How to avoid cascading failures in a distributed system 💣💥🔥

00:00

hi everyone we are back with a new

00:01

system design video on rate-limiting

00:03

specifically the problem that we are

00:05

trying to solve is that of the turn

00:06

during hood so if you can imagine a huge

00:08

group of bison charging towards you

00:10

crushing everything in their path that's

00:12

what it feels like many on the server

00:14

side and there's a ton of requests

00:15

coming in from users they're just going

00:18

to crush our servers and crush your

00:19

system completely so to avoid this

00:22

problem what we do on the server side is

00:25

something called rate limiting and let's

00:27

just try to understand the scenario

00:29

first let's say you have four servers

00:31

and let's say you have a request range

00:34

from 1 to 400 so every server is load

00:36

balanced to serve a range of 100

00:39

requests now let us assume that you have

00:44

s1 crashing because for some reason

00:47

maybe some internal issue s1 crashed

00:51

resulting in s4 s3 and s2 taking

00:54

additional load so s1 had the range from

00:58

1 to 100 the load balance is going to be

01:00

smart about this and assign them loads

01:03

let's say 1 to 1 1 to 23 this is going

01:07

to get an additional request range from

01:11

34 to 67 and this is going to get an

01:14

additional range from 68 to 100 ok so s1

01:20

caching did not affect the rest of the

01:23

servers because or rather did not affect

01:25

the users because the rest of the

01:27

servers are now able to serve their

01:28

requests however there's a implicit

01:32

assumption over here and the assumption

01:35

is that each of these servers can handle

01:36

the new load ok let us assume that s4

01:40

did not have that much compute power it

01:41

was barely surviving with request range

01:44

of 100 and by adding to that range that

01:48

it needs to serve now s4 is completely

01:50

exhausted and the requests are taking

01:53

too much time the too many timeouts s4

01:55

crashes so s1 was already dead s4 is now

02:01

dead and as you can expect somebody

02:04

needs to actually answer so somebody

02:06

needs to take these requests from this

02:09

range so I'm going to give these

02:12

additional ranges now 4 s 4 which is 3 0

02:16

1 2 3 50 and also the additional range

02:20

over here which is let's say 1 2 17 and

02:24

now we have this serve also serving some

02:28

range 351 - 418 - 23 you're probably

02:36

getting an idea now these ranges are

02:38

pretty big initially s3 was serving half

02:42

of what it is serving right now as a

02:43

request range and there's a good chance

02:45

that s 3 will also crash

02:49

so if s3 crashes it was serving 200% of

02:53

the load that it could maybe just had

02:55

50% additional and it crashes which

02:58

means s2 has to serve around 400 percent

03:01

of its original load approximately and

03:04

there's a very good chance that s 2 will

03:05

also crash resulting in the whole system

03:08

crashing all of your users being upset

03:10

and this is something that we really

03:12

want to avoid so this problem is called

03:15

the cascading failure problem and that's

03:19

the first problem that we try to

03:21

mitigate as you can see this cascading

03:30

failure is a race against time when s1

03:34

had crashed there's that Delta that

03:36

small pine gap that you have for

03:38

bringing in the new server before s4

03:40

takes that much load and crashes so it

03:43

is a race against time one of the things

03:46

that you could do is have a really smart

03:48

load balance or have some seamless sort

03:51

of new server bring in but we should

03:55

assume the worst and there are some

03:57

possible let's say workarounds and one

04:00

real solution to this problem one

04:02

workaround of course is to just stop

04:05

something requests for all users having

04:06

requests IDs 1 to 100 yeah that's that's

04:09

not really a solution but if you see

04:12

that the other services can't take in

04:14

more load it's better to be available to

04:17

some users than to be available to none

04:19

of the users and now we are out of

04:22

workarounds so the real solution

04:26

what we should do is take a cue and put

04:31

our requests in this queue what's going

04:35

to happen here is that every server can

04:37

have a request queue and they can decide

04:40

on answering or not answering a request

04:42

so what I'm going to do is give each of

04:46

these servers a particular capacity

04:48

right compute capacity so s1 has 100

04:53

compute capacity which for me one unit

04:56

of compute capacity means it can handle

04:57

one request per second so 100 requests

05:00

per second

05:01

300 requests per second 400 degrees per

05:04

second 200 requests per second okay

05:07

now let's say s1 clashes looking at the

05:11

node s4 what we need to do is we need to

05:14

see 300 is the maximum number of

05:16

requests it can take so this queue is

05:18

going to keep expanding till it hits 300

05:21

if the 300 first request comes in what

05:25

we are going to do is we are going to

05:26

ignore that request we are going to just

05:28

say no so when we return a failed

05:34

response to the client at least this

05:38

server is not being overloaded and also

05:41

the client is now aware that ok this

05:43

request fail

05:44

maybe after five minutes I should try

05:46

again so the user experience is going to

05:48

be bad of course this user who made that

05:50

request and fail is not going to be

05:51

happy but again going by the principle

05:54

that serving some users is better than

05:56

serving no users we are going to start

05:59

dumping requests one small thing to

06:02

remember here is that the client

06:03

shouldn't be stupid if the request fails

06:06

and if the client is bombarding the

06:08

server suddenly that on America's not my

06:10

request this is going to be bad so there

06:12

are some types of errors that you can

06:14

send the client one is temporary and one

06:17

is permanent right these are just types

06:20

of errors that you can send if you say

06:22

permanent it means that there's some

06:23

serious mistake in the request you sent

06:25

and there's a logical error temporary

06:28

means that you should try in some time

06:29

maybe there's some internal server issue

06:31

going on maybe the database is too slow

06:33

or maybe there's too much load so try

06:35

after some time and the client can

06:38

play messages accordingly but the

06:40

general idea of course is to limit the

06:42

number of requests you can take on the

06:44

server side so that you can handle the

06:46

load till the scaling bit comes in till

06:49

you can thing in the new service all

06:52

right so this is the first problem the

06:55

second problem that you can face is if

06:58

you go viral or if there's some sort of

07:01

an event let's say Black Friday you know

07:05

sales go up on Black Friday so might be

07:08

an issue well when you have an event one

07:12

of the things you can do is because you

07:14

have prior knowledge you can scale

07:16

beforehand you know if you have four

07:19

servers and you assume that on Black

07:21

Friday you're going to have 50% more

07:22

users get 6 hours so that's the first

07:26

solution which is pre scale however if

07:32

you are not very sure about the number

07:33

of servers you'll need during the during

07:36

the event one thing that you could do is

07:39

auto scale and please don't quote this

07:42

video if you spend too much money auto

07:44

scaling but yeah I mean auto scaling is

07:48

something that is provided as a solution

07:49

by cloud services you know if you if you

07:53

host your service on the cloud you can

07:55

probably ask them taught to scale your

07:57

service and you know what is scaling is

08:00

not a very bad idea usually because the

08:02

increased number of traffic is probably

08:06

meaning that you're going to make more

08:07

money out of that traffic so yeah that's

08:10

one solution how about if you go viral

08:14

but if you go viral you can just fall

08:17

back to the old solution of rate

08:19

limiting so if you do rate limiting you

08:28

will be stopping the maximum number of

08:29

uses that you can actually serve and

08:31

yeah

08:32

and of course auto scaling and free

08:34

scaling is a good idea but going viral

08:36

is something that you can't predict so

08:38

pre scaling is not really a solution

08:39

these two other solutions the third

08:42

problem is a real server-side problem

08:44

and that is job scheduling

08:48

so often is not rewrite cron jobs which

08:52

run on some point in time I mean we we

08:55

decide when it's going to run but

08:57

imagine a cron job which is supposed to

08:59

send email notifications to all users

09:01

wishing them a happy new year on the 1st

09:03

of January what could happen if you do

09:06

this in a naive way is that you send all

09:08

of the emails together when the clock

09:11

hits first of January which means that

09:13

if you have a million users you're going

09:15

to send one million email notifications

09:17

and that's of course like a huge herd of

09:20

bison coming towards you so the way you

09:22

avoid this is to break the job into

09:26

smaller pieces let's say 1 million users

09:29

so you have 1 million news IDs the first

09:32

thousand users are broken I mean the

09:35

users are broken into chunks the first

09:37

thousand users are going to get the

09:38

email in the first minute the second

09:40

thousand users are going to get in the

09:42

second minute

09:42

and so on and so forth 1 million by

09:44

1,000 is going to take 1000 minutes and

09:48

with this what's happening is that you

09:51

have divided the work that you hide on

09:53

the server into smaller chunks which it

09:55

can consume you know one minute 1000 is

09:58

something which is not a tremendous load

09:59

so it's going to survive and your users

10:02

don't really care I mean if they don't

10:04

get the email notification

10:05

auto-generated email notification at the

10:07

first minute of new year they don't

10:09

really care so yeah it's something that

10:12

you can do of course if they do care

10:13

then you have to bring it down you have

10:15

to bring this range down from 1,000

10:17

minutes to whatever you like but you see

10:19

that you can decide all right so batch

10:22

processing is something that you should

10:23

definitely do the fourth problem is as

10:27

interesting as the other problems

10:28

actually it's when someone popular post

10:32

something or if a post goes like if a

10:37

post becomes really popular if a lot of

10:38

people liking it sharing it subscribing

10:41

to it like you guys should but popular

10:45

post let's say a user like PewDiePie

10:49

post something on YouTube then you need

10:51

to send it to all of their followers if

10:53

you do it a knive way the same issue of

10:55

you know job scheduling will come in

10:58

there's too many users and a very small

11:00

Delta so what you could do is batch

11:03

processing over there you know send

11:04

users in chunks of 1,000 but something

11:08

that YouTube does really smartly is

11:10

adding jitter in which case if you have

11:15

a lot of followers what's going to

11:17

happen is the notifications are going to

11:19

go to them in the in a batch processing

11:21

way but if they start hitting the page

11:23

let's say the video page then there is

11:26

some content the video content which is

11:29

core to YouTube but there is a lot of

11:32

data which actually doesn't matter if

11:34

you think of it that's the number of

11:36

views the number of likes number of

11:41

comments and so on and so forth now if

11:43

you have a very popular user like

11:45

PewDiePie actually posting a video the

11:48

number of views are going to be changing

11:49

dramatically so what you could do is to

11:53

faithfully display that or you could do

11:56

it in the smart way so let's say in the

11:57

first hour we get 1,000 views then in

12:03

the second hour if there's a lot of

12:06

users who are asking the number of views

12:07

in this video I'm going to be smart and

12:10

I'm just going to say 1,000 in 21.5 is

12:14

the total number of views now so that's

12:16

1,500 yeah but maybe the total number of

12:20

views in reality was 1700 so there's a

12:23

mismatch between reality and what is

12:25

being displayed but we don't care

12:28

because this is metadata this is

12:31

something which is not code to the video

12:32

so we are going to display some number

12:34

which may or may not be true it's an

12:37

approximation and do the users really

12:39

care not really they want a general idea

12:41

of what's going on and of course this

12:44

seems like a really big difference but

12:46

YouTube can be smart about this they can

12:48

figure out how the views change over

12:51

time and if it's this is the first hour

12:54

and this is the second hour instead of

12:56

finding out the total number of views in

12:58

this video they can just run through

13:01

this graph and figure out where it

13:02

should lie okay

13:05

YouTube must be much much smarter than

13:07

this but I am just giving the general

13:08

area of approximation instead of showing

13:11

people the truth approximate and save a

13:15

lot of load on your service

13:17

potentially this could save a lot of

13:18

database queries that you are making to

13:20

get the metadata of a post right okay so

13:25

that's the fourth smart solution and

13:26

that is now the fifth smart solution

13:29

which is approximate statistics

13:32

apart from these solutions of course

13:34

there's some good practices in the

13:37

server side to avoid a thundering hood

13:39

the first one is the most common one

13:41

which is caching so if you're getting a

13:46

lot of common requests then the response

13:48

is going to be the same and you can just

13:51

cash those requests and I mean basically

13:54

cache the responses for those requests

13:56

so those are key value pairs and this is

14:01

going to save a lot of queries that

14:03

you'll be making on the database in turn

14:05

that will be improving the performance

14:07

of your system and also you can handle

14:09

more load then another thing that you

14:11

can do is of course gradual deployments

14:14

most of the issues that people get in

14:18

the server side is when they're

14:19

deploying the service so there's a lot

14:21

of stories about you know site

14:24

reliability engineers who are fighting

14:26

deployments and the developers want to

14:28

deploy more because they want to get

14:29

more features out and the reliability

14:32

engineers want to stop the province as

14:33

much as they can because that makes the

14:35

system more stable so it's it's an

14:37

interesting tug-of-war and what you want

14:40

to do essentially is deploy so gradual

14:43

deployments in this what happens is you

14:45

don't deploy let's say if you have a

14:47

total of 100 so as you don't deploy them

14:49

together you deploy the first thing you

14:51

have a look at what's going on and then

14:54

you deploy the next 10 and so on and so

14:56

forth this won't be possible in certain

14:59

scenarios when there's a breaking change

15:01

so to speak but we are getting into too

15:03

much detail and gradual deployment is a

15:06

good idea

15:07

deploy 10 10 10 10 together unless there

15:10

is absolutely no choice that you haven't

15:12

you have to deploy in parallel and the

15:14

final point that I'm going to make of

15:15

course is going to be controversial it's

15:18

with

15:19

star and that's called coupling so to

15:24

improve performance sometimes what you

15:26

need to do is you need to store data

15:27

which is very similar to caching but let

15:32

us assume that you have a service which

15:34

for every request that gets asks an

15:37

authentication service to authenticate

15:39

the user first to authenticate this

15:41

request and then serves the request

15:44

let's say that this network call is too

15:47

much for you

15:47

maybe it's an external service what you

15:50

could do is you could cache the users

15:53

username and token or password or

15:57

whatever you like and now what you can

16:00

do is you can see that if the username

16:02

password worked once in the past one

16:05

hour then maybe the password hasn't

16:07

changed and we are going to assume that

16:09

this user is authenticated to make that

16:10

like you know to call this service and

16:13

we are going to go ahead instead of

16:14

talking to authentication service and

16:16

verifying whether it's true or not it's

16:19

good in a way that it's not you know

16:22

querying the authentication service all

16:24

the time so reducing the load

16:25

authentication service improving

16:27

performance improving user experience

16:31

except that if this is a financial

16:34

system and the password has changed and

16:36

if there's a person who's hacked into

16:39

their account and then using this

16:40

password then you're big trouble aren't

16:42

you

16:42

so if this is a double-edged sword in

16:45

fact it seems like a really bad idea in

16:47

most cases so you should only couple

16:50

systems which is actually keeping data

16:52

in the cache sensitive data or or

16:56

important data in the cache that should

16:57

be avoided however if you have some data

17:01

like you know the profile picture or

17:03

something you can keep that for one hour

17:05

or two hours that's why there's a star

17:07

over here you want to take this

17:10

case-by-case and understand that keeping

17:12

some data for an external service in

17:15

your own service whether that's a good

17:17

idea or not and that will improve

17:19

performance and in turn that will help

17:22

you handle more requests so the problem

17:25

of the Thundering Herd will be slightly

17:27

mitigated but really this is

17:30

like performance improvement and

17:31

probably we should put another star over

17:34

here just to be sure that's it for this

17:36

discussion on the thundering herd

17:38

we often have discussions on system

17:40

design so if you want notifications for

17:41

that you can subscribe and of course if

17:43

you have any doubts or comments on this

17:45

discussion then you can leave them in

17:47

the comments below I'll see you next

17:49

time

17:54

stuff like the views the number of views

17:57

but the number of legs number of

18:00

comments these things are not critical

18:03

to a video