Architecture Weekly #149 - 16th October 2023
Sponsor: Do you build complex software systems? See how NServiceBus makes it easier to design, build, and manage software systems that use message queues to achieve loose coupling. Get started for free.
Welcome to the new week!
Let’s start with an invitation; on Wednesday 25th we’ll run the next webinar for our community.
This time, a special guest Mateusz Jendza, with the topic: Why Verified Credentials is the Future of Digital Identity!
Verifiable Credentials are an intriguing topic, something like Blockchain but without Blockchain (luckily!). They are an open standard for digital credentials. They can represent information found in physical credentials, such as a passport or licence, and new things with no physical equivalent, such as bank account ownership. Trusted providers can use them to verify our identity, and do it securely, as the credentials are digitally signed, which makes them tamper-resistant and instantly verifiable.
Mateusz is a Principal Technical Architect at SoftwareOne. In the last few years, he has focused on helping companies use Identity Management solutions correctly (with a focus on Entra ID and Azure AD B2C). He’s also a member of our community, my friend and a go-to person for me on those topics.
Feel invited: become a paid subscriber and join us live. Click here to see all the details.
I think I mentioned that already, but I dislike the split between "domain" and "integration" events. The split is highly misleading. All of them should be domain events and represent business facts.
I prefer to split them into internal and external (or, as Nick Tune does, into private and public). That helps to understand that those events are meaningful only in their respective contexts:
- Internal/Private in the inner module context,
- External/Public in the whole system context.
Understanding this split is essential in defining the event-driven API. Yes, API. Events should be treated as such.
I wrote at greater length on how to tackle this topic:
If you’re searching for other resources, check Marc Klefter’s talk:
He explained it in a calm, systematic way. The only asterisk I’d add is that I prefer a Summary Event over Event-Carried State Transfer. But besides that, really good explanations of the whys and hows.
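To make the internal/external split and the Summary Event preference concrete, here is an added example (my own illustration, not code from the newsletter, from Nick Tune or from Marc Klefter’s talk). It assumes a hypothetical Orders module whose private events (OrderItemAdded, DiscountApplied, OrderConfirmed) are folded into one versioned public summary event, OrderPlacedV1, so that consumers in the wider system never depend on the module’s internal vocabulary; all names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import Union

# --- Internal (private) events: meaningful only inside the hypothetical Orders module ---
@dataclass(frozen=True)
class OrderItemAdded:
    order_id: str
    sku: str
    quantity: int
    unit_price_cents: int

@dataclass(frozen=True)
class DiscountApplied:
    order_id: str
    discount_cents: int
    reason: str  # internal pricing detail; deliberately never published

@dataclass(frozen=True)
class OrderConfirmed:
    order_id: str
    customer_id: str

InternalEvent = Union[OrderItemAdded, DiscountApplied, OrderConfirmed]

# --- External (public) event: the module's published, versioned contract ---
@dataclass(frozen=True)
class OrderPlacedV1:
    order_id: str
    customer_id: str
    total_cents: int
    line_count: int
    schema_version: int = 1

class OrderPublicEventTranslator:
    """Folds the module's private event stream into summary public events.

    Consumers only ever see OrderPlacedV1 (a Summary Event); the fine-grained
    internal events, including the discount reason, stay inside the module.
    """
    def __init__(self) -> None:
        self._pending: dict[str, dict] = {}  # order_id -> running totals

    def handle(self, event: InternalEvent) -> list[OrderPlacedV1]:
        state = self._pending.setdefault(event.order_id, {"lines": 0, "total": 0})
        if isinstance(event, OrderItemAdded):
            state["lines"] += 1
            state["total"] += event.quantity * event.unit_price_cents
            return []
        if isinstance(event, DiscountApplied):
            state["total"] -= event.discount_cents
            return []
        if isinstance(event, OrderConfirmed):
            del self._pending[event.order_id]
            return [OrderPlacedV1(event.order_id, event.customer_id,
                                  state["total"], state["lines"])]
        return []

def publish(internal_events: list) -> list[OrderPlacedV1]:
    """Run a private event stream through the translator; returns the public events."""
    translator = OrderPublicEventTranslator()
    published: list[OrderPlacedV1] = []
    for event in internal_events:
        published.extend(translator.handle(event))
    return published

# Constructed sample stream for one order (not real data).
SAMPLE_STREAM = [
    OrderItemAdded("ord-1", "sku-A", quantity=2, unit_price_cents=1999),
    OrderItemAdded("ord-1", "sku-B", quantity=1, unit_price_cents=500),
    DiscountApplied("ord-1", discount_cents=300, reason="loyalty-tier-2"),
    OrderConfirmed("ord-1", customer_id="cust-7"),
]

if __name__ == "__main__":
    for public_event in publish(SAMPLE_STREAM):
        print(public_event)
```

The point of the translator is that the public contract can stay stable (and explicitly versioned) while the module's private events change as often as the team needs; an unconfirmed order publishes nothing at all, because no business fact the rest of the system cares about has happened yet.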
Marc’s talk was recorded at the Axon Conference, and I saw that live as I joined as a guest. Typically, product conferences are mostly about selling stuff and overfocusing on the product details. This conference was different and had good talks showing the wider picture.
The best talk and the highlight for me was:
I encourage you to watch it even if you’re not interested in Privacy, Event Sourcing or Axon. It’s an intriguing case study showing how to make proper buy vs build decisions (e.g. instead of writing their own case management tool, they just used an off-the-shelf product). Plus, it also nicely shows how to take research works like:
and incorporate them into the product. Plus, the talk was well delivered.
Some say Serverless is dead, but those reports are greatly exaggerated. Serverless is here to stay, and as with every technology, complaints appear as it matures. Wrong usage, mishaps and lessons learned are part of the adoption curve. The trick is whether we learn from them or blindly repeat past mistakes.
The best way to learn is to see successful attempts and analyse them. So let’s bring them in!
Serverless is a great approach if we need to evaluate the idea quickly, aren’t sure about the expected usage characteristics or can charge clients per usage.
Also, we should remember that we don’t have to choose the architecture style for a lifetime. We can pivot when our initial environment changes (e.g. we learned more about the actual usage and can drive other decisions from it).
Speaking of learning the right usage and busting wrong explanations: that’s precisely what I did in last week’s webinar, explaining the details of modelling in Event Sourcing.
I redid my DDDEU talk, explaining again why adding temporal aspects to your event model will improve it (e.g. using Accounting Month instead of Account as your domain model). Even if you saw this talk already, I encourage you to check the recording, as at the end we had a longer Q&A part.
All of the biggest cloud providers faced the largest DDoS attack so far. It was based on a zero-day vulnerability in the HTTP/2 protocol, termed “HTTP/2 Rapid Reset”. This exploit leverages a feature of HTTP/2 where attackers continuously open requests and then promptly cancel them, causing servers to become overwhelmed and resulting in a denial of service.
The exploit targets HTTP/2’s stream cancellation feature, emphasising the importance of understanding and securing web infrastructure. In light of these revelations, companies like Cloudflare, Google, AWS, and Microsoft wrote summaries of how they dealt with it. Read more in:
Cloudflare - HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
Google - Google mitigated the largest DDoS attack to date, peaking above 398 million rps
Microsoft - Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2
All of them are intriguing and in-depth case studies. It’s also interesting that all companies openly wrote about it simultaneously. I complained a few times about companies delaying their threat reports, but here, all looks fair.
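The mechanism described above (a client opening streams and immediately cancelling them, which in HTTP/2 means a HEADERS frame followed by an RST_STREAM frame) lends itself to a per-connection sanity check. The following is an added, defender-side illustration of mine, not code from any of the linked write-ups and not a reproduction of any vendor’s actual mitigation: it counts client-initiated cancellations per connection in a sliding window and flags the connection when both the absolute count and the cancel-to-open ratio are anomalous. The Frame record, the window size, and the thresholds are assumptions chosen for the example, and the traffic samples are constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    t: float        # seconds since the connection was opened (constructed timestamps)
    kind: str       # "HEADERS" = client opens a stream, "RST_STREAM" = client cancels it
    stream_id: int  # client-initiated HTTP/2 streams use odd identifiers

class RapidResetGuard:
    """Per-connection counter of stream cancellations.

    Thresholds are illustrative assumptions: flag a connection when, within
    `window_s` seconds, the client has cancelled at least `max_resets` streams
    and cancellations make up at least `min_ratio` of the streams it opened.
    """
    def __init__(self, window_s: float = 1.0, max_resets: int = 50, min_ratio: float = 0.5):
        self.window_s = window_s
        self.max_resets = max_resets
        self.min_ratio = min_ratio
        self._opens: deque[float] = deque()   # timestamps of HEADERS frames
        self._resets: deque[float] = deque()  # timestamps of RST_STREAM frames
        self._open_streams: set[int] = set()

    def _expire(self, now: float) -> None:
        for queue in (self._opens, self._resets):
            while queue and now - queue[0] > self.window_s:
                queue.popleft()

    def observe(self, frame: Frame) -> bool:
        """Record one frame; returns True when the connection looks abusive."""
        self._expire(frame.t)
        if frame.kind == "HEADERS":
            self._open_streams.add(frame.stream_id)
            self._opens.append(frame.t)
        elif frame.kind == "RST_STREAM" and frame.stream_id in self._open_streams:
            # Only count resets of streams this client actually opened.
            self._open_streams.discard(frame.stream_id)
            self._resets.append(frame.t)
        opens, resets = len(self._opens), len(self._resets)
        return resets >= self.max_resets and opens > 0 and resets / opens >= self.min_ratio

def connection_is_abusive(frames: list, **thresholds) -> bool:
    """Replay a connection's frames; True if the guard trips at any point."""
    guard = RapidResetGuard(**thresholds)
    return any(guard.observe(frame) for frame in frames)

def constructed_cancel_burst(n: int, interval_s: float = 0.001) -> list:
    """Constructed sample: n streams, each opened and then cancelled at once."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i * interval_s
        frames.append(Frame(t, "HEADERS", sid))
        frames.append(Frame(t + interval_s / 2, "RST_STREAM", sid))
    return frames

def constructed_browser_traffic() -> list:
    """Constructed sample: 20 ordinary requests, 2 cancelled (user navigated away)."""
    frames = [Frame(i * 0.05, "HEADERS", 2 * i + 1) for i in range(20)]
    frames += [Frame(0.6, "RST_STREAM", 3), Frame(0.7, "RST_STREAM", 5)]
    return frames

if __name__ == "__main__":
    print("burst flagged:", connection_is_abusive(constructed_cancel_burst(200)))
    print("browser flagged:", connection_is_abusive(constructed_browser_traffic()))
```

The ratio matters as much as the count: legitimate clients do cancel streams (a page navigated away from, an aborted download), so a bare cancellation counter would produce false positives, while the combination of a high count and a high ratio inside a short window isolates the pattern the write-ups describe. In a real server the action on a flagged connection would be to send GOAWAY and stop accepting new streams from it, which is outside this example.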
Sharding and partitioning are among the most foundational tools for scaling systems. Some techniques can be applied at the application level by logically grouping your features, yet others have to be provided by your tooling, for instance databases. Check the latest episode of .NET Rocks, in which Oren Eini goes deep into explaining the challenges and potential solutions:
If you’re curious how and why it can become complex in a cloud environment, it’s definitely a must-listen.
Check out the other links too!
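One of the ways partitioning gets complicated in practice is rebalancing: what happens to existing data when you add a shard. The following is an added example of mine (not from the podcast episode or from Oren Eini) that compares naive modulo partitioning with a consistent hashing ring, measuring how many keys have to move when a fifth shard joins four. Shard names, key names and the virtual-node count are constructed assumptions; SHA-256 is used only as a stable, well-distributed hash.

```python
import bisect
import hashlib
from typing import Callable

def stable_hash(value: str) -> int:
    """Deterministic 64-bit hash (first 8 bytes of SHA-256) so results are reproducible."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")

def modulo_shard(key: str, n_shards: int) -> str:
    """Naive scheme: shard = hash(key) mod N. Changing N remaps most keys."""
    return f"shard-{stable_hash(key) % n_shards}"

class ConsistentHashRing:
    """Each shard owns `vnodes` points on a hash ring; a key goes to the next point clockwise.
    Adding a shard only takes over the arcs just before its own points."""
    def __init__(self, shards: list, vnodes: int = 100):
        self.vnodes = vnodes
        self._points: list[int] = []      # sorted ring positions
        self._owner: dict[int, str] = {}  # ring position -> shard name
        for shard in shards:
            self.add_shard(shard)

    def add_shard(self, shard: str) -> None:
        for v in range(self.vnodes):
            point = stable_hash(f"{shard}#{v}")
            if point in self._owner:  # 64-bit collision: practically never, skip if it happens
                continue
            bisect.insort(self._points, point)
            self._owner[point] = shard

    def lookup(self, key: str) -> str:
        position = bisect.bisect_right(self._points, stable_hash(key))
        if position == len(self._points):
            position = 0  # wrap around the ring
        return self._owner[self._points[position]]

def moved_fraction(keys: list, before: Callable[[str], str], after: Callable[[str], str]) -> float:
    """Share of keys whose shard assignment differs between two placement functions."""
    moved = sum(1 for key in keys if before(key) != after(key))
    return moved / len(keys)

def compare_rebalancing(n_keys: int = 1000, old: int = 4, new: int = 5) -> tuple:
    """Returns (modulo_moved, ring_moved) when growing from `old` to `new` shards."""
    keys = [f"user-{i}" for i in range(n_keys)]  # constructed key space
    ring_old = ConsistentHashRing([f"shard-{i}" for i in range(old)])
    ring_new = ConsistentHashRing([f"shard-{i}" for i in range(new)])
    modulo_moved = moved_fraction(keys, lambda k: modulo_shard(k, old), lambda k: modulo_shard(k, new))
    ring_moved = moved_fraction(keys, ring_old.lookup, ring_new.lookup)
    return modulo_moved, ring_moved

if __name__ == "__main__":
    modulo_moved, ring_moved = compare_rebalancing()
    print(f"modulo: {modulo_moved:.0%} of keys moved, ring: {ring_moved:.0%} of keys moved")
```

With modulo placement, a key stays put only when hash mod 4 equals hash mod 5, which is true for roughly one key in five, so about 80% of the data has to be copied; on the ring, only the roughly 1/5 of keys that land on the new shard's arcs move. That difference is why databases bother with rings, ranges or directory-based placement instead of a plain modulo, and it is independent of whether the partitioning is done by the application or by the storage engine.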
Oskar
p.s. I invite you to join the paid version of Architecture Weekly. It already contains the exclusive Discord channel for subscribers (and my GitHub sponsors), monthly webinars, etc. It is a vibrant space for knowledge sharing. Don’t wait to be a part of it!
p.s.2. Ukraine is still under brutal Russian invasion. A lot of Ukrainian people are hurt, without shelter and need help. You can help in various ways, for instance, directly helping refugees, spreading awareness, and putting pressure on your local government or companies. You can also support Ukraine by donating, e.g. to the Ukraine humanitarian organisation, Ambulances for Ukraine or Red Cross.
Architecture
Oskar Dudycz - Internal and external events, or how to design event-driven API
Oskar Dudycz - Keep your streams short! Or how to model event-sourced systems efficiently
Cloudflare - HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
Google - Google mitigated the largest DDoS attack to date, peaking above 398 million rps
Yan Cui - How I built an affiliate tracking system in a weekend with serverless
Marc Klefter - Powering Event-Driven APIs with Event Sourcing
Bart Wullems - Gall’s law and how it applies to software architecture
DevOps
Databases
API
AWS
JVM
.NET
Jamie Maguire - Handling Database Migrations in Mature Applications with Fluent Migrator
Anthony Simmon - Preventing breaking changes in .NET class libraries
Coding Life
Management
Industry
TechCrunch - Atlassian to acquire former unicorn Loom for $975M
Harvard Business Review - When Blind Hiring Advances DEI — and When It Doesn’t
The Register - Largest local government body in Europe goes under amid Oracle disaster
The Register - Excel recruitment time bomb makes top trainee doctors 'unappointable'