Netflix's Edge Gateway Using Zuul

Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/


Zuul @ NetflixBy Mikey Cohen - Manager Cloud Gateway, Netflix

@moldfarm

1

Mike Cohen

picture here

Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 2


Global Streaming of TV Shows and Movies

3


Over 42 Billion Hours of Streaming in 2015

4


Over 83 Million Subscribers

In nearly every country5


The Gateway : From the Internet to Services in the Cloud

GatewayGatewayGATEWAY

Origin (API)Origin (API)

API


Website

6


Our Gateway (Zuul) @ Netflix

• Handles most netflix.com hosts• More than 1000 device types

– Hundreds of permutations of protocols and device versions

• Fronted by over 50 elbs • Handling tens of billions of requests per day• 3 AWS regions• Over 20 production Zuul clusters• Fronting about 10 “Origin” systems

7


• Evolution• Scale• Success• Failure

Our Journey to Zuul

8


Why Have a Gateway?

9

Daniel Jacobson

great image. do you provide attribution for the images used?

Mike Cohen

All images I used are open license without restriction

Daniel Jacobson

ok, great. just to be sure, you mean they dont even require or request attribution?


Why have a Gateway?

10


Isn’t (fill-in-the-blank) Good Enough?

11


Netflix’s Idea of a Gateway●Deeply rooted in Microservice ecosystem●Dynamic routing logic●Deep Insights●Load balancing●Availability focused●Service protection●Quality assurance tool

12


Evolving to a Gateway...Evolving to the Cloud

13


Netflix’s Public API (2008)

14


...The world was a simpler place...

15


A Public Developer’s Gateway

• Simple static rule-based routing• API portal• Access Control• Request authentication (OAuth)• Throttling - request caps• Basic Monitoring and Analytics• Caching• 3rd Party managed and developed• Weeks and months development cycles

16


Streaming Devices using public API

• Early Streaming Devices - 2009 – Windows Media Center– XBox– PS3

17


Migration to AWS - 2010

• Apigee• Device traffic, not

public• Controlling DC ->

cloud migration• Running in AWS• Netflix controlled

18


2011 - Streaming Success / General Instability

• Massive Growth• Rapid device

expansion• Pushing AWS limits• Netflix Nascent in

AWS

19


Instability makes way for Innovation

20


Shortcomings of what we had

• Ecosystem Mismatch• Static configuration• Deployment time - Hours• Manual deployment - Error prone• Critical bugs go through vendor• Automated testing not possible

21

Daniel Jacobson

getting to this point, i am now thinking more that you dont need the deep history stuff. you just need enough to express the pains that trigger changes in our approach.


Netflix’s Microservice Ecosystem

Netflix Platform (Karyon, Hystrix)

Data Pipeline (Kafka, etc)

Discovery (Eureka)

Real-time analytics(Mantis)

Monitoring(Atlas)

Dynamic Properties (ARCHAIS)

Deployment Pipeline

AWS

EC2 S3

CryptoAuthentication Database (Cassandra)

Micro Service(Zuul)

22


Spring Platform Microservice Ecosystem

Spring Platform (Karyon, Hystrix)

Discovery (Eureka)

Monitoring(Atlas)

Dynamic Properties (ARCHAIS)

Deployment Pipeline

AWS

EC2 S3

Micro Service(Zuul)

23


2012 - Zuul Created

24


Zuul in a Nutshell

25


Request Lifecycle of a Request

26


Example Filterclass DeviceDelayFilter extends ZuulFilter { def static Random rand = new Random() @Override String filterType() { return 'pre' } @Override int filterOrder() { return 5 } @Override boolean shouldFilter() { return RequestContext.getRequest().getParameter("deviceType")?equals("BrokenDevice"):false } @Override Object run() { sleep(rand.nextInt(20000)) //Sleep for a random number of seconds between [0-20] }}

27


What Zuul Got Us:

• Handle Edge Cases• React quickly• Service Resiliency• Move fast• Microservice Insights

28


What Engineers Saw:• Handle Edge Cases

• React quickly!• Service Resiliency

• Move fast! ←• Microservice Insights

29


Zuul : Early Successes!

• Easy and convenient• Instant results• High adoption• Happy customers

30


Zuul - A Victim of Success

• Business logic in Zuul• Affects system

resiliency • Gateway team in

critical path

31


Creating a Gateway Strategy

32


Principles of Netflix’s Gateway Strategy • Creative Routing• Dynamic Routing• Delivery Focused• Traffic Shaping• React Fast • Insights

33


Creative Routing - Subclusters with Purpose

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

Instrumented

squeeze

“sticky” canarybaseline

“sticky” baseline

v1

v2

test

debug

baseline canary

“sticky” canary

“sticky” baselineFIT

Instrumented

squeeze

34


Red / Green Deployments

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

canary

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


InstrumentedInstrumented

squeezesqueeze

35


Developer Test Branches

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

canary

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


InstrumentedInstrumented

squeezesqueeze

36


Instrumented Clusters (Trickling traffic)

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

canary

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


Instrumented

squeezesqueeze

37


Squeeze Testing

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

canary

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


Instrumented

squeeze

38


Targeted Routing

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

canary

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


Instrumented

squeeze

39


Service “Canarying”

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

canary

Instrumented

squeeze



v1

v2

test

debug

baseline canary“sticky” canary


Instrumented

squeezesqueeze

40


“Sticky” Canary

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

canary

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


Instrumented

squeezesqueeze

41


Failure Injection Testing

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


Instrumented

squeezesqueeze

42


Degraded Experience Testing

GatewayGateway

Gateway

Origin (API)

v1

v2

test

debug

Instrumented

squeeze



v1

v2

test

debug

baseline canary

“sticky” canary


Instrumented

squeezesqueeze

43


Gateway Features of Deployment Pipeline

Gateway Features Completing the Continuous Delivery Pipeline

Version Control Build Unit

TestsFunctional TestingDeploy Service

Canary

Sticky Canary

Failure Injection Testing

Squeeze Testing

Instrumented Servers

Production Push

44


Traffic Shaping

45


A Global Cloud Deployment

Persistence Tier

Business services Tier

Presentation Tier

Network Tier

Websites API

Zuul

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Zuul

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Zuul

DB

US-West-2

US-East-1 EU-West-1

46


Global Cloud Routing

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Zuul

Zuul

Zuul

US-West-2

US-East-1 EU-West-1

47


A Failing Region

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Zuul

Zuul

Zuul

US-West-2

US-East-1 EU-West-1

48


Gateway routing to other regions

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Persistence Tier


Presentation Tier

Network Tier

Websites API

Proxy

DB

Zuul

Zuul

Zuul

US-West-2

US-East-1 EU-West-1

49


Attack Detection & Prevention

GatewayGateway

Gateway


API


Website

50


Other Zuul Responsibilities @ Netflix• Top Level request context

– Geolocation– Cookie / Token decryption

• Authentication– Hand off to Authentication Services

• Request/Response “normalization”– Device specific “weirdness”

• Chunked Encoding• Header truncations• URL fixes

• Testing / Debug support– Verbose Headers

– Geolocation overrides– Error Context

51


Smart Load Balancing

GatewayGateway

Gateway

Origin (API)

52


Smart Load Balancing - Bad Nodes

GatewayGateway

Gateway

Origin (API)

53


Gateway Backoff and Blacklists Bad Nodes

GatewayGateway

Gateway

Origin (API)

54


Zone Failure - Blacklist the Zone automatically

GatewayGateway

Gateway

Origin (API)

55


React Quickly - Runtime Filter changes

GatewayGateway

Gateway


API


Website

Runtime Filter Injection

56


A Room with a View - Insights

GatewayGateway

Gateway


API


Website

Insights

57


What’s new on with Zuul

58


Zuul 2!!

• Zuul 2.0– Netty (non-blocking, async)– RxJava chained filters– Coming to OSS soon.

59


Why Zuul 2?

• 100M+ Persistent connections– Push notifications– Events

• Transport protocol agnostic– HTTP/2– Websocket– HTTP– etc..

60


Async Non-blocking vs Blocking

61


What’s Next?

• Auto-remediation • Gateway as a service

–Self-service dynamic routing / route validation

–Control APIs for special routing functions

62


Top Lessons Learned

63


Ask Why?

64


Build for handling Failures

65


Take Advantage of your Microservice Ecosystem

66


Use Routing Creatively

67


Shard to Reduce Blast Radius

68


Devices are WeirdProtocols are Weird

69


Devices are ForeverProtocols are Forever

70


Keep Business Logic out of your Gateway

71



Learn More. Stay Connected.

Mikey Cohen - @moldfarm

https://github.com/Netflix/zuulhttp://techblog.netflix.com

@springcentralspring.io/blog

@pivotalpivotal.io/blog

@pivotalcfhttp://engineering.pivotal.io

72

https://github.com/Netflix/zuul

http://techblog.netflix.com/

Technology

Netflix's Edge Gateway Using Zuul