Prepare your AWS GameKit backend for production - AWS GameKit

You are currently viewing content for use with Unreal Engine software. See all AWS GameKit documentation

Prepare your AWS GameKit backend for production

As you prepare your project for release, use this guide to help get your AWS GameKit backend ready for production-level loads.

The AWS GameKit solutions for each game feature use a selection of AWS services and default configuration values that are best suited for project development and testing stages. When getting ready for production, its a good idea to fine tune your backend services. In particular, look at adjusting capacity to support a product in production and adding service features to support live players (such as monitoring). Some of these changes involve additional costs.

This topic provides recommendations and instructions for optimizing the core AWS services of your AWS GameKit backend.

Analyze feature usage patterns

We highly recommend that you analyze the usage and load patterns for each AWS GameKit feature in the development and testing stages. The AWS GameKit GitHub repo includes a starter python script for automating usage and load tests. Each game has different requirements for backend testing, based on the project's included AWS GameKit features and expected usage patterns. For example, if your project uses a lot of achievements but stores a small amount of user gameplay data, you probably want to focus on stressing the backend APIs for achievements.

When putting your testing strategy into practice, get the usage data collected in the custom AWS GameKit dashboards for each feature.

Set up monitoring dashboards

Activate monitoring dashboards in your test and production environments. Monitoring dashboards are critical for helping you make data-driven decisions about your game's backend on AWS Cloud. Use them to track how usage changes over time and make adjustments to maintain system health and cost efficiency.

AWS GameKit comes with detailed custom Amazon CloudWatch dashboards for each cloud feature. You can activate or deactivate each feature dashboard and access them directly from the AWS GameKit settings in your game engine. For help with using the dashboards, see Work with game feature dashboards. When testing or analyzing usage patterns, pay particular attention to these metrics:

AWS Lambda

  • Latency (P99, P95 and P90)

  • Concurrent executions

  • Function errors

Amazon API Gateway

  • Latency (P99, P95 and P90)

  • 4xx and 5xx errors

Amazon DynamoDB

  • Throttle

  • Table request latency

Amazon Cognito

  • Security

We also recommend that you create alarms for any metrics that are important to your game. You can create these alarms in CloudWatch that notify you when a metric crosses a threshold. For help setting up alarms, see the Amazon CloudWatch User Guide topic Using Amazon CloudWatch alarms.

Modify your AWS CloudFormation templates

For each AWS GameKit feature that your game uses, make the following pre-production updates to the feature's AWS CloudFormation template. We recommend that you make these proposed changes before you begin deploying resources to the AWS GameKit environment that you plan to use for production (either Production or a custom environment).

To locate AWS CloudFormation templates:

If you haven't yet deployed resources in your production environment:

Make changes to the base AWS CloudFormation templates. Then, when you configure and create new AWS resources in a production environment, AWS GameKit automatically uses the updated base templates for your game. To locate the AWS GameKit base templates:

  • In your AWS GameKit plugin install location (see Install the plugin:

    [install location]\Plugins\AwsGameKit\Resources\cloudResources\cloudformation\
  • In your Unity project files:

    [Unity project]Packages\com.amazonaws.gamekit\Editor]CloudResources\.BaseFiles

If you've already created AWS resources in your production environment:

Project-specific AWS CloudFormation templates already exist. Make updates to these existing templates and then redeploy each updated feature. To locate your project-specific templates:

  • In your Unreal game project files:

    [Unreal project]\[GameKit game title]\[environment]\cloudformation\
  • In your Unity project files:

    [Unity project]\Packages\com.amazonaws.gamekit\Editor]CloudResources\InstanceFiles[GameKit project alias ]\[environment]\[region]\

To troubleshoot AWS CloudFormation issues:

If you have issues related to AWS CloudFormation templates when deploying your AWS GameKit features, see the AWS CloudFormation User Guide topic Troubleshooting CloudFormation for help with common issues.

Add an IsProduction condition

For each template, add an IsProduction condition.

  • In the template, locate the Parameters section and add a Conditions section below it, as shown in the following example. Then, for other production-specific template updates, include the IsProduction condition.

    ``` Parameters: ... Conditions: # This condition will toggle certain settings on/off for Production IsProduction: !Equals [ { Ref: GameKitEnv }, 'prd' ] ```

Update AWS Lambda settings

All AWS GameKit features use AWS Lambda, each with a different usage pattern. Make the following updates to the Lambda configuration settings in each template. For help with AWS CloudFormation syntax for Lambda, see these AWS CloudFormation User Guide topics: AWS::Lambda::Function and AWS::Lambda::Version.

  • Update MemorySize setting – Depending on your usage pattern, consider increasing memory from the default 128 MB. For example:

    MyLambdaFunction: Type: 'AWS::Lambda::Function' Properties: # Conditionally set the memory size to 256 for Production and 128 elsewhere !If - IsProduction - MemorySize: 256 - MemorySize: 128
  • Add ProvisionedConcurrency setting – This setting initializes a requested number of execution environments so that they're prepared to respond to your function's invocations. Configuring provisioned concurrency incurs charges to your AWS account. To configure provisioned concurrency, create a Lambda function version (a versioned copy of a Lambda function), add a ProvisionedConcurrencyConfig section, and set ProvisionedConcurrentExecutions to a value that can handle your production load. For details, see the AWS Lambda Developer Guide topic Lambda function versions. For example:

    MyVersionedLambdaFunction: # This configuration creates a Lambda Version with Provisioned Concurrency for Production Type: 'AWS::Lambda::Version' DependsOn: MyLambdaFunction Properties: FunctionName: !Ref MyLambdaFunctionName Description: My Lambda Function With Provisioned Concurrency ProvisionedConcurrencyConfig: !If - IsProduction - ProvisionedConcurrentExecutions: 4 - Ref: AWS::NoValue

    Make sure to update all references to the function so that they point to the versioned function. You can do this by changing the line ${MyLambdaFunction.Arn} to ${MyLambdaFunction.Arn}:${MyVersionedLambdaFunction.Version}.

Update Amazon Cognito settings

The AWS GameKit feature identity and authentication relies on Amazon Cognito to handle user registration and login workflows. Consider the following updates for production. For help with AWS CloudFormation syntax for Lambda, see these AWS CloudFormation User Guide topics: AWS::Cognito::UserPool.

  • Turn on AdvancedSecurityMode feature – This feature provides advanced security risk detection. To use this feature, modify your AWS CloudFormation template for identity and authentication in the user pool settings as follows:

    GameKitUserPool: Type: 'AWS::Cognito::UserPool' Properties: UserPoolName: !Ref CognitoUserPoolName Schema: ... Policies: ... AutoVerifiedAttributes: ... AliasAttributes: ... LambdaConfig: ... UserPoolAddOns: # Set AdvancedSecurityMode to AUDIT !If - IsProduction - AdvancedSecurityMode: AUDIT - Ref: AWS::NoValue

Update Amazon DynamoDB settings

Several AWS GameKit features use DynamoDB, each with a different usage pattern. Make the following updates to the DynamoDB configuration settings in each template. For help with AWS CloudFormation syntax for DynamoDB, see these AWS CloudFormation User Guide topics: AWS::DynamoDB::Table and AWS::ApplicationAutoScaling::ScalableTarget.

  • Turn on automatic scaling – Use the DynamoDB autoscaling feature for read and write capacity units. With this feature, your product can handle increased production loads as needed by adjusting capacity based on usage metrics. For more details on DynamoDB autoscaling, see the Amazon DynamoDB Developer Guide topic Managing Throughput Capacity Automatically with DynamoDB Auto Scaling.

    To use autoscaling, create the following new sections for each DynamoDB table that requires it. Provide units and capacities that are appropriate for your expected load.

    • MyTableReadCapacityScalableTarget

    • MyTableReadScalingPolicy

    • MyTableWriteCapacityScalableTarget

    • MyTableWriteScalingPolicy

    For example:

    MyTable: Type: 'AWS::DynamoDB::Table' Properties: ... BillingMode: !If [ IsProduction, PROVISIONED, PAY_PER_REQUEST ] ProvisionedThroughput: !If - IsProduction - ReadCapacityUnits: 20 WriteCapacityUnits: 20 - Ref: AWS::NoValue TableName: !Ref MyTableName MyTableReadCapacityScalableTarget: Type: "AWS::ApplicationAutoScaling::ScalableTarget" DependsOn: MyTable Condition: IsProduction Properties: MaxCapacity: 200 MinCapacity: 20 ResourceId: !Sub table/${MyTableName} RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable ScalableDimension: "dynamodb:table:ReadCapacityUnits" ServiceNamespace: dynamodb MyTableReadScalingPolicy: Type: "AWS::ApplicationAutoScaling::ScalingPolicy" DependsOn: MyTable Condition: IsProduction Properties: PolicyName: ReadAutoScalingPolicy PolicyType: TargetTrackingScaling ScalingTargetId: Ref: MyTableReadCapacityScalableTarget TargetTrackingScalingPolicyConfiguration: TargetValue: 70 ScaleInCooldown: 60 ScaleOutCooldown: 60 PredefinedMetricSpecification: PredefinedMetricType: DynamoDBReadCapacityUtilization MyTableWriteCapacityScalableTarget: Type: "AWS::ApplicationAutoScaling::ScalableTarget" DependsOn: MyTable Condition: IsProduction Properties: MaxCapacity: 200 MinCapacity: 20 ResourceId: !Sub table/${MyTableName} RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable ScalableDimension: "dynamodb:table:WriteCapacityUnits" ServiceNamespace: dynamodb MyTableWriteScalingPolicy: Type: "AWS::ApplicationAutoScaling::ScalingPolicy" DependsOn: MyTable Condition: IsProduction Properties: PolicyName: WriteAutoScalingPolicy PolicyType: TargetTrackingScaling ScalingTargetId: Ref: MyTablWriteCapacityScalableTarget TargetTrackingScalingPolicyConfiguration: TargetValue: 70 ScaleInCooldown: 60 ScaleOutCooldown: 60 PredefinedMetricSpecification: PredefinedMetricType: DynamoDBWriteCapacityUtilization

    For another example, see the AWS GameKit base template for user gameplay data. This feature has DynamoDB autoscaling enabled by default for the Production environment.

  • For games with large workloads and a high number of consumed read units, consider using DynamoDB Accelerator. For more information on this feature, see Amazon DynamoDB Accelerator (DAX).

Set up a custom authorizer

If you're using a separate service (custom or third-party) for player login and authentication, set up your AWS GameKit backend to use a custom authorizer. Modify the AWS CloudFormation parameters file for the identity and authentication feature ([GameKit cloud templates]\identity\parameters.yml).

  • Set UseThirdPartyIdentityProvider to TRUE.

  • Provide a value for JwksThirdPartyUri.

Make these changes in the parameters.yml file for every AWS GameKit feature that your game uses. You must make these changes before you deploy AWS resources in your production environment for the identity and authentication feature.

Increase service quotas

Depending on your game's expected usage load, consider requesting the following service quota increases. Most AWS services have quotas, which might impact your game's performance at high usage loads.

  • Amazon API Gateway – Increase "requests per second" (per AWS account per region). For details on API Gateway account-level limits and to request an increase, see this API Gateway Developer Guide topic Amazon API Gateway quotas and important notes.

  • AWS Lambda – Increase "concurrent executions". For details and to request an increase, see Lambda quotas.

  • AWS Key Management Service – Increase "requests-per second". For details and to request an increase, see AWS KMS request quotas.

Customize player registration email

If your game uses the identity and authentication feature with Amazon Cognito pools, Amazon Cognito automatically sends a verification email to new players when they register in your game. You have the option to customize the default text for this email.

To customize your registration verification email for players:

  1. Open the AWS Management Console for Amazon Cognito, and select the option Manage User Pools.

  2. Select the name of the user pool for the production version of your game. For GameKit, user pool names follow the pattern gamekit_[environment]_[game title]_UserPool. For example: gamekit_prod_magicchicken_UserPool.

  3. With the user pool settings displayed, in the left side navigation, choose Message customizations.

  4. Go to the section titled Do you want to customize your email verification message?

  5. In this section, choose the code option, which directs Amazon Cognito to provide a verification code value to your players, and enter a custom email subject line and message. Be sure to position the verification code placeholder appropriately in your custom message. For more information, including maximum lengths, see the Amazon Cognito Developer Guide topic Customizing email verification messages.

  6. When you're finished, select Save changes.

Add optional services

Consider taking advantage of the following optional services for your project. These services aren't included in the base templates for AWS GameKit features, but you can add them at any time.

Amazon Simple Email Service

Use Amazon Simple Email Service (Amazon SES) to send player registration verification emails from a custom email address instead of the default address used by Amazon Cognito. For details, see the following topics:

AWS Web Application Firewall

AWS Web Application Firewall (AWS WAF) helps protect against common web-based exploits that affect availability, compromise security, and consume excessive resources. For production deployments, we recommend enabling AWS WAF. Follow these steps before you deploy any other features to the production environment.

To add AWS WAF:

  1. Update IAM permissions. All AWS GameKit users who deploy AWS resources that use AWS WAF must have AWS WAF permissions. Create a new IAM policy with the following syntax, and attach the new policy to IAM users or user groups. For details on creating permissions policies for AWS GameKit, see Set up a user with AWS GameKit access.

    This syntax creates AWS WAF WebACL with the following rules:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "apigateway:SetWebACL", "wafv2:AssociateWebACL", "wafv2:CreateIPSet", "wafv2:CreateRegexPatternSet", "wafv2:CreateRuleGroup", "wafv2:CreateWebACL", "wafv2:DeleteIPSet", "wafv2:DeleteLoggingConfiguration", "wafv2:DeleteRegexPatternSet", "wafv2:DeleteRuleGroup", "wafv2:DeleteWebACL", "wafv2:DisassociateWebACL", "wafv2:GetWebACL", "wafv2:GetWebACLForResource", "wafv2:ListTagsForResource" ], "Resource": "*" } ] }
  2. Update your game's main AWS CloudFormation template. For help with AWS CloudFormation syntax for AWS WAF, see these AWS CloudFormation User Guide topics: AWS::WAFv2::WebACL and AWS::WAFv2::WebACLAssociation.

    To locate your AWS CloudFormation templates, see Modify your AWS CloudFormation templates. The main template is [GameKit cloud templates]\main\cloudformation.yml.

    Add the following syntax to the Resources section:

    MainWAFWebAcl: Type: AWS::WAFv2::WebACL Properties: Name: !Sub 'gamekit_${GameKitEnv}_${GameKitGameName}_waf_webacl' Description: !Sub 'GameKit ${GameKitEnv} Main stack WebACL for ${GameKitGameName}' Scope: REGIONAL DefaultAction: Allow: {} VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_WAF_WebACL Rules: - Name: AWS-Common-Rule Priority: 1 OverrideAction: Count: {} Statement: ManagedRuleGroupStatement: VendorName: AWS Name: AWSManagedRulesCommonRuleSet VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_Common_Rule - Name: AWS-SQLInjection-Rule Priority: 2 OverrideAction: Count: {} Statement: ManagedRuleGroupStatement: VendorName: AWS Name: AWSManagedRulesSQLiRuleSet VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_SQLInjection_Rule - Name: AWS-IPReputation-Rule Priority: 3 OverrideAction: Count: {} Statement: ManagedRuleGroupStatement: VendorName: AWS Name: AWSManagedRulesAmazonIpReputationList VisibilityConfig: SampledRequestsEnabled: true CloudWatchMetricsEnabled: true MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_IPReputation_Rule Capacity: 1500 MainWebAclRestAssociation: Type: AWS::WAFv2::WebACLAssociation Properties: ResourceArn: !Sub - 'arn:aws:apigateway:${AWS::Region}::/restapis/${RestApi}/stages/${Stage}' - Stage: !Ref MainDeploymentStage WebACLArn: !GetAtt MainWAFWebAcl.Arn
  3. Deploy or redeploy any AWS GameKit feature. This action automatically redeploys the main stack with your latest AWS WAF changes.

AWS Shield

AWS Shield Standard provides protection against the most frequently occurring network and transport layer DDoS attacks that target a web site or application. This protection is on by default. AWS Shield Advanced is a paid service that provides additional protection for internet-facing applications that run on Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon CloudFront, Global Accelerator, and Amazon Route 53. For information on costs, see AWS Shield Pricing.

To turn on AWS Shield Advanced, you have two options:

  • Use the AWS Management Console for AWS Shield to configure you coverage.

  • Update your AWS CloudFormation templates as described in the AWS CloudFormation User Guide topic AWS::FMS::Policy (see examples).

Adjust usage of AWS GameKit client API

For the user gameplay data feature, when calling the AWS GameKit API with large numbers of bundles or items (in the order of hundreds), there is the potential for HTTP request timeouts. Ways to mitigate timeout risks include:

  • Make API calls with data in smaller batches.

  • Set up bundles for users at account creation time.

  • Increase the value of ClientTimeoutSeconds in FUserGameplayDataClientSettings.