Managing Cross-Account Serverless Microservices | Amazon IXD – VGT2 Blog


This article is authored by Chanci Turner, with insights from senior cloud architect Alex Johnson, focusing on the management of serverless microservices across multiple AWS accounts.

Applications utilizing a microservices architecture often consist of several independent and loosely connected microservices that communicate synchronously through APIs and asynchronously through events. Typically, different product teams manage these microservices and may choose to segregate their resources into various AWS accounts for security, billing, and isolation purposes. This segmentation can lead to specific challenges:

  • Cross-account deployment: A single pipeline must deploy a microservice to various accounts, such as DEV, QA, and PROD, which are often in separate AWS accounts.
  • Cross-account lookup: During deployment, a resource in one AWS account may need to reference a resource in another account.
  • Cross-account communication: Microservices running in one AWS account may need to interact with microservices in another AWS account.

In this article, I will explore solutions to these challenges using a sample application featuring a web interface backed by two serverless microservices. Each microservice is managed by a different product team and is deployed across several accounts using AWS CodePipeline, AWS CloudFormation, and the Serverless Application Model (SAM). At runtime the microservices communicate through an event-driven architecture, using an Amazon Simple Notification Service (SNS) topic for asynchronous, cross-account communication.

Sample Application Overview

The sample application comprises three key services:

  1. Booking Microservice: Managed within the Booking account, this service handles flight bookings and publishes booking events to an SNS topic.
  2. Airmiles Microservice: Located in the Airmiles account, this service consumes booking events from the SNS topic to calculate airmiles related to flight bookings and allows querying of airmiles for specific bookings.
  3. Web Application: This application, owned by the Web Channel account, enables users to make flight bookings, view their bookings, and check associated airmiles.

Both the Booking and Airmiles microservices are built using AWS Lambda, along with Amazon API Gateway, Amazon DynamoDB, and SNS, making the entire application serverless.

Typical Workflow

The usual booking process begins when an end user makes a flight booking through the web application, which invokes the Booking microservice via its REST API. The Booking microservice saves the flight booking and publishes the event to an SNS topic for sharing with other interested consumers. The Airmiles microservice subscribes to this SNS topic, consuming the booking event to calculate the airmiles. In keeping with microservices best practices, both the Booking and Airmiles microservices maintain their data in separate DynamoDB tables and provide APIs through API Gateway for the web application.
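The cross-account hop in this workflow is the SNS topic: the topic lives in the Booking account, the subscribing Lambda function lives in the Airmiles account, and each side needs a resource policy that names the other. The following added example (not code from the sample repository) builds both policies as Python dictionaries alongside the loosely scoped "open" topic policy that cross-account setups often start with, and runs a small least-privilege check over them. Account IDs, region, topic and function names are constructed placeholders.

```python
"""Cross-account SNS fan-out: Booking topic -> Airmiles Lambda subscriber.

Added example, not the sample application's own template. Account IDs,
ARNs and names below are constructed placeholders.
"""
import json

BOOKING_ACCOUNT = "111111111111"   # constructed placeholder
AIRMILES_ACCOUNT = "222222222222"  # constructed placeholder
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{BOOKING_ACCOUNT}:BookingEvents"
SUBSCRIBER_ARN = f"arn:aws:lambda:{REGION}:{AIRMILES_ACCOUNT}:function:AirmilesConsumer"


def open_topic_policy() -> dict:
    """The 'before' shape: anyone may subscribe, no conditions. It works
    across accounts, which is why it appears in the wild, but it also lets
    any AWS principal attach an endpoint and read booking events."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAnyoneToSubscribe",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sns:Subscribe",
            "Resource": TOPIC_ARN,
        }],
    }


def booking_topic_policy() -> dict:
    """Topic policy on the Booking side: only the Airmiles account may
    subscribe, only with the lambda protocol, and only this endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAirmilesLambdaSubscribe",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{AIRMILES_ACCOUNT}:root"},
            "Action": ["sns:Subscribe", "sns:Receive"],
            "Resource": TOPIC_ARN,
            "Condition": {
                "StringEquals": {"sns:Protocol": "lambda"},
                "ArnEquals": {"sns:Endpoint": SUBSCRIBER_ARN},
            },
        }],
    }


def airmiles_function_policy() -> dict:
    """Resource-based policy on the Airmiles Lambda: the SNS service may
    invoke it, but only on behalf of the Booking topic. Without the
    SourceArn condition any topic in any account could trigger it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowBookingTopicInvoke",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": SUBSCRIBER_ARN,
            "Condition": {"ArnEquals": {"AWS:SourceArn": TOPIC_ARN}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list:
    """Flag the three cross-account mistakes worth catching in review:
    wildcard principals, wildcard actions, and service principals that
    are not pinned to a source (the classic confused-deputy gap)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        cond_text = json.dumps(st.get("Condition", {}))
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: wildcard principal")
        if isinstance(principal, dict) and "Service" in principal \
                and "SourceArn" not in cond_text and "SourceAccount" not in cond_text:
            findings.append(f"{sid}: service principal not pinned by SourceArn/SourceAccount")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append(f"{sid}: wildcard action")
    return findings


if __name__ == "__main__":
    for name, pol in [("open", open_topic_policy()),
                      ("topic", booking_topic_policy()),
                      ("function", airmiles_function_policy())]:
        print(name, policy_findings(pol) or "ok")
```

The two conditions on the topic policy are what make the subscription a closed channel rather than a public feed: `sns:Protocol` keeps someone from attaching an e-mail or HTTPS endpoint, and `sns:Endpoint` pins the one function that should receive booking events.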

Setup Instructions

To get started with the sample application, please follow these steps:

  1. Clone the repository containing the AWS CloudFormation templates:
    git clone https://github.com/aws-samples/aws-cross-account-serverless-microservices.git
  2. Install the AWS CLI and configure your access keys or roles to make calls to AWS.
  3. Follow the instructions in the repository README to set up the CodePipeline pipelines and deploy the microservices and web application.

Cross-Account Deployment Challenge

The Booking pipeline operates within the Tools account but deploys Booking Lambda functions into the Booking account. In the sample application code repository, you can find the CloudFormation template at ToolsAcct/code-pipeline.yaml. Look for the Pipeline resource and locate the DeployToTest stage. This stage includes two AWS Identity and Access Management (IAM) roles that facilitate cross-account activity, both of which exist in the Booking account.
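To make the two-role arrangement concrete, here is an added example (not the repository's `ToolsAcct/code-pipeline.yaml`) that expresses the DeployToTest action and the two Booking-account roles as Python dictionaries and then checks the properties that matter for security review: both roles live in the target account, the role the pipeline assumes trusts only the Tools account, and the role handed to CloudFormation trusts only the CloudFormation service. Account IDs, bucket, stack and role names are constructed placeholders; the repository's own names may differ.

```python
"""Cross-account deploy stage: pipeline in Tools, stack in Booking.

Added example, not the sample repository's template. Account IDs, role
names, bucket and stack names are constructed placeholders.
"""
import re

TOOLS_ACCOUNT = "333333333333"    # constructed placeholder
BOOKING_ACCOUNT = "111111111111"  # constructed placeholder
ARTIFACT_BUCKET = "tools-pipeline-artifacts"  # constructed placeholder
# Assumed role names (the repo may use others).
CROSS_ACCOUNT_ROLE = f"arn:aws:iam::{BOOKING_ACCOUNT}:role/PipelineCrossAccountRole"
CFN_DEPLOY_ROLE = f"arn:aws:iam::{BOOKING_ACCOUNT}:role/CloudFormationDeployRole"
ARN_ACCOUNT = re.compile(r"^arn:aws:[^:]+:[^:]*:(\d{12}):")


def cross_account_role_trust() -> dict:
    """Role 1 (Booking account): assumed by the pipeline from Tools."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TOOLS_ACCOUNT}:root"},
        "Action": "sts:AssumeRole"}]}


def cfn_deploy_role_trust() -> dict:
    """Role 2 (Booking account): passed to CloudFormation, which creates the
    Lambda functions, tables and topic on the stack's behalf."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def cross_account_role_permissions() -> dict:
    """What the pipeline may do inside Booking: drive change sets on the
    booking stacks, read artifacts from Tools, and pass only the deploy
    role, and only to CloudFormation."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet",
                    "cloudformation:DescribeChangeSet", "cloudformation:DescribeStacks"],
         "Resource": f"arn:aws:cloudformation:*:{BOOKING_ACCOUNT}:stack/booking-*/*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{ARTIFACT_BUCKET}", f"arn:aws:s3:::{ARTIFACT_BUCKET}/*"]},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": CFN_DEPLOY_ROLE,
         "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}},
    ]}


def deploy_to_test_action() -> dict:
    """The CloudFormation action as CodePipeline models it: the top-level
    RoleArn is assumed by the pipeline, Configuration.RoleArn goes to
    CloudFormation."""
    return {
        "Name": "DeployBookingStack",
        "ActionTypeId": {"Category": "Deploy", "Owner": "AWS",
                         "Provider": "CloudFormation", "Version": "1"},
        "RoleArn": CROSS_ACCOUNT_ROLE,
        "Configuration": {"ActionMode": "CREATE_UPDATE", "StackName": "booking-test",
                          "TemplatePath": "BuildOutput::packaged.yaml",
                          "Capabilities": "CAPABILITY_IAM", "RoleArn": CFN_DEPLOY_ROLE},
        "InputArtifacts": [{"Name": "BuildOutput"}],
    }


def account_of(arn: str) -> str:
    """Account ID embedded in a resource ARN."""
    m = ARN_ACCOUNT.match(arn)
    if not m:
        raise ValueError(f"no account in ARN: {arn}")
    return m.group(1)


def trusted_principals(trust_policy: dict) -> set:
    """Account IDs and service names a trust policy admits ('*' if open)."""
    out = set()
    for st in trust_policy["Statement"]:
        p = st["Principal"]
        if p == "*":
            out.add("*")
            continue
        aws = p.get("AWS", [])
        for v in (aws if isinstance(aws, list) else [aws]):
            out.add("*" if v == "*" else account_of(v))
        svc = p.get("Service", [])
        out.update(svc if isinstance(svc, list) else [svc])
    return out


def stage_findings(action: dict, cross_trust: dict, cfn_trust: dict) -> list:
    """Review checks for a cross-account deploy action."""
    findings = []
    pipeline_role_acct = account_of(action["RoleArn"])
    cfn_role_acct = account_of(action["Configuration"]["RoleArn"])
    if pipeline_role_acct != cfn_role_acct:
        findings.append("pipeline role and CloudFormation role are in different accounts")
    if pipeline_role_acct == TOOLS_ACCOUNT:
        findings.append("deploy roles live in the Tools account, not the target account")
    if trusted_principals(cross_trust) != {TOOLS_ACCOUNT}:
        findings.append("cross-account role trusts principals other than the Tools account")
    if trusted_principals(cfn_trust) != {"cloudformation.amazonaws.com"}:
        findings.append("CloudFormation role trusts more than the CloudFormation service")
    return findings


if __name__ == "__main__":
    print(stage_findings(deploy_to_test_action(),
                         cross_account_role_trust(), cfn_deploy_role_trust()) or "ok")
```

The `iam:PassRole` statement is the one to get right: without the `iam:PassedToService` condition and the explicit role ARN, a compromised pipeline could hand CloudFormation any role in the Booking account.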


In conclusion, managing cross-account serverless microservices means handling deployment across account boundaries, cross-account lookups, and runtime communication between accounts; with pipelines, CloudFormation and IAM roles scoped to each account, and an SNS topic for events, these can be addressed effectively.
