Migrating Vital Visitors At Scale with No Downtime — Half 2 | by Netflix Know-how Weblog | Might, 2023

Shyam Gala, Javier Fernandez-Ivern, Anup Rokkam Pratap, Devang Shah

Image your self enthralled by the newest episode of your loved one Netflix sequence, delighting in an uninterrupted, high-definition streaming expertise. Behind these excellent moments of leisure is a fancy mechanism, with quite a few gears and cogs working in concord. However what occurs when this equipment wants a metamorphosis? That is the place large-scale system migrations come into play. Our earlier weblog publish offered replay site visitors testing — an important instrument in our toolkit that permits us to implement these transformations with precision and reliability.

Replay site visitors testing offers us the preliminary basis of validation, however as our migration course of unfolds, we’re met with the necessity for a rigorously managed migration course of. A course of that doesn’t simply reduce danger, but in addition facilitates a steady analysis of the rollout’s affect. This weblog publish will delve into the methods leveraged at Netflix to introduce these modifications to manufacturing.

Canary deployments are an efficient mechanism for validating modifications to a manufacturing backend service in a managed and restricted method, thus mitigating the chance of unexpected penalties that will come up because of the change. This course of entails creating two new clusters for the up to date service; a baseline cluster containing the present model working in manufacturing and a canary cluster containing the brand new model of the service. A small proportion of manufacturing site visitors is redirected to the 2 new clusters, permitting us to observe the brand new model’s efficiency and examine it in opposition to the present model. By amassing and analyzing key efficiency metrics of the service over time, we will assess the affect of the brand new modifications and decide in the event that they meet the supply, latency, and efficiency necessities.

Some product options require a lifecycle of requests between the shopper machine and a set of backend companies to drive the function. For example, video playback performance on Netflix entails requesting URLs for the streams from a service, calling the CDN to obtain the bits from the streams, requesting a license to decrypt the streams from a separate service, and sending telemetry indicating the profitable begin of playback to one more service. By monitoring metrics solely on the degree of service being up to date, we’d miss capturing deviations in broader end-to-end system performance.

Sticky Canary is an enchancment to the standard canary course of that addresses this limitation. On this variation, the canary framework creates a pool of distinctive buyer gadgets after which routes site visitors for this pool persistently to the canary and baseline clusters at some point of the experiment. Other than measuring service-level metrics, the canary framework is ready to hold monitor of broader system operational and buyer metrics throughout the canary pool and thereby detect regressions on your entire request lifecycle stream.

Sticky Canary

You will need to be aware that with sticky canaries, gadgets within the canary pool proceed to be routed to the canary all through the experiment, doubtlessly leading to undesirable conduct persisting via retries on buyer gadgets. Subsequently, the canary framework is designed to observe operational and buyer KPI metrics to detect persistent deviations and terminate the canary experiment if obligatory.

Canaries and sticky canaries are invaluable instruments within the system migration course of. In comparison with replay testing, canaries permit us to increase the validation scope past the service degree. They allow verification of the broader end-to-end system performance throughout the request lifecycle for that performance, giving us confidence that the migration is not going to trigger any disruptions to the shopper expertise. Canaries additionally present a chance to measure system efficiency below totally different load circumstances, permitting us to determine and resolve any efficiency bottlenecks. They allow us to additional fine-tune and configure the system, making certain the brand new modifications are built-in easily and seamlessly.

A/B testing is a widely known technique for verifying hypotheses via a managed experiment. It entails dividing a portion of the inhabitants into two or extra teams, every receiving a distinct therapy. The outcomes are then evaluated utilizing particular metrics to find out whether or not the speculation is legitimate. The business incessantly employs the approach to evaluate hypotheses associated to product evolution and person interplay. It’s also extensively utilized at Netflix to check modifications to product conduct and buyer expertise.

A/B testing can be a invaluable instrument for assessing vital modifications to backend methods. We will decide A/B take a look at membership in both machine utility or backend code and selectively invoke new code paths and companies. Inside the context of migrations, A/B testing allows us to restrict publicity to the migrated system by enabling the brand new path for a smaller proportion of the member base. Thereby controlling the chance of surprising conduct ensuing from the brand new modifications. A/B testing can be a key approach in migrations the place the updates to the structure contain altering machine contracts as effectively.

Canary experiments are usually performed over durations starting from hours to days. Nonetheless, in sure situations, migration-related experiments could also be required to span weeks or months to acquire a extra correct understanding of the affect on particular High quality of Expertise (QoE) metrics. Moreover, in-depth analyses of explicit enterprise Key Efficiency Indicators (KPIs) might require longer experiments. For example, envision a migration state of affairs the place we improve the playback high quality, anticipating that this enchancment will result in extra prospects partaking with the play button. Assessing related metrics throughout a substantial pattern dimension is essential for acquiring a dependable and assured analysis of the speculation. A/B frameworks work as efficient instruments to accommodate this subsequent step within the confidence-building course of.

Along with supporting prolonged durations, A/B testing frameworks supply different supplementary capabilities. This strategy allows take a look at allocation restrictions primarily based on elements resembling geography, machine platforms, and machine variations, whereas additionally permitting for evaluation of migration metrics throughout related dimensions. This ensures that the modifications don’t disproportionately affect particular buyer segments. A/B testing additionally gives adaptability, allowing changes to allocation dimension all through the experiment.

We’d not use A/B testing for each backend migration. As an alternative, we use it for migrations through which modifications are anticipated to affect machine QoE or enterprise KPIs considerably. For instance, as mentioned earlier, if the deliberate modifications are anticipated to enhance shopper QoE metrics, we might take a look at the speculation through A/B testing.

After finishing the varied phases of validation, resembling replay testing, sticky canaries, and A/B checks, we will confidently assert that the deliberate modifications is not going to considerably affect SLAs (service-level-agreement), machine degree QoE, or enterprise KPIs. Nonetheless, it’s crucial that the ultimate rollout is regulated to make sure that any unnoticed and surprising issues don’t disrupt the shopper expertise. To this finish, we’ve got applied site visitors dialing because the final step in mitigating the chance related to enabling the modifications in manufacturing.

A dial is a software program assemble that allows the managed stream of site visitors inside a system. This assemble samples inbound requests utilizing a distribution perform and determines whether or not they need to be routed to the brand new path or saved on the present path. The choice-making course of entails assessing whether or not the distribution perform’s output aligns inside the vary of the predefined goal proportion. The sampling is finished persistently utilizing a set parameter related to the request. The goal proportion is managed through a globally scoped dynamic property that may be up to date in real-time. By rising or reducing the goal proportion, site visitors stream to the brand new path might be regulated instantaneously.


The choice of the particular sampling parameter will depend on the particular migration necessities. A dial can be utilized to randomly pattern all requests, which is achieved by choosing a variable parameter like a timestamp or a random quantity. Alternatively, in situations the place the system path should stay fixed with respect to buyer gadgets, a continuing machine attribute resembling deviceId is chosen because the sampling parameter. Dials might be utilized in a number of locations, resembling machine utility code, the related server part, and even on the API gateway for edge API methods, making them a flexible instrument for managing migrations in advanced methods.

Visitors is dialed over to the brand new system in measured discrete steps. At each step, related stakeholders are knowledgeable, and key metrics are monitored, together with service, machine, operational, and enterprise metrics. If we uncover an surprising difficulty or discover metrics trending in an undesired route throughout the migration, the dial offers us the potential to rapidly roll again the site visitors to the outdated path and handle the difficulty.

The dialing steps may also be scoped on the information heart degree if site visitors is served from a number of information facilities. We will begin by dialing site visitors in a single information heart to permit for a neater side-by-side comparability of key metrics throughout information facilities, thereby making it simpler to look at any deviations within the metrics. The period of how lengthy we run the precise discrete dialing steps may also be adjusted. Working the dialing steps for longer durations will increase the likelihood of surfacing points that will solely have an effect on a small group of members or gadgets and might need been too low to seize and carry out shadow site visitors evaluation. We will full the ultimate step of migrating all of the manufacturing site visitors to the brand new system utilizing the mixture of gradual step-wise dialing and monitoring.

Stateful APIs pose distinctive challenges that require totally different methods. Whereas the replay testing approach mentioned within the earlier a part of this weblog sequence might be employed, further measures outlined earlier are obligatory.

This alternate migration technique has confirmed efficient for our methods that meet sure standards. Particularly, our information mannequin is straightforward, self-contained, and immutable, with no relational elements. Our system doesn’t require strict consistency ensures and doesn’t use database transactions. We undertake an ETL-based dual-write technique that roughly follows this sequence of steps:

  • Preliminary Load via an ETL course of: Information is extracted from the supply information retailer, remodeled into the brand new mannequin, and written to the newer information retailer via an offline job. We use customized queries to confirm the completeness of the migrated information.
  • Steady migration through Twin-writes: We make the most of an active-active/dual-writes technique to migrate the majority of the information. As a security mechanism, we use dials (mentioned beforehand) to regulate the proportion of writes that go to the brand new information retailer. To keep up state parity throughout each shops, we write all state-altering requests of an entity to each shops. That is achieved by choosing a sampling parameter that makes the dial sticky to the entity’s lifecycle. We incrementally flip the dial up as we acquire confidence within the system whereas rigorously monitoring its general well being. The dial additionally acts as a swap to show off all writes to the brand new information retailer if obligatory.
  • Steady verification of information: When a document is learn, the service reads from each information shops and verifies the purposeful correctness of the brand new document if present in each shops. One can carry out this comparability reside on the request path or offline primarily based on the latency necessities of the actual use case. Within the case of a reside comparability, we will return information from the brand new datastore when the information match. This course of offers us an thought of the purposeful correctness of the migration.
  • Analysis of migration completeness: To confirm the completeness of the information, chilly storage companies are used to take periodic information dumps from the 2 information shops and in contrast for completeness. Gaps within the information are crammed again with an ETL course of.
  • Reduce-over and clean-up: As soon as the information is verified for correctness and completeness, twin writes and reads are disabled, any shopper code is cleaned up, and browse/writes solely happen to the brand new information retailer.
Migrating Stateful Techniques

Clear-up of any migration-related code and configuration after the migration is essential to make sure the system runs easily and effectively and we don’t construct up tech debt and complexity. As soon as the migration is full and validated, all migration-related code, resembling site visitors dials, A/B checks, and replay site visitors integrations, might be safely faraway from the system. This consists of cleansing up configuration modifications, reverting to the unique settings, and disabling any momentary elements added throughout the migration. As well as, you will need to doc your entire migration course of and hold information of any points encountered and their decision. By performing an intensive clean-up and documentation course of, future migrations might be executed extra effectively and successfully, constructing on the teachings discovered from the earlier migrations.

We now have utilized a variety of methods outlined in our weblog posts to conduct quite a few giant, medium, and small-scale migrations on the Netflix platform. Our efforts have been largely profitable, with minimal to no downtime or vital points encountered. All through the method, we’ve got gained invaluable insights and refined our methods. It needs to be famous that not the entire methods offered are universally relevant, as every migration presents its personal distinctive set of circumstances. Figuring out the suitable degree of validation, testing, and danger mitigation requires cautious consideration of a number of elements, together with the character of the modifications, potential impacts on buyer expertise, engineering effort, and product priorities. Finally, we goal to attain seamless migrations with out disruptions or downtime.

In a sequence of forthcoming weblog posts, we are going to discover a collection of particular use instances the place the methods highlighted on this weblog sequence had been utilized successfully. They may give attention to a complete evaluation of the Adverts Tier Launch and an intensive GraphQL migration for numerous product APIs. These posts will supply readers invaluable insights into the sensible utility of those methodologies in real-world conditions.