mirror of https://github.com/hashicorp/consul
Browse Source
Discuss available strategies for improving server-level and infrastructure-level fault tolerance in Consul.pull/12893/head
Jared Kirschner
3 years ago
2 changed files with 143 additions and 0 deletions
@ -0,0 +1,139 @@
|
||||
--- |
||||
layout: docs |
||||
page_title: Improving Consul Resilience |
||||
description: >- |
||||
Fault tolerance is the ability of a system to continue operating without interruption |
||||
despite the failure of one or more components. Consul's resilience, or fault tolerance, |
||||
is determined by the configuring of its voting server agents. Recommended strategies for |
||||
increasing Consul's fault tolerance include using 3 or 5 voting server agents, spreading |
||||
server agents across infrastructure availability zones, and using Consul Enterprise |
||||
redundancy zones to enable backup voting servers to automatically replace lost voters. |
||||
--- |
||||
|
||||
# Improving Consul Resilience |
||||
|
||||
Fault tolerance is the ability of a system to continue operating without interruption |
||||
despite the failure of one or more components. |
||||
The most basic production deployment of Consul has 3 server agents and can lose a single |
||||
server without interruption. |
||||
|
||||
As you continue to use Consul, your circumstances may change. |
||||
Perhaps a datacenter becomes more business critical or risk management policies change, |
||||
necessitating an increase in fault tolerance. |
||||
The sections below discuss options for how to improve Consul's fault tolerance. |
||||
|
||||
## Fault Tolerance in Consul |
||||
|
||||
Consul's fault tolerance is determined by the configuration of its voting server agents. |
||||
|
||||
Each Consul datacenter depends on a set of Consul voting server agents. |
||||
The voting servers ensure Consul has a consistent, fault-tolerant state |
||||
by requiring a majority of voting servers, known as a quorum, to agree upon any state changes. |
||||
Examples of state changes include: adding or removing services, |
||||
adding or removing nodes, and changes in service or node health status. |
||||
|
||||
Without a quorum, Consul experiences an outage: |
||||
it cannot provide most of its capabilities because they rely on |
||||
the availability of this state information. |
||||
If Consul has an outage, normal operation can be restored by following the |
||||
[outage recovery guide](https://learn.hashicorp.com/tutorials/consul/recovery-outage). |
||||
|
||||
If Consul is deployed with 3 servers, the quorum size is 2. The deployment can lose 1 |
||||
server and still maintain quorum, so it has a fault tolerance of 1. |
||||
If Consul is instead deployed with 5 servers, the quorum size increases to 3, so |
||||
the fault tolerance increases to 2. |
||||
To learn more about the relationship between the |
||||
number of servers, quorum, and fault tolerance, refer to the |
||||
[concensus protocol documentation](/docs/architecture/consensus#deployment_table). |
||||
|
||||
Effectively mitigating your risk is more nuanced than just increasing the fault tolerance |
||||
metric described above. You must consider: |
||||
|
||||
### Correlated Risks |
||||
|
||||
Are you protected against correlated risks? Infrastructure-level failures can cause multiple servers to fail at the same time. This means that a single infrastructure-level failure could cause a Consul outage, even if your server-level fault tolerance is 2. |
||||
|
||||
### Mitigation Costs |
||||
|
||||
What are the costs of the mitigation? Different mitigation options present different trade-offs for operational complexity, computing cost, and Consul request performance. |
||||
|
||||
## Strategies to Increase Fault Tolerance |
||||
|
||||
The following sections explore several options for increasing Consul's fault tolerance. |
||||
|
||||
HashiCorp recommends all production deployments consider: |
||||
- [Spreading Consul servers across availability zones](#spread-servers-across-infrastructure-availability-zones) |
||||
- <EnterpriseAlert inline /><a href="#use-backup-voting-servers-to-replace-lost-voters">Using backup voting servers to replace lost voters</a> |
||||
|
||||
### Spread Servers Across Infrastructure Availability Zones |
||||
|
||||
The cloud or on-premise infrastructure underlying your [Consul datacenter](/docs/install/glossary#datacenter) |
||||
may be split into several "availability zones". |
||||
An availability zone is meant to share no points of failure with other zones by: |
||||
- Having power, cooling, and networking systems independent from other zones |
||||
- Being physically distant enough from other zones so that large-scale disruptions |
||||
such as natural disasters (flooding, earthquakes) are very unlikely to affect multiple zones |
||||
|
||||
Availability zones are available in the regions of most cloud providers and in some on-premise installations. |
||||
If possible, spread your Consul voting servers across 3 availability zones |
||||
to protect your Consul datacenter from a single zone-level failure. |
||||
For example, if deploying 5 Consul servers across 3 availability zones, place no more than 2 servers in each zone. |
||||
If one zone fails, at most 2 servers are lost and quorum will be maintained by the 3 remaining servers. |
||||
|
||||
To distribute your Consul servers across availability zones, modify your infrastructure configuration with your infrastructure provider. No change is needed to your Consul server’s agent configuration. |
||||
|
||||
Additionally, you should leverage resources that can automatically restore your compute instance, |
||||
such as autoscaling groups, virtual machine scale sets, or compute engine autoscaler. |
||||
The autoscaling resources can be customized to re-deploy servers into specific availability zones |
||||
and ensure the desired numbers of servers are available at all time. |
||||
|
||||
### Add More Voting Servers |
||||
|
||||
For most production use cases, we recommend using either 3 or 5 voting servers, |
||||
yielding a server-level fault tolerance of 1 or 2 respectively. |
||||
|
||||
Even though it would improve fault tolerance, |
||||
adding voting servers beyond 5 is **not recommended** because it decreases Consul's performance— |
||||
it requires Consul to involve more servers in every state change or consistent read. |
||||
|
||||
Consul Enterprise provides a way to improve fault tolerance without this performance penalty: |
||||
[using backup voting servers to replace lost voters](#use-backup-voting-servers-to-replace-lost-voters). |
||||
|
||||
### <EnterpriseAlert inline /> Use Backup Voting Servers to Replace Lost Voters |
||||
|
||||
Consul Enterprise [redundancy zones](/docs/enterprise/redundancy) |
||||
can be used to improve fault tolerance without the performance penalty of increasing the number of voting servers. |
||||
|
||||
Each redundancy zone should be assigned 2 or more Consul servers. |
||||
If all servers are healthy, only one server per redundancy zone will be an active voter; |
||||
all other servers will be backup voters. |
||||
If a zone's voter is lost, it will be replaced by: |
||||
- A backup voter within the same zone, if any. Otherwise, |
||||
- A backup voter within another zone, if any. |
||||
|
||||
Consul can replace lost voters with backup voters within 30 seconds in most cases. |
||||
Because this replacement process is not instantaneous, |
||||
redundancy zones do not improve immediate fault tolerance— |
||||
the number of healthy voting servers that can fail at once without causing an outage. |
||||
Instead, redundancy zones improve optimistic fault tolerance: |
||||
the number of healthy active and back-up voting servers that can fail gradually without causing an outage. |
||||
|
||||
The relationship between these two types of fault tolerance is: |
||||
|
||||
_Optimistic fault tolerance = immediate fault tolerance + the number of healthy backup voters_ |
||||
|
||||
For example, consider a Consul datacenter with 3 redundancy zones and 2 servers per zone. |
||||
There will be 3 voting servers (1 per zone), meaning a quorum size of 2 and an immediate fault tolerance of 1. |
||||
There will also be 3 backup voters (1 per zone), each of which increase the optimistic fault tolerance. |
||||
Therefore, the optimistic fault tolerance is 4. |
||||
This provides performance similar to a 3 server setup with fault tolerance similar to a 7 server setup. |
||||
|
||||
We recommend associating each Consul redundancy zone with an infrastructure availability zone |
||||
to also gain the infrastructure-level fault tolerance benefits provided by availability zones. |
||||
However, Consul redundancy zones can be used even without the backing of infrastructure availability zones. |
||||
|
||||
For more information on redundancy zones, refer to: |
||||
- [Redundancy zone documentation](/docs/enterprise/redundancy) |
||||
for a more detailed explanation |
||||
- [Redundancy zone tutorial](https://learn.hashicorp.com/tutorials/consul/redundancy-zones?in=consul/enterprise) |
||||
to learn how to use them |
||||
Loading…
Reference in new issue