Applying principles of chaos engineering to serverless (reinvent DVC305)

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Applying Principles of Chaos
Engineering to Serverless
Yan Cui
Principal Engineer
DAZN
D V C 3 0 5

Agenda
What is chaos engineering?
New challenges with serverless
Applying latency injection to serverless
Applying error injection to serverless

After the talk
Slides will be shared on Slideshare
Recording will be posted on YouTube within 48 hours
Find the links on https://theburningmonk.com/reinvent2018

What is chaos engineering?

Chaos engineering is the discipline of experimenting on a distributed system
in order to build confidence in the system’s capability
to withstand turbulent conditions in production.
- principlesofchaos.org

Smallpox
Earliest evidence of disease in third century BC Egyptian mummy
Estimated 400K deaths per year in eighteenth century Europe

History of vaccination
First vaccine was developed in
1798 by Edward Jenner
https://en.wikipedia.org/wiki/Edward_Jenner

WHO certified global eradication
in 1980
https://en.wikipedia.org/wiki/Edward_Jenner

https://en.wikipedia.org/wiki/Vaccine

Vaccination is the most effective method to prevent infectious diseases

Vaccines stimulate the immune system to recognize and destroy the
disease before contracting it for real

Chaos engineering
Use controlled experiments to inject failures into our system

Chaos engineering
Help us learn about our system’s behavior and uncover unknown failure
modes, before they manifest like wildfire in production

Chaos engineering
Lets us build confidence in its ability to withstand turbulent conditions

Chaos engineering is the vaccine to frailties in modern software

Who am I?
Principal engineer at DAZN
AWS Serverless hero
Author of Production-Ready Serverless* course by Manning.
Blogger**, speaker.
* https://bit.ly/production-ready-serverless
** https://theburningmonk.com

About DAZN
Available in seven countries—Austria, Switzerland, Germany,
Japan, Canada, Italy, and USA
Available on 30+ platforms

About DAZN
Around 1,000,000 concurrent viewers at peak

Chaos engineering has an image problem

Too much emphasis is on breaking things

Easy to conflate the action of injecting failures with the payback

The goal is to learn about the system and build confidence

The goal is not to break things

Chaos in practice
Four steps to start running chaos
experiments yourself

STEP 1. Define “steady state”
What does normal, working
condition looks like?

this is not a
steady state

Hypothesize steady state will
continue in both control group
& the experiment group
In other words, you should have a reasonable degree of
confidence the system would handle the failure before you
proceed with the experiment
STEP 2.

Chaos in practice
Explore unknown unknowns away from production

Chaos in practice
Experiments that graduate to production should be carefully
considered and planned
You should have reasonable confidence in the system before
running experiments in production

Chaos in practice
Treat production with the care it deserves

Chaos in practice
If you knew the system would break and you did it anyway,
then it’s not a chaos experiment!
It’s called being irresponsible.

STEP 3. Inject realistic failures
For example, server crash, network
error, HD malfunction, more

Chaos in practice
Netflix’s Simian Army:
https://github.com/Netflix/SimianArmy
Chaos Engineering ebook (O’Reilly): http://oreil.ly/2tZU1Sn

STEP 4. Disprove hypothesis
In other words, look for difference
in steady state

Chaos in practice
Look for evidence that steady state was impacted by the
injected failure

Chaos in practice
Address weaknesses before failures happen for real

Containment
Experiments needs to be controlled

Containment
Ensure everyone knows what you are doing
Don’t surprise your teammates

Containment
Run experiments during office hours

Containment
Avoid important dates

Containment
Make the smallest change necessary to prove or disprove hypothesis

Containment
Have a rollback plan
Stop the experiment right away if things start to go wrong

Containment
Don’t start in production
Can learn a lot by running experiments in staging

by Russ Miles @russmiles
source https://medium.com/russmiles/chaos-engineering-for-the-business-17b723f26361

New challenges with serverless

chaos monkey kills an
Amazon Elastic Cloud
(Amazon EC2) instance
latency monkey induces
artificial delay in APIs
chaos gorilla kills an AWS
Availability Zone
chaos kong kills an entire
AWS region

Serverless challenges
There are no servers that you can access and kill

There is more inherent chaos and complexity in a
serverless architecture.

Smaller units of deployment, but a lot more of them

serverful
serverlessServerless challenges

Every function needs to be correctly configured and secured

Kinesis
?
SNS
CloudWatch
Events
CloudWatch
LogsIoT
Core
DynamoDB
S3 SES

A lot of managed, intermediate services
Each with its own set of failure modes

Unknown failure modes in the infrastructure we don’t control

Often there’s little we can do when an outage occurs in the platform

Common weaknesses

Common weaknesses
Improperly tuned timeouts

Common weaknesses
Missing error handling

Common weaknesses
Missing fallback

Common weaknesses
Missing regional failover

Latency injection with serverless

Defining steady state
What metrics do you use?

Defining steady state
p95/p99 latencies, error count, backlog size, yield*, harvest**
* percentage of requests completed
** completeness of the returned response

API Gateway
Serverless considerations

Serverless considerations
Consider the effect of cold starts
How does it affect your strategy
for handling slow responses

Request timeouts
Strategy should:

Request timeouts
Strategy should:
1. Give requests the best chance to succeed

Request timeouts
Strategy should:
1. Give requests the best chance to succeed
2. Do not allow slow response to timeout the caller function

Request timeouts
Finding the right timeout value is tricky

Request timeouts
Too short: requests not given the best chance to succeed

Request timeouts
Too long: risk timing out the calling function

Request timeouts
Even more complicated when you have multiple integration points

Approach 1: Split invocation time equally
(for example, 3 requests, 6s function timeout = 2s timeout per request)

Approach 2: Every request is given nearly all the invocation time
(for example, 3 requests, 6s function timeout = 5s timeout per request)

Request timeouts
Proposal: set request timeouts dynamically based on
invocation time left

Request timeouts

Set timeout based on remaining invocation time

Recovery steps
Log the timeout with as much context as possible
The API, timeout value, correlation IDs, request object, and more

Recovery steps
Record custom metrics

Recovery steps
Use fallbacks

Recovery steps
Be mindful when you sacrifice precision for availability
User experience is the king

Where to inject latency?

Hypothesis:
Function has appropriate timeout on its HTTP communications
and can degrade gracefully when these requests time out

Should be applied to third-party services too
DynamoDB, Twillio, Auth0 …

Be mindful of the blast radius of the experiment

http client
public-api-a
http client
public-api-b
internal-api

Hypothesis:
All functions have appropriate timeout on their HTTP
communications to this internal API and can degrade
gracefully when requests are timed out

Large blast radius, can cause cascade failures unintentionally

Priming (psychology):
Priming is a technique whereby exposure to one stimulus
influences a response to a subsequent stimulus, without
conscious guidance or intention
It is a technique in psychology used to train a person's
memory both in positive and negative ways

Use failure injection to program your colleagues into
thinking about failure modes early.

Make X% of all requests slow
in the dev environment

Hypothesis:
The client app has appropriate timeout on their HTTP
communication with the server and can degrade gracefully
when requests are timed out

How to inject latency?

Static weavers (such as PostSharp, AspectJ)
Dynamic proxies

https://theburningmonk.com/2015/04/design-for-latency-issues/

Manually crafted wrapper libraries

Configured in SSM Parameter Store

No injected latency

With injected latency

Factory wrapper function
(think bluebird’s promisifyAll function)

Error injection with serverless

Common errors
HTTP 5XX
Amazon DynamoDB provisioned throughput exceeded
Throttled AWS Lambda invocations

Hypothesis:
Function has appropriate error handling on its HTTP communications
and can degrade gracefully when downstream dependencies fail

Where to inject errors?

Hypothesis:
Function has appropriate error handling on DynamoDB operations and
can degrade gracefully when DynamoDB throughputs are exceeded

Where to inject errors?
Induce Lambda throttling by temporarily setting reserve concurrency

Recap

The only way to truly know your system’s
resilience against failures is to test it
through CONTROLLED experiments

The goal of chaos engineering is NOT to
actually break production

CONTAINMENT should be front and
centre of your thinking

There is more inherent chaos and
complexity in a serverless application

Even without servers, you can still inject
CONTROLLED failures at the application level

Thank you!
Yan Cui
@theburningmonk
https://theburningmonk.com

Related breakouts
Wednesday, Nov 28
SRV425-R - Best Practices for Building Multi-Region, Active-Active Serverless Applications
4:00PM – 5:00PM | Venetian, Level 4, Lando 4305
Wednesday, Nov 28
SRV343-R - Best Practices for Safe Deployments on AWS Lambda and Amazon API Gateway
4:45PM – 5:45PM | MGM, Level 1, South Concourse 105
Thursday, Nov 29
ARC308 - Chaos Engineering and Scalability at Audible.com
1:00PM – 2:00PM | Aria West, Level 3, Ironwood 5

Please complete the session
survey in the mobile app.
!

Applying principles of chaos engineering to serverless (reinvent DVC305)

More Related Content

What's hot (9)

Similar to Applying principles of chaos engineering to serverless (reinvent DVC305) (20)

More from Yan Cui (20)

Recently uploaded (20)

Applying principles of chaos engineering to serverless (reinvent DVC305)