Ben Christensen, profile picture
Uploaded byBen Christensen
PDF, PPTX3,213 views

Fault Tolerance in a High Volume, Distributed System

The document discusses strategies for fault tolerance in high-volume distributed systems, emphasizing that no single dependency should cause app failure and proposing methods like fail-fast, fallback, and load shedding. It outlines techniques such as aggressive network timeouts, tryable semaphores, separate threads, and circuit breakers to manage concurrency and reliability. Netflix employs a combination of these strategies to ensure resilience against failures, with specific implementations detailed throughout the text.

Embed presentation

Download as PDF, PPTX
Fault Tolerance in a High Volume, Distributed System Ben Christensen Software Engineer – API Platform at Netflix @benjchristensen http://www.linkedin.com/in/benjchristensen 1
Dozens of dependencies. One going down takes everything down. 99.99%30 = 99.7% uptime 0.3% of 1 billion = 3,000,000 failures 2+ hours downtime/month even if all dependencies have excellent uptime. Reality is generally worse. 2
3
4
5
No single dependency should take down the entire app. Fail fast. Fail silent. Fallback. Shed load. 6
Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 7
Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 8
Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 9
Semaphores (Tryable): Limited Concurrency TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire()) { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } 10
Semaphores (Tryable): Limited Concurrency TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire()) { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } 11
Semaphores (Tryable): Limited Concurrency TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire()) { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } 12
Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 13
Separate Threads: Limited Concurrency try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } 14
Separate Threads: Limited Concurrency try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command RejectedExecutionException because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } 15
Separate Threads: Limited Concurrency try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command RejectedExecutionException because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } 16
Separate Threads: Timeout Override of Future.get() public K get() throws CancellationException, InterruptedException, ExecutionException { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } 17
Separate Threads: Timeout Override of Future.get() public K get() throws CancellationException, InterruptedException, ExecutionException { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } 18
Separate Threads: Timeout Override of Future.get() public K get() throws CancellationException, InterruptedException, ExecutionException { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } 19
Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 20
Circuit Breaker if (circuitBreaker.allowRequest()) { return executeCommand(); } else { // short-circuit and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } 21
Circuit Breaker if (circuitBreaker.allowRequest()) { return executeCommand(); } else { // short-circuit and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } 22
Circuit Breaker if (circuitBreaker.allowRequest()) { return executeCommand(); } else { // short-circuit and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } 23
Netflix uses all 4 in combination 24
25
Tryable semaphores for “trusted” clients and fallbacks Separate threads for “untrusted” clients Aggressive timeouts on threads and network calls to “give up and move on” Circuit breakers as the “release valve” 26
27
28
29
Benefits of Separate Threads Protection from client libraries Lower risk to accept new/updated clients Quick recovery from failure Client misconfiguration Client service performance characteristic changes Built-in concurrency 30
Drawbacks of Separate Threads Some computational overhead Load on machine can be pushed too far ... Benefits outweigh drawbacks when clients are “untrusted” 31
32
Visualizing Circuits in Realtime (generally sub-second latency) Video available at https://vimeo.com/33576628 33
Rolling 10 second counter – 1 second granularity Median Mean 90th 99th 99.5th Latent Error Timeout Rejected Error Percentage (error+timeout+rejected)/ (success+latent success+error+timeout+rejected). 34
Netflix DependencyCommand Implementation 35
Netflix DependencyCommand Implementation 36
Netflix DependencyCommand Implementation 37
Netflix DependencyCommand Implementation 38
Netflix DependencyCommand Implementation 39
Netflix DependencyCommand Implementation 40
Netflix DependencyCommand Implementation Fallbacks Cache Eventual Consistency Stubbed Data Empty Response 41
Netflix DependencyCommand Implementation 42
Netflix DependencyCommand Implementation 43
Rolling Number Realtime Stats and Decision Making 44
Request Collapsing Take advantage of resiliency to improve efficiency 45
Request Collapsing Take advantage of resiliency to improve efficiency 46
47
Fail fast. Fail silent. Fallback. Shed load. 48
Questions & More Information Fault Tolerance in a High Volume, Distributed System http://techblog.netflix.com/2012/02/fault-tolerance-in-high-volume.html Making the Netflix API More Resilient http://techblog.netflix.com/2011/12/making-netflix-api-more-resilient.html Ben Christensen @benjchristensen http://www.linkedin.com/in/benjchristensen 49

More Related Content

PDF
Command pattern vs. MVC: Lean Beans (are made of this)
byphilipdurbin
 
PDF
Resilence patterns kr
byJisung Ahn
 
PDF
Postman quick-reference-guide 2021
byJuan De Dios Baudazio Sánchez
 
PDF
Advanced RAC troubleshooting: Network
byRiyaj Shamsudeen
 
PPT
Java util concurrent
byRoger Xia
 
PPT
Threads
byAbhishek Khune
 
PDF
Mvcc Unmasked (Bruce Momjian)
byOntico
 
PDF
Distributed systems at ok.ru #rigadevday
byodnoklassniki.ru
 
Command pattern vs. MVC: Lean Beans (are made of this)
byphilipdurbin
 
Resilence patterns kr
byJisung Ahn
 
Postman quick-reference-guide 2021
byJuan De Dios Baudazio Sánchez
 
Advanced RAC troubleshooting: Network
byRiyaj Shamsudeen
 
Java util concurrent
byRoger Xia
 
Threads
byAbhishek Khune
 
Mvcc Unmasked (Bruce Momjian)
byOntico
 
Distributed systems at ok.ru #rigadevday
byodnoklassniki.ru
 

What's hot

PDF
Performance tuning a quick intoduction
byRiyaj Shamsudeen
 
PDF
你所不知道的Oracle后台进程Smon功能
bymaclean liu
 
PPT
370410176 moshell-commands
bynanker phelge
 
PPT
Tracing Parallel Execution (UKOUG 2006)
byDoug Burns
 
PPT
Introduction to Parallel Execution
byDoug Burns
 
PDF
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
bymaclean liu
 
PDF
Rac introduction
byRiyaj Shamsudeen
 
PDF
pstack, truss etc to understand deeper issues in Oracle database
byRiyaj Shamsudeen
 
PDF
Riyaj real world performance issues rac focus
byRiyaj Shamsudeen
 
PDF
A deep dive about VIP,HAIP, and SCAN
byRiyaj Shamsudeen
 
PDF
Varnish presentation for the Symfony Zaragoza user group
byJorge Nerín
 
PDF
Writing Plugged-in Java EE Apps: Jason Lee
byjaxconf
 
ODP
The Next Step in AS3 Framework Evolution
byFITC
 
PDF
Percona XtraDB 集群文档
byYUCHENG HU
 
PPTX
JavaPerformanceChapter_3
bySaurav Basu
 
PDF
A close encounter_with_real_world_and_odd_perf_issues
byRiyaj Shamsudeen
 
PDF
Virtual machine re building
byMartin Dominguez Alvarez
 
PDF
Xen server 6.0 xe command reference (1.1)
byTimote Lima
 
PDF
Groovy 2.0 - Devoxx France 2012
byGuillaume Laforge
 
KEY
Groovy update - S2GForum London 2011 - Guillaume Laforge
byGuillaume Laforge
 
Performance tuning a quick intoduction
byRiyaj Shamsudeen
 
你所不知道的Oracle后台进程Smon功能
bymaclean liu
 
370410176 moshell-commands
bynanker phelge
 
Tracing Parallel Execution (UKOUG 2006)
byDoug Burns
 
Introduction to Parallel Execution
byDoug Burns
 
【Maclean liu技术分享】拨开oracle cbo优化器迷雾,探究histogram直方图之秘 0321
bymaclean liu
 
Rac introduction
byRiyaj Shamsudeen
 
pstack, truss etc to understand deeper issues in Oracle database
byRiyaj Shamsudeen
 
Riyaj real world performance issues rac focus
byRiyaj Shamsudeen
 
A deep dive about VIP,HAIP, and SCAN
byRiyaj Shamsudeen
 
Varnish presentation for the Symfony Zaragoza user group
byJorge Nerín
 
Writing Plugged-in Java EE Apps: Jason Lee
byjaxconf
 
The Next Step in AS3 Framework Evolution
byFITC
 
Percona XtraDB 集群文档
byYUCHENG HU
 
JavaPerformanceChapter_3
bySaurav Basu
 
A close encounter_with_real_world_and_odd_perf_issues
byRiyaj Shamsudeen
 
Virtual machine re building
byMartin Dominguez Alvarez
 
Xen server 6.0 xe command reference (1.1)
byTimote Lima
 
Groovy 2.0 - Devoxx France 2012
byGuillaume Laforge
 
Groovy update - S2GForum London 2011 - Guillaume Laforge
byGuillaume Laforge
 

Similar to Fault Tolerance in a High Volume, Distributed System

ODP
Concurrent Programming in Java
byRuben Inoto Soto
 
ODP
Java Concurrency, Memory Model, and Trends
byCarol McDonald
 
PDF
Introduction of failsafe
bySunghyouk Bae
 
PDF
Java synchronizers
byts_v_murthy
 
PPTX
Could Virtual Threads cast away the usage of Kotlin Coroutines
byJoão Esperancinha
 
PPTX
Concurrency Programming in Java - 07 - High-level Concurrency objects, Lock O...
bySachintha Gunasena
 
PDF
Java concurrency
byAbhijit Gaikwad
 
PPTX
Concurrency in Java
byAllan Huang
 
KEY
Modern Java Concurrency
byBen Evans
 
PPT
Java multi threading
byRaja Sekhar
 
PPTX
Java concurrency in practice
byMikalai Alimenkou
 
PPTX
Circuit breaker pattern
byAnkit Gubrani
 
PDF
Semaphore in Java with Example.pdf
bySudhanshiBakre1
 
ODP
Java Concurrency
byCarol McDonald
 
PDF
Fault tolerance made easy
byUwe Friedrichsen
 
PDF
Circuit breaker
bybricemciver
 
PDF
Xebia Knowledge Exchange (feb 2011) - Large Scale Web Development
byMichaël Figuière
 
PDF
Reactive mistakes - ScalaDays Chicago 2017
byPetr Zapletal
 
ODP
Pick up the low-hanging concurrency fruit
byVaclav Pech
 
PPTX
JDD 2017: Resilience of the external system call with circuit breaker (Jacek ...
byPROIDEA
 
Concurrent Programming in Java
byRuben Inoto Soto
 
Java Concurrency, Memory Model, and Trends
byCarol McDonald
 
Introduction of failsafe
bySunghyouk Bae
 
Java synchronizers
byts_v_murthy
 
Could Virtual Threads cast away the usage of Kotlin Coroutines
byJoão Esperancinha
 
Concurrency Programming in Java - 07 - High-level Concurrency objects, Lock O...
bySachintha Gunasena
 
Java concurrency
byAbhijit Gaikwad
 
Concurrency in Java
byAllan Huang
 
Modern Java Concurrency
byBen Evans
 
Java multi threading
byRaja Sekhar
 
Java concurrency in practice
byMikalai Alimenkou
 
Circuit breaker pattern
byAnkit Gubrani
 
Semaphore in Java with Example.pdf
bySudhanshiBakre1
 
Java Concurrency
byCarol McDonald
 
Fault tolerance made easy
byUwe Friedrichsen
 
Circuit breaker
bybricemciver
 
Xebia Knowledge Exchange (feb 2011) - Large Scale Web Development
byMichaël Figuière
 
Reactive mistakes - ScalaDays Chicago 2017
byPetr Zapletal
 
Pick up the low-hanging concurrency fruit
byVaclav Pech
 
JDD 2017: Resilience of the external system call with circuit breaker (Jacek ...
byPROIDEA
 

Recently uploaded

PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PDF
Top 10 AI Development Companies in UK 2025
bycollinmishell2
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PPTX
How to Choose the Right Vendor for ADA PDF Accessibility and Compliance in 2026
bydocumenta11y
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
Top 10 AI Development Companies in UK 2025
bycollinmishell2
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
How to Choose the Right Vendor for ADA PDF Accessibility and Compliance in 2026
bydocumenta11y
 

Fault Tolerance in a High Volume, Distributed System

  • 1.
    Fault Tolerance ina High Volume, Distributed System Ben Christensen Software Engineer – API Platform at Netflix @benjchristensen http://www.linkedin.com/in/benjchristensen 1
  • 2.
    Dozens of dependencies. One going down takes everything down. 99.99%30 = 99.7% uptime 0.3% of 1 billion = 3,000,000 failures 2+ hours downtime/month even if all dependencies have excellent uptime. Reality is generally worse. 2
  • 3.
  • 4.
  • 5.
  • 6.
    No single dependencyshould take down the entire app. Fail fast. Fail silent. Fallback. Shed load. 6
  • 7.
    Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 7
  • 8.
    Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 8
  • 9.
    Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 9
  • 10.
    Semaphores (Tryable): LimitedConcurrency TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire()) { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } 10
  • 11.
    Semaphores (Tryable): LimitedConcurrency TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire()) { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } 11
  • 12.
    Semaphores (Tryable): LimitedConcurrency TryableSemaphore executionSemaphore = getExecutionSemaphore(); // acquire a permit if (executionSemaphore.tryAcquire()) { try { return executeCommand(); } finally { executionSemaphore.release(); } } else { circuitBreaker.markSemaphoreRejection(); // permit not available so return fallback return getFallback(); } 12
  • 13.
    Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 13
  • 14.
    Separate Threads: LimitedConcurrency try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } 14
  • 15.
    Separate Threads: LimitedConcurrency try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command RejectedExecutionException because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } 15
  • 16.
    Separate Threads: LimitedConcurrency try { if (!threadPool.isQueueSpaceAvailable()) { // we are at the property defined max so want to throw the RejectedExecutionException to simulate // reaching the real max and go through the same codepath and behavior throw new RejectedExecutionException("Rejected command RejectedExecutionException because thread-pool queueSize is at rejection threshold."); } ... define Callable that performs executeCommand() ... // submit the work to the thread-pool return threadPool.submit(command); } catch (RejectedExecutionException e) { circuitBreaker.markThreadPoolRejection(); // rejected so return fallback return getFallback(); } 16
  • 17.
    Separate Threads: Timeout Override of Future.get() public K get() throws CancellationException, InterruptedException, ExecutionException { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } 17
  • 18.
    Separate Threads: Timeout Override of Future.get() public K get() throws CancellationException, InterruptedException, ExecutionException { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } 18
  • 19.
    Separate Threads: Timeout Override of Future.get() public K get() throws CancellationException, InterruptedException, ExecutionException { try { long timeout = getCircuitBreaker().getCommandTimeoutInMilliseconds(); return get(timeout, TimeUnit.MILLISECONDS); } catch (TimeoutException e) { // report timeout failure circuitBreaker.markTimeout( System.currentTimeMillis() - startTime); // retrieve the fallback return getFallback(); } } 19
  • 20.
    Options Aggressive Network Timeouts Semaphores (Tryable) Separate Threads Circuit Breaker 20
  • 21.
    Circuit Breaker if (circuitBreaker.allowRequest()){ return executeCommand(); } else { // short-circuit and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } 21
  • 22.
    Circuit Breaker if (circuitBreaker.allowRequest()){ return executeCommand(); } else { // short-circuit and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } 22
  • 23.
    Circuit Breaker if (circuitBreaker.allowRequest()){ return executeCommand(); } else { // short-circuit and go directly to fallback circuitBreaker.markShortCircuited(); return getFallback(); } 23
  • 24.
    Netflix uses all4 in combination 24
  • 25.
  • 26.
    Tryable semaphores for“trusted” clients and fallbacks Separate threads for “untrusted” clients Aggressive timeouts on threads and network calls to “give up and move on” Circuit breakers as the “release valve” 26
  • 27.
  • 28.
  • 29.
  • 30.
    Benefits of SeparateThreads Protection from client libraries Lower risk to accept new/updated clients Quick recovery from failure Client misconfiguration Client service performance characteristic changes Built-in concurrency 30
  • 31.
    Drawbacks of SeparateThreads Some computational overhead Load on machine can be pushed too far ... Benefits outweigh drawbacks when clients are “untrusted” 31
  • 32.
  • 33.
    Visualizing Circuits inRealtime (generally sub-second latency) Video available at https://vimeo.com/33576628 33
  • 34.
    Rolling 10 secondcounter – 1 second granularity Median Mean 90th 99th 99.5th Latent Error Timeout Rejected Error Percentage (error+timeout+rejected)/ (success+latent success+error+timeout+rejected). 34
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
    Netflix DependencyCommand Implementation Fallbacks Cache Eventual Consistency Stubbed Data Empty Response 41
  • 42.
  • 43.
  • 44.
    Rolling Number Realtime Statsand Decision Making 44
  • 45.
    Request Collapsing Take advantageof resiliency to improve efficiency 45
  • 46.
    Request Collapsing Take advantageof resiliency to improve efficiency 46
  • 47.
  • 48.
  • 49.
    Questions & MoreInformation Fault Tolerance in a High Volume, Distributed System http://techblog.netflix.com/2012/02/fault-tolerance-in-high-volume.html Making the Netflix API More Resilient http://techblog.netflix.com/2011/12/making-netflix-api-more-resilient.html Ben Christensen @benjchristensen http://www.linkedin.com/in/benjchristensen 49