O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

Top 10 Lessons Learned from the Netflix API - OSCON 2014


Confira estes a seguir

1 de 87 Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (20)


Semelhante a Top 10 Lessons Learned from the Netflix API - OSCON 2014 (20)


Mais recentes (20)

Top 10 Lessons Learned from the Netflix API - OSCON 2014

  1. 1. Daniel Jacobson • @daniel_jacobson • http://www.linkedin.com/in/danieljacobson • http://www.slideshare.net/danieljacobson Sangeeta Narayanan • @sangeetan • http://www.linkedin.com/in/sangeetanarayanan/
  2. 2. I have added more detail in the notes field for each slide to provide additional context
  3. 3. Strategy Lessons Implementation Lessons
  4. 4. Know Your Audience Target Audience Dictates Everything Else
  5. 5. The target audience should be the single biggest influence on your API design
  6. 6. Small Set of Known Developers SSKDs
  7. 7. Large Set of Unknown Developers LSUDs
  8. 8. Both SSKDs and LSUDs
  9. 9. No matter what… Figure this out first!
  10. 10. Target Audience Influence • Team Identity • Staffing Decisions • System Architecture • SLAs • Development Velocity • Security Needs
  11. 11. Netflix API : Key Responsibilities 2008 • Broker data between internal services and public developers • Grow community of public developers • Optimize design for reusability
  12. 12. Evangelists Partner Engagement and Support API Engineers Technical Writer QA Specialists
  13. 13. Private API Public API < 0.3% of total API traffic * * 11 years worth of public API requests = one day of private API requests
  14. 14. Netflix API : Key Responsibilities Today • Broker data between services and devices • System resiliency • Scaling the system • High velocity development • Insights
  15. 15. The consumers of the API are now Netflix subscribers We are now responsible for ensuring subscribers can stream
  16. 16. Application Engineers Platform Engineers Technical Writer Tools and Automation Engineers
  17. 17. Team is now 6x its size from 2010
  18. 18. Separation of Concerns
  19. 19. Primary Responsibilities of APIs • Data Gathering – Retrieving the requested data from one or many local or remote data sources • Data Formatting – Preparing a structured payload to the requesting agent • Data Delivery – Delivering the structured payload to the requesting agent
  20. 20. There are two players in APIs
  21. 21. API Provider API Consumer
  22. 22. API Provider PROVIDES API Consumer CONSUMES Traditional API Interactions
  23. 23. API Provider PROVIDES EVERYTHING API Consumer CONSUMES Everything means, API Provider does: • Data Gathering • Data Formatting • Data Delivery • (among other things) Traditional API Interactions
  24. 24. Why do most API providers provide everything? • Many APIs have a large set of unknown and external developers • Generic API design tends to be easier for teams closer to the source • Centralized API functions makes them easier to support
  25. 25. Why do most API providers provide everything? • Many APIs have a large set of unknown and external developers • Generic API design tends to be easier for teams closer to the source • Centralized API functions makes them easier to support
  26. 26. Data Gathering Data Formatting Data Delivery API Consumer Don’t care how data is gathered, as long as it is gathered Each consumer cares a lot about the format for that specific use Each consumer cares a lot about how payload is delivered API Provider Care a lot about how the data is gathered Only cares about the format to the extent it is easy to support Only cares that the delivery method is easy to support Separation of Concerns To be a better provider, the API should address the separation of concerns of the three core functions
  27. 27. One Size Doesn’t Fit All Embrace the Differences
  28. 28. Data Gathering Data Formatting Data Delivery API Consumer Don’t care how data is gathered, as long as it is gathered Each consumer cares a lot about the format for that specific use Each consumer cares a lot about how payload is delivered API Provider Care a lot about how the data is gathered Only cares about the format to the extent it is easy to support Only cares that the delivery method is easy to support Separation of Concerns
  29. 29. Screen Real Estate Controllers Technical Capabilities
  30. 30. Resource-Based API vs. Experience-Based API
  31. 31. Resource-Based Requests • /users/<id>/ratings/title • /users/<id>/queues • /users/<id>/queues/instant • /users/<id>/recommendations • /catalog/titles/movie • /catalog/titles/series • /catalog/people
  33. 33. Experience-Based Requests • /ps3/homescreen
  35. 35. Be Pragmatic, Not Dogmatic
  36. 36. Common API Debates • XML / JSON • REST / SOAP • OAuth / Other • Versioning • Hypermedia
  37. 37. Who Cares!?!?
  38. 38. Just Solve Problems for your Audience
  39. 39. Embrace Change Impermanence and Versionless APIs
  40. 40. v1.0 v1.5 v2.0
  41. 41. Versioning for APIs 1.0 1.5 2.0 3.0? 4.0? 5.0? 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020
  42. 42. Eliminate Versioning? 1.0 1.5 2.0 New Architecture 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020
  44. 44. Act Fast, React Fast Favor Velocity Over Completeness
  45. 45. Delivery Using Buckets
  46. 46. Testing
  47. 47. Production Traffic Old Code (Baseline) New Code (Canary) ~1% Traffic
  48. 48. Deployments
  49. 49. Old Code New Code Production Traffic
  50. 50. Enable Others to Act Fast, React Fast
  52. 52. Dynamically deployed endpoints
  53. 53. Statically deployed libraries Dynamically deployed endpoints
  54. 54. Dependency Canaries
  55. 55. Personalization Service API • Build • Test • Deploy Service • Release Lib Pers. Lib • Integrate Lib • Build • Test • Deploy Service UI Script Iterations in Hours or Days Access Data
  56. 56. Personalization Service API • Build • Test • Deploy Service • Release Lib • Publish to API Pers. Lib UI Script Iterations in Minutes? Access Data • Integrate Lib • Build • Test • Deploy Service
  57. 57. Internal Developers Need Engagement Too
  58. 58. Documentation
  59. 59. Tools REPL:
  60. 60. Trainings
  61. 61. Failure is Inevitable
  62. 62. ~5,000,000,000 Requests per day ~35 Dependencies ~600 Libraries
  63. 63. Things will break!
  64. 64. Scale at All Costs
  65. 65. - 10 20 30 40 50 60 June, 2010 June, 2011 June, 2012 RequestsinBillions API Requests Per Month
  66. 66. Incoming Traffic
  67. 67. Predictive Auto Scaling
  68. 68. Predicted vs. Actual RPS
  69. 69. Reactive + Predictive Autoscaling No. of instances
  70. 70. 1. Know Your Audience 2. Separation of Concerns 3. One Size Doesn’t Fit All 4. Be Pragmatic, Not Dogmatic 5. Embrace Change 1. Act Fast, React Fast 2. Enable Others to Act Fast, React Fast 3. Internal Developers Need Engagement Too 4. Failure is Inevitable 5. Scale at All Costs
  71. 71. http://github.com/Netflix
  72. 72. Daniel Jacobson • @daniel_jacobson • http://www.linkedin.com/in/danieljacobson • http://www.slideshare.net/danieljacobson Sangeeta Narayanan • @sangeetan • http://www.linkedin.com/in/sangeetanarayanan/

Notas do Editor

  • The lessons that we discuss in these slides fall into two buckets: strategy and implementation.
  • In some cases, the audience will be a small set of known developers (SSKDs). These developers are generally engineers within your company or one with whom you are partnering.
  • In other cases, the audience may be a large set of unknown developers. This audience is typically associated with public APIs.
  • And in some cases, the API will target both audience types.
  • This is a short list of the things that the target audience will influence.
  • For Netflix, we started out with a public API, with the audience being a large set of unknown developers. There were no internal use cases at launch.
  • Based on the target audience of unknown developers, we staffed accordingly. The team was relatively small, with skills around development, evangelism, partnering, testing and documentation.
  • As streaming became more critical to the company, we started having devices use the API. Our first mistake was that we were probably too late to pivot our architecture based on our change in target audience. At the time, we had many devices call into our REST API, the same one that we used for the unknown developers.
  • But eventually, the data demonstrated that the architectural change was needed. This chart shows that the private API completely drarfs the public API in terms of requests. The private API does about five billion requests per day while the public API does between one and two million. This disparity clearly demonstrates the need for us to target the API to the small set of known developers – Netflix’s UI engineers – who build the vast majority of the experiences on Netflix devices.
  • Given the shift in responsibilities, we positioned the team accordingly, hiring for skills mostly around engineering.
  • And the team size grew by about 6x in the last few years. If the target audience was still the public API, it is likely that the team size would have grown, but less significantly (perhaps 2x) in that time frame.
  • API consumers care a lot about data formatting and delivery, but each consumer, in such a diverse ecosystem, cares about them differently. For some devices, they may want an XML payload delivered as a complete document, while others may need JSON, protobuffer or some other format, potentially delivered as streamed bits. Because of these diverse needs, we need to separate out the concerns to better enable the consumers to get what they need.
  • Most companies focus on a small handful of device implementations, most notably Android and iOS devices.
  • At Netflix, we have more than 1,000 different device types that we support. Across those devices, there is a high degree of variability. As a result, we have seen inefficiencies and problems emerge across our implementations. Those issues also translate into issues with the API interaction.
  • For example, screen size could significantly affect what the API should deliver to the UI. TVs with bigger screens that can potentially fit more titles and more metadata per title than a mobile phone. Do we need to send all of the extra bits for fields or items that are not needed, requiring the device itself to drop items on the floor? Or can we optimize the deliver of those bits on a per-device basis? Different devices have different controllers as well. Some, like the iPad, allow for fast swipe interactions so the content needs to be there for the entire row. Other devices, like smart TVs or game some game consoles have LRUD controllers, so it at least gives the opportunity to fetch the data as the row gets navigated. And the technical capabilities of the devices will influence the interactions as well. Some have more computing power or memory which will influence how much data you can process on the device vs. how much needs to be gathered in real-time.
  • We evolved our discussion towards what ultimately became a discussion between resource-based APIs and experience-based APIs.
  • The original one-size-fits-all API was very resource oriented with granular requests for specific data, delivering specific documents in specific formats.
  • The interaction model looked basically like this, with (in this example) the PS3 making many calls across the network to the OSFA API. The API ultimately called back to dependent services to get the corresponding data needed to satisfy the requests.
  • We have decided to pursue an experience-based approach instead. Rather than making many API requests to assemble the PS3 home screen, the PS3 will potentially make a single request to a custom, optimized endpoint.
  • In an experience-based interaction, the PS3 can potentially make a single request across the network border to a scripting layer (currently Groovy), in this example to provide the data for the PS3 home screen. The call goes to a very specific, custom endpoint for the PS3 or for a shared UI. The Groovy script then interprets what is needed for the PS3 home screen and triggers a series of calls to the Java API running in the same JVM as the Groovy scripts. The Java API is essentially a series of methods that individually know how to gather the corresponding data from the dependent services. The Java API then returns the data to the Groovy script who then formats and delivers the very specific data back to the PS3.
  • Our original REST API had granular endpoints and generic interaction models. This leads to different versions when significant changes are made. The REST API had three primary version before our move to the experience-based API.
  • If we persisted in the REST API, we very likely could have continued to add versions while needing to support the old ones. The need to support prior versions stems from older device implementations that may not be able to updated or retired, thus forcing us to maintain these endpoints for a long time (perhaps as long as 10 years).
  • Our target with the experience-based API was to build an architecture that allowed us to be versionless. Through SSKDs, separation of concerns, abstraction layers, and interaction optimizations, we are able move to a deprecation model.
  • The primary goal is to limit versioning in the device-to-server interaction. Ideally, we can deprecate effectively in the server interactions as well, but that is sometimes more difficult. Back to our architecture view, the data can now flow from the services into the Java APIs. We expose granular methods (think data elements rather than resources) to the scripting tier. If a method needs to change, we can add a new method and then work closely with the SSKDs to migrate the calling scripts, enabling us to deprecate the old method. If we are not able to move the scripts, we can insulate the devices from the change either in the Java layer or in the scripting tier.
  • Several years ago, we were deploying changes roughly every two weeks. We would accumulate changes over that time and then drop them into production all at once. Think of it as gathering water in a bucket.
  • What we found was that our releases were unpredictable, sometimes resulting in outages, broken functionality, or incomplete work. Accordingly, we decided to slow down, changing our release cycles to three weeks. We figured that would give us more time to test our work. In other words, we got a larger bucket.
  • Over time, however, we learned that the longer release cycle didn’t improve predictability or quality. Instead, it just slowed us down. In response, we moved aggressively towards continuous delivery. Instead of delivering water in buckets, we had a steady stream of water from a hose. This enabled us to have smaller changes, more isolated and testable, pushed to production instead of having bigger releases with more complexity.
  • This is how code flows through the system. We have multiple canary releases per day. Internal envs are deployed ~8 times/day in 3 AWS regions. Prod deployments happen 2-3 times/week and can be triggered on demand.
  • This dashboard lets us track the status of our master branch at any time. Builds that fail at any step in the pipeline are stopped from going further.
  • A quick word on Testing. We follow the ‘Operate what you Build’ model where developers are responsible for shepherding their changes all the way through to production. We provide them with the tools necessary to help them gain confidence in the quality of their code. One such tool is the automated Canary Analyzer.
  • Canary Analysis is the process wherein a small percent of traffic is routed to the new code and its performance is compared against the old code based on 1000s of metrics.
  • A detailed report gives further insight into potential problem areas. In this case, our canary gives a score of 87%, which means it is likely not ready for release.
  • In tandem with canaries, we use Red/Black deployments as well.
  • The Red/Black process allows us to run production code in one cluster while we spin up the new code in a second one. As the new code proves itself, we can route all traffic to it and eventually shut down the old. It also allows us to have a fast, automated rollback in the even that the new code is seeing problems.
  • Our architecture enables us to move faster because of the scripting tier. But this also put us in position to help our consuming teams and dependency teams to move faster as well.
  • Let’s peek under the hood of the API Server. Client teams deploy endpoints dynamically based on their own schedule. Their cycles are completely asynchronous of server deployments. Newly deployed endpoints are live and ready to take traffic within minutes.
  • Endpoint Activity Dashboard shows recent deployment activity. Rollbacks can be performed in a matter of minutes as well.
  • Our dependent services provide to us client libraries that get compiled into our JVM upon deployment. These libraries typically expose static interfaces, which means changes to the interfaces require coding and deployments without our contain. Similar to the dynamic endpoints, we also have opportunity to improve the nimbleness and velocity around these libraries.
  • One such improvement is dependency canaries, where we are evaluating our new code against the dependencies. This is a dashboard the provides insights into these canaries.
  • Making the interaction with the consumers of the API dynamic has led to increased agility on the UI side. We are also exploring ways to increase the speed of iteration on the dependencies side. The current interaction model uses static domain models and client libraries to handle the data flow through the API. This results in long iteration cycles for even the simplest of use cases. We are actively pursuing an approach where our dependencies will be able to expose new data by using dynamic pass-through model using a Dictionary of key values.
  • The idea is that this model will avoid the static update cycle on the API end, thereby resulting in shorter iteration cycles. This will require investment in things like safety checks and discoverability of the API. We are instrumenting the API layer to inspect traffic at runtime and provide insights into API usage.
  • One of the early mistakes that we made in this new architecture was not treating internal developers like we did public developers. We don’t need the same degree of evangelism, but we do need to maintain strong communications with the client teams while providing robust tools and systems to help them be better developers in our system. An example of us being late to this is represented by our endpoint dashboard. One of our teams went from having about 30 scripts to about 500 in a matter of weeks. Each of these scripts are dynamically compiled into the JVM, occupying permgen space. As the script count shot up, we hit limits in our permgen which resulted in an outage. And an outage in our layer means people cannot stream Netflix. Of course, there is nothing like an outage to kickstart new behaviors. As a result, we immediately set up alerts and then focused more heavily on building tools to support the developers.
  • Included in that effort is comprehensive documentation.
  • We built an array of tools as well, including this REPL.
  • And prepared frequent trainings and videos.
  • Nobody has a 100% SLA, so things will fail
  • In fact, a few years ago, we have many failures on a routine basis.
  • Many of those failures were a result of failures in a dependent service that we did a poor job of protecting against. Because we are the last step before delivering content to the customers, we have a unique opportunity to help protect customers from such failures.
  • Hystrix allows us to be resilient to failure by implementing the bulk-heading and circuit breaker patterns. Hystrix is open source and available at our github repository.
  • Failure Simulation and Game Day exercises are a key part of the overall story. The Simian army is a fleet of monkeys who are simulate failures and alert us to non-conformities in an automated manner. Chaos Monkey periodically terminates AWS instances in production to see how the system responds to the instance disappearing. Latency Monkey introduces latencies and errors into a service to see how it responds and lets us assess the customer quality of experience. Conformity monkey alerts us to variations in versions of application across regions. The monkeys are also available in our open source github repository
  • Because of our pivot to the private API and the explosion of devices consuming it, our traffic grew tremendously in a few years (and continues to grow at very fast rates). Scaling our systems to support this growth is absolutely critical to the success of the company. Techniques, such as throttling are not an option because that only serves to limit the interactions from our streaming subscribers. Instead, we need to be able to handle any load that our devices throw at us. This manifests in many ways, but the following is a detail on one of them – instance scaling.
  • Let’s go back to the traffic chart. The pattern is predictable with higher peaks on the weekends
  • To offset these limitations, we created Scryer (not yet open sourced, but in production at Netflix). Scryer evaluates needs based on historical data (week over week, month over month metrics), adjusts instance minimums based on algorithms, and relies on Amazon Auto Scaling for unpredicted events
  • This graph shows that Scryer’s predictions are in line with actual RPS. In production, Scryer allows us to get instances into production prior to the need (which is different than Amazon’s reactive autoscaling engine which triggers the ramp up based on immediate need, only needing to wait until server start-up is complete). Because the instances are there in advance, Scryer smooths out load averages and response times, which in turn improves the customer experience.
  • This is an example of what Scryer looks like during an outage. When actual traffic dropped because of an outage, the reactive autoscaling engine would have downsized the farm. In this case, Scryer kept the farm sized correctly so that we were able to deal with the traffic spike after the recovery.
  • As a side benefit (not the initial intent), Scryer also allows us to be more precise with our instance counts, reducing inefficiencies.