Patterns for building resilient software systems - 2019

© 2018, Amazon Web Services, Inc. or its Affiliates. All
rights reserved. Amazon Confidential and Trademark © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Adrian Hornsby Sr. Technical Evangelist Amazon Web Services @adhorn Patterns for Building Resilient Software Systems

© 2018, Amazon Web Services, Inc. or its affiliates. All
rights reserved. Complex systems Amazon Twitter Netflix

rights reserved. Partial failure mode

rights reserved. Resiliency: Ability for a system to handle and eventually recover from unexpected conditions

rights reserved. How do we build resilient software systems?

rights reserved. Amazon Confidential and Trademark …

rights reserved. “Quality is not an act, it is a habit” Aristotle, some time around 350BC

rights reserved. The Famous 9s of availability Availability Downtime per year 99% (2-nines) 3 days 15 hours 99.9% (3-nines) 8 hours 45 minutes 99.99% (4-nines) 52 minutes 99.999% (5-nines) 5 minutes 99.9999% (6-nines) 31 seconds

rights reserved. Availability in parallel A = 1 – (1 – Ax)2 Part X Part X

rights reserved. Availability in parallel Component Availability Downtime X 99% (2-nines) 3 days 15 hours Two X in parallel 99.99% (4-nines) 52 minutes Three X in parallel 99.9999% (6-nines) 31 seconds

rights reserved. AWS Region and availability zones Region Availability zone a Availability zone b Availability zone c data center data center data center data center data center data center data center data center data center n data centers per AZ (1 or more) n AZs per region (typically 3+)

rights reserved. Pattern 1: Multi-AZ architecture Region Availability zone a Availability zone b Availability zone c Instances Instances Instances DB Instance DB instance standby

rights reserved. Multi-AZ architecture Region Availability zone a Availability zone b Availability zone c Instances Instances Instances DB Instance DB instance standby X

rights reserved. Multi-AZ architecture Region Availability zone a Availability zone b Availability zone c Instances Instances Instances DB Instance X

rights reserved. Multi-AZ architecture • Enables fault-tolerant applications • AWS regional services designed to withstand AZ failures • Leveraged by most AWS regional services (S3, DynamoDB, ELBs, …)

rights reserved. Zonal services • Amazon EC2 instances • Amazon EBS volumes • Amazon EMR clusters • AWS CloudHSM instances • NAT gateways • etc. Regional services • Amazon S3 • Amazon DynamoDB • Amazon EFS • Amazon Aurora Serverless • Amazon API Gateway • AWS Fargate • AWS Lambda • Amazon Kinesis • Amazon SQS • Etc.

rights reserved. Availability zone failure Zone a Zone a

rights reserved. Theoretical blast radius Zone a Zone a

rights reserved.

rights reserved. Cell-based architecture

rights reserved. Typical service application Compute Cell Storage

rights reserved. Pattern 2: Cell-based architecture Compute Cell 0 Compute Cell n Regional Service Storage Compute Cell 1 Storage Storage

rights reserved. Cells and Availability zones Zone a Zone a

rights reserved. Theoretical blast radius Zone a Zone a

rights reserved. Cells and Availability Zones – zonal services Zone a Zone a

rights reserved. Availability zone failure Zone a Zone a

rights reserved. Partial availability zone failure Zone a Zone a

rights reserved. System properties Cell 0 Service Cell 1 Cell n • Workload isolation • Failure containment • Scale-out vs. scale-up • Testability • Manageability X

rights reserved. System properties Cell 0 Service Cell 1 Cell n • Workload isolation • Failure containment • Scale-out vs. scale-up • Testability • Manageability Cell n+1

rights reserved.

rights reserved. X X X X X X X X ♤ ♡ ♢ ⚀ ⚁ ⚂ ⚃ ♧ ♢

rights reserved. Cascading Failures

rights reserved. Cell-based architecture X X ♤ ♡ ♢ ⚀ ⚁ ⚂ ⚃ ♧ ♢

rights reserved. Pattern 3: Shuffle sharding X X ♤ ♡ ♢ ⚀ ⚁⚂ ⚃ ♡ ♤ ♧ ♢ ⚀⚂ ♧ ⚁⚃ ♢ ♢ ♡ ♧ ♢

rights reserved. Shuffle sharding Nodes = 8 Shard size = 2 Combinations = 28 Overlap % customers 0 53.6% 1 42.8% 2 3.6%

rights reserved. Shuffle sharding Nodes = 100 Shard size = 5 Combinations = 75 million! Overlap % customers 0 77% 1 21% 2 1.8% 3 0.06% 4 0.0006% 5 0.0000013%

rights reserved. Shuffle sharding

rights reserved. Auto-Scaling Fixed Variable

rights reserved. Availability zone 1 Auto Scaling group AWS Region Availability zone 2 Pattern 4: Auto-scaling for self-healing X

rights reserved. Process A Process B Process A Process B Synchronous Asynchronous Waiting Working Continues get or fetch result Get result Pattern 5: Decoupling with async pattern

rights reserved. API: {DO foo} PUT JOB: {JobID: 0001, Task: DO foo} API: {JobID: 0001} GET JOB: {JobID: 0001, Task: DO foo} {JobID: 0001, Result: bar} Cache node Worker Instance Worker Instance Queue API Instance API Instance API Instance

rights reserved. Push Notification User Worker Instance Worker Instance Queue API Instance API Instance Cache node Fetch results API Instance

rights reserved. Degrade & prioritize traffic with queues Worker Instance Worker Instance API Instance API Instance API Instance High Priority Queue Low Priority Queue

rights reserved. Let’s talk about timeouts & retries!

rights reserved. Users App DB Conn Pool INSERT INSERT INSERT INSERT What happens if the DB “slows down”? Timeout client side Timeout backend side ? ?

rights reserved. User 1 App DB Conn Pool INSERT Timeout client side = 10s Timeout backend side = default = Infinite Retry INSERT Retry INSERT ERROR: Failed to get connection from pool Retry

http://docs.python-requests.org/en/master/user/advanced/#timeouts

https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html

rights reserved. @timeout_decorator.timeout(5, timeout_exception=StopIteration) def timed_get(url): return requests.get(url) https://pypi.org/project/timeout-decorator/

rights reserved. Pattern 6: Set the timeouts!

rights reserved. How else could we have prevented the error? User 1 DB Conn Pool INSERT Retry INSERT Retry INSERT Retry ERROR: Failed to get connection from pool

rights reserved. User 1 DB Conn Pool INSERT Timeout client side = 10s Timeout backend side = 10s Wait 2s before Retry INSERT INSERT Wait 4s before Retry Wait 8s before Retry Wait 16s before Retry Pattern 7: Backing off between retries Releasing connections Backoff

rights reserved. No jitter With jitter https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/ Simple Exponential Backoff is not enough: Add Jitter

rights reserved. Example: add jitter 0-1000ms def get_item(self, url, n=1): MAX_TRIES = 12 try: res = requests.get(url) except: if n > MAX_TRIES: return None n += 1 time.sleep((2 ** n) + (random.randint(0, 1000) / 1000.0)) return self.get_item(url, n) else: return res

rights reserved. @backoff.on_exception(backoff.full_jitter, max_time=60) def poll_for_message(queue): return queue.get() https://pypi.org/project/backoff/ As of version 1.2, the default jitter function backoff.full_jitter implements the ‘Full Jitter’ algorithm as defined in the AWS Architecture Blog’s Exponential Backoff And Jitter post.

rights reserved. Idempotent operation No additional effect if it is called more than once with the same input parameters.

rights reserved. Auto Scaling group Service A Availability zone 1 Auto Scaling group AWS Region Service A Availability zone 2 Service B Service B database Email Probing for health Cluster

rights reserved. Shallow health check Instance Cache node Email database Cluster Are you healthy? yes

rights reserved. Deep health check Instance Cache node Email database Cluster Are you healthy? yes Are you healthy? yes yes yes yes

rights reserved. Deep health check Instance Cache node Email database Cluster Are you healthy? no Are you healthy? no yes yes yes

rights reserved. Service Degradation & Fallbacks

rights reserved. Pattern 8: Circuit Breaker • Wrap a protected function call in a circuit breaker object, which monitors for failures. • If failures reach a certain threshold, the circuit breaker trips. Producer Circuit Breaker Consumer Connection Monitoring Timeouts Breaking Circuit

rights reserved. Let’s talk about databases!

rights reserved. Database Federation Users DB Products DB Instance Instance Instance DB Instance DB instance read replica DB Instance DB instance read replica

rights reserved. Database Sharding User ShardID 002345 A 002346 B 002347 C 002348 B 002349 A C B A Instance Instance Instance DB Instance DB instance read replica DB Instance DB instance read replica DB Instance DB instance read replica

rights reserved. Pattern 9: Read / Write separation DB Instance DB instance read replica DB instance read replica DB instance read replica Instance Instance Instance Supports degradation through Read-Only mode

rights reserved. Transient state does not belong in the database. Pattern 9+

rights reserved. Fire Drills

rights reserved. GameDay at Amazon Creating Resiliency Through Destruction https://www.youtube.com/watch?v=zoz0ZjfrQ9s

rights reserved. Chaos engineering https://github.com/Netflix/SimianArmy

rights reserved. “Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production.” http://principlesofchaos.org

rights reserved. Pattern 10: Failure injection • Start small & build confidence • Application level • Host failure • Resource attacks (CPU, memory, …) • Network attacks (dependencies, latency, …) • Region attacks • “Paul” attack

rights reserved. Plan for the worst, prepare for the unexpected.

rights reserved. Amazon Confidential and Trademark © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Thanks you! @adhorn https://medium.com/@adhorn

Patterns for building resilient software systems - 2019

Patterns for building resilient software systems - 2019

More Decks by Adrian Hornsby

Other Decks in Programming

Featured

Transcript