Serverless computing: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:52, 14 October 2024 edit WikiCleanerBot (talk \| contribs) Bots 1,007,735 edits m v2.05b - Bot T21 CW#557 - Fix errors for CW project (Missing whitespace before a link) Tag: WPCleaner ← Previous edit		Latest revision as of 09:44, 27 August 2025 edit undo Citation bot (talk \| contribs) Bots 5,866,691 edits Add: doi, pages, issue, volume, date, article-number, publisher, authors 1-2. Removed parameters. Some additions/deletions were parameter name changes. \| Use this bot. Report bugs. \| Suggested by Headbomb \| Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox \| #UCB_webform_linked 411/967
(31 intermediate revisions by 13 users not shown)
Line 1: {{Short description\|Cloud computing model}} ~~{{Tone\|section\|date=June 2024\|talk=Tone}}~~ '''Serverless computing''' is "a cloud service category in which the customer can use different cloud capability types without the customer having to provision, deploy and manage either hardware or software resources, other than providing customer application code or providing customer data. Serverless computing represents a form of virtualized computing." according to [[International Organization for Standardization\|ISO]]/IEC 22123-2.<ref name=":1">{{Cite journal \|title=ISO/IEC 22123-2:2023 (E) - Information technology — Cloud computing — Part 2: Concepts \|journal=International Standard \|pages=25}}</ref> Serverless computing is a broad ecosystem that includes the cloud provider, [[Function as a service\|Function as a Service]] (FaaS), managed services, tools, frameworks, engineers, stakeholders, and other interconnected elements, according to Sheen Brisals.<ref name=":2">{{Cite book \|last=Brisals \|first=Sheen \|title=Serverless Development on AWS: Building Enterprise-Scale Serverless Solutions \|publisher=O'Reilly Media \|isbn=978-1098141936}}</ref> '''Serverless computing''' is a [[cloud computing]] [[execution model]] in which the cloud provider allocates machine [[Computing resource\|resources]] on demand, taking care of the [[Server (computing)\|servers]] on behalf of their customers. ''Serverless'' is a [[misnomer]] in the sense that servers are still used by cloud service providers to execute code for [[Developer (software)\|developers]]. However, developers of serverless [[Application (computing)\|applications]] are not concerned with [[capacity planning]], configuration, management, maintenance, [[fault tolerance]], or scaling of containers, [[virtual machine]]s, or physical servers. When an app is not in use, there are no computing resources allocated to the app. Pricing is based on the actual amount of resources consumed by an application.<ref name="techcrunch-lambda">{{cite web\|url=https://techcrunch.com/2015/11/24/aws-lamda-makes-serverless-applications-a-reality/\|title=AWS Lambda Makes Serverless Applications A Reality\|last=Miller\|first=Ron\|website=[[TechCrunch]]\| date=24 Nov 2015\|access-date=10 July 2016}}</ref> It can be a form of [[utility computing]]. == Overview == One proposed definition for serverless computing that encompasses these ideas is that serverless computing is a "cloud computing paradigm encompassing a class of cloud computing platforms that allow one to develop, deploy, and run applications (or components thereof) in the cloud without allocating and managing [[Virtual private server\|virtualized servers]] and resources or being concerned about other operational aspects. The responsibility for operational aspects, such as [[fault tolerance]] or the [[Autoscaling\|elastic scaling]] of computing, storage, and communication resources to match varying application demands, is offloaded to the cloud provider. Providers apply utilization-based billing: they charge cloud users with fine granularity, in proportion to the resources that applications actually consume from the cloud infrastructure, such as computing time, [[Computer memory\|memory]], and [[Computer storage\|storage]] space."<ref name="serverless computing">{{cite web\|url=https://cacm.acm.org/article/serverless-computing/\|title=Serverless Computing: What It Is, and What It Is Not?\|last=Kounev\|first=Samuel\|website=[[Communications of ACM]]\| date=23 August 2023\|access-date=4 April 2024}}</ref> Note the definition of serverless has stretched over time. According to Ben Kehoe, serverless is a spectrum; one should not fixate on a strict definition of serverless nor any specific serverless technology. Instead, one should focus on serverless mindset: how to use serverless to solve one's business problems.<ref>{{Cite book \|title=Serverless as a Game Changer How to Get the Most Out of the Cloud \|year=2023 \|isbn=9780137392551}}</ref> ''Serverless'' is a [[misnomer]] in the sense that servers are still used by cloud service providers to execute code for [[Developer (software)\|developers]]. The definition of serverless computing has evolved over time, leading to varied interpretations. According to Ben Kehoe, serverless represents a spectrum rather than a rigid definition. Emphasis should shift from strict definitions and specific technologies to adopting a serverless mindset, focusing on leveraging serverless solutions to address business challenges.<ref>{{Cite book \|last1=Emison \|first1=Joseph \|title=Serverless as a Game Changer How to Get the Most Out of the Cloud \|year=2023 \|publisher=Addison-Wesley Professional \|isbn=9780137392551}}</ref> Serverless computing can simplify the process of [[software deployment\|deploying code]] into [[Production environment\|production]]. It does not entirely remove the complexity, but mainly shifts it from the operations team to development team. And the more fine grained the application, the harder it is to manage it.{{clarify\|date=June 2024}} <ref>{{Cite book \|title=The Software Architect Elevator: Redefining the Architect's Role in the Digital Enterprise \|publisher=O'Reilly Media \|year=2020 \|isbn=978-1492077541}}</ref> Serverless computing does not eliminate complexity but shifts much of it from the operations team to the development team. However, this shift is not absolute, as operations teams continue to manage aspects such as identity and access management (IAM), networking, security policies, and cost optimization. Additionally, while breaking down applications into finer-grained components can increase management complexity, the relationship between granularity and management difficulty is not strictly linear. There is often an optimal level of modularization where the benefits outweigh the added management overhead.<ref>{{Cite book \|title=The Software Architect Elevator: Redefining the Architect's Role in the Digital Enterprise \|publisher=O'Reilly Media \|year=2020 \|isbn=978-1492077541}}</ref><ref name=":2" /> Serverless code can be used in conjunction with code deployed in traditional styles, such as [[microservices]] or [[Monolithic application\|monoliths]]. Alternatively, applications can be written to be purely serverless and use no provisioned servers at all.<ref name="lambda-api-gateway" /> This should not be confused with computing or networking models that do not require an actual server to function, such as [[peer-to-peer]] (P2P). According to Yan Cui, serverless should be adopted only when it helps to deliver customer value faster. And while adopting, organizations should take small steps and de-risk along the way.<ref name=":0">{{Cite book \|last=Cui \|first=Yan \|title=Serverless Architectures on AWS \|publisher=Manning \|year=2020 \|isbn=978-1617295423 \|edition=2nd}}</ref> == ~~Serverless runtimes~~Challenges == Serverless applications are prone to [[fallacies of distributed computing]]. In addition, they are prone to the following fallacies:<ref>{{Cite book \|last=Richards \|first=Mark \|title=Fundamentals of Software Architecture: An Engineering Approach \|publisher=O'Reilly Media \|date=March 3, 2020 \|isbn=978-1492043454 \|edition=1st}}</ref><ref>{{Cite book \|last=Richards \|first=Mark \|title=Software Architecture: The Hard Parts: Modern Trade-Off Analyses for Distributed Architectures \|publisher=O'Reilly Media \|year=2021 \|isbn=978-1492086895 \|edition=1st}}</ref>▼ Serverless vendors offer compute runtimes that execute application logic but do not store data. Common runtime models are ''[[function as a service]]'' (FaaS) and ''[[Containerization (computing)\|container]] as a service''. Common languages supported by serverless runtimes are [[Java (programming language)\|Java]], [[Python (programming language)\|Python]], and [[PHP]]. Generally, the functions run within isolation boundaries, such as [[Linux container]]s. ~~== Commercial offerings ==~~ The first pay-as-you-go code execution platform was [[Zimki]], released in 2006, but it was not commercially successful.<ref>{{Cite web\|url=https://www.theregister.co.uk/2007/09/25/zimki_fotango_shut/\|title=Fotango to smother Zimki on Christmas Eve\|last=Williams\|first=Christopher\|website=[[The Register]]\|access-date=2017-06-11}}</ref> In 2008, [[Google]] released [[Google App Engine]], which featured metered billing for applications that used a custom Python framework, but could not execute arbitrary code.<ref>{{Cite web\|url=https://code.google.com/appengine/docs/python/runtime.html\|title=Python Runtime Environment {{!}} App Engine standard environment for Python {{!}} Google Cloud Platform\|website=Google Cloud Platform\|language=en\|access-date=2017-06-11}}</ref> PiCloud, released in 2010, offered FaaS support for Python. Google App Engine, introduced in 2008, was the first abstract serverless computing offering.<ref>{{cite web \|last1=Evans \|first1=Jon \|title=Whatever Happened to PaaS? \|date=11 April 2015 \|url=https://techcrunch.com/2015/04/11/whatever-happened-to-paas/ \|publisher=TechCrunch \|access-date=17 December 2020}}</ref> App Engine included HTTP functions with a 60-second timeout and a blob store and data store with their own timeouts. No in-memory persistence was allowed. All operations had to be executed within these limits, but this allowed apps built in App Engine to scale near-infinitely and was used to support early customers including [[Snapchat]], as well as many external and internal Google apps. Language support was limited to Python using native Python modules, as well as a limited selection of Python modules in C that were chosen by Google. Like later serverless platforms, App Engine also used pay-for-what-you-use billing.<ref>{{cite web \|last1=Kincaid \|first1=Jason \|title=Google App Engine Offers Pricing Plan Beyond Quotas; Grab A Free I/O Ticket To Celebrate \|url=https://techcrunch.com/2009/02/25/google-app-engine-offers-pricing-plan-beyond-quotas-grab-a-free-io-ticket-to-celebrate/ \|website=TechCrunch \|date=25 February 2009 \|access-date=17 December 2020}}</ref> [[AWS Lambda]], introduced by Amazon in 2014,<ref name="techcrunch-lambda-launch">{{cite web\|url=https://techcrunch.com/2014/11/13/amazon-launches-lambda-an-event-driven-compute-service/\|title=Amazon Launches Lambda, An Event-Driven Compute Service\|date=13 Nov 2014\|access-date=10 July 2016\|last=Miller\|first=Ron\|website=[[TechCrunch]]}}</ref> popularized the abstract serverless computing model. It is supported by a number of additional AWS serverless tools such as AWS Serverless Application Model (AWS SAM) [[Amazon CloudWatch]], and others. [[Google Cloud Platform]] created a second serverless offering, [[Google Cloud Functions]], in 2016.<ref name="vb-gcf">{{cite web\|url=https://venturebeat.com/2016/02/09/google-has-quietly-launched-its-answer-to-aws-lambda/\|title=Google has quietly launched its answer to AWS Lambda\|date=9 February 2016\|access-date=10 July 2016\|last=Novet\|first=Jordan\|website=[[VentureBeat]]}}</ref> Oracle Cloud Functions is a serverless platform offered on [[Oracle Cloud Infrastructure]], and is based on the open-source Fn Project so developers can create applications that can be ported to other cloud and on-premise environments. It supports code in [[Python (programming language)\|Python]], [[Go (programming language)\|Go]], [[Java (programming language)\|Java]], [[Ruby (programming language)\|Ruby]], and [[Node.js\|Node]].<ref>{{Cite web \|title=How to choose a cloud serverless platform \|url=https://www.arnnet.com.au/article/686673/how-choose-cloud-serverless-platform/ \|access-date=2022-03-23 \|website=www.arnnet.com.au\|date=3 March 2021 }}</ref> ~~== Serverless databases ==~~ Several serverless [[Distributed data store\|databases]] have emerged to extend the serverless execution model to the [[RDBMS]], eliminating the need to provision or scale [[Hardware virtualization\|virtualized]] or physical database hardware. [[Nutanix]] offers a solution named Era which turns an existing RDBMS such as [[Oracle Database\|Oracle]], [[MariaDB]], [[PostgreSQL]], or [[Microsoft SQL Server]] into a serverless service.<ref>{{Cite web\|url=https://www.nutanix.com/products/era/\|title = One-click Database Administration & Automation \| Nutanix Era}}</ref> [[Amazon Aurora]] offers a serverless version of its databases, based on MySQL and PostgreSQL, providing on-demand, auto-scaling configurations.<ref>{{Cite web\|url=https://aws.amazon.com/rds/aurora/serverless/\|title=Amazon Aurora Serverless - On-demand, Auto-scaling Relational Database - AWS\|website=Amazon Web Services, Inc.\|language=en-US\|access-date=2019-08-08}}</ref> [[Azure Data Lake]] is a highly scalable data storage and analytics service. The service is hosted in [[Microsoft Azure\|Azure]], Microsoft's public cloud. [[Azure Data Lake\|Azure Data Lake Analytics]] provides a distributed infrastructure that can dynamically allocate or de-allocate resources so customers pay for only the services they use. [[Oracle Cloud]] offers a serverless version of its Oracle Autonomous Database, which is the Autonomous Transaction Processing service. The serverless service also includes a JSON edition.<ref>{{Cite web \|title=Oracle brings the Autonomous Database to JSON \|url=https://www.zdnet.com/article/oracle-brings-the-autonomous-database-to-json/ \|access-date=2022-03-23 \|website=ZDNet \|language=en}}</ref> [[Firebase]], also owned by Google,<ref>{{Cite web\|url=https://techcrunch.com/2014/10/21/google-acquires-firebase-to-help-developers-build-better-realtime-apps/\|title=Google Acquires Firebase To Help Developers Build Better Real-Time Apps {{!}} TechCrunch\|last=Lardinois\|first=Frederic\|date=21 October 2014 \|access-date=2017-06-11}}</ref> includes a [[hierarchical database]] and is available via fixed and pay-as-you-go plans.<ref>{{Cite web\|url=https://gigaom.com/2013/06/20/firebase-gets-5-6m-to-launch-its-paid-product-and-fire-up-its-base/\|title=Firebase gets $5.6M to launch its paid product and fire up its base\|last=Darrow\|first=Barb\|date=2013-06-20\|website=gigaom.com\|language=en-US\|access-date=2017-06-11}}</ref> ~~== Advantages ==~~ ~~=== Cost ===~~ Serverless can be more cost-effective than renting or purchasing a fixed quantity of servers,<ref name="Everybody is talking about serverless architecture" /> which generally involves significant periods of underusage or idle time.<ref name='techcrunch-lambda'/> It can even be more cost-efficient than provisioning an [[autoscaling\|autoscaling group]], due to more efficient [[Bin packing problem\|bin-packing]] of the underlying machine resources. This can be described as pay-as-you-go computing<ref name="Everybody is talking about serverless architecture" /> or bare-code,<ref name="Everybody is talking about serverless architecture" /> as one is charged based solely upon the time and memory allocated to run ones code, without associated fees for idle time.<ref name="Everybody is talking about serverless architecture" /> A useful analogy here is between rental car (traditional cloud Virtual Machines) versus ride share apps like Uber or Lyft (serverless computing). Immediate cost benefits are related to the lack of operating costs, including: licenses, installation, dependencies, and personnel cost for maintenance, support, or patching.<ref name="Everybody is talking about serverless architecture" /> Due to infinite scalability, developers may experience [[bill shock]] as a result of faulty code or a [[Denial-of-service attack]]. This is however often refunded, at the expense of the service provider.<ref>{{Cite web \|last=Anderson \|first=Tim \|date=2020-12-10 \|title=Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight \|url=https://www.theregister.com/2020/12/10/google_cloud_over_run/ \|url-status=live \|access-date=2024-10-09 \|website=The Register}}</ref> ~~=== Elasticity versus scalability ===~~ ~~{{See also\|Scalability\|Elasticity (cloud computing)}}~~ In addition, a serverless architecture means that developers and operators do not need to spend time setting up and tuning autoscaling policies or systems; the cloud provider is responsible for scaling the capacity to the demand.<ref name="techcrunch-lambda" /><ref name="techcrunch-azure">{{cite web \|last=Miller \|first=Ron \|date=31 March 2016 \|title=Microsoft answers AWS Lambda's event-triggered serverless apps with Azure Functions \|url=https://techcrunch.com/2016/03/31/microsoft-answers-aws-lambdas-event-triggered-serverless-apps-with-azure-functions/ \|website=[[TechCrunch]] \|access-date=10 July 2016}}</ref><ref name="Everybody is talking about serverless architecture">{{cite web\|url=http://www.bcs.org/content/conWebDoc/58491\|title=Losing the server? Everybody is talking about serverless architecture\|date=4 September 2017\|last= Jamieson\|first=Frazer}}</ref> As Google puts it: "from prototype to production to planet-scale."<ref name="Everybody is talking about serverless architecture" /> ~~As cloud native systems inherently scale down as well as up, these systems are known as elastic rather than scalable.~~ Small teams of developers are able to run code themselves without the dependence upon teams of infrastructure and support engineers; more developers are becoming [[DevOps]]-skilled and distinctions between being a software developer or hardware engineer are blurring.<ref name="Everybody is talking about serverless architecture" /> ~~=== Productivity ===~~ With [[function as a service]], the units of code exposed to the outside world are simple event-driven [[subroutine\|functions]]. This means that typically, the programmer does not have to worry about [[multithreading (software)\|multithreading]] or directly handling [[HTTP]] requests in their code, simplifying the task of back-end software development. ~~== Disadvantages ==~~ ▲Serverless applications are prone to [[fallacies of distributed computing]]. In addition, they are prone to following fallacies:<ref>{{Cite book \|last=Richards \|first=Mark \|title=Fundamentals of Software Architecture: An Engineering Approach \|publisher=O'Reilly Media \|date=March 3, 2020 \|isbn=978-1492043454 \|edition=1st}}</ref><ref>{{Cite book \|last=Richards \|first=Mark \|title=Software Architecture: The Hard Parts: Modern Trade-Off Analyses for Distributed Architectures \|publisher=O'Reilly Media \|year=2021 \|isbn=978-1492086895 \|edition=1st}}</ref> * [[Version control\|Versioning]] is simple * [[Compensating transaction]]s always work * [[Observability (software)\|Observability]] is optional === Performance ===▼ Infrequently-used serverless code may suffer from greater response [[latency (engineering)\|latency]] than code that is continuously running on a dedicated server, virtual machine, or container. This is because, unlike with autoscaling, the cloud provider typically ''spins down'' the serverless code completely when not in use. This means that if the runtime (for example, the [[Java (programming language)\|Java]] runtime) requires a significant amount of time to start up, it will create additional latency.<ref name="vanEykIosup2018">{{cite book\|last1=van Eyk\|first1=Erwin\|last2=Iosup\|first2=Alexandru\|last3=Abad\|first3=Cristina L.\|last4=Grohmann\|first4=Johannes\|last5=Eismann\|first5=Simon\|title=Companion of the 2018 ACM/SPEC International Conference on Performance Engineering\|chapter=A SPEC RG Cloud Group's Vision on the Performance Challenges of FaaS Cloud Architectures\|year=2018\|pages=21–24\|doi=10.1145/3185768.3186308\|chapter-url=https://research.vu.nl/ws/files/87100942/A_SPEC_RG_cloud_group_s_vision_on_the_performance_challenges_of_FaaS_cloud_architectures.pdf\|hdl=1871.1/8aa529e9-f8f9-4305-8073-91dd1a9451fb\|isbn=9781450356299\|s2cid=4718290\|hdl-access=free}}</ref> This is referred to as ''cold start'' in serverless computing. ~~=== Resource limits ===~~ Serverless computing is not suited to some computing workloads, such as [[high-performance computing]], because of the resource limits imposed by cloud providers, and also because it would likely be cheaper to bulk-provision the number of servers believed to be required at any given point in time.<ref name="hellersteinFaleiro2019">{{cite journal\|last1=Hellerstein\|first1=Joseph\|last2=Faleiro\|first2=Jose\|last3=Gonzalez\|first3=Joseph\|last4=Schleier-Smith\|first4=Johann\|last5=Screekanti\|first5=Vikram\|last6=Tumanov\|first6=Alexey\|last7=Wu\|first7=Chenggang\|title=Serverless Computing: One Step Forward, Two Steps Back\|year=2019\|arxiv=1812.03651}}</ref> This makes it challenging to deploy complex applications (such as those with a [[directed acyclic graph]] of functions); serverless computing out of the box is most suited for execution of individual stateless functions. Some commercial offerings like AWS Step Functions from Amazon and Azure Durable Functions from Microsoft are meant to ease this challenge. === Monitoring and debugging === Monitoring and debugging serverless applications can present unique challenges due to their distributed, event-driven nature and proprietary environments. Traditional tools may fall short, making it difficult to track execution flows across services. However, modern solutions such as distributed tracing tools (e.g., AWS X-Ray, Datadog), centralized logging, and cloud-agnostic observability platforms are mitigating these challenges. Emerging technologies like OpenTelemetry, AI-powered anomaly detection, and serverless-specific frameworks are further improving visibility and root cause analysis. While challenges persist, advancements in monitoring and debugging tools are steadily addressing these limitations.<ref>{{Cite book \|title=Distributed Tracing in Practice: Instrumenting, Analyzing, and Debugging Microservice \|publisher=O'Reilly Media \|isbn=978-1492056638}}</ref><ref>{{Cite book \|title=Cloud-Native Observability with OpenTelemetry: Learn to gain visibility into systems by combining tracing, metrics, and logging with OpenTelemetry \|isbn=978-1801077705}}</ref> Diagnosing performance or excessive resource usage problems with serverless code may be more difficult than with traditional server code, because although entire functions can be timed,<ref name='lambda-api-gateway'>{{cite web\|url=https://www.forbes.com/sites/janakirammsv/2015/07/16/paas-vendors-watch-out-amazon-is-all-set-to-disrupt-the-market/\|title=PaaS Vendors, Watch Out! Amazon Is All Set To Disrupt the Market\|last=MSV\|first=Janakiram\|website=[[Forbes]]\|date=16 July 2015\|access-date=10 July 2016}}</ref> there is typically no ability to dig into more detail by attaching [[profiling (computer programming)\|profilers]], [[debugger]]s, or [[Application Performance Management\|APM]] tools.<ref name="LeitnerWittern2019">{{cite journal\|last1=Leitner\|first1=Philipp\|last2=Wittern\|first2=Erik\|last3=Spillner\|first3=Josef\|last4=Hummer\|first4=Waldemar\|title=A mixed-method empirical study of Function-as-a-Service software development in industrial practice\|journal=Journal of Systems and Software\|volume=149\|year=2019\|pages=340–359\|issn=0164-1212\|doi=10.1016/j.jss.2018.12.013\|hdl=11475/14313\|s2cid=67775784\|hdl-access=free}}</ref> Furthermore, the environment in which the code runs is typically not open source, so its performance characteristics cannot be precisely replicated in a [[Deployment environment#Development\|local environment]]. === Security === According to [[OWASP]], serverless applications are vulnerable to variations of traditional attacks, insecure code, and some serverless-specific attacks (like Denial of Wallet<ref>{{Cite journal \|~~last~~last1=Kelly \|~~first~~first1=Daniel \|last2=Glavin \|first2=Frank G. \|last3=Barrett \|first3=Enda \|date=2021-08-01 \|title=Denial of wallet—Defining a looming threat to serverless computing \|url=https://linkinghub.elsevier.com/retrieve/pii/S221421262100079X \|journal=Journal of Information Security and Applications \|volume=60 \|~~pages~~article-number=102843 \|doi=10.1016/j.jisa.2021.102843 \|issn=2214-2126\|arxiv=2104.08031 }}</ref>). So, the risks have changed and attack prevention requires a shift in mindset.<ref>{{Cite web \|title=OWASP Serverless Top 10 {{!}} OWASP Foundation \|url=https://owasp.org/www-project-serverless-top-10/ \|access-date=2024-05-20 \|website=owasp.org \|language=en}}</ref><ref>{{Citation \|title=OWASP/Serverless-Top-10-Project \|date=2024-05-02 \|url=https://github.com/OWASP/Serverless-Top-10-Project \|access-date=2024-05-20 \|publisher=OWASP}}</ref> === Vendor lock-in ===▼ Serverless is sometimes mistakenly considered as more secure than traditional architectures. While this is true to some extent because OS vulnerabilities are taken care of by the cloud provider, the total attack surface is significantly larger as there are many more components to the application compared to traditional architectures, and each component is an entry point to the serverless application. Moreover, the security solutions that customers used to have to protect their cloud workloads become irrelevant as customers cannot control and install anything on the [[endpoint security\|endpoint]] and [[Network security\|network]] level such as an [[intrusion detection system\|intrusion detection/prevention system]] (IDS/IPS).<ref>{{cite web \| url=https://www.puresec.io/serverless-security-top-12-csa-puresec \| title=Cloud Workload Protection (CWP) \| CWPP }}</ref> Serverless computing is provided as a third-party service. Applications and software that run in the serverless environment are by default locked to a specific cloud vendor. This issue is exacerbated in serverless computing, as with its increased level of abstraction, public vendors only allow customers to upload code to a FaaS platform without the authority to configure underlying environments. More importantly, when considering a more complex workflow that includes Backend-as-a-Service (BaaS), a BaaS offering can typically only natively trigger a FaaS offering from the same provider. This makes the workload migration in serverless computing virtually impossible. Therefore, considering how to design and deploy serverless workflows from a [[multi-cloud]] perspective seems promising and is starting to prevail{{When\|date=June 2024}}.<ref>{{Cite book \|last1=Aske \|first1=Austin \|last2=Zhao \|first2=Xinghui \|title=Proceedings of the 47th International Conference on Parallel Processing Companion \|chapter=Supporting Multi-Provider Serverless Computing on the Edge \|date=2018-08-13 \|chapter-url=https://doi.org/10.1145/3229710.3229742 \|series=ICPP Workshops '18 \|___location=New York, NY, USA \|publisher=Association for Computing Machinery \|pages=1–6 \|doi=10.1145/3229710.3229742 \|isbn=978-1-4503-6523-9\|s2cid=195348799 }}</ref><ref>{{Cite book \|last1=Baarzi \|first1=Ataollah Fatahi \|last2=Kesidis \|first2=George \|last3=Joe-Wong \|first3=Carlee \|last4=Shahrad \|first4=Mohammad \|title=Proceedings of the ACM Symposium on Cloud Computing \|chapter=On Merits and Viability of Multi-Cloud Serverless \|date=2021-11-01 \|chapter-url=https://doi.org/10.1145/3472883.3487002 \|series=SoCC '21 \|___location=New York, NY, USA \|publisher=Association for Computing Machinery \|pages=600–608 \|doi=10.1145/3472883.3487002 \|isbn=978-1-4503-8638-8\|s2cid=239890130 }}</ref><ref>{{Cite book \|last1=Zhao \|first1=Haidong \|last2=Benomar \|first2=Zakaria \|last3=Pfandzelter \|first3=Tobias \|last4=Georgantas \|first4=Nikolaos \|title=2022 IEEE/ACM 15th International Conference on Utility and Cloud Computing (UCC) \|chapter=Supporting Multi-Cloud in Serverless Computing \|date=2022-12-06 \|chapter-url=https://ieeexplore.ieee.org/document/10061782/references#references \|pages=285–290 \|doi=10.1109/UCC56403.2022.00051\|arxiv=2209.09367 \|isbn=978-1-6654-6087-3 \|s2cid=252383217 }}</ref>▼ ▲=== High Performance =Computing == This is intensified by the mono-culture properties of the entire server network. (A single flaw can be applied globally.) According to Protego, the "solution to secure serverless apps is close partnership between developers, DevOps, and AppSec, also known as DevSecOps. Find the balance where developers don't own security, but they aren't absolved from responsibility either. Take steps to make it everyone's problem. Create cross-functional teams and work towards tight integration between security specialists and development teams. Collaborate so your organization can resolve security risks at the speed of serverless."<ref>{{Cite web\|url=https://www.protego.io/serverless-computing-security-risks-challenges/\|title=Serverless Computing Security Risks & Challenges\|last=Solow\|first=Hillel\|date=2019-02-05\|website=protego.io\|language=en-US\|access-date=2019-03-20}}</ref> Serverless computing may not be ideal for certain [[high-performance computing]] (HPC) workloads due to resource limits often imposed by cloud providers, including maximum memory, CPU, and runtime restrictions. For workloads requiring sustained or predictable resource usage, bulk-provisioned servers can sometimes be more cost-effective than the pay-per-use model typical of serverless platforms. However, serverless computing is increasingly capable of supporting specific HPC workloads, particularly those that are highly parallelizable and event-driven, by leveraging its scalability and elasticity. The suitability of serverless computing for HPC continues to evolve with advancements in cloud technologies.<ref>{{Cite book \|title=Serverless Computing: Principles and Paradigms \|date=12 May 2023 \|publisher=Springer \|isbn=978-3031266324}}</ref><ref>{{Cite book \|last1=Foster \|first1=Ian \|last2=Gannon \|first2=Dennis B. \|title=Cloud Computing for Science and Engineering (Scientific and Engineering Computation) \|date=29 September 2017 \|publisher=MIT Press \|isbn=978-0262037242}}</ref><ref name="hellersteinFaleiro2019">{{Citation\|last1=Hellerstein \|first1=Joseph \|last2=Faleiro \|first2=Jose \|last3=Gonzalez \|first3=Joseph \|last4=Schleier-Smith \|first4=Johann \|last5=Screekanti \|first5=Vikram \|last6=Tumanov \|first6=Alexey \|last7=Wu \|first7=Chenggang \|year=2019 \|title=Serverless Computing: One Step Forward, Two Steps Back \|arxiv=1812.03651}}</ref> ==~~=Privacy=~~ Anti-patterns == The "Grain of Sand Anti-pattern" refers to the creation of excessively small components (e.g., functions) within a system, often resulting in increased complexity, operational overhead, and performance inefficiencies.<ref name=":5">{{Cite book \|last=Richards \|first=Mark \|title=Microservices AntiPatterns and Pitfalls \|date=2015 \|publisher=O'REILLY \|publication-date=2015}}</ref> "Lambda Pinball" is a related anti-pattern that can occur in serverless architectures when functions (e.g., AWS Lambda, Azure Functions) excessively invoke each other in fragmented chains, leading to latency, debugging and testing challenges, and reduced observability.<ref name=":3">{{Cite journal \|title=TECHNOLOGY RADAR VOL. 21 An opinionated guide to technology \|url=https://www.thoughtworks.com/content/dam/thoughtworks/documents/radar/2019/11/tr_technology_radar_vol_21_en.pdf \|journal=Technology Radar \|publisher=ThoughtWorks \|volume=21}}</ref> These anti-patterns are associated with the formation of a distributed monolith. Many serverless function environments are based on [[Proprietary software\|proprietary]] public cloud environments. Here, some [[privacy]] implications have to be considered, such as [[shared resource]]s and access by external employees. However, serverless computing can also be done on private cloud environment or even on-premises, using for example the [[Kubernetes]] platform. This gives companies full control over privacy mechanisms, just as with hosting in traditional server setups. These anti-patterns are often addressed through the application of clear ___domain boundaries, which distinguish between public and published interfaces.<ref name=":3" /><ref name=":4">{{Cite journal \|last=Fowler \|first=Martin \|date=March–April 2002 \|title=Public versus Published Interfaces \|url=https://martinfowler.com/ieeeSoftware/published.pdf \|journal=IEEE Software \|volume=19 \|issue=2 \|pages=18–19 \|doi=10.1109/52.991326 }}</ref> Public interfaces are technically accessible interfaces, such as methods, classes, API endpoints, or triggers, but they do not come with formal stability guarantees. In contrast, published interfaces involve an explicit stability contract, including formal versioning, thorough documentation, a defined deprecation policy, and often support for backward compatibility. Published interfaces may also require maintaining multiple versions simultaneously and adhering to formal deprecation processes when breaking changes are introduced.<ref name=":4" /> ~~=== Standards ===~~ Serverless computing is covered by International Data Center Authority (IDCA) in their Framework AE360.<ref>{{Cite web\|url=https://www.idc-a.org/ae360\|title=The Standards Framework for the Application Ecosystem \| International Data Center Authority (IDCA)}}</ref> However, the part related to portability can be an issue when moving business logic from one public cloud to another, for which the [[Docker (software)\|Docker]] solution was created. [[Cloud Native Computing Foundation]] (CNCF) is also working on developing a specification with [[Oracle Corporation\|Oracle]].<ref>{{Cite news\|url=https://www.sdxcentral.com/articles/news/cncf-oracle-boost-serverless-standardization-efforts/2018/05/\|title=CNCF, Oracle Boost Serverless Standardization Efforts\|work=SDxCentral\|access-date=2018-11-24\|language=en-US}}</ref> Fragmented chains of function calls are often observed in systems where serverless components (functions) interact with other resources in complex patterns, sometimes described as spaghetti architecture or a distributed monolith. In contrast, systems exhibiting clearer boundaries typically organize serverless components into cohesive groups, where internal public interfaces manage inter-component communication, and published interfaces define communication across group boundaries. This distinction highlights differences in stability guarantees and maintenance commitments, contributing to reduced dependency complexity.<ref name=":3" /><ref name=":4" /> ▲=== Vendor lock-in === ▲Serverless computing is provided as a third-party service. Applications and software that run in the serverless environment are by default locked to a specific cloud vendor. This issue is exacerbated in serverless computing, as with its increased level of abstraction, public vendors only allow customers to upload code to a FaaS platform without the authority to configure underlying environments. More importantly, when considering a more complex workflow that includes Backend-as-a-Service (BaaS), a BaaS offering can typically only natively trigger a FaaS offering from the same provider. This makes the workload migration in serverless computing virtually impossible. Therefore, considering how to design and deploy serverless workflows from a [[multi-cloud]] perspective seems promising and is starting to prevail{{When\|date=June 2024}}.<ref>{{Cite book \|last1=Aske \|first1=Austin \|last2=Zhao \|first2=Xinghui \|title=Proceedings of the 47th International Conference on Parallel Processing Companion \|chapter=Supporting Multi-Provider Serverless Computing on the Edge \|date=2018-08-13 \|chapter-url=https://doi.org/10.1145/3229710.3229742 \|series=ICPP Workshops '18 \|___location=New York, NY, USA \|publisher=Association for Computing Machinery \|pages=1–6 \|doi=10.1145/3229710.3229742 \|isbn=978-1-4503-6523-9\|s2cid=195348799 }}</ref><ref>{{Cite book \|last1=Baarzi \|first1=Ataollah Fatahi \|last2=Kesidis \|first2=George \|last3=Joe-Wong \|first3=Carlee \|last4=Shahrad \|first4=Mohammad \|title=Proceedings of the ACM Symposium on Cloud Computing \|chapter=On Merits and Viability of Multi-Cloud Serverless \|date=2021-11-01 \|chapter-url=https://doi.org/10.1145/3472883.3487002 \|series=SoCC '21 \|___location=New York, NY, USA \|publisher=Association for Computing Machinery \|pages=600–608 \|doi=10.1145/3472883.3487002 \|isbn=978-1-4503-8638-8\|s2cid=239890130 }}</ref><ref>{{Cite book \|last1=Zhao \|first1=Haidong \|last2=Benomar \|first2=Zakaria \|last3=Pfandzelter \|first3=Tobias \|last4=Georgantas \|first4=Nikolaos \|title=2022 IEEE/ACM 15th International Conference on Utility and Cloud Computing (UCC) \|chapter=Supporting Multi-Cloud in Serverless Computing \|date=2022-12-06 \|chapter-url=https://ieeexplore.ieee.org/document/10061782/references#references \|pages=285–290 \|doi=10.1109/UCC56403.2022.00051\|arxiv=2209.09367 \|isbn=978-1-6654-6087-3 \|s2cid=252383217 }}</ref> Additionally, patterns associated with excessive serverless function chaining are sometimes addressed through architectural strategies that emphasize native service integrations instead of individual functions, a concept referred to as the functionless mindset. However, this approach is noted to involve a steeper learning curve, and integration limitations may vary even within the same cloud vendor ecosystem.<ref name=":2" /> Reporting on serverless databases presents challenges, as retrieving data for a reporting service can either break the [[Domain-driven design\|bounded contexts]], reduce the timeliness of the data, or do both. This applies regardless of whether data is pulled directly from databases, retrieved via HTTP, or collected in batches. Mark Richards refers to this as the "''Reach-in Reporting Antipattern"''.<ref name=":5" /> A possible alternative to this approach is for databases to asynchronously push the necessary data to the reporting service instead of the reporting service pulling it. While this method requires a separate contract between services and the reporting service and can be complex to implement, it helps preserve bounded contexts while maintaining a high level of data timeliness.<ref name=":5" /> ~~== Best practices ==~~ Following [[DevSecOps]] practices can help one to use and to secure serverless technologies more effectively.<ref>{{Cite book \|last=Katzer \|first=Jason \|title=Learning Serverless: Design, Develop, and Deploy with Confidence \|publisher=O'Reilly Media \|year=2020 \|isbn=978-1492057017}}</ref> In serverless applications, the line between the infrastructure and business logic is blurred and the apps are usually spread across various services. According to Yan Cui, to get the most value from testing efforts, serverless applications should to be tested mainly for their integrations, and arguably, unit tests should be used only if there is a complex business logic. Also, to make debugging and implementation of serverless applications easier, developers should use [[Orchestration (computing)\|orchestration]] within the [[Domain-driven design\|bounded context]] of a [[microservice]], and should use [[Service choreography\|choreography]] between the bounded-contexts.<ref name=":0">{{Cite book \|last=Cui \|first=Yan \|title=Serverless Architectures on AWS \|publisher=Manning \|year=2020 \|isbn=978-1617295423 \|edition=2nd}}</ref> == Principles == According to Yan Cui, ephemeral resources should be kept together to achieve a high [[Cohesion (computer science)\|cohesion]]. However, shared resources that have a long spin-up time (e.g. [[AWS RDS]] cluster) and landing zone should have their own separate [[Repository (version control)\|repository]], [[deployment pipeline]] and stack. <ref name=":0" />▼ Adopting [[DevSecOps]] practices can help improve the use and security of serverless technologies.<ref>{{Cite book \|last=Katzer \|first=Jason \|title=Learning Serverless: Design, Develop, and Deploy with Confidence \|publisher=O'Reilly Media \|year=2020 \|isbn=978-1492057017}}</ref> In serverless applications, the distinction between infrastructure and business logic is often blurred, with applications typically distributed across multiple services. To maximize the effectiveness of testing, integration testing is emphasized for serverless applications.<ref name=":0" /> Additionally, to facilitate debugging and implementation, [[Orchestration (computing)\|orchestration]] is used within the [[Domain-driven design\|bounded context]], while [[Service choreography\|choreography]] is employed between different bounded contexts.<ref name=":0" /> ~~== Uses/functions ==~~ Serverless functions can be used for:<ref>{{Cite web \|date=2021-12-13 \|title=What Is Serverless Computing? \|url=https://www.itprotoday.com/serverless-computing/what-serverless-computing \|access-date=2022-03-23 \|website=ITPro Today \|language=en}}</ref> ▲~~According to Yan Cui, ephemeral~~Ephemeral resources ~~should~~are betypically kept together to ~~achieve a~~maintain high [[Cohesion (computer science)\|cohesion]]. However, shared resources ~~that have a~~with long spin-up ~~time~~times, ~~(e.g.~~such as [[AWS RDS]] ~~cluster)~~clusters and landing ~~zone~~zones, ~~should~~are ~~have~~often ~~their~~managed ~~own~~in separate ~~[[Repository (version control)\|repository]]~~repositories, [[deployment pipeline]], and ~~stack~~stacks. <ref name=":0" /> * Data analytics * Streaming video processing * CI/CD operations * File conversions * Log aggregation and restructuring * Support for dynamic website content == See also ==