Resiliency and Availability Design Patterns

© 2019, Amazon Web Services, Inc. or its Affiliates. All
rights reserved. Amazon Confidential and Trademark Resiliency and Availability Design Patterns Adrian Hornsby Sr. Technical Evangelist Amazon Web Services @adhorn

© 2018, Amazon Web Services, Inc. or its affiliates. All
rights reserved. Looks familiar?

rights reserved. Distributed Systems are hard Amazon Twitter Netflix

rights reserved. Resiliency: Ability for a system to handle and eventually recover from unexpected conditions

rights reserved. Partial failure mode

rights reserved. How do we build resilient software systems?

rights reserved. People Application Network & Data Infrastructure

rights reserved. Let’s talk about isolation and containment

rights reserved.

rights reserved. Typical service application Compute Cell Storage

rights reserved. Cell-based architecture Compute Cell 0 Compute Cell n Regional Service Storage Compute Cell 1 Storage Storage

rights reserved. REGIONAL SERVICE Zone A Zone B Zone C Zone A Zone B Zone C Zone A Zone B Zone C Z O N A L S E R V I C E Z O N A L S E R V I C E Z O N A L S E R V I C E S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L Zone A Zone B Zone C S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L S E R V I C E C E L L W I T H O U T C E L L S W I T H C E L L S

rights reserved. System properties Cell 0 Service Cell 1 Cell n • Workload isolation • Failure containment • Scale-out vs. scale-up • Testability • Manageability Cell n+1

rights reserved. Let’s talk about blast radius

rights reserved.

rights reserved. X X X X X X X X ♤ ♡ ♢ ⚀ ⚁ ⚂ ⚃ ♧ ♢

rights reserved. Cell-based architecture X X ♤ ♡ ♢ ⚀ ⚁ ⚂ ⚃ ♧ ♢

rights reserved. Shuffle sharding X X ♤ ♡ ♢ ⚀ ⚁⚂ ⚃ ♡ ♤ ♧ ♢ ⚀⚂ ♧ ⚁⚃ ♢ ♢ ♡ ♧ ♢

rights reserved. Shuffle sharding Nodes = 8 Shard size = 2 Combinations = 28 Overlap % customers 0 53.6% 1 42.8% 2 3.6%

rights reserved. Shuffle sharding Nodes = 100 Shard size = 5 Combinations = 75 million! Overlap % customers 0 77% 1 21% 2 1.8% 3 0.06% 4 0.0006% 5 0.0000013%

rights reserved. Shuffle sharding

rights reserved. Better to react without reacting

rights reserved. Region Availability zone a Availability zone b Availability zone c Application Lets take an application …

rights reserved. Region Availability zone a Availability zone b Availability zone c Application Requires 8 Instances or containers

rights reserved. Overload Failures

rights reserved. Region Availability zone a Availability zone b Availability zone c Application

rights reserved. Region Availability zone a Availability zone b Availability zone c Application Requires 6 Instances or Containers

rights reserved. Let’s talk about timeouts, backoff & retries.

rights reserved.

https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html

rights reserved. User 1 App DB Conn Pool INSERT Timeout client side = 10s Timeout backend side = default Retry INSERT Retry INSERT ERROR: Failed to get connection from pool Retry

rights reserved. Set the timeouts through inheritance Timeout backend = Timeout client – time elapsed

rights reserved. User 1 DB Conn Pool INSERT Timeout client side = 10s Timeout backend side = 10s – time elapsed Wait 2s before Retry Wait 4s before Retry Wait 8s before Retry Wait 16s before Retry Backoff between retries Backoff

rights reserved. No jitter With jitter https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/ Simple Exponential Backoff is not enough: Add Jitter

rights reserved. Adding Jitter

rights reserved. Circuit Breaker • Wrap a protected function call in a circuit breaker object, which monitors for failures. • If failures reach a certain threshold, the circuit breaker trips. Producer Circuit Breaker Consumer Connection Monitoring Timeouts Breaking Circuit

rights reserved. Let’s talk about load shedding.

rights reserved.

rights reserved. Cheaply reject excess work

rights reserved.

rights reserved. Degrade & prioritize traffic with queues Worker Instance Worker Instance API Instance API Instance API Instance High Priority Queue Low Priority Queue

rights reserved. Let’s talk about databases.

rights reserved. Read / Write separation DB Instance DB instance read replica DB instance read replica DB instance read replica Instance Instance Instance Supports degradation through Read-Only mode

rights reserved. Service Degradation & Fallbacks

https://twitter.com/redditstatus/status/1116204502703493120

rights reserved. Transient state does not belong in the database.

rights reserved. Let’s talk about chaos engineering.

rights reserved. Fire Drills

rights reserved. GameDay at Amazon Creating Resiliency Through Destruction https://www.youtube.com/watch?v=zoz0ZjfrQ9s

rights reserved. Chaos engineering https://github.com/Netflix/SimianArmy

rights reserved. Failure injection • Start small & build confidence • Application level • Host failure • Resource attacks (CPU, memory, …) • Network attacks (dependencies, latency, …) • Region attacks • People attack https://www.gremlin.com https://github.com/Netflix/SimianArmy https://chaostoolkit.org

rights reserved. "Chaos engineering is NOT about breaking things randomly without a purpose, chaos engineering is about breaking things in a controlled environment and through well- planned experiments in order to build confidence in your application to withstand turbulent conditions.”

rights reserved. And before we go.

rights reserved. DON’T blame people for failure…

© 2019, Amazon Web Services, Inc. or its Affiliates. All
rights reserved. Amazon Confidential and Trademark Thanks you! @adhorn https://medium.com/@adhorn https://speakerdeck.com/adhorn/patterns-for-building-resilient-software-systems-2019

Resiliency and Availability Design Patterns

Resiliency and Availability Design Patterns

More Decks by Adrian Hornsby

Other Decks in Programming

Featured

Transcript