Step 4: Application Services & Serverless
Modern AWS architectures rarely wire services together directly. Queues, event buses, CDNs, and serverless compute let you build loosely coupled systems that scale independently. This step covers the glue that holds cloud applications together.
AWS Lambda: Serverless Compute
Lambda runs your code without you managing any servers. You upload a function, define what triggers it, and AWS handles everything else: provisioning, scaling, patching, and billing.
How Lambda Works
```
Trigger ──► Lambda Function ──► Action
            (your code)
               ├── Runtime: Python 3.12, Node 20, Java 21, etc.
               ├── Memory: 128 MB to 10,240 MB
               ├── Timeout: max 15 minutes
               └── Ephemeral storage: /tmp up to 10 GB

Triggers:
├── API Gateway (HTTP request)
├── S3 event (file uploaded)
├── DynamoDB Stream (item changed)
├── SQS message
├── EventBridge rule
├── CloudWatch Events (scheduled)
└── SNS notification
```

Lambda Pricing
Pay only for:
- Requests: $0.20 per 1 million (first 1M free)
- Duration: $0.0000166667 per GB-second (first 400,000 GB-seconds/month free)
A function using 512 MB running for 100ms costs $0.0000083334 per invocation. For most workloads, Lambda is dramatically cheaper than keeping an EC2 instance running.
Lambda Concurrency
Concurrency = number of function instances running simultaneously.
Default burst limit: 3,000 concurrent executions (varies by region)
Default account limit: 1,000 concurrent executions
Reserved Concurrency: guarantees a minimum and caps the maximum for a function.
Provisioned Concurrency: pre-warms instances, eliminating cold starts.
Cold start problem: When Lambda needs a new instance, it downloads your code and initializes your runtime. This adds 100 ms to 2 s of latency. Use Provisioned Concurrency for latency-sensitive APIs. Lambda SnapStart (Java) reduces cold starts by taking snapshots after initialization.
Lambda with VPC
Lambda functions run outside your VPC by default. To access resources in a private subnet (RDS, ElastiCache), configure Lambda to use a VPC. AWS now uses Hyperplane ENIs, so VPC Lambda no longer has the slow cold start penalty it had before 2020.
API Gateway
API Gateway is the front door for your Lambda functions and HTTP backends. It handles authentication, rate limiting, HTTPS, request transformation, and versioning.
REST API vs HTTP API vs WebSocket
REST API (v1): all features, including usage plans, API keys, request validation, caching, and X-Ray. Higher cost.
HTTP API (v2): 71% cheaper than REST API. JWT authorizers, AWS services proxy. Missing: API keys, usage plans, caching.
WebSocket API: Bidirectional persistent connection. Chat apps, real-time feeds.

2026 recommendation: Use HTTP API unless you need REST API's advanced features (caching, per-method throttling, API keys for third-party monetization).
Deployment Stages and Throttling
Every API Gateway deployment targets a stage (dev, staging, prod). Each stage has its own URL, settings, and can be rolled back independently.
Throttling defaults: 10,000 requests per second (RPS) per region, 5,000 burst. Configure method-level throttling to protect backend Lambda or ECS from overload.
Caching: REST API stages can cache responses (0.5 GB to 237 GB). Reduces backend calls and latency. Cache TTL default is 300 seconds.
SQS: Simple Queue Service
SQS is the messaging backbone for decoupled architectures. A producer sends a message to the queue; one or more consumers poll and process it.
Standard vs FIFO Queues
| Standard Queue | FIFO Queue |
|---|---|
| At-least-once delivery | Exactly-once processing |
| Best-effort ordering | Strict ordering guaranteed |
| Nearly unlimited TPS | 300 TPS (3,000 with batching) |
| Best for: high-throughput tasks | Best for: financial transactions, order processing |

Key SQS Concepts
Visibility Timeout: After a consumer picks up a message, it becomes invisible to other consumers for this duration (default 30s, max 12h). If the consumer doesn't delete the message before the timeout, it reappears, enabling retry on failure.
Dead Letter Queue (DLQ): Messages that fail processing N times are moved to a DLQ for inspection. Every production SQS queue should have a DLQ.
Long Polling: Instead of polling continuously (and paying per empty request), set WaitTimeSeconds=20. The queue holds the connection open up to 20 seconds until a message arrives. Reduces cost and latency.
Message Retention: 4 days default, up to 14 days.
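The visibility-timeout, DLQ and long-polling concepts above, as an added example that is not from the page: a consumer that deletes a message only after successful processing, plus the queue attributes that wire up the redrive policy. It uses a constructed in-memory stand-in for boto3's SQS client so it runs offline; the queue URL, DLQ ARN and message bodies are placeholders.

```python
import json
from typing import Any, Callable

def queue_attributes(dlq_arn: str, max_receive_count: int = 5,
                     visibility_timeout: int = 60, retention_days: int = 4) -> dict:
    # Real SQS attribute keys (values must be strings): visibility timeout,
    # retention, long-polling default, and the DLQ redrive policy.
    return {
        "VisibilityTimeout": str(visibility_timeout),
        "MessageRetentionPeriod": str(retention_days * 24 * 3600),
        "ReceiveMessageWaitTimeSeconds": "20",            # long polling
        "RedrivePolicy": json.dumps({"deadLetterTargetArn": dlq_arn,
                                     "maxReceiveCount": max_receive_count}),
    }

def consume_once(sqs: Any, queue_url: str, handler: Callable[[dict], None]) -> dict:
    # One long-poll cycle. Delete only after the handler succeeds: a failing
    # message is left in place, reappears after the visibility timeout and,
    # after maxReceiveCount failed receives, is moved to the DLQ by SQS.
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                               WaitTimeSeconds=20)
    stats = {"ok": 0, "failed": 0}
    for msg in resp.get("Messages", []):
        try:
            handler(json.loads(msg["Body"]))
        except Exception:
            stats["failed"] += 1          # no delete: SQS will redeliver
            continue
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
        stats["ok"] += 1
    return stats

class FakeSQS:
    # Constructed in-memory stand-in for boto3.client("sqs"); hypothetical.
    def __init__(self, bodies):
        self.messages = [{"MessageId": f"m{i}", "ReceiptHandle": f"rh{i}",
                          "Body": json.dumps(b)} for i, b in enumerate(bodies)]
    def receive_message(self, **kw):
        return {"Messages": list(self.messages[:kw["MaxNumberOfMessages"]])}
    def delete_message(self, QueueUrl, ReceiptHandle):
        self.messages = [m for m in self.messages if m["ReceiptHandle"] != ReceiptHandle]

def demo():
    # Three constructed messages; the second fails and must stay queued.
    sqs = FakeSQS([{"order": 1}, {"order": 2, "corrupt": True}, {"order": 3}])
    def handler(body):
        if body.get("corrupt"):
            raise ValueError("cannot process")
    stats = consume_once(sqs, "https://sqs.example/queue", handler)
    return stats, len(sqs.messages)    # ({"ok": 2, "failed": 1}, 1)
```

With a real client, pass the dict from queue_attributes to create_queue or set_queue_attributes, and run consume_once in a loop.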
SNS: Simple Notification Service
SNS is a publish/subscribe service. Publishers send to a topic; all subscribed endpoints receive a copy simultaneously. This fan-out pattern is the primary reason SNS and SQS are used together.
SNS + SQS Fan-Out Pattern
```
S3 Upload Event ──► SNS Topic "new-uploads"
                        ├──► SQS Queue A ──► Lambda: Generate thumbnail
                        ├──► SQS Queue B ──► Lambda: Virus scan
                        └──► SQS Queue C ──► Lambda: Update database
```

Result: S3 event triggers three independent processes in parallel. Each queue has its own retry/DLQ logic. Services are fully decoupled.

SNS Subscription types: SQS, Lambda, HTTP/HTTPS, Email, SMS, Mobile Push (iOS/Android/Windows).
SNS FIFO Topics: Paired with SQS FIFO queues for strict ordering in fan-out. Each subscription gets messages in order.
SNS Message Filtering: Subscribers can set a filter policy so they only receive messages matching specific attributes. Reduces noise and processing cost.
Amazon EventBridge
EventBridge is the next-generation event bus, more powerful than SNS for routing events from AWS services, custom apps, and SaaS providers to targets.
```
Event Sources:                    EventBridge Bus:     Targets:
──────────────                    ────────────────     ──────────────
AWS services (EC2, S3, etc.) ──► Default Bus     ──► Lambda
Custom applications          ──► Custom Bus      ──► Step Functions
SaaS apps (Salesforce, etc.) ──► Partner Bus     ──► SQS / SNS
                                                 ──► API Gateway
                                                 ──► ECS Task
```

EventBridge Rules: Pattern matching on event content. Route "EC2 instance state changed to terminated" to a Lambda that sends a Slack alert. Far more flexible than CloudWatch Events (which EventBridge replaced).
EventBridge Pipes: Point-to-point integrations with filtering, enrichment, and transformation. Connect SQS to Lambda with filtering in between; no custom code is needed for the routing layer.
Scheduled Expressions: Replace cron jobs with rate(5 minutes) or cron(0 12 * * ? *).
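The rule matching described above, as an added example (not AWS's implementation): a simplified matcher for the event-pattern subset a rule like "EC2 instance state changed to terminated" needs. It handles exact-value lists, nested objects, and the prefix and anything-but operators; the sample event and its instance id are constructed.

```python
def _value_matches(rule_values: list, actual) -> bool:
    # An array value in the event matches if any of its elements matches.
    actuals = actual if isinstance(actual, list) else [actual]
    for rv in rule_values:
        for a in actuals:
            if isinstance(rv, dict):                     # operator form
                if "prefix" in rv and isinstance(a, str) and a.startswith(rv["prefix"]):
                    return True
                if "anything-but" in rv:
                    ab = rv["anything-but"]
                    if a not in (ab if isinstance(ab, list) else [ab]):
                        return True
            elif rv == a:                                # exact match
                return True
    return False

def matches(pattern: dict, event: dict) -> bool:
    # Every key in the pattern must exist in the event and match; event keys
    # not mentioned in the pattern are ignored, as in EventBridge.
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _value_matches(rule, event[key]):
            return False
    return True

# The rule from the text: EC2 instance state changed to terminated.
TERMINATED_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["terminated"]},
}

# Constructed sample event in the EC2 state-change shape (instance id is a placeholder).
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "region": "us-east-1",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "terminated"},
}
```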
CloudFront: Content Delivery Network
CloudFront is AWS's CDN: it caches content at 450+ edge locations globally, reducing latency for end users and reducing load on your origin.
How CloudFront Works
```
User (Tokyo) ──► CloudFront Edge (Tokyo)
                    ├── Cache HIT?  ──► Return cached response (fast)
                    └── Cache MISS  ──► Fetch from Origin ──► Cache + Return

Origins:
├── S3 Bucket (static content, SPA)
├── ALB (dynamic content)
├── EC2 instance
└── Custom HTTP server (on-premises)
```

CloudFront Key Features
Origin Access Control (OAC): Restricts S3 bucket access so only CloudFront can read it. Replaces the older Origin Access Identity (OAI). Exam: "serve S3 content only through CloudFront, block direct S3 access" means OAC.
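The OAC setup above, as an added example that is not from the page: the bucket policy that lets only one specific CloudFront distribution read the bucket, plus a check that flags policies still allowing direct or over-broad S3 reads. Bucket name, account id and distribution id are constructed placeholders.

```python
import json

def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    # CloudFront service principal + AWS:SourceArn condition: only this
    # distribution, in this account, may fetch objects.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
        }],
    }

def audit_bucket_policy(policy: dict) -> list:
    # Findings for Allow statements that defeat "only through CloudFront".
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants access to everyone (direct S3 access allowed)")
        elif isinstance(principal, dict) and "cloudfront.amazonaws.com" in str(principal.get("Service", "")):
            # Condition keys are case-insensitive, so compare lower-cased.
            if "sourcearn" not in json.dumps(st.get("Condition", {})).lower():
                findings.append(f"{sid}: CloudFront principal without a SourceArn "
                                "condition (any distribution in any account could read)")
    return findings

# Constructed 'before' policy: world-readable objects, the thing OAC replaces.
LEGACY_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}
```

Block Public Access should stay on for the bucket as well; the policy alone is only half of "block direct S3 access".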
Signed URLs and Signed Cookies: Control who can access content. Signed URL for single file access (e.g., premium video download). Signed Cookies for multiple files (e.g., entire subscriber content library).
CloudFront Functions vs Lambda@Edge: Both run code at edge locations, but differ in capability and latency:
CloudFront Functions: Sub-millisecond. Viewer request/response only. Header manipulation, URL rewrites, A/B testing.
Lambda@Edge: Milliseconds. All four event types. Dynamic content generation, authentication, complex logic.

HTTPS and SSL/TLS: CloudFront provides free SSL certificates via ACM. Custom domains + HTTPS require a certificate in us-east-1 (this is tested).
Route 53: DNS and Traffic Routing
Route 53 is AWS's DNS service and can do sophisticated traffic routing based on health, geography, latency, and weight.
Routing Policies
Simple: One record, no health checks.
Weighted: Split traffic by percentage. A/B testing, blue/green.
Latency-Based: Route to the Region with the lowest latency to the user.
Geolocation: Route based on the user's country or continent.
Geoproximity: Route based on geographic location plus a bias factor (requires Traffic Flow).
Failover: Primary/secondary. Routes to secondary if the primary health check fails.
Multi-Value: Returns multiple healthy IPs. Not a substitute for ELB.
IP-Based: Route based on the client's CIDR block. New in 2023.

Health Checks: Route 53 monitors endpoints and can trigger failover routing. Three types: endpoint, calculated (aggregates other health checks), and CloudWatch alarm.
Alias Records: Like a CNAME but free of charge for AWS resources, and works at the zone apex (e.g., example.com without www). Always use Alias over CNAME for AWS resources (ELB, CloudFront, S3 website).
Route 53 Resolver
Inbound Endpoints: Allow on-premises DNS servers to query Route 53 for Private Hosted Zone records.
Outbound Endpoints: Allow VPC resources to query on-premises DNS servers. Essential for hybrid architectures.
Exam Patterns
| Scenario | Answer |
|---|---|
| Decouple producer from consumer, allow retry | SQS |
| Notify multiple services when an event occurs | SNS topic with SQS subscriptions |
| React to AWS service events (EC2 launch, S3 upload) | EventBridge |
| Serve static website globally with HTTPS | S3 + CloudFront + ACM (us-east-1) |
| Route users to the closest AWS region | Route 53 Latency routing |
| Primary/secondary site failover | Route 53 Failover policy + health checks |
| HTTP API without managing servers | API Gateway + Lambda |
| Lambda cold starts must be eliminated | Provisioned Concurrency |