why care about a cdn?

1

Workshops and Conference: May 9-11, 2016

2016

Stockholm

Let us know

what you think!

Click “Engage”to rate a session.If you rate 12 sessionsyou get a cool GOTO prize!

Why the fuck care about a CDN? Artur Bergman, CEO/Founder, Fastly

© 2016 All rights reservedGoto Stockholm 2016

• CEO && Founder • Wikia CTO• SixApart/LiveJournal• Velocity conference• Opensource developer• From Stockholm!

• @crucially

Artur Bergman


2008 @ Wikia


• 5 years old• San Francisco HQ• London, Tokyo, New York, Denver• 270 employees

Fastly


HTTP? use a CDN


CDN??


"Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C Clarke


"Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C Clarke

"Any technology that is indistinguishable from magic for you is one you don't understand"

-- Artur Bergman


No Magic


• nginx• haproxy• squid• varnish• apache mod_proxy• apache traffic server• ELB• F5 (terrible)

Reverse proxy


• offloads TLS• load balances• long running connections• rule based dispatch

Reverse proxy

Client Reverse proxy

App server

App server

App server


CDN

Client

Reverse proxy

App server

App server

App server

Reverse proxy

Reverse proxy

Reverse proxy

Reverse proxy

Reverse proxy


Client

App server


• offloads TLS• load balances• long running connections• rule based dispatch• cache (pass through)

Caching reverse proxy

Client Reverse proxy

App server

App server

App serverBig awesome cache


Client

App server


• 2x 2697v4 18+18 cores • 768 GB RAM (12 TB)• 48 TB of SSD (786 TB)• 40 Gbit/ethernet (640 Gbit)

• 16 per rack

Big awesome cache

Love the future


User

DNS

CDN Pop

Origin


User

DNS

CDN Pop

Origin

Cache miss


User

DNS

CDN Pop

Origin

Cache hit


• Like memcache/redis• Except

• Outside your datacenter• Passthrough• Close to user

Inside-out cache


• My content is• Private• Unique• Un-cacheable• Special snow flake

But but but



But but butYeah right!

Don’t worry


Why?


Performance Security

Availability


Latency is a measure of time delay experienced in a system, the precise definition of which depends on the system and the time being measured. In communications, the lower limit of latency is determined by the medium being used for communications.

AKA waiting for shit.

Latency is the little-death that bring total obliteration


299 792 458 m / s


Fastly

Cache it locally



Availability


?????


160 Gbps DDOS


• Layer 3/4 DDOS protection• UDP/ICMP/SYN

• Layer 7 DDOS protection• Inspect http traffic• Block/Redirect

• Instant visibility in edge traffic• Edge firewall rules

Security


SYNfromChina!


• Outsource your emotional burden• More capacity than attacker is all that matters• Distributed capacity• Largest seen

• > 200 million packets per second• > 400 Gbps

• If it is cached, its easy to serve very high request rate

A word on DDOS



Availability


DDOS?


Prince died :(


Prince died :( 140k rps

16k rps


Prince died :( 140k rps

16k rps

autoscale lol!


• CDN handles entire spike• news sites• download sites• cache it and it doesn’t matter

• stale-if-error• stale-while-revalidate

No origin load


• Fastly• Telia• NTT• Cogent• Comcast• Level3• + Peering

CDNs have many ISPs


• “Faster than the internet”• “Route around problems”

• Continuously choose the best path • Between customer and us• Between us and origin

CDNs have many ISPs


• Beat speed of light• Move data close to the user• Personalize the data close to the user• Defend against attacks close to the attacker

• DDOS is ever growing thread

• Only way to expand into new markets without significant capital or operational outlay and risk

Do things at the edge


you use all the time


• Python Software Foundation• NPM• Ruby Core• Ruby Gems• Metacpan• MIT Scratch• kernel.org

opensource

http://kernel.org


• Hashicorp• New Relic• Maven• Github• Package cloud

• Check your build systems firewall log :)

developer tools


why do you care? about future of CDN



But but butYeah right!

Don’t worry


Dynamic Site Acceleration • Not just magic lies

• TCP• HTTP• TLS


SYN 100 ms


SYN 100 msSYNACK 100 ms


SYN 100 msSYNACK 100 msTLS HS 100 ms


SYN 100 msSYNACK 100 msTLS HS 100 msTLS HS 100 ms


SYN 100 msSYNACK 100 msTLS HS 100 msTLS HS 100 msRequest 100 ms


SYN 100 msSYNACK 100 msTLS HS 100 msTLS HS 100 msRequest 100 msResponse 100 ms



Total 600 ms to slow start



Request 100 msResponse 100 ms



Request 100 msResponse 100 ms

Total 320 ms and no slow start


• Location based• Time based• Changes based on user or machine input

• Separate public and private APIs• Reuse on mobile and progressive web apps

Usually cacheable


• Instant purge (cache-invalidation)• Instant configuration• Instant stats• Instant logs• Edge dictionaries

• Very large edge caches == higher hit rate

Key developer friendly features


curl -X PURGE https://www.fastly.com/

• 150 ms to purge world wide• dramatically changes what you can cache if you can invalidate

Instant purge

https://www.fastly.com/


Instant purge• News articles• Inventory data• Sport scores• Wikis• Blogs• API metadata


Surrogate-Key invalidationSurrogate-Key: tag1 tag2 tag3

• Purge by tag• All objects matching tag gets wipe

• let us handle the cache dependencies (secondary index)• track collections by objects that went into them


Instant config• Varnish VCL• 100% API accesible• Deploy around the world in 5 seconds

• Load balancing rules• IP blocks• Custom edge logic


Instant logfiles• Streaming log files (1-2 seconds delay)

• syslog• S3/GCS• Fluentd• Splunk• elk

• We don’t store any logs on a permanent basis


Instant stats• Realtime stream• Hook into your alerting for instant notice on bad deploys


Programmatic edge• Load balance between cloud providers

• (get rid of your load balancers)• Route to different services based on any attribute in the

request• Handle failover• Edge authentication using edge dictionaries (key-value store)• Offload offload offload


Client Fastly


Client Fastly

Authentication service


Client Fastly


Segmentation Service

Authentication headers provided


Client Fastly




Client Fastly



API service

Authentication + Segmentation headers provided


Client Fastly



API service


Client Fastly



API service

Cacheable

Cacheable


Client Fastly



API service

Second request


Client Fastly



API service

Revoke access Send surrogate-key purge for user


HOW??


1. The network is reliable.2. Latency is zero.3. Bandwidth is infinite.4. The network is secure.5. Topology doesn't change.6. There is one administrator.7. Transport cost is zero.8. The network is homogeneous.

Fallacies of distributed systems

http://en.wikipedia.org/wiki/Computer_network

http://en.wikipedia.org/wiki/Latency_(engineering)

http://en.wikipedia.org/wiki/Throughput

http://en.wikipedia.org/wiki/Computer_security

http://en.wikipedia.org/wiki/Network_topology

http://en.wikipedia.org/wiki/Network_administrator


1. The network is reliable.2. Latency is zero.3. Bandwidth is infinite.4. The network is secure.5. Topology doesn't change.6. There is one administrator.7. Transport cost is zero.8. The network is homogeneous.

At Fastly

http://en.wikipedia.org/wiki/Computer_network

http://en.wikipedia.org/wiki/Latency_(engineering)

http://en.wikipedia.org/wiki/Throughput

http://en.wikipedia.org/wiki/Computer_security

http://en.wikipedia.org/wiki/Network_topology

http://en.wikipedia.org/wiki/Network_administrator


• Very little off the shelf software works for us• Most software written for 2-3 nearby datacenter• No virtualization

• Most things not written for our scale (up)

• Apparently few people continuously push 20 Gbps/server

Technologies


• haproxy (TLS termination)• h2o (http2)• varnish (caching)• bird (bgp daemon)• knot (dns daemon)• ubuntu linux

• C / Go / Ruby mix

Technologies


• Hate specific built hardware• Routers• Load balancers• Firewalls

• Arista / Cumulus • Linux on a switch with an API• BGP on the caches themselves• Treat it all as code

Networking


• Purging based on bimodal multicast• Other services rely on purging

• Example config push => purge => fetch of new config

• Need to be extremely resilient in face of the internet

Coordination Technologies


• Physical hardware for forwarding plane

• Google Bigtable/Bigquery for analytics• AWS for control plane• Datadog for monitoring

Providers


• Varnish on AWS around the world• Route53 to send to closest user

• You have a simple CDN!

Just! build your own


EITHER WAY USE ONE


Thank you!

=

103

Workshops and Conference: May 9-11, 2016

2016

Stockholm

Please remember torate this session

...Thank You!

why care about a cdn?

Technology