The document discusses Netflix's gateway architecture, emphasizing its evolution from a simple proxy to a sophisticated gateway handling billions of requests daily. It highlights key features such as dynamic routing, load balancing, and the importance of insights, while also noting the challenges and lessons learned throughout the transition. Additionally, it details strategic principles for managing service traffic and ensuring system resiliency under varying conditions.

1. A Cloud Gateway -
A Large Scale Company’s First Line
of Defense
Mikey Cohen
Manager - Edge Gateway
Netflix

2. Today, more than 36% of
North America’s internet
traffic is controlled by
systems in the Amazon
Cloud

4. Global Streaming of TV Shows and
Movies

5. Nearly 70 Million Subscribers
In over 80 Countries

6. Netflix accounts for over 36% of
Downstream Traffic in North
America

7. From the Internet to Services in the Cloud
Gateway
Gateway
?????
Origin (API)
Origin (API)
API
Origin (API)
Origin (API)
Website

8. Our Edge Gateway @ Netflix
Handles most netflix.com hosts
Over 20 production Zuul clusters
~ 50 elbs
Gateway handles ~10 origin services

9. Netflix Gateway Scale
Tens of billions of requests per day
3 AWS regions
Over 1000 device types
Hundreds of permutations of protocols and
device versions

10. Success
Evolution
Scale
Failure
Our Journey

11. So What!? - Change your perspective!!

12. Traditional Cloud Proxy Mission
Simple static rule-based routing
API portal
Request authentication
Throttling - request caps
Monitoring
Caching

13. The Gateway - a grown-up proxy!
●Dynamic routing
●Deep Insights
●Load balancing
●Availability focused
●Service protection
●Quality assurance tool

14. Evolving to a Gateway

15. Netflix’s Public API
Late 2008
Mashery
Datacenter

16. Streaming Devices using public API
Early Streaming Devices - 2009
Windows Media Center
XBox
PS3

17. Migration to AWS
2010
Sonoa / Apigee proxy
Device traffic, not public
Controlling DC -> cloud
migration
Running in AWS
Under Netflix control

18. Streaming Success
2011
Chaos
Complexity
Failure
Success
Leveraging
Cloud benefits

19. Anti-patterns of most cloud proxies
Static configurations
Service push needed to
change behavior
Limited range of
functionality
Limited to HTTP

20. Zuul Created
2012
Dynamically injected and compiled filters
Manipulate requests and responses
Headers / Body / etc
Change routing
Add metrics and other functions
Built on Netflix’s OSS stack
Open Sourced

21. Zuul - A Victim of Success
Easy and convenient
Instant results
High adoption
Happy customers
Business logic in proxy
Affects system resiliency
Zuul team in critical path

22. Creating a Gateway
Strategy

23. Principles of Netflix’s Gateway Strategy
Creative Routing
Dynamic Routing
Delivery Focused
Traffic Shaping
React Fast
Insights

24. Creative Routing - Subclusters with Purpose
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze

25. Red / Green Deployments
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
canary
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
Instrumented
squeeze
squeeze

26. Developer Test Branches
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
canary
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
Instrumented
squeeze
squeeze

27. Instrumented Clusters
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
canary
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze
squeeze

28. Squeeze Testing
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
canary
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze

29. Targeted Routing
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
canary
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debu
g
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze

30. Service “Canarying”
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
canary
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze
squeeze

31. “Sticky” Canary
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
canary
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze
squeeze

32. Failure Injection Testing
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze
squeeze

33. Degraded Experience Testing
Gateway
Gateway
Gateway
Origin (API)
v1
v2
test
debug
Instrumented
squeeze
“sticky”
canarybaseline
“sticky”
baseline
v1
v2
test
debug
baseline canary
“sticky”
canary
“sticky”
baselineFIT
Instrumented
squeeze
squeeze

34. Traffic Shaping

35. A Global Cloud Deployment
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB

36. Global Cloud Routing
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB

37. A Failing region
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB

38. Gateway routing to other regions
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB
Persistence Tier
Business
services Tier
Presentation
Tier
Network Tier
Websites
API
Proxy
DB

39. Attack prevention
Gateway
Gateway
Gateway
Origin (API)
Origin (API)
API
Origin (API)
Origin (API)
Website

40. Smart Load Balancing
Gateway
Gateway
Gateway
Origin (API)

41. Smart Load Balancing - Bad Nodes
Gateway
Gateway
Gateway
Origin (API)

42. Gateway Backoff and Blacklists Bad Nodes
Gateway
Gateway
Gateway
Origin (API)

43. Zone Failure - Blacklist the Zone automatically
Gateway
Gateway
Gateway
Origin (API)

44. React Quickly - Runtime Filter changes
Gateway
Gateway
Gateway
Origin (API)
Origin (API)
API
Origin (API)
Origin (API)
Website
Runtime Policy
Injection

45. A Room with a View - Insights
Gateway
Gateway
Gateway
Origin (API)
Origin (API)
API
Origin (API)
Origin (API)
Website
Insights

46. What’s Next for Netflix’s Gateway?
Gateway as a service
Self-service dynamic routing / route validation
Control APIs for special routing functions
Netty Based Zuul (using RxNetty)
Handling persistent connections
non-blocking, async
Transport protocol agnostic routing
Reactive Socket http://reactivesocket.io/

47. Top Ten Lessons Learned

48. Build for handling
Failures

49. Expect the Unexpected

50. Using Routing Creatively

51. Shard to Reduce Blast
Radius

52. Devices are Weird
Protocols are Weird

53. Devices are Forever
Protocols are Forever

54. It will be built “wrong”

55. Keep Business Logic out
of your Gateway

56. For More Info...
Zuul OSS
Netflix Tech Blog
RxNetty
Jobs