Building a Cloud Native Bank

Transcript

1. Building a Cloud-Native Bank Matt Heath, Monzo

2. ! ⛅ #

3. Hi, I’m Matt

4. @mattheath

5. None
6. None

7. Nov 2015 Oct 2018 CUSTOMER
 GROWTH

8. $ 1,031,133

9. £4 billion spent %

10. None
11. None
12. None
13. None
14. None
15. None
16. None
17. None

18. #

19. &

20. None

21. '

22. LICENCE WITH RESTRICTIONS WE ARE HERE A UK banking licence

    is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! FEB 2015 JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY JUN JUL MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC PRE APPLICATION APPLICATION MOBILISATION LAUNCH LICENCE WITH RESTRICTIONS 50K MAX DEPOSIT WE ARE HERE A UK banking licence is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY JUN JUL MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC E APPLICATION APPLICATION MOBILISATION LAUNCH LICENCE WITH RESTRICTIONS WE ARE HERE AUG
 2017 JAN
 2016 Feb
 2015 APR
 2017 A UK banking licence is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! FEB 2015 JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC PRE APPLICATION APPLICATION MOBILISATION LICENCE WITH RESTRICTIONS WE ARE HERE

23. Henrik Kniberg

24. None

25. ?

26. ☁

27. ⛈

28. ⛅

29. Henrik Kniberg

30. James Leah Matt

31. James Leah Matt *

32. James Leah Matt +

33. ,

34. None
35. None

36. - - -

37. - - - X X X

38. -

39. % - %

40. .

41. - ☕☕

42. ☕☕ - %

43. ☁

44. EXTENSIBLE SCALABLE RELIABLE SECURE
 CHEAP

45. ?

46. Application

47. Application

48. APPLICATION Application

49. None
50. None
51. None

52. LICENCE WITH RESTRICTIONS WE ARE HERE A UK banking licence

    is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! FEB 2015 JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY JUN JUL MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC PRE APPLICATION APPLICATION MOBILISATION LAUNCH LICENCE WITH RESTRICTIONS 50K MAX DEPOSIT WE ARE HERE A UK banking licence is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY JUN JUL MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC E APPLICATION APPLICATION MOBILISATION LAUNCH LICENCE WITH RESTRICTIONS WE ARE HERE AUG
 2017 JAN
 2016 Feb
 2015 APR
 2017 A UK banking licence is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! FEB 2015 JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC PRE APPLICATION APPLICATION MOBILISATION LICENCE WITH RESTRICTIONS WE ARE HERE

53. A UK banking licence is authorised by the PRA and

    regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! FEB 2015 JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY JUN JUL MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC PRE APPLICATION APPLICATION MOBILISATION LAUNCH LICENCE WITH RESTRICTIONS 50K MAX DEPOSIT WE ARE HERE A UK banking licence is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY JUN JUL MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC E APPLICATION APPLICATION MOBILISATION LAUNCH LICENCE WITH RESTRICTIONS WE ARE HERE AUG
 2017 JAN
 2016 Feb
 2015 APR
 2017 PREPAID
 CARD
 LAUNCH LICENCE WITH RESTRICTIONS WE ARE HERE A UK banking licence is authorised by the PRA and regulated by the PRA and FCA1, allowing deposit- taking and balance sheet lending. Once granted, it allows firms to passport across Europe, accessing This is followed by a “mobilisation” phase during which final capital is raised and IT systems are completed, before launching to the public. We received a UK banking licence in August 2016! FEB 2015 JAN 2016 JAN 2017 MAR FEB FEB APR MAR MAR APR MAY APR JUN MAY JUL JUN AUG JUL SEP AUG NOV SEP DEC NOV DEC PRE APPLICATION APPLICATION MOBILISATION LICENCE WITH RESTRICTIONS WE ARE HERE
54. None
55. None
56. None
57. None

58. ?

59. EC2
 Instance

60. instance instance

61. instance instance instance instance instance instance

62. instance instance instance instance instance instance { { { eu-west-1a

    eu-west-1b eu-west-1c

63. instance instance instance instance instance instance Kubernetes

64. instance instance instance instance instance kubelet

65. kubelet kubelet kubelet kubelet kubelet kubelet

66. kubelet kubelet kubelet kubelet kubelet kubelet Kubernetes Master

67. kubelet kubelet kubelet kubelet kubelet kubelet Kubernetes Master etcd

68. kubelet kubelet kubelet kubelet kubelet kubelet Kubernetes Master etcd

69. etcd

70. etcd etcd etcd

71. etcd etcd etcd etcd etcd etcd etcd etcd etcd

72. etcd etcd etcd etcd etcd etcd etcd etcd etcd quorum

    = 5 or more nodes alive (n/2+1)

73. etcd etcd etcd etcd etcd etcd etcd etcd etcd quorum

    maintained

74. etcd etcd etcd etcd etcd etcd etcd etcd etcd quorum

    maintained '

75. etcd etcd etcd etcd etcd unhealthy machines terminated 0

76. etcd etcd etcd etcd etcd etcd etcd etcd etcd new

    machines automatically reattach EBS, cluster recovers 1

77. etcd ASG 4 etcd ASG 7 etcd ASG 1 etcd

    ASG 5 etcd ASG 8 etcd ASG 2 etcd ASG 3 etcd ASG 6 etcd ASG 0 each etcd node is an autoscaling group of 1, with a fixed identity

78. etcd etcd etcd etcd etcd etcd etcd etcd etcd quorum

    lost 2

79. etcd etcd etcd etcd unhealthy machines terminated 0

80. etcd etcd etcd etcd etcd ASG 7 etcd ASG 1

    etcd ASG 8 etcd ASG 2 etcd ASG 6 autoscaling groups start new instances

81. etcd etcd etcd etcd etcd etcd etcd etcd etcd unhealthy

    machines replaced automatically, EBS reattached, cluster recovers 3

82. Blog

83. kubernetes

84. kubernetes pod pod pod pod pod pod pod pod pod

    pod

85. pod container service

86. pod scratch container go service

87. kubernetes service service service service service service service service service

    service

88. kubernetes service service service service service service service service service

    service

89. kubernetes service service service service service service service service service

    service

90. kubernetes service service service service service service service service service

    service

91. kubernetes service service service service service service service service service

    service service service service

92. kubernetes service service service service service service service service service

    service

93. kubernetes service Prometheus service service Kafka linkerd Kafka service service

    Elasticsearch calico API service

94. 4

95. 1

96. Request Limit

97. CPU Throttling

98. None

99. API

100. API

101. API Gateway API Service API Service API Service API Service

     API Service API Service API Service API Service
102. None
103. None
104. None

105. API Gateway Accounts Cards Pots Feed Payments …

106. API Gateway Accounts Cards Pots Feed Payments … New
 Exciting


     API!! 5

107. Cards Pots Payments … API Gateway Accounts New
 Exciting
 API!!

     0 0 0 0 0 Feed

108. Cards Pots Payments … API Gateway Accounts New
 Exciting
 API!!

     0 0 0 0 0 6 Feed

109. API Gateway Accounts Cards Pots Payments … New
 Exciting
 API!!

     5 6 Feed

110. Service Service

111. Service Service Service Service

112. Service Service Service Service Kubernetes
 Service

113. Service Discovery Load Balancing Timeouts and Expirations Retries Rate Limiting

     Connection Pooling Circuit Breaking Failure Detection Metrics and Tracing Interrupts Context Propagation

114. Service Discovery Load Balancing Timeouts and Expirations Retries Rate Limiting

     Connection Pooling Circuit Breaking Failure Detection Metrics and Tracing Interrupts Context Propagation

115. Service Service Service Service ?

116. Service Service Service Service linkerd

117. Service linkerd

118. Service linkerd service
 discovery

119. Service Service Service Service linkerd service
 discovery

120. Service Service Service Service linkerd

121. Service Service Service Service linkerd

122. Service Service Service Service linkerd

123. Service Service Service Service linkerd

124. kind: DaemonSet metadata: name: linkerd spec: template: spec: containers: -

     name: linkerd image: ecr:linkerd_vXXX - "/etc/linkerd/linkerd.yaml" volumeMounts: - name: linkerd-config mountPath: /etc/linkerd readOnly: true ports: - name: http containerPort: 443 hostPort: 4140 env: - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP resources: limits: cpu: 4 memory: 2Gi monzo.com/cpu-period: 2500 requests: cpu: 1 memory: 1Gi services send requests to local
 linkerd daemonset linkerd daemonset pods & services
 on other machines
125. None
126. None
127. None

128. Event Driven
 Architecture

129. Service A Service B Load Balancer Edge Gateway API Service

130. API Service Service A Service B Load Balancer Edge Gateway

131. API Service Service A Service B Load Balancer Edge Gateway

     Service D Service E

132. API Service Service A Service B Load Balancer Edge Gateway

     Service C Service D Service E

133. API Service Service A Service B Load Balancer Edge Gateway

     Service C Service D Service E 6

134. API Service Service A Service B Load Balancer Edge Gateway

     Service C Service D Service E 6 7

135. API Service Service A Service B Load Balancer Edge Gateway

     Service C Service D Service E 6 7 7 7 7

136. API Service Service A Service B Load Balancer Edge Gateway

     Service C Service D Service E 6 7 7 7 7 Service D

137. API Service Service A Service B Load Balancer Edge Gateway

     Service C Service D Service E 6 Service D

138. 8

139. API Service API Service Load Balancer Monzo API Gateway API

     Service

140. API Service API Service Load Balancer Monzo API Gateway API

     Service

141. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service

142. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service AWS Shield AWS WAF

143. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service AWS Shield AWS WAF AWS API

144. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service AWS Shield AWS WAF AWS API

145. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service AWS Shield AWS WAF AWS API

146. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service AWS Shield AWS WAF AWS API Reject traffic at ALB Update rules
 via API

147. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service AWS Shield AWS WAF AWS API Reject traffic at ALB Update rules
 via API

148. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service AWS Shield AWS WAF 8

149. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service 8

150. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service 8 service

151. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service 8 service &
152. None
153. None

154. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service 8 service VPC Segregation
 Network ACLs Sec Groups

155. API Service API Service Application Load Balancer (ALB) Monzo API

     Gateway API Service 8 service 8

156. instance instance instance instance instance instance instance instance instance 9

157. instance instance instance instance instance instance instance instance instance 9

     IAM Auditing CloudTrail 8
158. None

159. :

160. None

161. Ship it and iterate
 Make changes small
 Make changes often

     Technical debt as a tool

162. API Gateway Accounts Cards Pots Feed Payments … New
 Exciting


     API!! 5
163. None

164. Production load tests & Shadow Traffic

165. EXTENSIBLE SCALABLE RELIABLE SECURE
 CHEAP

166. Empower teams

167. monzo.com/careers