Design and Implementation of Microservices
Sam Newman - Technical Consultant, ThoughtWorks
Scott Shaw - Head of Technology, ThoughtWorks
Discover a consistent and reinforcing set of tools and practices rooted in the philosophy of small and simple; this can help you move towards a microservice architecture.
13. 90% of the TCO of an application is incurred post launch
15. Superpartners’ botched IT project costs industry super funds millions
Published 26 November 2013 01:17, Updated 27 November 2013 07:46
Sally Patten
A group of industry superannuation funds has revealed in accounts lodged with the Australian Securities and
Investments Commission that the cost of implementing a key IT project has blown out by another $43 million.
This means that a project that started in 2008 and was meant to be completed by 2010 will cost super fund members at
least $250 million and will be delivered at least four years late.
Superpartners, a super administration company owned by five industry retirement schemes, posted a $7.4 million loss
on revenues of $257 million for the 12 months ended June 30, after being forced to take a $20.4 million impairment
[Image caption] IT project-related losses are an embarrassment for the industry fund backers – AustralianSuper, Cbus, HOSTPLUS, HESTA and MTAA Super –
which pride themselves on low fees and improving member services. Illustration: Karl Hilzinger
17. we have to rewrite entire ecosystems every few years
this doesn’t make many CFO’s happy
31. [Diagram, repeated with small variations through slide 36: HR UI, Finance UI and several other UIs, a "Middleware DB", a Data Warehouse (canned reports, cubes / ad-hoc), SSO, AD and a UI / Service, joined by many "Direct db access" links and read-only views of external data; several components are marked "?"]
36. Logic scattered all over the place
Data scattered all over the place
Difficult to predict the effect of changes
Which system is right?
BI / MI almost impossible to get at
56. Summary
We understand more about building reliable distributed systems
cloud compute and programmable infrastructure have matured
organisations need to adapt and change quickly to survive
we spend too much money on building monoliths
85. • Things to think about:
• Concentrate on the business capabilities
• technical acronyms make us think the wrong way
• What are the common features? Integration methods?
• What different types of data live where?
86. it can be a single system and its
component parts or chunking
up to how your systems
integrate with others
and if you can’t remember that’s ok too, we don’t want
perfect, just something to work with
87. Summary
do just enough up front
evolutionary architecture is in the gaps
emergent design is in the boxes
107. "The delimited applicability of a
particular model. BOUNDING
CONTEXTS gives team members a
clear and shared understanding of what
has to be consistent and what can
develop independently."
108. A specific responsibility
enforced by explicit
boundaries
http://www.sapiensworks.com/blog/post/2012/04/17/DDD-The-Bounded-Context-Explained.aspx
142. to build systems is to make trade-offs
throughput vs cost
portability vs deployability
replaceability vs maintainability
evolutionary architecture and emergent design are
approaches that maximise flex
143. you want to maximise the degrees of
freedom of your system
144. The idea of architecture principles is
to try and balance these tradeoffs
153. The idea of architecture principles is
to try and balance these tradeoffs
to try and balance short term gain with longer term strategic goals
Where trade-offs have to be made they should be made
visibly and consciously
They should move you towards a state where the tradeoffs don’t
happen so often or have such large impact
They should be driven by the goals of the business
for the next 18-24 months
any longer and you are only fooling yourself
155. and if you don’t know what your business goals are...
may we respectfully suggest that you go and
find them out!
162. The idea of constraints is to allow your teams the freedom to make decisions
within a consistent framework
this is not about “not allowed to break them”, this is about having a
conversation
these work best when backed up by tooling that makes it easy to do the
right thing
shall we take a look at some examples?
175. favour choreography over orchestration
don’t share domain code (and physically separate the
codebases to ensure this)
scale using processes, not threads
don’t use session state
never return directly from a POST
193. [Diagram, repeated through slide 200: HR UI, Finance UI and several other UIs, a "Middleware DB", a Data Warehouse (canned reports, cubes / ad-hoc), SSO, AD and a UI / Service, joined by many "Direct db access" links and read-only views of external data]
which is ok until...
and yes, this is a real world example...
194. changing anything is really really hard
195. different types of data are smeared about
200. systems like this are brittle
difficult to reason about
difficult to change
difficult to maintain
208. other clients can use the same call as the first
createUser(id, firstName, lastName, address)
so far so good
210. but what happens when you want to change
how one of the clients calls your service?
maybe I don’t want to use first name
and last name anymore
211. I want to use the ‘fullname’
createUser(id, firstName, lastName, address)
createUserByFullname(id, fullName, address)
212. or I want to specify address individually
createUser(id, firstName, lastName, address)
createUserByFullname(id, fullName, address)
createUserByFullnameAndAddress(id, fullName, street1, street2, zipcode)
215. one of two things tends to happen with
systems of this type
1. you end up with very long service definitions
2. coordination of changes to clients becomes
difficult
221. 1. specifications quickly become very very
long and a nightmare to maintain
createUserWithFullname(...)
createUser(...)
createUserWithFullnameAndAddress(...)
createUserWithAddress(...)
every time I want to change some logic, I have to change every
method call
222. 2. you have to coordinate the release
cycles of your clients
createUser(id, firstName, lastName, address)
241. a bit like going back to the 50’s enterprise
except without the smoking and the rampant misogyny
(AMC / Associated Press)
245. back in the day, if you wanted to book a
holiday, you didn’t go onto your
corporate intranet to do it right?
you went to the cupboard
and you pulled out one of these
and you filled it in
247. james’ holiday request
form
and then you sent it to the HR department
where it was processed, and eventually you got
another envelope back containing the approval
251. and messaging is a bit like that
asynchronous
after all, you wouldn’t want to block waiting for internal mail right?
incidentally, I wasn’t actually there in the 50’s. I just have this on good
authority
257. and return them should that be the semantics of the
exchange
261. the documents allowed additive changes to
be made without breaking existing clients
If you want to add a field, you can do so as long as
clients are late bound to the documents
and if you want to rename something, you can do
that easily too (add another one with the same name)
296. • Level 1 tackles the question of handling complexity
by using divide and conquer, breaking a large
service endpoint down into multiple resources.
370. @samnewman
Summary
• Split around bounded contexts
• Make small, incremental changes
• Split inside the process boundary before
splitting out services
• Start coarse-grained
374. It is impossible for a distributed computer system
to simultaneously provide all three of the following
guarantees:
• Consistency (all nodes see the same data at the same time)
• Availability (a guarantee that every request receives a response about
whether it was successful or failed)
• Partition tolerance (the system continues to operate despite arbitrary
message loss or failure of part of the system)
http://en.wikipedia.org/wiki/CAP_theorem
375. Partition Tolerance
The system continues to operate despite arbitrary message
loss or failure of part of the system
Typically, we need this - so end up trading off the other two
380. Option 1: Keep Node 2 serving traffic
Data is potentially stale, but, we keep Node 2 up
We have sacrificed consistency for availability
[Diagram: Load Balancer in front of the Inventory Service, Node 1 with the Master DB and Node 2 with the Slave DB]
382. Option 2: Remove Node 2 from service
Now we have had to degrade availability to ensure consistency
[Diagram: the same Inventory Service layout, Node 1 with the Master DB and Node 2 with the Slave DB behind the Load Balancer]
409. Web Shop
Master DB
Let us consider a read
Is this ‘consistent’?
We should see this data as a memory* - we see this data as it was, we can’t (easily) be sure what it is now
* - http://blogs.msdn.com/b/pathelland/archive/2007/05/15/memories-guesses-and-apologies.aspx
418. Transaction Club
• The first rule is…don’t!
• If you really, really, really have to, consider
merging services first
419. Summary
• Understand if consistency or availability is
important - and this is normally a business
decision!
• It isn’t all or nothing
• Avoid distributed transactions if you can
471. [Diagram: Customer Service pipeline with Build, S/M Tests, Large Tests and Integration Test stages; Production runs Customer Service v1 and Web Shop v1; the Integration Test stage runs Customer Service v2 with Web Shop v1]
476. [Diagram: separate Web Shop and Customer Service pipelines (Build, S/M Tests, Large Tests) sharing an Integration Test stage; Production runs Customer Service v1 and Web Shop v1; Customer Service v2 and Web Shop v2 are marked "???"]
481. [Diagram: Web Shop, Customer Service, Invoice Service, Basket and Fulfilment pipelines (Build, S/M Tests, Large Tests) all feeding one Integration Test stage]
530. [Diagram: pipeline stages Build, S/M Tests, Large Tests, UAT and Prod mapped onto a CI Node, a Large Tests Environment (Machine, DB), a UAT Environment (Machine, DB) and a Production Environment (Machines, Master DB, Slave DB)]
564.
“Machine”
Service
Much Easier To Reason About
Easier To Provision (Or Decommission)
Fewer Side-effects
Cost & Management Overhead!
AWS
Digital Ocean
OpenStack
611.
Be aware of - and balance - your test Pyramid
Understand the balance between testing & rapid remediation
Deploy one thing at a time
Consider consumer-driven contracts over integration tests
Explore image-based deployments to reduce environment differences
641. “Every socket, process, pipe, or remote
procedure call can and will hang. Even
database calls [...]”
M. Nygard, “Release It”
642. Cascading Failures
• Happen when a problem in a service causes
a problem in one or more consumers of
that service
• Become a bigger problem with more
services (cross more process boundaries)
• Can a failure in one back-end application
take down the entire system (including the
parts that don’t depend on that back-end)?
643. Failure Types
• Rejected connections
• Dropped ACKs
• Slow responses (these are the nasty ones!)
652. Fail Fast
• Check (and perhaps reserve) required
resources before processing a request
• Reject immediately if, say, a circuit breaker
has been tripped
• Allow consumers to query state of service
before proceeding (see monitoring later)
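An added example (not from the original slides) of the fail-fast behaviour described above: a minimal circuit breaker that treats timeouts from a slow backend as failures, rejects calls immediately once tripped, and exposes its state so consumers or monitoring can query it. The class names, thresholds and the `inventory_lookup` backend are assumptions made for illustration, and the sketch assumes a single-threaded caller.

```python
import time


class CircuitOpenError(RuntimeError):
    """Raised when the breaker rejects a call without touching the backend."""


class CircuitBreaker:
    CLOSED, OPEN, HALF_OPEN = "closed", "open", "half-open"

    def __init__(self, failure_threshold=3, reset_after=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold  # consecutive failures before tripping
        self.reset_after = reset_after              # seconds before a probe call is allowed
        self.clock = clock
        self.failures = 0
        self.opened_at = None

    @property
    def state(self):
        """Current state; cheap enough to expose on a health or monitoring endpoint."""
        if self.opened_at is None:
            return self.CLOSED
        if self.clock() - self.opened_at >= self.reset_after:
            return self.HALF_OPEN
        return self.OPEN

    def call(self, func, *args, **kwargs):
        state = self.state
        if state == self.OPEN:
            # Fail fast: no socket, thread or connection is tied up waiting.
            raise CircuitOpenError("backend marked unhealthy; rejecting immediately")
        try:
            result = func(*args, **kwargs)
        except Exception:
            self.failures += 1
            # A failed probe in half-open state re-opens the circuit straight away.
            if state == self.HALF_OPEN or self.failures >= self.failure_threshold:
                self.opened_at = self.clock()
            raise
        self.failures = 0
        self.opened_at = None
        return result


class FakeClock:
    """Deterministic clock so the demo does not need to sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, reset_after=30.0, clock=clock)
    backend = {"calls": 0, "healthy": False}

    def inventory_lookup(sku):
        # Constructed stand-in for a remote call that enforces its own timeout.
        backend["calls"] += 1
        if not backend["healthy"]:
            raise TimeoutError("inventory service did not answer in time")
        return {"sku": sku, "in_stock": 4}

    outcomes = []
    for _ in range(5):
        try:
            breaker.call(inventory_lookup, "sku-1")
            outcomes.append("ok")
        except CircuitOpenError:
            outcomes.append("rejected")
        except TimeoutError:
            outcomes.append("timeout")

    clock.advance(31)            # reset window passes, backend has recovered
    backend["healthy"] = True
    breaker.call(inventory_lookup, "sku-1")
    outcomes.append("ok")
    return outcomes, backend["calls"], breaker.state


if __name__ == "__main__":
    print(demo())
```

The backend is only contacted four times for six requests: the two rejected calls never leave the consumer, which is what stops a slow dependency from exhausting the caller's resources.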
695. Summary
• Complexity doesn’t vanish, but with help it
can be more evident
• Monitoring & architectural safety measures
are essential!
• Start with a few services and understand
what your appetite is for this new sort of
complexity
697. "organizations which design systems ... are
constrained to produce designs which are
copies of the communication structures of
these organizations"
- Melvin Conway, Dude
(HBR rejected the original paper as the
thesis wasn’t proved)
698. “If seven people create a compiler, you get a
seven pass compiler”
- Dan North, not quite a dude
715. Splitting Stories
• When splitting, try and synchronise the
work
• Consider re-assigning service ownership
temporarily
• Splitting stories across multiple teams is
painful...
• ...so what about shared services?
725. #123
As a despot when I
press the big red
button I want...
Problems:
Consistency of XD
Sequencing
Bottlenecks
Testing
TL, QA,
PM
726. Summary
• In general assign services to team...
• ...where team means a co-located group of
people
• Strongly splitting services around
organizational boundaries
• Avoid shared services, instead temporarily
re-assign ownership to reduce the need for
fine-grained orchestration of work
730. Authentication
• Starting point: HTTP Basic
Authentication + SSL/TLS
• It gives us:
• Confidentiality and Integrity
guarantees
• Strong server authentication
731. Why start here?
• Simple and secure
• Stable standards with implementations that
have been battle hardened
• Straightforward interop between platforms
734. Exception 1
• Scenario: All data is 100% public
information
• No need for strict authentication or crypto
• Use API keys to monitor usage. Allows
quotas to be applied if needed
736. Exception 2
• Scenario: I must have strong crypto
guarantees for my authentication
• Use SSL/TLS with client certificates
• Benefit: Strong authentication of client
• Drawback: PITA to manage
738. Exception 3
• Scenario: Some/all of the APIs will be
consumed by native mobile applications
• Consider OAuth 2.0 + SSL/TLS
• Why? OAuth means the mobile app doesn’t
need to store passwords. It instead stores a
token that can be revoked on a per-device
basis.
740. OAuth 2.0 drawbacks
• It’s a “framework”, not a protocol
• Interop isn't guaranteed as not all
implementations support all authorisation
flows and token types
• Security pitfalls with some token types
(bearer) and flows (implicit)
741. At vs inside perimeter
• Services that are only consumed by
services inside the firewall don’t have to
use the same mechanism as services that
are consumed from outside the firewall
• If a service is used both inside and outside
the perimeter, consider two entry points
with different authentication mechanisms
743. Confused deputy
• Fool downstream service into accessing
resource the user shouldn’t have access to
• Harder when lots of services are involved.
• Need to have sufficient authorisation
information available wherever we need
to make an authorisation decision.
• Usually we make this part of the payload
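An added example (not from the original slides) of the confused deputy problem above, with the "before" downstream check beside one that uses authorisation information carried in the payload. The service names, the `on_behalf_of` field, the `support` role and the order data are all assumptions made for illustration; the example also assumes the payload reached the downstream service over an authenticated channel, so its claims have not been altered in transit.

```python
class Forbidden(Exception):
    """Downstream service refuses the request."""


# Constructed sample data held by the downstream order service.
ORDERS = {
    "order-1001": {"owner": "alice", "total": "42.00"},
    "order-1002": {"owner": "bob", "total": "13.37"},
}
TRUSTED_CALLERS = {"web-shop"}


def get_order_trusting_caller(caller_service, order_id):
    """Before: authorises the calling service only.

    web-shop is allowed to read every order, so the deputy will fetch any
    order id on behalf of whichever user happens to be logged in.
    """
    if caller_service not in TRUSTED_CALLERS:
        raise Forbidden("unknown calling service")
    return ORDERS[order_id]


def get_order_checking_user(caller_service, request):
    """After: the decision uses the end user's identity from the payload."""
    if caller_service not in TRUSTED_CALLERS:
        raise Forbidden("unknown calling service")
    principal = request.get("on_behalf_of") or {}
    user = principal.get("user")
    roles = set(principal.get("roles", ()))
    if not user:
        raise Forbidden("no end-user identity in payload")
    order = ORDERS.get(request.get("order_id"))
    # Same error for "does not exist" and "not yours", so the response
    # does not reveal which order ids are valid.
    allowed = order is not None and (order["owner"] == user or "support" in roles)
    if not allowed:
        raise Forbidden("order not available to this user")
    return order


def web_shop_view_order(logged_in_user, order_id, roles=()):
    """The upstream deputy: forwards who it is acting for, not just what it wants."""
    request = {
        "order_id": order_id,
        "on_behalf_of": {"user": logged_in_user, "roles": list(roles)},
    }
    return get_order_checking_user("web-shop", request)


def is_forbidden(func, *args, **kwargs):
    """Helper for the demo: True if the call is refused."""
    try:
        func(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(get_order_trusting_caller("web-shop", "order-1002"))        # served regardless of user
    print(web_shop_view_order("alice", "order-1001"))                 # alice's own order
    print(is_forbidden(web_shop_view_order, "alice", "order-1002"))   # bob's order is refused
```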
745. What about SAML?
• Over-complicated
• SOAP focused*
• Some interop problems
• Workable if your organisation already has a
heavy investment
• Authorisation tokens can be used to solve
the confused deputy problem
746. OpenID Connect
• Builds on OAuth 2.0, adds an identity layer
• Reinvents SAML, but HTTP friendly
• Tokens are no longer opaque strings but
can contain claim information
• The future, not today. Ready in 1-2 years.
747. What about S3 Auth?
• HMAC-based, uses “secret key”
• HTTP Authorization header/status code
• Benefit: No server-side state
• Drawbacks: No per service/device
revocation. Requires canonicalisation.
• If you want to use it, clone the AWS spec
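An added example (not from the original slides) of the HMAC-based, stateless scheme described above, showing why canonicalisation is required: both sides must derive byte-identical input before computing the MAC. This is a simplified scheme in the same style, not the AWS signature format; the header layout, key id, secret and five-minute skew window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed demo credential; a real deployment would load secrets from a vault.
SECRETS = {"demo-access-key": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300


def canonical_request(method, url, timestamp, body):
    """Reduce a request to one unambiguous string that client and server agree on."""
    parts = urlsplit(url)
    # Decode, sort and re-encode query parameters so ordering and
    # equivalent encodings ("+" vs "%20") do not change the signature.
    pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    return "\n".join([
        method.upper(),
        parts.path or "/",
        query,
        str(int(timestamp)),
        hashlib.sha256(body).hexdigest(),   # binds the body to the signature
    ])


def sign(key_id, secret, method, url, timestamp, body=b""):
    """Client side: build the value of the HTTP Authorization header."""
    message = canonical_request(method, url, timestamp, body).encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return f"HMAC-SHA256 {key_id}:{base64.b64encode(mac).decode()}"


def verify(authorization, method, url, timestamp, body, now):
    """Server side: returns an HTTP status code; needs no per-session state."""
    try:
        scheme, rest = authorization.split(" ", 1)
        key_id, _signature = rest.split(":", 1)
        timestamp = int(timestamp)
    except (ValueError, TypeError, AttributeError):
        return 401
    secret = SECRETS.get(key_id)
    if scheme != "HMAC-SHA256" or secret is None:
        return 401
    # Reject stale requests so a captured header cannot be reused indefinitely.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return 401
    expected = sign(key_id, secret, method, url, timestamp, body)
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(expected.encode(), authorization.encode()):
        return 200
    return 401


def demo():
    ts = 1700000000  # constructed timestamp
    header = sign("demo-access-key", SECRETS["demo-access-key"],
                  "GET", "https://inventory.example/items?b=2&a=1", ts)
    return {
        "reordered_query": verify(header, "get", "https://inventory.example/items?a=1&b=2", ts, b"", ts + 10),
        "tampered_body": verify(header, "GET", "https://inventory.example/items?a=1&b=2", ts, b"x", ts + 10),
        "stale": verify(header, "GET", "https://inventory.example/items?a=1&b=2", ts, b"", ts + 301),
    }


if __name__ == "__main__":
    print(demo())
```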