Scaling Webservices

• Where most of your business logic will live.

• consider whether you need them in the first place and what tradeoffs you are willing to make.

• benefits such as

  • promoting reuse

  • higher levels of abstraction

• drawbacks such as

  • higher up-front development costs

  • increased complexity

Designing Web Services

• Need for web services

  • to expose alternative ways to interact with web applications by providing different types of application programming interfaces (APIs)

  • the need for integration and reuse grew with size of applications

  • Different clients/UIs (web/mobile etc) sharing the same logic/apis

Web Services as an Alternative Presentation Layer

• the api is the presentation layer

• To develop web services (monolothic way)

  • to build the web application first and then add web services as an alternative interface to it.

  • your web application is a single unit with extensions built on top of it to allow programmatic access to your data and functionality without the need to process HTML and JavaScript

    • web application is developed, deployed, and executed as a single unit

    • web services would be implemented as a set of additional controllers and views, allowing clients to interact with your system without having to go through html

  • ie first build the ui (html/css etc), and your business logic (mvc framework)

    • After the core functionality was complete, you would then add web services to your web application when a particular need arose

  • Benefits

    • you can add features and make changes to your code at very high speed, especially in early phases of development

      • Not having APIs reduces the number of components, layers, and the overall complexity of the system, which makes it easier to work with

        • reduce integration costs

    • Easy to get MVP out there

    • defer implementation of any web service code until you have proven that your product works and that it is worth further development

    • not every web application needs an API, and designing every web application with a distinct web services layer may be just unnecessary overengineering

    • Good for simplest systems

  • Drawbacks

    • For complex systems not the best

    • Not great for scalability

    • Not great for long term maintenance

    • all of the code in a single application, you now have to develop and host it all together

      • ok for small team working on it, but once the team expands it becomes difficult to work on, merges take longer

      • as everyone needs to understand the whole system and make changes to the same codebase.

    • There will be potential future costs as the product becomes more successful

  • As the applicaiton grows in size

    • flexibility of making quick, ad hoc changes becomes less important

    • the separation of concerns and building higher levels of abstraction become much more important

API First

• implies designing and building your API contract first and then building clients consuming that API and the actual implementation of the web service

  • Does not matter what is built first, the client or server

• a solution to the problem of multiple user interfaces

  • Allows mutliple clinets to access the service via a programmatic interface

• All clients will use a single api to provide the business logic

• API-first is better suited for more mature systems and more stable companies than it is for early phase startups.

• Benefits

  • REduces duplication of logic handled for different clients

    • you only need to maintain one copy of that code, easy to change and add features

  • Encapsulates logic, so clients can focus on their needs

    • changing client code becomes easier

  • Easier to scale

    • use functional partitioning and divide your web services layer into a set of smaller independent web service

    • Different teams can work on different clients and services

    • Decouples layers, easier to understand system and changes will not have affects on other layers

    • can scale services and clients differently to meet their needs

    • different services and clients can use different technologies to better meet their needs

• Drawbacks

  • Difficult to implement

  • over engineering is an issue

  • integration, monitoring and deployments can be an issue (cost, time etc)

  • requires more planning, knowledge about your final requirements, and engineering resources

  • requires more planning, knowledge about your final requirements, and engineering resources

Pragmatic - combination

• think of a web services layer and service-oriented architecture from day one, but implementing it only when you see that it is truly necessary

  • when you see a use case that can be easily isolated into aseparate web service and that will most likely require multiple clients performing the same type of functionality, then you should consider building a web service for it.

  • when you are just testing the waters with very loosely defined requirements, you may be better off by starting small and learning quickly

• Which approach depends

  • Money/funding

  • Stage of development

• if you go for that hybrid approach, you are in for a game of tradeoffs and self-doubt—either you risk overengineering or you make a mess

  • you are likely going to end up with a combination of tightly coupled small web applications of little business value and a set of web services fulfilling more significant and well-defined need

Types of Web services

Function-Centric Services

• is to be able to call functions’ or objects’ methods on remote machines without the need to know how these functions or objects are implemented, in what languages are they written, or what architecture are they running on.

• each function can take arbitrary arguments and produce arbitrary values

• difficult to implement across programming languages, central processing unit (CPU) architectures, and run-time environments, as everyone had to agree on a strict and precise way of passing arguments, converting values, and handling errors

  • Need to handle resource locking, security, network latencies, concurrency, and contracts upgrades.

  • all focusing on client code being able to invoke a function implemented on a remote machine

• Tech examples

  • Common Object Request Broker Architecture (CORBA)

  • Extensible Markup Language – Remote Procedure Call (XML-RPC)

  • Distributed Component Object Model (DCOM)

  • Simple Object Access Protocol (SOAP) (became standard)

    • Good extensibility and backing

    • use of xml to describe and encode messages

    • use of http to transport request and response

    • SOAP’s advanced security and distributed computing features

    • it allowed web services to be discovered and the integration code to be generated based on contract descriptors themselves

    • Implementation example

      • web service provider exposes a set of XML resources, such as Web Service Definition Language (WSDL) files describing methods and endpoints available and definition of data structures being exchanged using XML Schema Definition (XSD) files.

      • These resources become the contract of the web service, and they contain all the information necessary to be able to generate the client code and use the web service.

      • You would use a client library which downloads the contract, convert xml to java classes, handle the network calls deserializations

    • extensibility

      • a lot of ws-specifications were created

      • which lead to integration between different development stacks became more difficult, as different providers had different levels of support for different versions of ws-* specifications.

        -

    • Dynamic language users found it harder to use SOAP web services

      • lack of tooling or support/funding/time to create tooling

      • Led to web tech being excluded from soap

      • Thus creating JSON and use of REST

    • Issues with SOAP

      • cannot use HTTP-level caching (not cached in a reverse proxy)

        • SOAP requests are issued by sending XML documents, where request parameters and method names are contained in the XML

        • Since the uniform resource locator (URL) does not contain all of the information needed to perform the remote procedure call, the response cannot be cached on the HTTP layer based on the URL alone

      • some of the additional ws-* specifications introduce state into the web service protocol, making it stateful.

        • As soon as you begin supporting things like transactions or secure conversation, you forfeit the ability to treat your web service machines as stateless clones

      • Not the best for a start up

      • Complexity

        • Different SOAP services have different conventions

      • SOAP is on the decline, more people moving to REST

        • this also leads to lack of support and fixes

Resource-Centric Services

• each resource can be treated as a type of object, and there are only a few operations that can be performed on these objects

  • CRUD

  • You model your resources in any way you wish, but you interact with them in more standardized ways.

• REST is an example of this type and now defacto standard of web services

• REST services use URLs to uniquely identify resources.

  • Once you know the URL of a resource, you need to decide which of the HTTP methods you want to use.

    • In general, the GET method is used to fetch information about a resource or its children

    • the PUT method is used to replace an entire resource or a list by providing a replacement

    • POST is used to update a resource or add an entry

    • DELETE is used to remove objects

• JSON is defacto standard of REST

• Benefits of REST

  • the structure of REST web services is usually predictable, which also makes it easy to work with, due to limited number of HTTP methods

  • Lightweight

    • It’s basically just an HTTP server with a routing mechanism to map URL patterns to your code

    • Most frameworks make it easy to create

    • dont have to manage complex contracts like WDSL or xsd

  • less sophisticated than SOAP

    • To allow authorized access to REST resources, web services usually require authentication to be performed before using the API.

      • The client would authenticate (ie via OAuth), then provide the authentication token in HTTP headers of each consecutive request

      • Use of TLS in transport ie HTTPs

    • Stateless and GET request can be cached

      • Easier to scale

      • traffic for the most popular resources to be offloaded, ease the load on services

  • Used by most web technologies

    onto reverse proxies

• Drawbacks of REST

  • Less strict

    • allowing nonbreaking changes to be released to the server side without the need to recompile and redeploy the clients

  • Clients will not be able to auto-generate the client code or discover the web service behavior

    • Can have contract testing to warn about this

  • less sophisticated than SOAP

    • can make it harder to integrate with more complex secruity measures ie exactly-once delivery semantics

  • Less mature or feature rich

• if all you need is to expose a web service to your mobile

  clients and some third-party websites, REST is probably a better way

Scaling REST services

• tactics in general

  • slice your web services layer into smaller functional pieces

  • to scale by adding clones

• The key to scalability and efficient resource utilization is to allow each machine to work as independently as possible

  • For a machine to be able to make progress (perform computation or serve requests), it should depend on as few other machines as possible

Keeping Service Machines Stateless

• make all of your web service machines stateless.

• need to push all of the shared state out of your web service machines onto shared data stores like

  • object caches

  • databases

  • message queues

• Benefits of statelessness

  • distribute traffic among your web service machines on a per-request basis.

    • can deploy a load balancer between your web services and their clients, and each request can be sent to any of the available web service machines

    • distributing requests in a round-robin fashion allows for better load distribution and more flexibility

  • As each web service request can be served by any of the web service machines, you can take service machines out of the load balancer pool as soon as they crash.

    • load balancers support heartbeat checks to make sure that web service machines serving the traffic are available.

    • LB can have automatic load sharing, so when heartbeat fails it will send traffic to other clones

      • will remove that host from the load-balancing pool, reducing the capacity of the cluster

      • but preventing clients from timing out or failing to get responses.

    • Allows technical support to look at what is wrong and fix it, or restart a clone

      • modern application/container management (kubentes) will create new clone if there are less then the desired amount required in config

  • can restart and decommission servers at any point in time without worrying about affecting your clients.

  • Allows for maintenance to be done easily without loss of service

    • LB allows for graceful shutdown, ie reducing load on a host until zero

  • able to perform zero-downtime updates of your web services.

    • an roll out your changes to one server at a time by taking it out of rotation, upgrading, and then putting it back into rotation.

    • If your software does not allow you to run two different versions at the same time, you can deploy to an alternative stack and switch all of the traffic at once on the load balancer level

  • able to scale your web services layer by simply adding more clones

    • by adding more machines to the load balancer pool to be able to support more concurrent connections, perform more network I/O, and compute more responses (CPU time).

    • only assumption here is that your data persistence layer needs to be able to scale horizontally

  • Auto scaling can happen

    • Any time a machine crashes, the load balancer will replace it with a new instance

    • any time your servers become too busy, it will spin up additional instances to help with the load

• The only type of state that is safe to keep on your web service machines are cached objects, which do not need to be synchronized or invalidated in any way

  • As cache is disposable and can be rebuilt at any point in time, so server failure does not cause any data loss.

• Any solution that requires consistency to be propagated across your web service machines will increase your latencies or lead to availability issues

  • To avoid, it is safest to allow your web service machines to store only cached objects that expire based on their absolute Time to Live property

  • Such objects can be stored in isolation until they expire without the need for your web services to talk to each other.

• Sharing state amongst webservice clones

  • Always question whether transactions or even locking is necessary

    • alternative

      • making your application handle failures gracefully rather than preventing them at all cost

      • try to lean back on your data store as much as possible using its transactional support (support for Atomic operations)

  • Secruity

    • Clients will likely need some authenticaiton passed alongside it's request (ie token/cookie)

    • That token will have to be validated on the web service side, and client permissions will have to be evaluated in some way to make sure that the user has access to the operation they are attempting to perform.

    • You could cache authentication and authorization details directly on your web service machines, but that could cause problems when changing permissions or blocking accounts, as these objects would need to expire before new permissions could take effect

    • use a shared in-memory object cache and have each web service machine reach out for the data needed at request time. If not present, data could be fetched from the original data store and placed in the object cache.

      • will be able to easily invalidate it when users’ permissions change, as only a single copy

  • Resource Locking

    • can use distributed lock systems like Zookeeper

    • you should avoid resource locks for as long as possible and look for alternative ways to synchronize parallel processes.

    • Distributed locking is challenging, as each lock requires a remote call and creates an opportunity for your service to stall or fail.

      • increases your latency and reduces the number of parallel clients that your web service can serve

    • can sometimes use optimistic concurrency control where you check the state before the final update rather than acquiring locks, instead of resource locks.

    • consider message queues as a way to decouple components and remove the need for resource locking in the first place

    • it is important to acquire locks in a consistent order to prevent deadlocks

      • can prevent deadlocks, and increase availability

    • to strike a balance between having to acquire a lot of fine-grained locks and having coarse locks that block access to large sets of data

      • acquire a lot of fine-grained locks, you increase latency, as you keep sending requests to the distributed locks service.

      • having many fine-grained locks, you also risk increasing the complexity and losing clarity as to how locks are being acquired and from where.

        • Can lead to deadlocks

      • using fewer coarse locks, you may reduce the latency and risk of deadlocks

        • but you can hurt your concurrency at the same time, as multiple web service threads can be blocked waiting on the same resource lock

    • By using locks, all of your machines become interdependent, If one process becomes slow, anyone else waiting for their locks becomes slow.

    • You can use locks in your

      • scheduled batch jobs

      • crons

      • queue workers

    • best to avoid locks in the request–response life cycle of your web services

  • application-level Transactions

    • Transactions can become difficult to implement, especially if you want to expose transactional guarantees in your web service contract and then coordinate higher-level distributed transactions on top of these services

    • A distributed transaction is a set of internal service steps and external web service calls that either complete together or fail entirely.

    • If Transaction fails, everything needs to be rolled back, so that all the actions never happenend in the first place

    • 2 Phase Commit (2PC) algorithm. Common

      • notorious for scalability and availability issues

      • become increasingly difficult to perform as the number of services involved increases and more resources need to be available throughout the time of the transaction

      • the chance of failure increases with each new service

    • away from distributed transactions

    • Alternatives to distrbuted transactions

      • not support them at all

        • Rather have development speed, availability, and scalability

        • As long as core features are not impacted, and minor inconsistencies are ok, have eventual consistency

      • provide a mechanism of compensating transaction

        • A compensating transaction can be used to revert the result of an operation that was issued as part of a larger logical transaction that has failed

        • Each part of transaction is independent, is part 1 passes but part 2 fails, then only part 1 is reverted (some opposite action that returns part 1 to original state).

          • If part 1 fails, then original caller will fail, so part 2 would not be used

        • Benefits

          • web services do not need to wait for one another

          • they do not need to maintain any state or resources for the duration of the overarching transaction

          • Each of the services responds to a single call in isolation

          • Only the coordinating web service becomes responsible for ensuring data consistency among web services

          • can often be processed asynchronously by adding a message into a queue without blocking the client code

Caching Service Responses

• Use of HTTP protocol caching

• The HTTP protocol requires all GET method calls to be read-only. Can cache the response in a proxy/clients and web service calls can be skipped

• Need to make sure GET requests are idempotent and nothing is affected (ie state/db change)

• sometimes business needs prevents caching, as the needs for logs (which are updated when request hits service) are used for business reports

• Can also be affected by object caches on the service, which are updated and another service uses this updated cached object which could be different

• Authentication via tokens in headers

  • Would need to build cache key on url and header token (composite key) to make sure users only see what they should

  • But can be wasteful, if two different users have same authentication for same resource

• make as many of your resources public as possible

• To be able to scale using cache, you would usually deploy reverse proxies between your clients and your web service.

Functional Partitioning

• functional partitioning can be thought of as a way to split a large system into a set of smaller, loosely coupled parts so that they can run across more machines rather than having to run on a single, more powerful server.

  • For web services

    • is a way to split a service into a set of smaller, fairly independent web services, where each web service focuses on a subset of functionality of the overall system

    • isolating subsets of functionality that are closely related, and extracting that subset into an independent subsystem

• Rather than having a single large and potentially closely coupled web service, you would end up with two smaller, more focused, and more independent web services

  • lead to decoupling their infrastructures, their databases, and potentially their engineering teams

• Benefit

  • having two independent subsystems, you could give them at least twice as much hardware

    • esp separate data storage, each subsystem will have it's own db

    • esp good for relational db, as they are difficult to scale

  • development and changes can be made in isolation, affecting only one of the services

    • there is some coupling between services, but not that much

    • allows your technology team to grow

    • no one needs to know the entire system in detail to make chagnes

    • teams can take over one or more services

  • Each service can be scaled independently

    • Access patterns, availability and hardware needs are separated

    • Can scale to meet their own needs

    • no wasted resources for parts of a system like in monoliths

    • Different tech can be used for different services

• Challenge

  • partitioning too early

  • partitioning too much

  • new services that needs data and features from mulitple services

    • partition by what changes (volatility)