Skip to content

Latest commit

 

History

History
219 lines (150 loc) · 17.4 KB

File metadata and controls

219 lines (150 loc) · 17.4 KB

AWS Game Backend Framework

Introduction

The AWS Game Backend Framework allows you to integrate your game clients with AWS backend services, with secure scalable identity management and authentication, and integrations to commonly used game platform identity providers and game engines.

The framework consists of four key components:

  • Custom identity component, that can be deployed with AWS Cloud Development Kit. Supports guest identities, Steam, Sign in with Apple, Google Play, and Facebook.
  • Lightweight game engine SDK:s for Unreal Engine 5, Unity 2021 (and up), and Godot 4
  • Sample backend component templates showcasing simple player data management to get started with backend feature development
  • Backend Features for specific use cases (such as Amazon GameLift integration, WebSocket Chat, Friends Graph, and Databricks Delta Lake integration)
  • SDK support for both REST API and WebSocket integrations between game client and your backend

The currently supported engines include Unity, Unreal Engine 5, and Godot 4, but as the features are exposed as REST API:s or WebSocket connections, you can easily integrate the identity component and custom backend components to any game engine of choice.

The currently supported login options for the identity component include guest identities, Steam, Sign in with Apple, Google Play, and Facebook. Using these integrations as a template, it's possible to add other platforms such as console identity systems and other PC game stores.

If you're looking for quick and easy way to get started, check out the Quick Start. Also check out the Workshop for AWS Game Backend Framework for step-by-step hands-on labs on the different components of the solution.

Note: “The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.”

Quick Start

If you just want to quickly test the solution and how it integrates with your game engine, all you need is an AWS account. No tool installations needed. Follow the two steps below:

  1. Make sure you're logged in to your AWS Account, open your AWS Management Console, and select the AWS CloudShell icon on the top right to open your cloud shell (if you can't find it, see the docs)
  2. In the CloudShell, run the following commands to set up a simple deployment pipeline in AWS CodeBuild, and then deploy the identity component and the serverless backend component template
wget https://ws-assets-prod-iad-r-iad-ed304a55c2ca1aee.s3.us-east-1.amazonaws.com/086bb355-4fdc-4e63-8ca7-af7cfc45d4f2/deployment_pipeline.yml
aws cloudformation deploy --template-file deployment_pipeline.yml --stack-name AWSGameBackendFrameworkDeploymentPipeline --capabilities CAPABILITY_IAM
aws codebuild start-build --project-name GameBackendCodeBuildProject > output.json
echo 'You can now move on to AWS CodeBuild console to review the ongoing deployment...'

You can now navigate to the AWS CodeBuild management console, select the Project GameBackendCodeBuildProject and select the the ongoing build to review it's progress. Deploying the identity component and serverless backend component template takes about 15 minutes. You can also navigate to the AWS CloudFormation console to see the stacks being deployed.

Once the build is successful, you're all set to test! You can jump right into Test the client integrations and select the relevant Readme for you game engine to start testing. Make sure to follow the Clean up to clean up all your resources afterwards if you don't need them.

Solution components

  • Custom Identity Component (CustomIdentityComponent folder contains Readme):
    • Deployed before any other components
    • Implemented with AWS Cloud Development Kit (CDK)
    • Manages the player identities and authentication tokens
    • Supports refreshing authentications tokens
    • Supports integrating with 3rd party identity providers such as Steam, Sign in with Apple, Google Play, and Facebook
    • See the API Reference for full API details.
  • Backend Component Templates (BackendComponentSamples folder contains Readme)
    • Template backend components that integrate with the custom identity component and the Unreal, Unity and Godot SDK:s
    • Implemented with AWS Cloud Development Kit (CDK)
    • Demonstrate how to get started with serverless and containerized backend development, with authenticated user access
    • Implement best practices such as resource tagging, observability (with distributed tracing), and security guidelines (cdk-nag)
  • Backend Features
  • Unreal Engine 5 Samples with AWS Game SDK (UnrealSample folder contains Readme)
    • Unreal Engine 5 version of the AWS Game SDK and sample levels for integration with different identity providers
    • For SDK details see the Unreal SDK Overview
  • Unity Samples with AWS Game SDK (UnitySample folder contains Readme)
    • Unity 2021 (and up) version of the AWS Game SDK and sample scenes for integration with different identity providers
    • For SDK details see the Unity SDK Overview
  • Godot 4 Samples with AWS Game SDK (GodotSample folder contains Readme)
    • Godot 4 version of the AWS Game SDK and sample scenes for integration with different identity providers
    • For SDK details see the Godot 4 SDK Overview

Note on VPC implementation of the components and features:

All components and features that require a VPC deploy their own, which includes resources such as NAT Gateways that generate cost. This makes it easy to test the features, but you likely want to share a VPC between multiple components and provide that as a parameter to the different CDK applications.

High Level Architecture

High Level Reference Architecture

How does it work?

Once you have the identity component deployed, you can create a new guest user account with (Unity code as a sample):

AWSGameSDKClient.Instance.LoginAsNewGuestUser(this.OnLoginResponse);

After this you can deploy some of the sample backend templates and call them securely with (Unity code as a sample):

AWSGameSDKClient.Instance.BackendGetRequest(this.backendEndpointUrl, "get-player-data", this.OnGetPlayerDataResponse);

Then in the backend code you'll have an authenticated user ID that you can use to access their data. The solution comes with two sample backend components, a serverless API Gateway HTTP API (Python) and a AWS Fargate service (Node.js) to demonstrate the player access authorization and simple backend functionality to store and retrieve player data.

Deploying the solution

Start by cloning the repository. On Windows make sure to have a short path to the repository (like C:\Projects\aws-game-backend-framework containing the source directly) to avoid any path length issues (don't leave the full name of the repository as it will easily hit the path limits):

git clone https://github.com/aws-solutions-library-samples/guidance-for-custom-game-backend-hosting-on-aws.git

1. Deploy the Custom Identity Component

See the Readme for the Custom Identity Component and follow the instructions to deploy the custom identity component.

2. Deploy one of the sample backend components

See the Readme for Sample Backend Components to deploy either the Serverless REST API sample component or the Loadbalanced AWS Fargate sample component that you will use with the Unreal, Unity, and Godot sample integrations to test using an identity from the custom identity component to make authenticated calls to a simple backend to set and get player data.

3. Test the client integrations

To test the client integrations, you can use the Unreal, Unity, or Godot sample projects (UnrealSample, UnitySample and GodotSample), that include a lightweight SDK called AWSGameSDK to interact with the identity component and your backend features.

Unreal Engine 5 SDK and Integration Samples

See the Unreal SDK Readme for details on the Unreal 5 integration SDK and samples

Unity SDK and Integration Samples

See the Unity SDK Readme for details on the Unity integration SDK and samples

Godot 4 SDK and Integration Samples

See the Godot 4 SDK Readme for details on the Godot 4 integration SDK and samples

4. Optional: Deploy some of the Backend Features

After validating your deployment, you can test some of the backend features, such as Amazon GameLift Integration for building global multiplayer game backends and game server hosting, or Simple WebSocket Chat for a WebSocket-based chat implementation.

Governance

All the resources of the solution are deployed as AWS Cloud Development Kit (CDK) stacks. This allows for a consistent and repeatable deployment across multiple environments (dev, test, prod). It's recommended that you'll separate these environments to different AWS accounts under the same AWS Organization, and provide least privilege access based on the environment.

All the CDK stacks implement tags that can also be configured to be used for cost allocation. You can freely modify the specific tags that are applied to all resources by modifying the CDK templates.

An example of the default tagging scheme for the stack resources:

let tags: { [key: string]: string } = {};
tags['Application'] = 'CustomIdentityComponent';
tags['Owner'] = 'MyTeam';
tags['Environment'] = 'Dev';
tags['CostCenter'] = '1000';

Cost estimations and scalability considerations

As the backend component costs depend extensively on customer specific implementations, and the samples are just templates to get started, they have been left out of the cost estimations.

Custom Identity Component Costs

The Custom Identity Component costs can be estimated more easily, and the following breakdown aims to be a pessimistic estimate for 10 000 concurrent users, which can often be mapped roughly to 100k daily users and 1M monthly users.

NOTE: These are rough estimates only, and even though they are calculated with a very pessimistic approach, there can always be some costs that are not fully covered here. You always need to do your own testing and estimates.

Concurrent users: 10 000 (roughly 100k daily and 1M monthly users)

Region: Us-East-1

  • API Gateway requests 667 per minute (clients need to log in or refresh access tokens every 15 minutes)
    • 116.85 USD / month
  • AWS Web Application Firewall: 667 requests per minute, 2 rules (managed rule set and rate limited)
    • 33.40 USD / month
  • AWS Lambda requests 667 per minute (200ms estimated length, 2048MB memory)
    • 193.74 USD / month
  • DynamoDB requests: 10k writes and reads per hour (pessimistic estimation based on both re-logins and new users coming in at 5k per hour)
    • 10.29 USD / month
  • AWS CloudWatch Logs: 10 GB data estimated ingested per month
    • 5.55 USD / month
  • AWS Secrets Manager: 1000 request per hour (very pessimistically estimated for 250 concurrent Lambda invocations)
    • 4.05 USD / month
  • AWS X-Ray: 667 traces per minute, 5% default sampling rate
    • 7.20 USD / month

TOTAL: 371.09 USD / month ($0.037/CCU, roughly $0.00037/MAU)

Scalability considerations

As all components of the identity solution are serverless, and Amazon DynamoDB is configured in on-demand mode allowing scaling based on demand, the solution scales automatically within your accounts soft limits. Though these default limits are sufficient for even relatively large amounts of requests, you should always check all the service quotas for the individual services and API:s from AWS documentation, and make sure you are ready to scale for production by requesting limit increases through AWS Support.

The custom identity component has been tested with 2783 requests/second combining new user creation and existing user login. This test didn't surface any errors outside of very few occasional Lambda execution failures. This transaction amount per second can support around 2.5 million concurrent users (CCU), as users log in or refresh acccess tokens every 15 minutes. P90 reponse time was 160ms. In addition, the containerized Fargate Node.js backend component was tested at 5566 request/per second (get and set player data on each login), and it provided a p90 of 48ms when pre-scaled to 25 Tasks. There's no reason to expect this is the upper limit of the solution, but you always need to validate and load test for your own use case. The default account Lambda concurrency limit of 400 was reached at this scale, but you can request an increase to that limit.

For logging in with 3rd party identity providers like Steam, Apple, Google Play or Facebook, the backend will make requests to their endpoints to validate tokens. These endpoints might have their own limits that you need to validate with the 3rd parties directly. As the solution supports up to 7 days of refreshing an existing access token by default (using the refresh token), this can massively reduce the amount of times you need to log in directly with the game platform identities and reduces the load from these endpoints. You can freely control this limit and allow even longer living refresh tokens, as long as you also extend the keys rotation schedule.

Clean up

To clean up the resources you've deployed:

  1. Open the AWS Management Console and navigate to the AWS CloudFormation console
  2. Delete the stacks you've deployed one by one from top down. This might include: NodeJsFargateApiStack, PythonServerlessHttpApiStack, CustomIdentityComponentStack and DeploymentPipelineStack
  3. Open the CloudWatch management console, select Log groups and delete the /aws/apigateway/CustomIdentityComponentApiLogs log group
  4. We don't generally recommend deleting the CDKToolkit stack as you might deploy other CDK applications later on. But you can delete this too, as long as you empty the S3 buckets and ECR repositories generated by it first.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.