managing failure modes in microservice
play

Managing Failure Modes in Microservice Architectures Adrian - PowerPoint PPT Presentation

Apr 01, 2024 •179 likes •745 views

Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud Architecture Strategy Datacenter to cloud migrations are under-way for the most business and safety critical workloads AWS and our partners are

  1. Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud Architecture Strategy

  2. Datacenter to cloud migrations are under-way for the most business and safety critical workloads AWS and our partners are developing patterns, solutions and services for customers in all industries including travel, finance, healthcare, manufacturing…

  3. Resilience Present Past Future Disaster Chaos Continuous recovery engineering Resilience

  4. “If we change the name from chaos engineering to continuous resilience, will you let us do it all the time in production?”

  5. You can only be as strong as your weakest link Dedicated teams are needed to find weaknesses before they take you out!

  6. Availability, Safety and Security have similar characteristics Hard to measure near misses Hard to model complex dependencies Catastrophic failure modes

  7. Availability, Safety and Security have similar mitigations Layered defense in depth Bulkheads to contain blast radius Minimize dependencies/privilege

  8. Availability, Safety and Security Break Each Other Security breaks availability Availability breaks safety Etc.

  9. What should Stop? your system do when something fails? Carry on with reduced functionality? Collapse horribly?

  10. Permissive failure, what’s What should If a permissions the real cost your system do look up fails, of continuing? when should you stop or something fails? continue? See Memories, Guesses, and Apologies by Pat Helland

  11. If a permissions Do you have How often do you look up fails, failover apps to it? a backup should you stop or datacenter? continue? How often do you failover the whole datacenter at once? “Availability Theater”

  12. A fairy tale… Once upon a time, in theory, if everything works perfectly, we have a plan to survive the How did that work disasters we thought of in advance. out?

  13. Forgot to renew domain name… SaaS vendor Didn’t update security certificate and it expired… Entertainment site Datacenter flooded in hurricane Sandy… Finance company, Jersey City Whoops! YOU, tomorrow

  14. Drift into Failure Sydney Dekker Everyone can locally optimize for the right outcome at every step, and you may still get a catastrophic failure as a result… We need to capture and learn from near misses, test and measure the safety margins, before things go wrong.

  15. Chaos People architecture Application Tools Tools Four layers Chaos Security Two teams Switching Engineering Red An attitude — Team Team Infrastructure Find the weakest link

  16. Defense In Depth Experienced staff Robust applications Dependable switching fabric Redundant service foundation

  17. “You can’t legislate against failure, focus on fast detection and response.” — Chris Pinkham

  18. Monitorama Keynote by @adrianco May 2014 https://www.slideshare.net/adriancockcroft/monitorama-please-no-more

  19. Monitorama Keynote by @adrianco May 2014 https://www.slideshare.net/adriancockcroft/monitorama-please-no-more

  20. Kalman, 1961 paper On the general theory of control systems A system is observable If the behavior of the entire system can be determined by only Observability looking at its inputs and outputs Physical and software control systems are based on models, remember all models are wrong, but some models are useful…

  21. Engineering a Safer World Systems Thinking Applied to Safety Nancy G. Leveson STPA – Systems Theoretic Process Analysis STAMP – Systems Theoretic Accident Model & Processes http://psas.scripts.mit.edu for handbook and talks

  22. Observability STPA Model (System Theoretic Process Analysis)

  23. Throughput Observability Control Plane STPA Model Understand Hazards that could disrupt successful Data Plane application processing Financial Services App Customer Completed requests actions

  24. Throughput STPA Hazards Human Control Action: Not provided Control Plane Unsafe action Safe but too early Safe but too late Wrong sequence Stopped too soon Data Plane Applied too long Financial Services App Conflicts Customer Completed Coordination problems requests actions Degradation over time

  25. Throughput STPA Hazards Sensor Metrics: Missing updates Control Plane Zeroed Overflowed Corrupted Out of order Updates too rapid Data Plane Updates infrequent Financial Services App Updates delayed Customer Completed Coordination problems requests actions Degradation over time

  26. Throughput STPA Hazards Model problems: Model mismatch Control Plane Missing inputs Missing updates Updates too rapid Updates infrequent Updates delayed Data Plane Coordination problems Financial Services App Degradation over time Customer Completed requests actions

  27. Pilot STPA Hazards Model problems: Model mismatch Anti-Stall System Missing inputs Coordination problems Pilots were not trained on the new anti-stall Aircraft algorithm Boeing 737 MAX8 Airspeed Elevator

  28. How do we usually calculate risk? Severity * Probability = Risk Assumes that we can determine severity and probability Assumes we always detect the failure when it occurs Basic model for financial and economic risk analysis

  29. Failure Modes and Effects Analysis (FMEA) Engineering oriented risk analysis Severity * Probability * Detectability = Risk Add observability to mitigate silent failures Discuss and record component level failure modes Prioritize mitigation work where it will do most good

  30. FMEA for Web Services - Layered Responsibility Product Managers and Developers – unique business logic Software Platform Team – standard components and services Infrastructure Platform Team – resources, regions and networks Resilience Engineering – observability and incident management FMEA Spreadsheets: github.com/adrianco/slides

  31. FMEA Severity Mapped to Infrastructure Effect SEVERITY of Effect Ranking Hazardous without Earthquake or meteorite destroys datacenter building, no warning, people injured 10 warning Hazardous with warning Hurricane or tornado destroys datacenter building, several days warning, people 9 injured Very High Datacenter flooded, compute and storage systems destroyed, building ok 8 High Fire in datacenter, suppression system saves building, partial permanent 7 compute and storage loss Moderate Hardware failure, CPU, disk, or power supply needs replacement. Often occurs 6 after power or cooling failures. Low Power cut, cooling failure or network partition. Compute and storage returns 5 when power, cooling and network are restored Very Low System operable with significant degradation of performance 4 Minor System operable with some degradation of performance 3 Very Minor System operable with minimal interference 2 None No effect 1

  32. FMEA Probability Per Service Request Guess to start with, then measure in production PROBABILITY of Failure Failure Prob Ranking 10 Very High: Failure is almost inevitable >1 in 2 9 1 in 3 8 High: Repeated failures 1 in 8 7 1 in 20 6 Moderate: Occasional failures 1 in 80 5 1 in 400 4 1 in 2,000 3 Low: Relatively few failures 1 in 15,000 2 1 in 150,000 1 Remote: Failure is unlikely <1 in 1,500,000

  33. FMEA Detectability Needs an observable monitoring alert to detect a failure Detection Likelihood of DETECTION by Design Control Ranking Absolute Uncertainty Design control cannot detect potential cause/mechanism and subsequent failure 10 mode Very Remote Very remote chance the design control will detect potential 9 cause/mechanism and subsequent failure mode Remote Remote chance the design control will detect potential cause/mechanism 8 and subsequent failure mode Very Low Very low chance the design control will detect potential cause/mechanism 7 and subsequent failure mode Low Low chance the design control will detect potential cause/mechanism and 6 subsequent failure mode Moderate Moderate chance the design control will detect potential cause/mechanism 5 and subsequent failure mode Moderately High Moderately High chance the design control will detect potential 4 cause/mechanism and subsequent failure mode High High chance the design control will detect potential cause/mechanism and 3 subsequent failure mode Very High Very high chance the design control will detect potential cause/mechanism 2 and subsequent failure mode Almost Certain Design control will detect potential cause/mechanism and subsequent failure 1 mode

  34. FMEA Example – Application Level Customer is trying to obtain an IP address for a service what could go wrong? Lookup service? DNS No response…

  35. FMEA Example – Application Level Customer is trying to make a request to a service what could go wrong? Connect to host No route

  36. FMEA Example – Application Level Customer is trying to make a request to a service what could go wrong? Connect to host Undeliverable

  37. FMEA Example – Application Level Customer is trying to make a request to a service what could go wrong? Connect to host Connect to host Connected Retry Timeout 100ms

  38. FMEA Example – Application Level See full spreadsheets github.com/adrianco/slides for more failure modes

  39. FMEA Example – Application Level Customer is trying to make a request to a service what could go wrong? Hi, I’m user123 Auth failure Log: 25ms user123 Auth failure

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mechanical Failure Modes Fracture Fatigue Creep An oil tanker that fractured in a

Mechanical Failure Modes Fracture Fatigue Creep An oil tanker that fractured in a

Kasetsart University 213211: Mechanical Failure Mechanical Failure Modes Fracture Fatigue Creep An oil tanker that fractured in a brittle manner by crack propagation around its girth. 144 Dr.Peerapong Triyacharoen Department of

573 views • 12 slides
Failure Modes and Effects Analysis (FMEA) Failure Modes and Effects Analysis (FMEA) to Outcomes

Failure Modes and Effects Analysis (FMEA) Failure Modes and Effects Analysis (FMEA) to Outcomes

Department of Department of Electrical and Computer Engineering Electrical and Computer Engineering Adapting Adapting Failure Modes and Effects Analysis (FMEA) Failure Modes and Effects Analysis (FMEA) to Outcomes Assessment to Outcomes

488 views • 13 slides
BCG Failure: Defining Failure and Managing Difficult Patients Don Lamm, MD Clinical Professor of

BCG Failure: Defining Failure and Managing Difficult Patients Don Lamm, MD Clinical Professor of

BCG Failure: Defining Failure and Managing Difficult Patients Don Lamm, MD Clinical Professor of Urology University of Arizona, Bladder Cancer, Genitourinary Oncology, Phoenix AZ Perspectives in Urology, PCP. Scottsdale, November 14, 2019

486 views • 11 slides
Failure Modes and Failure Modes and Effects Analysis Effects Analysis Supported by the Ontario

Failure Modes and Failure Modes and Effects Analysis Effects Analysis Supported by the Ontario

Patient Safety Support Service &amp; Patient Safety Support Service &amp; Medication Safety Support Service Medication Safety Support Service Workshop Workshop Failure Modes and Failure Modes and Effects Analysis Effects Analysis Supported

813 views • 79 slides
Detailed Task Analysis and Failure Modes and Effects Analysis HFE Requirements Development

Detailed Task Analysis and Failure Modes and Effects Analysis HFE Requirements Development

Detailed Task Analysis and Failure Modes and Effects Analysis HFE Requirements Development Sources Customer Subject Matter Experts Users, operators Existing, similar systems Brainstorming Task Analysis Goals

700 views • 25 slides
Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation Experience Sharing Ivan Hsieh P .1 Agenda Microservice Architecture How to break a Monolith into Microservices

519 views • 36 slides
Performance Testing What are the most common or typical failure modes in a packaging system, not

Performance Testing What are the most common or typical failure modes in a packaging system, not

Design Flaws and Performance Testing What are the most common or typical failure modes in a packaging system, not only the sterile barrier system but within the entire packaging system? 1 Accreditations &amp; Certification &amp; Membership

1.45k views • 31 slides
The case study of the multiple seismic failure modes for SPRA DongWon Lee a * a Korea Institute of

The case study of the multiple seismic failure modes for SPRA DongWon Lee a * a Korea Institute of

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 The case study of the multiple seismic failure modes for SPRA DongWon Lee a * a Korea Institute of Nuclear Safety, 62 Gwahak-Ro, Yuseong-Gu, Daejeon, 34142 *

70 views • 3 slides
FREE FALL LIFEBOAT LAUNCHING RISK ASSESSMENT USING FAILURE MODES AND EFFECTS ANALYSIS METHOD

FREE FALL LIFEBOAT LAUNCHING RISK ASSESSMENT USING FAILURE MODES AND EFFECTS ANALYSIS METHOD

FREE FALL LIFEBOAT LAUNCHING RISK ASSESSMENT USING FAILURE MODES AND EFFECTS ANALYSIS METHOD TEUKU IRMANSYAH 4212101020 TAUFIK FAJAR NUGROHO, ST. M.SC. DR. ENG. M. BADRUS ZAMAN, S.T., M.T. OUTLINE BACKGROUND OBJECTIVE Research

212 views • 19 slides
managing frailty in patients with Heart Failure Zviad Kipiani MD. Ph.D. F.E.S.C. MSc (London

managing frailty in patients with Heart Failure Zviad Kipiani MD. Ph.D. F.E.S.C. MSc (London

I have a Frail HF Patient managing frailty in patients with Heart Failure Zviad Kipiani MD. Ph.D. F.E.S.C. MSc (London School of Economics and political Science) Heart Failure Specialist (University of Zurich ) Head Of Cardiology

676 views • 13 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (9/28/04) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (9/28/04) I E S R C E O V U

VLSI Design Verification and Test Defects CMPE 646 Failures in Integrated Circuits Failure mode is used in reference to the manifestation of a &quot;defect&quot; at the elec- trical level . Failure modes are modeled as faults at logic or

402 views • 16 slides
DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and

DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and

DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes Presented by N7MOT Lenny Gemar Amateur radio began with spark gap transmitters, evolving to Morse code and analog voice

442 views • 20 slides
EXAMINING RISK FAILURE MODES EFFECT ANALYSIS (FMEA) LYNNE SLIVOVSKY CPE 450 W2016 1 Source:

EXAMINING RISK FAILURE MODES EFFECT ANALYSIS (FMEA) LYNNE SLIVOVSKY CPE 450 W2016 1 Source:

1/11/16 EXAMINING RISK FAILURE MODES EFFECT ANALYSIS (FMEA) LYNNE SLIVOVSKY CPE 450 W2016 1 Source: http://www.petzl.com/de/en/outdoor/headlamps/batteries RISK IN A NUTSHELL 5 Risk

634 views • 12 slides
PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE

736 views • 61 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis Gkikopoulos, PhD student and research assistant, ZHAW and UNINE, Switzerland The Microservice Pattern An increasingly prevalent approach to

300 views • 15 slides
Verifying the CPA Networking Stack using SPIN/Promela Kevin Chalmers and Jon Kerridge Edinburgh

Verifying the CPA Networking Stack using SPIN/Promela Kevin Chalmers and Jon Kerridge Edinburgh

Verifying the CPA Networking Stack using SPIN/Promela Kevin Chalmers and Jon Kerridge Edinburgh Napier University Breakdown Introduction and Motivation CPA Networking Stack Architecture Operation SPIN Model of the CPA

468 views • 26 slides
A Successful Example of a Layered Architecture Based Embedded Development with Ada 83 for

A Successful Example of a Layered Architecture Based Embedded Development with Ada 83 for

A Successful Example of a Layered Architecture Based Embedded Development with Ada 83 for Standard-Missile Control Kelly L. Spicer Raytheon Missile Systems Missile Software Engineering Center Tucson, Arizona 520-663-7020

755 views • 38 slides
Polytechnique December 2017 Polytechnique December 2017 Introducing LTTng Scope Content

Polytechnique December 2017 Polytechnique December 2017 Introducing LTTng Scope Content

Polytechnique December 2017 Polytechnique December 2017 Introducing LTTng Scope Content Content Project goals User experience design goals User interface design Architecture Current status Demo Roadmap

394 views • 24 slides
TUT1151 Simplifying AI Applications with containers and Kubernetes Glyn Bowden, Chief

TUT1151 Simplifying AI Applications with containers and Kubernetes Glyn Bowden, Chief

TUT1151 Simplifying AI Applications with containers and Kubernetes Glyn Bowden, Chief Architect, AI &amp; Data Science Practice SUSECON 2019 The world is replacing programming with training 23 million developers worldwide 4 in 10 companies

443 views • 21 slides
A Component Architecture for an Extensible, Highly Integrated Context-Aware Computing

A Component Architecture for an Extensible, Highly Integrated Context-Aware Computing

A Component Architecture for an Extensible, Highly Integrated Context-Aware Computing Infrastructure William G. Griswold, Robert Boyer, Steven W. Brown, and Tan Minh Truong University of California, San Diego ICSE 2003 - Portland, Oregon

753 views • 18 slides
FreningsSparbanken Gert Engman Group EVP and Chief Information Officer 2 IT-costs and EMU

FreningsSparbanken Gert Engman Group EVP and Chief Information Officer 2 IT-costs and EMU

FreningsSparbanken Gert Engman Group EVP and Chief Information Officer 2 IT-costs and EMU preparations 3 IT-costs FSPA group % SEK M 2 600 19,5 2 400 19,0 2 200 18,5 2 000 18,0 1 800 17,5 1 600 17,0 1 400 16,5 1 200 16,0 1

282 views • 13 slides
Berkeley-DB for Text/Multimedia Retrieval Chun Jin Language Technologies Institute School of

Berkeley-DB for Text/Multimedia Retrieval Chun Jin Language Technologies Institute School of

Berkeley-DB for Text/Multimedia Retrieval Chun Jin Language Technologies Institute School of Computer Science Carnegie Mellon University Motivation Recent advance in text/multimedia retrieval: good algorithms Scalability issue

522 views • 17 slides
Optimizing the cost of vaccine deliveries a model- costed determination of key levers that

Optimizing the cost of vaccine deliveries a model- costed determination of key levers that

Optimizing the cost of vaccine deliveries a model- costed determination of key levers that influence vaccine delivery costs in Kano, Nigeria. Oluwaleke Jegede Muyi Aina Uchenna Igbokwe Chimelu Okongwu Solina Center for International

709 views • 22 slides

More recommend