Prepare your AWS GameKit backend for production - AWS GameKit

You are currently viewing content for use with Unreal Engine software.

As you prepare your project for release, use this guide to help get your AWS GameKit backend ready for production-level loads.

The AWS GameKit solutions for each game feature use a selection of AWS services and default configuration values that are best suited for project development and testing stages. When getting ready for production, it's a good idea to fine-tune your backend services. In particular, consider adjusting capacity to support a product in production and adding service features to support live players (such as monitoring). Some of these changes involve additional costs.

This topic provides recommendations and instructions for optimizing the core AWS services of your AWS GameKit backend.

Analyze feature usage patterns

We highly recommend that you analyze the usage and load patterns for each AWS GameKit feature in the development and testing stages. The AWS GameKit GitHub repo includes a starter Python script for automating usage and load tests. Each game has different requirements for backend testing, based on the project's included AWS GameKit features and expected usage patterns. For example, if your project uses a lot of achievements but stores a small amount of user gameplay data, you probably want to focus on stressing the backend APIs for achievements.

When putting your testing strategy into practice, get the usage data collected in the custom AWS GameKit dashboards for each feature.

Set up monitoring dashboards

Activate monitoring dashboards in your test and production environments. Monitoring dashboards are critical for helping you make data-driven decisions about your game's backend on AWS Cloud. Use them to track how usage changes over time and make adjustments to maintain system health and cost efficiency.

AWS GameKit comes with detailed custom Amazon CloudWatch dashboards for each cloud feature. You can activate or deactivate each feature dashboard and access them directly from the AWS GameKit settings in your game engine. For help with using the dashboards, see Work with game feature dashboards. When testing or analyzing usage patterns, pay particular attention to these metrics:

AWS Lambda

  • Latency (P99, P95 and P90)

  • Concurrent executions

  • Function errors

Amazon API Gateway

  • Latency (P99, P95 and P90)

  • 4xx and 5xx errors

Amazon DynamoDB

  • Throttle

  • Table request latency

Amazon Cognito

  • Security

We also recommend that you create alarms for any metrics that are important to your game. You can create alarms in CloudWatch that notify you when a metric crosses a threshold. For help setting up alarms, see the Amazon CloudWatch User Guide topic Using Amazon CloudWatch alarms.

Modify your AWS CloudFormation templates

For each AWS GameKit feature that your game uses, make the following pre-production updates to the feature's AWS CloudFormation template. We recommend that you make these proposed changes before you begin deploying resources to the AWS GameKit environment that you plan to use for production (either Production or a custom environment).

To locate AWS CloudFormation templates:

If you haven't yet deployed resources in your production environment:

Make changes to the base AWS CloudFormation templates. Then, when you configure and create new AWS resources in a production environment, AWS GameKit automatically uses the updated base templates for your game. To locate the AWS GameKit base templates:

  • In your AWS GameKit plugin for Unreal install location:

    [install location]\Plugins\AwsGameKit\Resources\cloudResources\cloudformation\
  • In your Unity project files:

    [Unity project]\Packages\com.amazonaws.gamekit\Editor\CloudResources\.BaseFiles

If you've already created AWS resources in your production environment:

Project-specific AWS CloudFormation templates already exist. Make updates to these existing templates and then redeploy each updated feature. To locate your project-specific templates:

  • In your Unreal game project files:

    [Unreal project]\[GameKit game title]\[environment]\cloudformation\
  • In your Unity project files:

    [Unity project]\Packages\com.amazonaws.gamekit\Editor\CloudResources\InstanceFiles\[GameKit project alias]\[environment]\[region]\

To troubleshoot AWS CloudFormation issues:

If you have issues related to AWS CloudFormation templates when deploying your AWS GameKit features, see the AWS CloudFormation User Guide topic Troubleshooting CloudFormation for help with common issues.

Add an IsProduction condition

For each template, add an IsProduction condition.

  • In the template, locate the Parameters section and add a Conditions section below it, as shown in the following example. Then, for other production-specific template updates, include the IsProduction condition.

    ```
    Parameters:
      ...
    Conditions:
      # This condition will toggle certain settings on/off for Production
      IsProduction: !Equals [ { Ref: GameKitEnv }, 'prd' ]
    ```

Update AWS Lambda settings

All AWS GameKit features use AWS Lambda, each with a different usage pattern. Make the following updates to the Lambda configuration settings in each template. For help with AWS CloudFormation syntax for Lambda, see these AWS CloudFormation User Guide topics: AWS::Lambda::Function and AWS::Lambda::Version.

  • Update MemorySize setting – Depending on your usage pattern, consider increasing memory from the default 128 MB. For example:

    ```
    MyLambdaFunction:
      Type: 'AWS::Lambda::Function'
      Properties:
        ...
        # Conditionally set the memory size to 256 for Production and 128 elsewhere
        MemorySize: !If [ IsProduction, 256, 128 ]
    ```
  • Add ProvisionedConcurrency setting – This setting initializes a requested number of execution environments so that they're prepared to respond to your function's invocations. Configuring provisioned concurrency incurs charges to your AWS account. To configure provisioned concurrency, create a Lambda function version (a versioned copy of a Lambda function), add a ProvisionedConcurrencyConfig section, and set ProvisionedConcurrentExecutions to a value that can handle your production load. For details, see the AWS Lambda Developer Guide topic Lambda function versions. For example:

    ```
    MyVersionedLambdaFunction:
      # This configuration creates a Lambda Version with Provisioned Concurrency for Production
      Type: 'AWS::Lambda::Version'
      DependsOn: MyLambdaFunction
      Properties:
        FunctionName: !Ref MyLambdaFunctionName
        Description: My Lambda Function With Provisioned Concurrency
        ProvisionedConcurrencyConfig: !If
          - IsProduction
          - ProvisionedConcurrentExecutions: 4
          - Ref: AWS::NoValue
    ```

    Make sure to update all references to the function so that they point to the versioned function. You can do this by changing the line ${MyLambdaFunction.Arn} to ${MyLambdaFunction.Arn}:${MyVersionedLambdaFunction.Version}.

Update Amazon Cognito settings

The AWS GameKit identity and authentication feature relies on Amazon Cognito to handle user registration and login workflows. Consider the following updates for production. For help with AWS CloudFormation syntax for Amazon Cognito, see this AWS CloudFormation User Guide topic: AWS::Cognito::UserPool.

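  • Turn on AdvancedSecurityMode feature – This feature provides advanced security risk detection. The example sets the mode to AUDIT, in which Amazon Cognito records metrics on detected risks but takes no automatic action against them. To use this feature, modify your AWS CloudFormation template for identity and authentication in the user pool settings as follows: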

    ```
    GameKitUserPool:
      Type: 'AWS::Cognito::UserPool'
      Properties:
        UserPoolName: !Ref CognitoUserPoolName
        Schema: ...
        Policies: ...
        AutoVerifiedAttributes: ...
        AliasAttributes: ...
        LambdaConfig: ...
        # Set AdvancedSecurityMode to AUDIT
        UserPoolAddOns: !If
          - IsProduction
          - AdvancedSecurityMode: AUDIT
          - Ref: AWS::NoValue
    ```

Update Amazon DynamoDB settings

Several AWS GameKit features use DynamoDB, each with a different usage pattern. Make the following updates to the DynamoDB configuration settings in each template. For help with AWS CloudFormation syntax for DynamoDB, see these AWS CloudFormation User Guide topics: AWS::DynamoDB::Table and AWS::ApplicationAutoScaling::ScalableTarget.

  • Turn on automatic scaling – Use the DynamoDB autoscaling feature for read and write capacity units. With this feature, your product can handle increased production loads as needed by adjusting capacity based on usage metrics. For more details on DynamoDB autoscaling, see the Amazon DynamoDB Developer Guide topic Managing Throughput Capacity Automatically with DynamoDB Auto Scaling.

    To use autoscaling, create the following new sections for each DynamoDB table that requires it. Provide units and capacities that are appropriate for your expected load.

    • MyTableReadCapacityScalableTarget

    • MyTableReadScalingPolicy

    • MyTableWriteCapacityScalableTarget

    • MyTableWriteScalingPolicy

    For example:

    ```
    MyTable:
      Type: 'AWS::DynamoDB::Table'
      Properties:
        ...
        BillingMode: !If [ IsProduction, PROVISIONED, PAY_PER_REQUEST ]
        ProvisionedThroughput: !If
          - IsProduction
          - ReadCapacityUnits: 20
            WriteCapacityUnits: 20
          - Ref: AWS::NoValue
        TableName: !Ref MyTableName

    MyTableReadCapacityScalableTarget:
      Type: "AWS::ApplicationAutoScaling::ScalableTarget"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        MaxCapacity: 200
        MinCapacity: 20
        ResourceId: !Sub table/${MyTableName}
        RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable
        ScalableDimension: "dynamodb:table:ReadCapacityUnits"
        ServiceNamespace: dynamodb

    MyTableReadScalingPolicy:
      Type: "AWS::ApplicationAutoScaling::ScalingPolicy"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        PolicyName: ReadAutoScalingPolicy
        PolicyType: TargetTrackingScaling
        ScalingTargetId:
          Ref: MyTableReadCapacityScalableTarget
        TargetTrackingScalingPolicyConfiguration:
          TargetValue: 70
          ScaleInCooldown: 60
          ScaleOutCooldown: 60
          PredefinedMetricSpecification:
            PredefinedMetricType: DynamoDBReadCapacityUtilization

    MyTableWriteCapacityScalableTarget:
      Type: "AWS::ApplicationAutoScaling::ScalableTarget"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        MaxCapacity: 200
        MinCapacity: 20
        ResourceId: !Sub table/${MyTableName}
        RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable
        ScalableDimension: "dynamodb:table:WriteCapacityUnits"
        ServiceNamespace: dynamodb

    MyTableWriteScalingPolicy:
      Type: "AWS::ApplicationAutoScaling::ScalingPolicy"
      DependsOn: MyTable
      Condition: IsProduction
      Properties:
        PolicyName: WriteAutoScalingPolicy
        PolicyType: TargetTrackingScaling
        ScalingTargetId:
          Ref: MyTableWriteCapacityScalableTarget
        TargetTrackingScalingPolicyConfiguration:
          TargetValue: 70
          ScaleInCooldown: 60
          ScaleOutCooldown: 60
          PredefinedMetricSpecification:
            PredefinedMetricType: DynamoDBWriteCapacityUtilization
    ```

    For another example, see the AWS GameKit base template for user gameplay data. This feature has DynamoDB autoscaling enabled by default for the Production environment.

  • For games with large workloads and a high number of consumed read units, consider using DynamoDB Accelerator. For more information on this feature, see Amazon DynamoDB Accelerator (DAX).

Set up a custom authorizer

If you're using a separate service (custom or third-party) for player login and authentication, set up your AWS GameKit backend to use a custom authorizer. Modify the AWS CloudFormation parameters file for the identity and authentication feature ([GameKit cloud templates]\identity\parameters.yml).

  • Set UseThirdPartyIdentityProvider to TRUE.

  • Provide a value for JwksThirdPartyUri.

Make these changes in the parameters.yml file for every AWS GameKit feature that your game uses. You must make these changes before you deploy AWS resources in your production environment for the identity and authentication feature.

Increase service quotas

Depending on your game's expected usage load, consider requesting the following service quota increases. Most AWS services have quotas, which might impact your game's performance at high usage loads.

  • Amazon API Gateway – Increase "requests per second" (per AWS account per region). For details on API Gateway account-level limits and to request an increase, see the API Gateway Developer Guide topic Amazon API Gateway quotas and important notes.

  • AWS Lambda – Increase "concurrent executions". For details and to request an increase, see Lambda quotas.

  • AWS Key Management Service – Increase "requests per second". For details and to request an increase, see AWS KMS request quotas.

Customize player registration email

If your game uses the identity and authentication feature with Amazon Cognito pools, Amazon Cognito automatically sends a verification email to new players when they register in your game. You have the option to customize the default text for this email.

To customize your registration verification email for players:
  1. Open the AWS Management Console for Amazon Cognito, and select the option Manage User Pools.

  2. Select the name of the user pool for the production version of your game. For GameKit, user pool names follow the pattern gamekit_[environment]_[game title]_UserPool. For example: gamekit_prod_magicchicken_UserPool.

  3. With the user pool settings displayed, in the left side navigation, choose Message customizations.

  4. Go to the section titled Do you want to customize your email verification message?

  5. In this section, choose the code option, which directs Amazon Cognito to provide a verification code value to your players, and enter a custom email subject line and message. Be sure to position the verification code placeholder appropriately in your custom message. For more information, including maximum lengths, see the Amazon Cognito Developer Guide topic Customizing email verification messages.

  6. When you're finished, select Save changes.

Add optional services

Consider taking advantage of the following optional services for your project. These services aren't included in the base templates for AWS GameKit features, but you can add them at any time.

Amazon Simple Email Service

Use Amazon Simple Email Service (Amazon SES) to send player registration verification emails from a custom email address instead of the default address used by Amazon Cognito. For details, see the following topics:

AWS Web Application Firewall

AWS Web Application Firewall (AWS WAF) helps protect against common web-based exploits that affect availability, compromise security, and consume excessive resources. For production deployments, we recommend enabling AWS WAF. Follow these steps before you deploy any other features to the production environment.

To add AWS WAF:
  1. Update IAM permissions for AWS GameKit users. Users who deploy AWS resources that use AWS WAF must have AWS WAF permissions. Create a new permission policy with the following syntax, and attach the new policy to IAM user groups. For details on creating permissions policies for AWS GameKit, see Set up a user with AWS GameKit access.

    This syntax creates AWS WAF WebACL with the following rules:

    ```
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "apigateway:SetWebACL",
            "wafv2:AssociateWebACL",
            "wafv2:CreateIPSet",
            "wafv2:CreateRegexPatternSet",
            "wafv2:CreateRuleGroup",
            "wafv2:CreateWebACL",
            "wafv2:DeleteIPSet",
            "wafv2:DeleteLoggingConfiguration",
            "wafv2:DeleteRegexPatternSet",
            "wafv2:DeleteRuleGroup",
            "wafv2:DeleteWebACL",
            "wafv2:DisassociateWebACL",
            "wafv2:GetWebACL",
            "wafv2:GetWebACLForResource",
            "wafv2:ListTagsForResource"
          ],
          "Resource": "*"
        }
      ]
    }
    ```
  2. Update your game's main AWS CloudFormation template. For help with AWS CloudFormation syntax for AWS WAF, see these AWS CloudFormation User Guide topics: AWS::WAFv2::WebACL and AWS::WAFv2::WebACLAssociation.

    To locate your AWS CloudFormation templates, see Modify your AWS CloudFormation templates. The main template is [GameKit cloud templates]\main\cloudformation.yml.

    Add the following syntax to the Resources section:

    ```
    MainWAFWebAcl:
      Type: AWS::WAFv2::WebACL
      Properties:
        Name: !Sub 'gamekit_${GameKitEnv}_${GameKitGameName}_waf_webacl'
        Description: !Sub 'GameKit ${GameKitEnv} Main stack WebACL for ${GameKitGameName}'
        Scope: REGIONAL
        DefaultAction:
          Allow: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_WAF_WebACL
        Rules:
          - Name: AWS-Common-Rule
            Priority: 1
            OverrideAction:
              Count: {}
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesCommonRuleSet
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_Common_Rule
          - Name: AWS-SQLInjection-Rule
            Priority: 2
            OverrideAction:
              Count: {}
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesSQLiRuleSet
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_SQLInjection_Rule
          - Name: AWS-IPReputation-Rule
            Priority: 3
            OverrideAction:
              Count: {}
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesAmazonIpReputationList
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: !Sub gamekit_${GameKitEnv}_${GameKitGameName}_AWS_IPReputation_Rule
        Capacity: 1500

    MainWebAclRestAssociation:
      Type: AWS::WAFv2::WebACLAssociation
      Properties:
        ResourceArn: !Sub
          - 'arn:aws:apigateway:${AWS::Region}::/restapis/${RestApi}/stages/${Stage}'
          - Stage: !Ref MainDeploymentStage
        WebACLArn: !GetAtt MainWAFWebAcl.Arn
    ```
  3. Deploy or redeploy any AWS GameKit feature. This action automatically redeploys the main stack with your latest AWS WAF changes.
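
The template in step 2 sets `OverrideAction: Count` on all three managed rule groups and `DefaultAction: Allow`, so as deployed the web ACL records matches without blocking them. The following check is an added example, not part of the AWS GameKit documentation or tooling; it assumes a dict shaped like a wafv2 GetWebACL response, and the sample input, including the game name, is constructed.

```python
# Added example (not AWS GameKit code). Input: a dict shaped like the response
# of the wafv2 GetWebACL API. SAMPLE is constructed to mirror the template in
# step 2; "examplegame" is a placeholder game name.
def managed_group(name, priority, group_name, override):
    return {
        "Name": name,
        "Priority": priority,
        "OverrideAction": {override: {}},
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}},
    }

SAMPLE = {"WebACL": {
    "Name": "gamekit_prd_examplegame_waf_webacl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        managed_group("AWS-Common-Rule", 1, "AWSManagedRulesCommonRuleSet", "Count"),
        managed_group("AWS-SQLInjection-Rule", 2, "AWSManagedRulesSQLiRuleSet", "Count"),
        managed_group("AWS-IPReputation-Rule", 3, "AWSManagedRulesAmazonIpReputationList", "Count"),
    ],
}}

# Modes in which a matching request can be stopped or interrupted.
ACTIVE_MODES = {"block", "captcha", "challenge", "group-actions"}

def rule_mode(rule):
    """Classify one rule by what happens to a request that matches it."""
    statement = rule.get("Statement", {})
    if "ManagedRuleGroupStatement" in statement or "RuleGroupReferenceStatement" in statement:
        # Rule groups use OverrideAction: None keeps the actions defined inside
        # the group, Count turns every match in the group into a count.
        # Per-rule overrides inside the statement are not inspected here.
        return "count" if "Count" in rule.get("OverrideAction", {}) else "group-actions"
    # Plain rules carry one Action key such as Block, Allow or Count.
    return next(iter(rule.get("Action", {})), "unknown").lower()

def audit_web_acl(response):
    """Return each rule's mode and whether the web ACL can stop any request."""
    acl = response["WebACL"]
    rules = sorted(acl.get("Rules", []), key=lambda r: r["Priority"])
    modes = [(r["Priority"], r["Name"], rule_mode(r)) for r in rules]
    default_allow = "Allow" in acl.get("DefaultAction", {})
    active = [name for _, name, mode in modes if mode in ACTIVE_MODES]
    return {"rules": modes, "default_allow": default_allow,
            "monitor_only": default_allow and not active}

if __name__ == "__main__":
    result = audit_web_acl(SAMPLE)
    for priority, name, mode in result["rules"]:
        print(f"{priority}  {name:<24} {mode}")
    if result["monitor_only"]:
        print("monitor-only: default action is Allow and no rule can stop a request")
```

After reviewing the counted matches in the CloudWatch metrics that the template enables, changing a group's `OverrideAction` from `Count: {}` to `None: {}` lets that group's own rule actions take effect.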

AWS Shield

AWS Shield Standard provides protection against the most frequently occurring network and transport layer DDoS attacks that target a web site or application. This protection is on by default. AWS Shield Advanced is a paid service that provides additional protection for internet-facing applications that run on Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon CloudFront, Global Accelerator, and Amazon Route 53. For information on costs, see AWS Shield Pricing.

To turn on AWS Shield Advanced, you have two options:

  • Use the AWS Management Console for AWS Shield to configure your coverage.

  • Update your AWS CloudFormation templates as described in the AWS CloudFormation User Guide topic AWS::FMS::Policy (see examples).

Adjust usage of AWS GameKit client API

For the user gameplay data feature, when calling the AWS GameKit API with large numbers of bundles or items (on the order of hundreds), there is the potential for HTTP request timeouts. Ways to mitigate timeout risks include:

  • Make API calls with data in smaller batches.

  • Set up bundles for users at account creation time.

  • Increase the value of ClientTimeoutSeconds in FUserGameplayDataClientSettings.