Prepare your AWS GameKit backend for production - AWS GameKit

Prepare your AWS GameKit backend for production

As you prepare your game for release, use this guide to help get your AWS GameKit game backend ready for a production-level load.

The solutions that AWS GameKit provides for each of the game features use a combination of AWS services and default configuration values that are best suited for the development and testing stages of a game. When getting your game ready for production, it's a good idea to fine-tune your backend services. This fine-tuning involves two types of changes: adjusting capacity to support a game in production, and adding service features, such as monitoring, to support live players. Some of these changes involve additional costs.

This topic provides detailed instructions and recommendations for the core AWS services that are part of your AWS GameKit backend.

Analyze feature usage patterns

We highly recommend that you analyze the usage and load patterns for each GameKit feature in the development and testing stages. The AWS GameKit GitHub repo includes a starter Python script for automating your usage and load tests. Each game has different requirements for backend testing, based on which game features are included and the expected usage patterns for each game. For example, if your game uses lots of achievements but stores only a small amount of user gameplay data, you would want to focus more on stressing the backend APIs for achievements.

When putting your testing strategy into practice, be sure to activate the built-in AWS GameKit dashboards and use them to collect the usage data for each feature. These dashboards are customized to track the key aspects of your game backend.

Set up monitoring dashboards

Enable monitoring dashboards for your test and production environments. Monitoring dashboards are critical for helping you make data-driven decisions about your game's backend on AWS Cloud. Use them to track how usage changes over time and make adjustments for each feature and service to maintain system health and cost efficiency.

AWS GameKit comes with detailed custom Amazon CloudWatch dashboards for each game feature. You can activate or deactivate each game feature dashboard and access them directly in the GameKit plugin. For detailed help on using the dashboards and metric descriptions, see Work with game feature dashboards. When testing or analyzing usage patterns, pay particular attention to these metrics:

AWS Lambda

  • Latency (P99, P95 and P90)

  • Concurrent executions

  • Function errors

Amazon API Gateway

  • Latency (P99, P95 and P90)

  • 4xx and 5xx errors

Amazon DynamoDB

  • Throttle

  • Table request latency

Amazon Cognito

  • Security

We also recommend that you create alarms for each metric that is important to your game. You can create alarms in CloudWatch that notify you when a metric crosses a threshold. For help setting up alarms, see the Amazon CloudWatch User Guide topic Using Amazon CloudWatch alarms.
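As an added example (not taken from the GameKit templates), the following resources alarm on three of the metrics listed above and are created only when the IsProduction condition described later on this page is true. OpsAlarmTopic, MyRestApiName and MyStageName are hypothetical names, MyLambdaFunction and MyTableName are the placeholders this page uses, and every threshold is a constructed starting point to replace with values from your own load tests.

```yaml
# Added example: place under the Resources section of a feature template.
# Hypothetical names: OpsAlarmTopic, MyRestApiName, MyStageName.
OpsAlarmTopic:
  Type: AWS::SNS::Topic
  Condition: IsProduction

ApiLatencyP99Alarm:
  Type: AWS::CloudWatch::Alarm
  Condition: IsProduction
  Properties:
    Namespace: AWS/ApiGateway
    MetricName: Latency
    Dimensions:
      - Name: ApiName
        Value: !Ref MyRestApiName
      - Name: Stage
        Value: !Ref MyStageName
    ExtendedStatistic: p99          # percentile statistics use ExtendedStatistic
    Period: 60
    EvaluationPeriods: 5
    Threshold: 1000                 # milliseconds (constructed value)
    ComparisonOperator: GreaterThanThreshold
    TreatMissingData: notBreaching  # no traffic is not an incident
    AlarmActions: [ !Ref OpsAlarmTopic ]

LambdaErrorsAlarm:
  Type: AWS::CloudWatch::Alarm
  Condition: IsProduction
  Properties:
    Namespace: AWS/Lambda
    MetricName: Errors
    Dimensions:
      - Name: FunctionName
        Value: !Ref MyLambdaFunction
    Statistic: Sum
    Period: 60
    EvaluationPeriods: 3
    Threshold: 5                    # errors per minute (constructed value)
    ComparisonOperator: GreaterThanOrEqualToThreshold
    TreatMissingData: notBreaching
    AlarmActions: [ !Ref OpsAlarmTopic ]

TableReadThrottleAlarm:
  Type: AWS::CloudWatch::Alarm
  Condition: IsProduction
  Properties:
    Namespace: AWS/DynamoDB
    MetricName: ReadThrottleEvents
    Dimensions:
      - Name: TableName
        Value: !Ref MyTableName
    Statistic: Sum
    Period: 60
    EvaluationPeriods: 1
    Threshold: 1                    # any throttled read in a minute
    ComparisonOperator: GreaterThanOrEqualToThreshold
    TreatMissingData: notBreaching
    AlarmActions: [ !Ref OpsAlarmTopic ]
```

Subscribe an email address or on-call integration to the topic so that the alarm state changes reach someone.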

Modify your AWS CloudFormation templates

For each AWS GameKit feature that your game uses, make the following pre-production updates to the feature's AWS CloudFormation template. We recommend that you make these proposed changes before you begin deploying resources to the AWS GameKit environment that you plan to use for production (either Production or a custom environment).

To locate AWS CloudFormation templates:

If you haven't yet deployed resources in your production environment:

Make changes to your base AWS CloudFormation templates. When you configure and deploy AWS resources in Production, AWS GameKit automatically uses the updated base templates for your game. To locate your AWS GameKit base templates:

Unreal Engine

In your AWS GameKit plugin install location (see Install the plugin for your game engine):

[install location]\Plugins\AwsGameKit\Resources\cloudResources\cloudformation\

If you've already created AWS resources in your production environment:

The production-specific AWS CloudFormation templates already exist for your game. You must make updates to these existing templates and then redeploy the feature. To locate your production-specific templates:

Unreal Engine

In your Unreal game project files:

[Unreal game project]\[GameKit game title]\[environment]\cloudformation\

To troubleshoot AWS CloudFormation issues:

If you have issues related to AWS CloudFormation templates when deploying your AWS GameKit features, see the AWS CloudFormation User Guide topic Troubleshooting CloudFormation for help with common issues.

Add an IsProduction condition

For each template, add an IsProduction condition.

  • In the template, locate the Parameters section and add a Conditions section below it, as shown in the following example. Then, for other production-specific template updates, include the IsProduction condition.

    ```
    Parameters:
      ...
    Conditions:
      # This condition will toggle certain settings on/off for Production
      IsProduction: !Equals [ { Ref: GameKitEnv }, 'prd' ]
    ```

Update AWS Lambda settings

All AWS GameKit features use AWS Lambda, each with a different usage pattern. Make the following updates to the Lambda configuration settings in each template. For help with AWS CloudFormation syntax for Lambda, see these AWS CloudFormation User Guide topics: AWS::Lambda::Function and AWS::Lambda::Version.

  • Update MemorySize setting – Depending on your usage pattern, consider increasing memory from the default 128 MB. For example:

    ```
    MyLambdaFunction:
      Type: 'AWS::Lambda::Function'
      Properties:
        # Conditionally set the memory size to 256 for Production and 128 elsewhere
        MemorySize: !If [ IsProduction, 256, 128 ]
    ```

  • Add ProvisionedConcurrency setting – This setting initializes a requested number of execution environments so that they are prepared to respond immediately to your function's invocations. Note that configuring provisioned concurrency incurs charges to your AWS account. To configure provisioned concurrency, create a Lambda function version (a versioned copy of a Lambda function), add a ProvisionedConcurrencyConfig section, and set ProvisionedConcurrentExecutions to a value that can handle your production load. For details, see the AWS Lambda Developer Guide topic Lambda function versions. For example:

    ```
    MyVersionedLambdaFunction:
      # This configuration creates a Lambda Version with Provisioned Concurrency for Production
      Type: 'AWS::Lambda::Version'
      DependsOn: MyLambdaFunction
      Properties:
        FunctionName: !Ref MyLambdaFunctionName
        Description: My Lambda Function With Provisioned Concurrency
        ProvisionedConcurrencyConfig:
          !If
            - IsProduction
            - ProvisionedConcurrentExecutions: 4
            - Ref: AWS::NoValue
    ```

    Make sure to update all references to the function so that they point to the versioned function. You can do this by changing the line ${MyLambdaFunction.Arn} to ${MyLambdaFunction.Arn}:${MyVersionedLambdaFunction.Version}.

Update Amazon Cognito settings

The AWS GameKit identity and authentication feature relies on Amazon Cognito to handle user registration and login workflows. Consider the following updates for production. For help with AWS CloudFormation syntax for Amazon Cognito, see this AWS CloudFormation User Guide topic: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html

  • Enable AdvancedSecurityMode feature – This feature provides advanced security risk detection. To enable this feature, modify your AWS CloudFormation template for identity and authentication in the user pool settings as follows:

    ```
    GameKitUserPool:
      Type: 'AWS::Cognito::UserPool'
      Properties:
        UserPoolName: !Ref CognitoUserPoolName
        Schema: ...
        Policies: ...
        AutoVerifiedAttributes: ...
        AliasAttributes: ...
        LambdaConfig: ...
        UserPoolAddOns:
          # Set AdvancedSecurityMode to AUDIT
          !If
            - IsProduction
            - AdvancedSecurityMode: AUDIT
            - Ref: AWS::NoValue
    ```

Update Amazon DynamoDB settings

Several AWS GameKit features use DynamoDB, each with a different usage pattern. Make the following updates to the DynamoDB configuration settings in each template. For help with AWS CloudFormation syntax for DynamoDB, see these AWS CloudFormation User Guide topics: AWS::DynamoDB::Table and AWS::ApplicationAutoScaling::ScalableTarget.

  • Enable automatic scaling – Enable the DynamoDB auto-scaling feature for read and write capacity units. With this feature, your game can handle increased production loads as needed by basing capacity on usage metrics. For more details on DynamoDB auto-scaling, see the Amazon DynamoDB Developer Guide topic Managing Throughput Capacity Automatically with DynamoDB Auto Scaling.

    To enable auto-scaling, create the following new sections for each DynamoDB table that requires it. Provide units and capacities that are appropriate for your expected load.

    • MyTableReadCapacityScalableTarget

    • MyTableReadScalingPolicy

    • MyTableWriteCapacityScalableTarget

    • MyTableWriteScalingPolicy

    For example:

    ```
    MyTable:
      Type: 'AWS::DynamoDB::Table'
      Properties:
        ...
        BillingMode: !If [ IsProduction, PROVISIONED, PAY_PER_REQUEST ]
        ProvisionedThroughput:
          !If
            - IsProduction
            - ReadCapacityUnits: 20
              WriteCapacityUnits: 20
            - Ref: AWS::NoValue
        TableName: !Ref MyTableName

    MyTableReadCapacityScalableTarget:
      Type: "AWS::ApplicationAutoScaling::ScalableTarget"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        MaxCapacity: 200
        MinCapacity: 20
        ResourceId: !Sub table/${MyTableName}
        RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable
        ScalableDimension: "dynamodb:table:ReadCapacityUnits"
        ServiceNamespace: dynamodb

    MyTableReadScalingPolicy:
      Type: "AWS::ApplicationAutoScaling::ScalingPolicy"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        PolicyName: ReadAutoScalingPolicy
        PolicyType: TargetTrackingScaling
        ScalingTargetId:
          Ref: MyTableReadCapacityScalableTarget
        TargetTrackingScalingPolicyConfiguration:
          TargetValue: 70
          ScaleInCooldown: 60
          ScaleOutCooldown: 60
          PredefinedMetricSpecification:
            PredefinedMetricType: DynamoDBReadCapacityUtilization

    MyTableWriteCapacityScalableTarget:
      Type: "AWS::ApplicationAutoScaling::ScalableTarget"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        MaxCapacity: 200
        MinCapacity: 20
        ResourceId: !Sub table/${MyTableName}
        RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable
        ScalableDimension: "dynamodb:table:WriteCapacityUnits"
        ServiceNamespace: dynamodb

    MyTableWriteScalingPolicy:
      Type: "AWS::ApplicationAutoScaling::ScalingPolicy"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        PolicyName: WriteAutoScalingPolicy
        PolicyType: TargetTrackingScaling
        ScalingTargetId:
          Ref: MyTableWriteCapacityScalableTarget
        TargetTrackingScalingPolicyConfiguration:
          TargetValue: 70
          ScaleInCooldown: 60
          ScaleOutCooldown: 60
          PredefinedMetricSpecification:
            PredefinedMetricType: DynamoDBWriteCapacityUtilization
    ```

    For another example, see the AWS GameKit base template for user gameplay data. This feature has DynamoDB auto-scaling enabled by default for the Production environment.

  • For games with very large workloads with a high number of consumed read units, you might consider using DynamoDB Accelerator. For more information on this feature, see Amazon DynamoDB Accelerator (DAX).

Set up a custom authorizer

If you're using a separate service (custom or third-party) for player login and authentication, you must set up your game backend to use a custom authorizer. Modify the AWS CloudFormation parameters file for the identity and authentication feature (...\Plugins\AwsGameKit\Resources\cloudResources\cloudformation\identity\parameters.yml).

  • Set UseThirdPartyIdentityProvider to TRUE.

  • Provide a value for JwksThirdPartyUri.

You must make these changes in the parameters.yml file for every AWS GameKit feature that your game uses, and they must be made before you deploy AWS resources in your production environment for the identity and authentication feature.

Increase service limits

Depending on your game's expected usage load, you may want to request the following service limit increases. Most AWS services have limits that can potentially impact your game's performance at high usage loads.

  • Amazon API Gateway – Increase the limit "requests per second" (per AWS account per region). For details on API Gateway account-level limits and to request an increase, see this API Gateway Developer Guide topic Amazon API Gateway quotas and important notes.

  • AWS Lambda – Increase the limit "concurrent executions". For details and to request a limit increase, see Lambda quotas.

  • AWS Key Management Service – Increase the limit "requests per second". For details and to request a limit increase, see AWS KMS request quotas.

Customize player registration email

If your game uses the identity and authentication feature with Amazon Cognito pools, Amazon Cognito automatically sends a verification email to new players when they register in your game. You have the option to customize the default text for this email.

To customize your registration verification email for players:

  1. Open the AWS Management Console for Amazon Cognito, and select the option Manage User Pools.

  2. Select the name of the user pool for the production version of your game. For GameKit, user pool names follow the pattern gamekit_[environment]_[game title]_UserPool. For example: gamekit_prod_magicchicken_UserPool.

  3. With the user pool settings displayed, in the left side navigation, choose Message customizations.

  4. Go to the section titled Do you want to customize your email verification message?

  5. In this section, choose the code option, which directs Amazon Cognito to provide a verification code value to your players, and enter a custom email subject line and/or message. Be sure to position the verification code placeholder appropriately in your custom message. For more information, including maximum lengths, see the Amazon Cognito Developer Guide topic Customizing email verification messages.

  6. When you're finished, select Save changes.

Add optional services

Consider taking advantage of the following optional services for your game. These services are not included in the base templates for AWS GameKit features, but you can add them at any time.

Amazon Simple Email Service (SES)

Use Amazon SES to send player registration verification emails from a custom email address instead of the default address used by Amazon Cognito. For details on this option, see the following topics:

AWS Web Application Firewall (AWS WAF)

AWS WAF helps protect against common web-based exploits that affect availability, compromise security, and consume excessive resources. For production deployments, we recommend enabling AWS WAF. Follow these steps before you deploy any other features to the production environment.

To enable AWS WAF:

  1. Update AWS Identity and Access Management permissions. All AWS GameKit users who deploy AWS resources that use AWS WAF must have AWS WAF permissions. Create a new IAM policy with the following syntax, and attach the new policy to each IAM user who needs it. For details on creating permissions policies for AWS GameKit, see Setting up IAM users for AWS GameKit.

    ```
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "apigateway:SetWebACL",
            "wafv2:AssociateWebACL",
            "wafv2:CreateIPSet",
            "wafv2:CreateRegexPatternSet",
            "wafv2:CreateRuleGroup",
            "wafv2:CreateWebACL",
            "wafv2:DeleteIPSet",
            "wafv2:DeleteLoggingConfiguration",
            "wafv2:DeleteRegexPatternSet",
            "wafv2:DeleteRuleGroup",
            "wafv2:DeleteWebACL",
            "wafv2:DisassociateWebACL",
            "wafv2:GetWebACL",
            "wafv2:GetWebACLForResource",
            "wafv2:ListTagsForResource"
          ],
          "Resource": "*"
        }
      ]
    }
    ```

  2. Update your game's main AWS CloudFormation template. For help with AWS CloudFormation syntax for AWS WAF, see these AWS CloudFormation User Guide topics: AWS::WAFv2::WebACL and AWS::WAFv2::WebACLAssociation.

    See Modify your AWS CloudFormation templates to locate your AWS CloudFormation templates. The main template is ...\cloudformation\main\cloudformation.yml.

    Add the following syntax to the Resources section. This syntax creates an AWS WAF WebACL with the following rules:

    ```
    MainWAFWebAcl:
      Type: AWS::WAFv2::WebACL
      Properties:
        Name: !Sub 'gamekit_${GameKitEnv}_${GameKitGameName}_waf_webacl'
        Description: !Sub 'GameKit ${GameKitEnv} Main stack WebACL for ${GameKitGameName}'
        Scope: REGIONAL
        DefaultAction:
          Allow: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_WAF_WebACL
        Rules:
          - Name: AWS-Common-Rule
            Priority: 1
            OverrideAction:
              Count: {}
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesCommonRuleSet
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_Common_Rule
          - Name: AWS-SQLInjection-Rule
            Priority: 2
            OverrideAction:
              Count: {}
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesSQLiRuleSet
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_SQLInjection_Rule
          - Name: AWS-IPReputation-Rule
            Priority: 3
            OverrideAction:
              Count: {}
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesAmazonIpReputationList
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_IPReputation_Rule
        Capacity: 1500

    MainWebAclRestAssociation:
      Type: AWS::WAFv2::WebACLAssociation
      Properties:
        ResourceArn: !Sub
          - 'arn:aws:apigateway:${AWS::Region}::/restapis/${RestApi}/stages/${Stage}'
          - Stage: !Ref MainDeploymentStage
        WebACLArn: !GetAtt MainWAFWebAcl.Arn
    ```

  3. Deploy or redeploy any AWS GameKit feature. This action automatically redeploys the main stack with your latest AWS WAF changes.
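Every managed rule group in the WebACL above uses OverrideAction: Count, so matching requests are recorded in metrics and sampled requests but are still allowed through. The following added example (not part of the GameKit templates) shows one way to switch a rule group to enforcement after you have reviewed the counted matches; the WafEnforceRules parameter and EnforceWaf condition are hypothetical names, and the fragment is meant to be merged into the main template, which already defines GameKitEnv and GameKitGameName.

```yaml
# Added example. WafEnforceRules and EnforceWaf are hypothetical names.
Parameters:
  WafEnforceRules:
    Type: String
    AllowedValues: [ 'true', 'false' ]
    Default: 'false'               # start in count-only mode

Conditions:
  # Add next to the IsProduction condition
  EnforceWaf: !Equals [ !Ref WafEnforceRules, 'true' ]

Resources:
  MainWAFWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Sub 'gamekit_${GameKitEnv}_${GameKitGameName}_waf_webacl'
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_WAF_WebACL
      Rules:
        - Name: AWS-SQLInjection-Rule
          Priority: 2
          OverrideAction:
            # Count: {} only records matches.
            # None: {} applies the rule group's own actions, including blocks.
            !If
              - EnforceWaf
              - None: {}
              - Count: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_SQLInjection_Rule
        # AWS-Common-Rule and AWS-IPReputation-Rule take the same OverrideAction.
```

Deploy with the default value first, check the per-rule CloudWatch metrics and sampled requests for false positives against your game client's traffic, then redeploy with WafEnforceRules set to 'true'.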

AWS Shield

AWS Shield Standard provides protection at no additional cost against common, most frequently occurring, network and transport layer DDoS attacks that target your web site or application. This protection is enabled by default. AWS Shield Advanced is a paid service that provides additional protection for internet-facing applications that run on Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon CloudFront, Global Accelerator, and Amazon Route 53. For information on costs, see AWS Shield Pricing.

To enable AWS Shield Advanced, you have two options:

  • Use the AWS Management Console for AWS Shield to configure your coverage.

  • Update your AWS CloudFormation templates as described in the AWS CloudFormation User Guide topic AWS::FMS::Policy (see examples).

Adjust usage of AWS GameKit client API

For the user gameplay data feature, when calling the AWS GameKit API with very large numbers of bundles and/or items (on the order of hundreds), there is the potential for HTTP request timeouts. Ways to mitigate timeout risks include:

  • Make API calls with data in smaller batches.

  • Set up bundles for users at account creation time.

  • Increase the value of ClientTimeoutSeconds in FUserGameplayDataClientSettings.