize the effectiveness of testing, integration testing is emphasized for serverless applications. ^[6] Additionally, to facilitate debugging and implementation, orchestration is used within the bounded context, while choreography is employed between different bounded contexts. ^[6]

Ephemeral resources are typically kept together to maintain high cohesion. However, shared resources with long spin-up times, such as AWS RDS clusters and landing zones, are often managed in separate repositories, deployment pipeline, and stacks. ^[6]

References

^ "ISO/IEC 22123-2:2023 (E) - Information technology — Cloud computing — Part 2: Concepts". International Standard: 25.
^ ^a ^b ^c ^d Brisals, Sheen. Serverless Development on AWS: Building Enterprise-Scale Serverless Solutions. O'Reilly Media. ISBN 978-1098141936.
^ Serverless as a Game Changer How to Get the Most Out of the Cloud. 2023. ISBN 9780137392551.
^ The Software Architect Elevator: Redefining the Architect's Role in the Digital Enterprise. O'Reilly Media. 2020. ISBN 978-1492077541.
^ ^a ^b MSV, Janakiram (16 July 2015). "PaaS Vendors, Watch Out! Amazon Is All Set To Disrupt the Market". Forbes. Retrieved 10 July 2016.
^ ^a ^b ^c ^d Cui, Yan (2020). Serverless Architectures on AWS (2nd ed.). Manning. ISBN 978-1617295423.
^ Richards, Mark (March 3, 2020). Fundamentals of Software Architecture: An Engineering Approach (1st ed.). O'Reilly Media. ISBN 978-1492043454.
^ Richards, Mark (2021). Software Architecture: The Hard Parts: Modern Trade-Off Analyses for Distributed Architectures (1st ed.). O'Reilly Media. ISBN 978-1492086895.
^ Hellerstein, Joseph; Faleiro, Jose; Gonzalez, Joseph; Schleier-Smith, Johann; Screekanti, Vikram; Tumanov, Alexey; Wu, Chenggang (2019). "Serverless Computing: One Step Forward, Two Steps Back". arXiv:1812.03651. {{cite journal}}: Cite journal requires |journal= (help)
^ Leitner, Philipp; Wittern, Erik; Spillner, Josef; Hummer, Waldemar (2019). "A mixed-method empirical study of Function-as-a-Service software development in industrial practice". Journal of Systems and Software. 149: 340–359. doi:10.1016/j.jss.2018.12.013. hdl:11475/14313. ISSN 0164-1212. S2CID 67775784.
^ Kelly, Daniel; Glavin, Frank G.; Barrett, Enda (2021-08-01). "Denial of wallet—Defining a looming threat to serverless computing". Journal of Information Security and Applications. 60: 102843. arXiv:2104.08031. doi:10.1016/j.jisa.2021.102843. ISSN 2214-2126.
^ "OWASP Serverless Top 10 | OWASP Foundation". owasp.org. Retrieved 2024-05-20.
^ OWASP/Serverless-Top-10-Project, OWASP, 2024-05-02, retrieved 2024-05-20
^ "The Standards Framework for the Application Ecosystem | International Data Center Authority (IDCA)".
^ "CNCF, Oracle Boost Serverless Standardization Efforts". SDxCentral. Retrieved 2018-11-24.
^ Aske, Austin; Zhao, Xinghui (2018-08-13). "Supporting Multi-Provider Serverless Computing on the Edge". Proceedings of the 47th International Conference on Parallel Processing Companion. ICPP Workshops '18. New York, NY, USA: Association for Computing Machinery. pp. 1–6. doi:10.1145/3229710.3229742. ISBN 978-1-4503-6523-9. S2CID 195348799.
^ Baarzi, Ataollah Fatahi; Kesidis, George; Joe-Wong, Carlee; Shahrad, Mohammad (2021-11-01). "On Merits and Viability of Multi-Cloud Serverless". Proceedings of the ACM Symposium on Cloud Computing. SoCC '21. New York, NY, USA: Association for Computing Machinery. pp. 600–608. doi:10.1145/3472883.3487002. ISBN 978-1-4503-8638-8. S2CID 239890130.
^ Zhao, Haidong; Benomar, Zakaria; Pfandzelter, Tobias; Georgantas, Nikolaos (2022-12-06). "Supporting Multi-Cloud in Serverless Computing". 2022 IEEE/ACM 15th International Conference on Utility and Cloud Computing (UCC). pp. 285–290. arXiv:2209.09367. doi:10.1109/UCC56403.2022.00051. ISBN 978-1-6654-6087-3. S2CID 252383217.
^ Richards, Mark (2015). Microservices AntiPatterns and Pitfalls. O'REILLY.
^ ^a ^b ^c "TECHNOLOGY RADAR VOL. 21 An opinionated guide to technology" (PDF). Technology Radar. 21. ThoughtWorks.
^ ^a ^b ^c Fowler, Martin (March–April 2002). "Public versus Published Interfaces" (PDF). IEEE Software.{{cite journal}}: CS1 maint: date and year (link)
^ Katzer, Jason (2020). Learning Serverless: Design, Develop, and Deploy with Confidence. O'Reilly Media. ISBN 978-1492057017.

v t e Cloud computing
Business models	Content as a service Data as a service Desktop as a service Function as a service Infrastructure as a service Integration platform as a service Backend as a service Network as a service Platform as a service Security as a service Software as a service
Technologies	Cloud database Cloud-native computing Cloud storage Cloud storage gateways Data centers Dew computing Distributed file system for cloud Hardware virtualization Internet Mobile cloud computing Native cloud application Networking Personal cloud Security Serverless computing Structured storage Virtual appliance Web APIs Virtual private cloud
Applications	Box Dropbox Google Workspace Drive HP Cloud (closed) IBM Cloud Lark Microsoft Office 365 OneDrive Nextcloud Oracle Cloud Owncloud Proton Drive Rackspace Salesforce Seafile PlateSpin Workday Zoho
Platforms	Alibaba Cloud Amazon Web Services AppScale Box CloudBolt Cloud Foundry Cocaine (PaaS) Creatio Engine Yard Helion GE Predix Google App Engine GreenQloud Heroku IBM Cloud Inktank Jelastic Microsoft Azure MindSphere Netlify Oracle Cloud OutSystems openQRM OpenShift PythonAnywhere RightScale Scalr Force.com SAP Business Technology Platform Splunk Vercel vCloud Air WaveMaker
Infrastructure	Alibaba Cloud Amazon Web Services Abiquo Enterprise Edition CloudStack Citrix Cloud Deft DigitalOcean EMC Atmos Eucalyptus Fujitsu Google Cloud GreenButton GreenQloud IBM Cloud iland Joyent Linode Lunacloud Microsoft Azure Mirantis Netlify Nimbula Nimbus OpenIO OpenNebula OpenStack Oracle Cloud OrionVM Rackspace Cloud Safe Swiss Cloud Zadara libvirt libguestfs OVirt Virtual Machine Manager Wakame-vdc Vercel Virtual Private Cloud OnDemand
Category Commons