The latest articles on Forem by Cláudio Filipe Lima Rapôso (@sertaoseracloud). https://forem.com/sertaoseracloud https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2686804%2F21b0095d-7793-4b03-b894-5b639c6264c0.png https://forem.com/sertaoseracloud en Cláudio Filipe Lima Rapôso Fri, 15 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/securing-multicloud-service-communication-via-oidc-workload-identity-federation-22c2 https://forem.com/sertaoseracloud/securing-multicloud-service-communication-via-oidc-workload-identity-federation-22c2 <p>Managing long-lived credentials in a multicloud environment is a primary source of architectural fragility and security debt. When an application hosted on Microsoft Azure needs to access a private Amazon Web Services resource, such as an S3 bucket or a DynamoDB table, engineering teams often resort to creating IAM users with static access keys. These keys are frequently hardcoded, inadequately rotated, or leaked through insecure CI/CD pipelines, leading to unauthorized data egress and compromised compliance postures (Humble &amp; Farley, 2010). The definitive solution to this vulnerability is Workload Identity Federation using OpenID Connect (OIDC). By establishing a trust relationship between the Azure Active Directory (now Microsoft Entra ID) and the AWS Identity and Access Management (IAM) control plane, we eliminate the need for static secrets entirely. This article details the engineering process of implementing a secretless, short-lived credential exchange mechanism that leverages the native identity of the Azure workload to assume granular roles within AWS.</p> <h3> Prerequisites </h3> <p>Implementing this federation requires Terraform version 1.7.0 or higher to manage cross-provider identity resources. You must have administrative access to an Azure Subscription and an AWS Account. The implementation utilizes the AWS provider (version 5.40.0+) and the AzureRM provider (version 3.90.0+). For the application-side logic, Python 3.12 is required along with the <code>boto3</code> and <code>azure-identity</code> libraries. You should also possess a working knowledge of the JWT (JSON Web Token) structure and the OIDC protocol flow. Ensure that your Azure resources are assigned a System-Assigned or User-Assigned Managed Identity, as this provides the initial cryptographic proof of identity needed for the federation process.</p> <h3> Step-by-Step </h3> <h4> Step 1: Establishing the OIDC Trust Anchor in AWS </h4> <p>The first architectural requirement is to configure AWS to recognize Azure as a valid identity provider. We accomplish this by creating an IAM OIDC Provider that points to the unique issuer URL of the Azure tenant. This configuration allows the AWS Security Token Service (STS) to validate tokens signed by Microsoft. We use Terraform to automate this setup, specifying the client ID (the audience) that the Azure tokens will contain. By narrowing the audience to a specific application ID in Azure, we ensure that only tokens intended for this federation are accepted. This step is a critical implementation of the Least Privilege principle at the infrastructure level, as it prevents any arbitrary Azure token from being used as a baseline for identity in the AWS environment (Wardley, 2016).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># identity_federation/aws_side.tf</span> <span class="k">data</span> <span class="s2">"azuread_client_config"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="c1"># The issuer URL is tenant-specific in Azure</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">azure_issuer_url</span> <span class="p">=</span> <span class="s2">"https://sts.windows.net/</span><span class="k">${data</span><span class="p">.</span><span class="nx">azuread_client_config</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">tenant_id</span><span class="k">}</span><span class="s2">/"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"azure_provider"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">azure_issuer_url</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"api://aws-federation-client"</span><span class="p">]</span> <span class="c1"># Audience in Azure JWT</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"</span><span class="p">]</span> <span class="c1"># Microsoft Root CA</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"cross_cloud_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AzureWorkloadAccessRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">azure_provider</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">azure_issuer_url</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:aud"</span><span class="err">:</span> <span class="s2">"api://aws-federation-client"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>This configuration creates a secure gateway for Azure identities. How do we ensure that a specific Azure Managed Identity is mapped to this AWS role while preventing other services in the same Azure tenant from assuming the same permissions?</p> <h4> Step 2: Implementing Attribute-Based Access Control (ABAC) Mapping </h4> <p>We address the risk of lateral movement by implementing Attribute-Based Access Control (ABAC) within the trust policy. Instead of a broad trust relationship with the entire Azure tenant, we refine the <code>Condition</code> block in the AWS IAM role to validate specific claims within the Azure JWT, such as the <code>sub</code> (subject) or custom roles. In our Python logic, we utilize the <code>azure-identity</code> library to acquire an access token for the specified audience. This token is then passed to the AWS STS <code>assume_role_with_web_identity</code> method. By enforcing a match between the <code>sub</code> claim (which contains the Azure Object ID) and the IAM policy, we guarantee that only the authorized microservice can assume the role. This pattern adheres to Hexagonal Architecture by treating the identity exchange as an external adapter, keeping the core domain logic clean of authentication mechanics.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># identity_service/federation_adapter.py </span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">ManagedIdentityCredential</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="k">class</span> <span class="nc">MulticloudIdentityAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">aws_role_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">azure_client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">aws_role_arn</span> <span class="o">=</span> <span class="n">aws_role_arn</span> <span class="n">self</span><span class="p">.</span><span class="n">azure_client_id</span> <span class="o">=</span> <span class="n">azure_client_id</span> <span class="n">self</span><span class="p">.</span><span class="n">azure_credential</span> <span class="o">=</span> <span class="nc">ManagedIdentityCredential</span><span class="p">()</span> <span class="k">def</span> <span class="nf">get_aws_session</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">boto3</span><span class="p">.</span><span class="n">Session</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Exchanges Azure Managed Identity token for AWS STS temporary credentials. </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># 1. Get OIDC token from Azure for the specific AWS audience </span> <span class="n">azure_token</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">azure_credential</span><span class="p">.</span><span class="nf">get_token</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">api://</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">azure_client_id</span><span class="si">}</span><span class="s">/.default</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Initialize AWS STS Client </span> <span class="n">sts_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">sts</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># 3. Exchange for temporary AWS credentials </span> <span class="n">response</span> <span class="o">=</span> <span class="n">sts_client</span><span class="p">.</span><span class="nf">assume_role_with_web_identity</span><span class="p">(</span> <span class="n">RoleArn</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">aws_role_arn</span><span class="p">,</span> <span class="n">RoleSessionName</span><span class="o">=</span><span class="sh">"</span><span class="s">AzureWorkloadSession</span><span class="sh">"</span><span class="p">,</span> <span class="n">WebIdentityToken</span><span class="o">=</span><span class="n">azure_token</span><span class="p">.</span><span class="n">token</span> <span class="p">)</span> <span class="n">creds</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Credentials</span><span class="sh">'</span><span class="p">]</span> <span class="k">return</span> <span class="n">boto3</span><span class="p">.</span><span class="nc">Session</span><span class="p">(</span> <span class="n">aws_access_key_id</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">'</span><span class="s">AccessKeyId</span><span class="sh">'</span><span class="p">],</span> <span class="n">aws_secret_access_key</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">'</span><span class="s">SecretAccessKey</span><span class="sh">'</span><span class="p">],</span> <span class="n">aws_session_token</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">'</span><span class="s">SessionToken</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Federation failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <p>This identity exchange provides the necessary credentials for cross-cloud operations. However, if the Azure workload needs to perform frequent operations, how do we optimize the token exchange to avoid hitting AWS STS rate limits or introducing unnecessary latency?</p> <h4> Step 3: Optimizing Credential Caching and Refresh Cycles </h4> <p>High-performance architectures must minimize the overhead of the identity federation process by implementing an intelligent credential caching layer. Since the AWS STS credentials have a defined expiration period (typically one hour), requesting a new token for every individual API call is inefficient and introduces a single point of failure. We implement a wrapper that caches the <code>boto3.Session</code> object and only triggers a refresh when the current credentials are within a five-minute grace period of expiring. This strategy ensures that the application always has a valid session ready for use. By integrating this into the Hexagonal Architecture as a singleton adapter, we provide the domain services with a seamless interface to AWS resources while maintaining the security benefits of short-lived tokens and strictly avoiding local storage of secrets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># identity_service/session_manager.py </span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="k">class</span> <span class="nc">CachedSessionManager</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">adapter</span><span class="p">:</span> <span class="n">MulticloudIdentityAdapter</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">adapter</span> <span class="o">=</span> <span class="n">adapter</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">get_session</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">boto3</span><span class="p">.</span><span class="n">Session</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Returns a cached session or refreshes it if near expiration. </span><span class="sh">"""</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="ow">or</span> <span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="ow">and</span> <span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="o">-</span> <span class="n">now</span><span class="p">).</span><span class="n">seconds</span> <span class="o">&lt;</span> <span class="mi">300</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Refreshing multicloud session...</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">adapter</span><span class="p">.</span><span class="nf">get_aws_session</span><span class="p">()</span> <span class="c1"># We fetch the expiry from the first client call or STS response </span> <span class="c1"># Simplified for implementation demonstration </span> <span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_expiry</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_current_session</span><span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="k">def</span> <span class="nf">_extract_expiry</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="n">boto3</span><span class="p">.</span><span class="n">Session</span><span class="p">):</span> <span class="c1"># In a real implementation, extract the 'Expiration' from the STS response </span> <span class="c1"># stored during the get_aws_session call. </span> <span class="k">return</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="n">hour</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="n">hour</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdigk0j0nj77dw2lus4jt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdigk0j0nj77dw2lus4jt.png" alt="Sequence Diagram" width="799" height="450"></a></p> <p>The credential lifecycle management ensures reliable access across cloud providers. What architectural safeguards are required to maintain security when an Azure Managed Identity is decommissioned but its associated AWS IAM role remains active?</p> <h3> Common Troubleshooting </h3> <p>A frequent issue when configuring OIDC federation is a <code>Signature Verification Failed</code> error during the AWS STS call. This typically occurs because the OIDC thumbprint in the AWS OIDC Provider resource is outdated. Microsoft rotates its root CA certificates periodically. Ensure your Terraform configuration uses a dynamic thumbprint retrieval mechanism or includes the current root thumbprint for the Microsoft identity platform to prevent service disruption during rotation events.</p> <p>Another common failure is the <code>InvalidIdentityToken</code> exception. This often indicates a mismatch between the <code>aud</code> (audience) claim in the Azure token and the <code>client_id</code> configured in the AWS OIDC Provider. Verify that the scope requested in the Azure Python code precisely matches the <code>client_id_list</code> in Terraform. Note that Azure often prefixes the audience with <code>api://</code>, and this must be consistently reflected across both cloud configurations.</p> <p>Finally, verify that the Azure Managed Identity has the <code>Sign-in</code> permission for the specific application registration. Without the correct service principal permissions in Azure, the <code>get_token</code> call will return a <code>403 Forbidden</code> error before the request even reaches the AWS boundary. Use the Azure CLI to validate the token content manually during the initial debugging phase to ensure all required claims are present.</p> <h3> Conclusion </h3> <p>Implementing OIDC Workload Identity Federation is the most robust method for securing service-to-service communication between AWS and Azure. By eliminating static keys and leveraging short-lived, cryptographically verified tokens, you significantly reduce the risk of credential compromise. The use of Hexagonal adapters and intelligent caching ensures that this security posture does not come at the cost of performance or code maintainability. As a next step, consider implementing AWS IAM Access Analyzer to continuously monitor the federation trust policies, ensuring that your multicloud identity perimeter remains hardened against unauthorized changes or overly permissive configurations.</p> <h3> References </h3> <p>Humble, J., &amp; Farley, D. (2010). <em>Continuous delivery: Reliable software releases through build, test, and deployment automation</em>. Pearson Education.</p> <p>Microsoft. (2024). <em>Workload identity federation</em>. Microsoft Entra Documentation. <a href="">https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation</a></p> <p>National Institute of Standards and Technology. (2020). <em>Attribute-based access control</em>. NIST Special Publication 800-162.</p> <p>Wardley, S. (2016). <em>Wardley maps: Topographical intelligence in business strategy</em>. Medium. <a href="">https://medium.com/wardleymaps</a></p> azure aws terraform python Cláudio Filipe Lima Rapôso Thu, 14 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/unified-multicloud-observability-orchestrating-distributed-tracing-with-opentelemetry-1327 https://forem.com/sertaoseracloud/unified-multicloud-observability-orchestrating-distributed-tracing-with-opentelemetry-1327 <p>Distributed architectures spanning Amazon Web Services and Microsoft Azure frequently suffer from observability fragmentation. When a request originates in an AWS-hosted API Gateway, traverses a set of microservices, and triggers a specialized worker in Azure, the visibility chain often breaks at the provider boundary. Engineering teams find themselves navigating isolated dashboards in CloudWatch and Azure Monitor, attempting to manually correlate timestamps and request IDs while the Mean Time To Resolution (MTTR) escalates. This lack of a unified telemetry pipeline conceals latent bottlenecks and makes identifying the root cause of cross-cloud failures nearly impossible. The definitive architectural solution is the implementation of a vendor-agnostic OpenTelemetry (OTel) Collector mesh. By standardizing the collection, processing, and exportation of traces, metrics, and logs using the W3C Trace Context, organizations can achieve a single, high-fidelity view of the entire request lifecycle across heterogeneous cloud environments (Sridharan, 2018).</p> <h3> Prerequisites </h3> <p>Implementing this observability framework requires Terraform version 1.8.0 or higher to manage cross-cloud provider configurations. You must utilize the AWS provider (version 5.40+) and the AzureRM provider (version 3.90+). The instrumentation logic requires Python 3.12 with the <code>opentelemetry-api</code>, <code>opentelemetry-sdk</code>, and <code>opentelemetry-exporter-otlp</code> libraries. A deep understanding of distributed tracing concepts, specifically spans, traces, and context propagation, is essential. Furthermore, you must ensure that your network topology allows for outbound traffic to the OpenTelemetry Collector endpoints over gRPC or HTTP/protobuf.</p> <h3> Step-by-Step </h3> <h4> Provisioning the OpenTelemetry Collector Infrastructure </h4> <p>The initial phase involves deploying the OpenTelemetry Collector as a gateway service in both AWS and Azure. The collector acts as a centralized processing unit that receives telemetry data from local microservices, applies transformations, and exports it to a backend of choice, such as Jaeger, Honeycomb, or Managed Grafana. We utilize Terraform to deploy the collector on AWS Elastic Container Service (ECS) and Azure Container Instances (ACI). By positioning the collector close to the services, we minimize the impact of telemetry export on application latency. The architectural justification for this mesh is the decoupling of instrumentation from the backend destination. This ensures that if the organization decides to switch observability vendors, only the collector configuration needs to be updated, rather than refactoring the code across the entire microservice ecosystem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># observability/otel_collector.tf</span> <span class="k">resource</span> <span class="s2">"aws_ecs_task_definition"</span> <span class="s2">"otel_collector"</span> <span class="p">{</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"otel-collector-task"</span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">requires_compatibilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">]</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"512"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"1024"</span> <span class="nx">container_definitions</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-otel-collector"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"public.ecr.aws/aws-observability/aws-otel-collector:latest"</span> <span class="nx">command</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"--config=/etc/otel-collector-config.yaml"</span><span class="p">]</span> <span class="nx">portMappings</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">4317</span><span class="p">,</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">4317</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">},</span> <span class="c1"># gRPC</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">4318</span><span class="p">,</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">4318</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="c1"># HTTP</span> <span class="p">]</span> <span class="nx">logConfiguration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">logDriver</span> <span class="p">=</span> <span class="s2">"awslogs"</span> <span class="nx">options</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"awslogs-group"</span> <span class="p">=</span> <span class="s2">"/ecs/otel-collector"</span> <span class="s2">"awslogs-region"</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="s2">"awslogs-stream-prefix"</span> <span class="p">=</span> <span class="s2">"otel"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_container_group"</span> <span class="s2">"otel_collector_azure"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aci-otel-collector"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="s2">"rg-observability"</span> <span class="nx">ip_address_type</span> <span class="p">=</span> <span class="s2">"Private"</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"Linux"</span> <span class="nx">container</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"otel-collector"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"otel/opentelemetry-collector-contrib:latest"</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"0.5"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"1.5"</span> <span class="nx">ports</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">4317</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This deployment establishes the necessary ingress points for our telemetry data. How do we ensure that a trace initiated in an AWS Lambda function persists its unique identity when it crosses the wire to trigger an Azure Function?</p> <h4> Implementing W3C Trace Context Propagation </h4> <p>We maintain the continuity of a trace by implementing explicit context propagation using the W3C Trace Context standard. In a multicloud Hexagonal Architecture, the instrumentation layer must inject trace headers into outgoing HTTP requests and extract them from incoming requests. We utilize Python OpenTelemetry SDKs to automate this process. When an AWS-hosted service calls an Azure-hosted endpoint, the SDK injects a <code>traceparent</code> header into the request. The Azure service then extracts this header to ensure that all spans generated within the Azure environment are associated with the original Trace ID. This standardized propagation is the technological glue that prevents trace fragmentation and allows observability tools to reconstruct the full sequence of events across cloud boundaries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># observability/tracing_adapter.py </span><span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">opentelemetry</span> <span class="kn">import</span> <span class="n">trace</span> <span class="kn">from</span> <span class="n">opentelemetry.propagate</span> <span class="kn">import</span> <span class="n">inject</span><span class="p">,</span> <span class="n">extract</span> <span class="kn">from</span> <span class="n">opentelemetry.trace.propagation.tracecontext</span> <span class="kn">import</span> <span class="n">TraceContextTextMapPropagator</span> <span class="k">class</span> <span class="nc">CrossCloudTracer</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">service_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="n">service_name</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">propagator</span> <span class="o">=</span> <span class="nc">TraceContextTextMapPropagator</span><span class="p">()</span> <span class="k">def</span> <span class="nf">perform_cross_cloud_call</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">target_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Injects W3C Trace Context headers into the outgoing request to ensure trace continuity between AWS and Azure. </span><span class="sh">"""</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">outgoing-request-to-azure</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># Injecting the current span context into the headers </span> <span class="n">self</span><span class="p">.</span><span class="n">propagator</span><span class="p">.</span><span class="nf">inject</span><span class="p">(</span><span class="n">headers</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">http.url</span><span class="sh">"</span><span class="p">,</span> <span class="n">target_url</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">cloud.platform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">multicloud_bridge</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">target_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="nc">Status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="n">StatusCode</span><span class="p">.</span><span class="n">OK</span><span class="p">))</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">record_exception</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="nc">Status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="n">StatusCode</span><span class="p">.</span><span class="n">ERROR</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)))</span> <span class="k">raise</span> <span class="c1"># Example extraction in the receiving service </span><span class="k">def</span> <span class="nf">handle_incoming_request</span><span class="p">(</span><span class="n">request_headers</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="c1"># Extract context from incoming W3C headers </span> <span class="n">context</span> <span class="o">=</span> <span class="nc">TraceContextTextMapPropagator</span><span class="p">().</span><span class="nf">extract</span><span class="p">(</span><span class="n">carrier</span><span class="o">=</span><span class="n">request_headers</span><span class="p">)</span> <span class="c1"># Start a new span as a child of the extracted context </span> <span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="sh">"</span><span class="s">azure-receiver-service</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">process-incoming-payload</span><span class="sh">"</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Processing request with trace continuity...</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5cyhioqxbl4qi41146q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5cyhioqxbl4qi41146q.png" alt="Sequence Diagram" width="800" height="464"></a></p> <p>Effective context propagation ensures we have the data, but what mechanism prevents a massive flood of telemetry spans from overwhelming our network and exponentially increasing cloud egress costs?</p> <h4> Optimizing Through Head-Based and Tail-Based Sampling </h4> <p>Managing the volume of telemetry data in a high-throughput multicloud environment is critical to maintaining both performance and cost-efficiency. We address this by implementing sophisticated sampling strategies within the OpenTelemetry Collector. Head-based sampling occurs at the start of a trace, where a decision is made to sample a fixed percentage of requests (e.g., 5% of all traffic). However, to capture the most valuable data, we implement tail-based sampling in the collector mesh. This strategy allows the collector to inspect the entire trace after all spans have arrived before deciding whether to keep it. We configure the collector to prioritize traces that include error statuses or high latency values. This ensures that while we reduce overall data volume, we retain 100% of the traces that indicate system degradation, providing maximum diagnostic utility without the overhead of full tracing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># observability/sampling_logic.py # While sampling is often done in the OTel Collector YAML, # it can be influenced by application-level logic. </span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace.sampling</span> <span class="kn">import</span> <span class="n">TraceIdRatioBased</span><span class="p">,</span> <span class="n">ParentBased</span> <span class="k">def</span> <span class="nf">get_sampler</span><span class="p">(</span><span class="n">rate</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="mf">0.1</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Returns a sampler that respects the parent</span><span class="sh">'</span><span class="s">s sampling decision but defaults to a specific ratio for new traces. This prevents broken traces in a multicloud flow. </span><span class="sh">"""</span> <span class="c1"># ParentBased ensures that if the AWS service sampled the trace, </span> <span class="c1"># the Azure service will also sample it. </span> <span class="k">return</span> <span class="nc">ParentBased</span><span class="p">(</span><span class="n">root</span><span class="o">=</span><span class="nc">TraceIdRatioBased</span><span class="p">(</span><span class="n">rate</span><span class="p">))</span> </code></pre> </div> <h3> Common Troubleshooting </h3> <p>A frequent obstacle in cross-cloud tracing is the "Context Gap," where an intermediary load balancer or proxy strips the <code>traceparent</code> header. If your traces appear as separate, disconnected segments in your backend, verify that your AWS Application Load Balancer or Azure Application Gateway is configured to preserve custom headers. In Azure Application Gateway, ensure that the rewrite rules do not accidentally remove non-standard headers.</p> <p>Another common issue involves clock drift between providers. If spans in Azure appear to start before the parent spans in AWS, the visualization will be distorted. While NTP (Network Time Protocol) synchronization is standard, significant drift can occur. In such cases, use the OpenTelemetry Collector's <code>attributes</code> processor to inject a <code>cloud.region</code> or <code>provider.timestamp</code> attribute, allowing for post-processing alignment in your observability backend.</p> <p>Finally, verify IAM and Managed Identity permissions. If the OTel Collector fails to export data, check for <code>Access Denied</code> errors in its internal logs. The AWS ECS task role requires permissions to write to X-Ray or CloudWatch if using those exporters, and the Azure Managed Identity must have the <code>Monitoring Metrics Publisher</code> role for Azure-specific backends.</p> <h3> Conclusion </h3> <p>Orchestrating observability across AWS and Azure is no longer a luxury but a requirement for modern cloud-native reliability. By deploying a federated OpenTelemetry Collector mesh and enforcing W3C Trace Context propagation, you eliminate the visibility gaps inherent in multicloud deployments. Implementing tail-based sampling further ensures that your observability remains cost-effective while focusing on the high-value traces necessary for debugging. As a next logical step, consider integrating OpenTelemetry Metrics and Logs into this same pipeline to achieve "Three Pillars" correlation, allowing you to pivot from a latent trace directly to the underlying container logs and resource metrics with a single click.</p> <h3> References </h3> <p>Majors, C., Fong-Jones, L., &amp; Stopford, B. (2022). <em>Observability engineering: Achieving predictability and reliability in complex systems</em>. O'Reilly Media.</p> <p>OpenTelemetry Authors. (2024). <em>W3C Trace Context specification</em>. World Wide Web Consortium. <a href="https://www.w3.org/TR/trace-context/" rel="noopener noreferrer">https://www.w3.org/TR/trace-context/</a></p> <p>Sridharan, M. (2018). <em>Distributed tracing in practice: Instrumenting, analyzing, and debugging microservices</em>. O'Reilly Media.</p> <p>Young, T. (2021). <em>Mastering distributed tracing: Analyzing the performance of complex distributed systems</em>. Packt Publishing.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Wed, 13 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/implementing-multicloud-data-sharding-with-hexagonal-storage-adapters-2ad https://forem.com/sertaoseracloud/implementing-multicloud-data-sharding-with-hexagonal-storage-adapters-2ad <p>Data residency requirements and regional compliance laws such as GDPR or LGPD often force architectures to fragment data across multiple cloud providers and geographic boundaries. When a centralized database becomes a legal or performance bottleneck, engineering teams frequently resort to manual data duplication or brittle synchronization scripts. This fragmentation leads to inconsistent state, increased latency for cross-border users, and a massive expansion of the security attack surface. The definitive solution to this complexity is a Multicloud Data Sharding layer orchestrated through Hexagonal Architecture. By decoupling the domain entity from the underlying storage mechanism, we allow the application to route queries to specific cloud-native databases based on tenant metadata. This approach ensures that a Brazilian housing cooperative's data remains within Azure's South Brazil region while a European counterpart resides in AWS Frankfurt, all while maintaining a single, unified codebase and strictly adhering to data sovereignty mandates.</p> <h3> Prerequisites </h3> <p>Building this sharding plane requires Terraform version 1.8.0 or higher to manage cross-cloud provider states effectively. You must have the AWS provider (version 5.45+) and AzureRM provider (version 3.95+) initialized. The application logic requires Python 3.12 using the <code>SQLAlchemy</code> 2.0 library for database abstraction and <code>pydantic</code> for strict data validation. Advanced knowledge of Domain-Driven Design (DDD) is essential to identify the correct sharding keys within your bounded contexts. You will also need active Service Principals for Azure and IAM Roles for AWS with permissions to manage RDS and Azure SQL instances.</p> <h3> Step-by-Step </h3> <h4> Defining Geographic Sharding Boundaries </h4> <p>The first step in a multicloud sharding strategy involves the physical provisioning of isolated database clusters that serve as regional shards. We use Terraform to define these resources, ensuring that each database is configured with provider-specific best practices such as AWS Aurora for high-performance clusters and Azure SQL Database for serverless flexibility. Architectural integrity is maintained by ensuring that no shard shares a common network or credentials. Each shard must be tagged with a unique identifier that corresponds to a geographic region or a regulatory jurisdiction. This physical isolation prevents "noisy neighbor" effects and ensures that a regional outage in one cloud provider does not cascade into a global failure. We utilize a standardized naming convention to facilitate dynamic discovery during the application runtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># database_shards/main.tf</span> <span class="k">variable</span> <span class="s2">"shard_configs"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">tier</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"shard_aws"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">shard_configs</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span> <span class="nx">if</span> <span class="nx">v</span><span class="p">.</span><span class="k">provider</span> <span class="p">==</span> <span class="s2">"aws"</span> <span class="p">}</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"db-shard-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2">"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">tier</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="s2">"tenant_data"</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">db_access</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ShardID</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">Regulatory</span> <span class="p">=</span> <span class="s2">"GDPR_Compliant"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_mssql_database"</span> <span class="s2">"shard_azure"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">shard_configs</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span> <span class="nx">if</span> <span class="nx">v</span><span class="p">.</span><span class="k">provider</span> <span class="p">==</span> <span class="s2">"azure"</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"db-shard-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2">"</span> <span class="nx">server_id</span> <span class="p">=</span> <span class="nx">azurerm_mssql_server</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">id</span> <span class="nx">collation</span> <span class="p">=</span> <span class="s2">"SQL_Latin1_General_CP1_CI_AS"</span> <span class="nx">max_size_gb</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">read_scale</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"S0"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ShardID</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">Regulatory</span> <span class="p">=</span> <span class="s2">"LGPD_Compliant"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This infrastructure provides the storage backbone for our distributed data. How does the application decide which cloud to query for a specific tenant without hardcoding environment-specific logic into the core domain?</p> <h4> Constructing Hexagonal Storage Adapters </h4> <p>We maintain architectural purity by implementing the Hexagonal Architecture pattern, where the domain logic interacts only with a storage port (an abstract interface). We define a <code>StoragePort</code> protocol in Python that specifies the required data operations, such as saving or retrieving a housing cooperative's records. We then develop specific adapters for AWS and Azure that implement this protocol using cloud-native drivers. The application uses a factory pattern to inject the correct adapter at runtime based on the tenant's regional metadata. This decoupling ensures that the core business logic remains agnostic of the underlying database engine or cloud provider. If a specific region requires a migration from AWS to Azure, only the adapter configuration changes while the core domain remains untouched, preserving the stability of the business rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># domain/ports.py </span><span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Protocol</span><span class="p">,</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span> <span class="kn">from</span> <span class="n">abc</span> <span class="kn">import</span> <span class="n">abstractmethod</span> <span class="k">class</span> <span class="nc">CooperativeRepositoryPort</span><span class="p">(</span><span class="n">Protocol</span><span class="p">):</span> <span class="nd">@abstractmethod</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">pass</span> <span class="nd">@abstractmethod</span> <span class="k">def</span> <span class="nf">get_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="k">pass</span> <span class="c1"># infrastructure/adapters.py </span><span class="kn">import</span> <span class="n">sqlalchemy</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">sessionmaker</span> <span class="k">class</span> <span class="nc">PostgresShardAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">connection_string</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">engine</span> <span class="o">=</span> <span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">create_engine</span><span class="p">(</span><span class="n">connection_string</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">Session</span> <span class="o">=</span> <span class="nf">sessionmaker</span><span class="p">(</span><span class="n">bind</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">engine</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="c1"># Operational logic for PostgreSQL in AWS </span> <span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">text</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO cooperatives (id, name, region) VALUES (:id, :name, :region)</span><span class="sh">"</span> <span class="p">),</span> <span class="n">data</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">class</span> <span class="nc">AzureSqlShardAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">connection_string</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">engine</span> <span class="o">=</span> <span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">create_engine</span><span class="p">(</span><span class="n">connection_string</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">Session</span> <span class="o">=</span> <span class="nf">sessionmaker</span><span class="p">(</span><span class="n">bind</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">engine</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="c1"># Operational logic for MS SQL in Azure </span> <span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">text</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO cooperatives (id, name, region) VALUES (:id, :name, :region)</span><span class="sh">"</span> <span class="p">),</span> <span class="n">data</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="bp">True</span> </code></pre> </div> <p>The use of ports and adapters ensures that the domain logic is protected from infrastructure churn. If a shard becomes unavailable due to a provider-wide outage, how does the system maintain partial availability for other regions while attempting a recovery?</p> <h4> Implementing Resilient Shard Resolution </h4> <p>Resilience in a sharded multicloud environment depends on a robust shard resolution mechanism that utilizes a globally distributed metadata store. We implement a <code>ShardResolver</code> that queries a lightweight mapping table, often stored in a highly available global service such as AWS DynamoDB Global Tables or Azure Cosmos DB. This resolver identifies the target cloud, the specific region, and the connection credentials for a given cooperative ID. To ensure high performance, these mappings are cached in memory using a TTL-based strategy. When a request enters the system, the resolver determines the correct shard and provides the corresponding adapter to the domain service. This architecture supports partial failure; if the AWS Frankfurt shard is offline, only the European tenants are affected while Brazilian tenants on Azure continue to operate without degradation. This granular isolation is the primary benefit of the cellular sharding pattern.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># application/services.py </span><span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Optional</span> <span class="k">class</span> <span class="nc">ShardResolver</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">metadata_store</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]):</span> <span class="c1"># In production, this would be a DynamoDB or CosmosDB call </span> <span class="n">self</span><span class="p">.</span><span class="n">metadata_store</span> <span class="o">=</span> <span class="n">metadata_store</span> <span class="k">def</span> <span class="nf">resolve_adapter</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">CooperativeRepositoryPort</span><span class="p">]:</span> <span class="n">shard_info</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">metadata_store</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">cooperative_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">shard_info</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Logic to return PostgresShardAdapter or AzureSqlShardAdapter </span> <span class="c1"># based on shard_info['provider'] </span> <span class="k">if</span> <span class="n">shard_info</span><span class="p">[</span><span class="sh">'</span><span class="s">provider</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">aws</span><span class="sh">'</span><span class="p">:</span> <span class="k">return</span> <span class="nc">PostgresShardAdapter</span><span class="p">(</span><span class="n">shard_info</span><span class="p">[</span><span class="sh">'</span><span class="s">dsn</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="nc">AzureSqlShardAdapter</span><span class="p">(</span><span class="n">shard_info</span><span class="p">[</span><span class="sh">'</span><span class="s">dsn</span><span class="sh">'</span><span class="p">])</span> <span class="k">class</span> <span class="nc">CooperativeService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">resolver</span><span class="p">:</span> <span class="n">ShardResolver</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">resolver</span> <span class="o">=</span> <span class="n">resolver</span> <span class="k">def</span> <span class="nf">create_cooperative</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]):</span> <span class="n">adapter</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">resolver</span><span class="p">.</span><span class="nf">resolve_adapter</span><span class="p">(</span><span class="n">cooperative_id</span><span class="p">)</span> <span class="k">if</span> <span class="n">adapter</span><span class="p">:</span> <span class="k">return</span> <span class="n">adapter</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">ConnectionError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">No shard found for ID </span><span class="si">{</span><span class="n">cooperative_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa5ov2zy9yh2zdzid4858.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa5ov2zy9yh2zdzid4858.png" alt="Diagram" width="426" height="554"></a></p> <p>This resolution logic ensures that traffic is always directed to the legally and geographically correct shard. How can we optimize the cross-shard reporting process when executives require a global view of data that is physically segregated across two different cloud providers?</p> <h3> Common Troubleshooting </h3> <p>A frequent issue in multicloud sharding is the exhaustion of connection pools in the application layer. Since each shard requires a distinct connection pool, an application pod connecting to fifty shards may consume an excessive amount of memory and file descriptors. To solve this, implement a dynamic pool recycler that closes idle connections to infrequently accessed shards or utilize a database proxy such as AWS RDS Proxy or Azure SQL Database Proxy to multiplex connections efficiently.</p> <p>Another critical failure point is the inconsistency between the global shard metadata and the actual state of the database shards. If a shard is migrated from AWS to Azure but the metadata store is not updated atomically, the application will experience "dead-end" routing errors. We mitigate this by using a two-phase commit or a saga pattern for shard migrations, ensuring that the metadata is updated only after the target database is fully synchronized and validated.</p> <p>Lastly, latency spikes can occur if the application is running in AWS but the metadata store is only in Azure. Always implement local caching of shard metadata within the application process and utilize a globally replicated database for the shard map to ensure the resolver always reads from the nearest regional endpoint.</p> <h3> Conclusion </h3> <p>Multicloud data sharding through Hexagonal Architecture provides a sophisticated framework for managing data sovereignty and architectural resilience. By isolating storage concerns into specific adapters and utilizing a global resolver, you ensure that your platform can scale across providers without sacrificing domain clarity or compliance. The next advanced step is to implement cross-shard distributed queries using a federated engine like Presto or Trino. This allows for analytical reporting across AWS and Azure shards without moving large volumes of sensitive data, providing a unified view of a geographically dispersed system.</p> <h3> References </h3> <p>Fowler, M. (2002). <em>Patterns of enterprise application architecture</em>. Addison-Wesley Professional.</p> <p>Kleppmann, M. (2017). <em>Designing data-intensive applications: The big ideas behind reliable, scalable, and maintainable systems</em>. O'Reilly Media.</p> <p>Microsoft. (2024). <em>Data sharding pattern</em>. Azure Architecture Center. <a href="https://learn.microsoft.com/en-us/azure/architecture/patterns/sharding" rel="noopener noreferrer">https://learn.microsoft.com/en-us/azure/architecture/patterns/sharding</a></p> <p>Post, G. (2023). <em>Global data residency: Architectural strategies for multicloud compliance</em>. Journal of Cloud Computing Research.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Tue, 12 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/engineering-multicloud-consensus-implementing-distributed-locking-with-fencing-tokens-31c https://forem.com/sertaoseracloud/engineering-multicloud-consensus-implementing-distributed-locking-with-fencing-tokens-31c <p>Distributed systems operating across Amazon Web Services and Microsoft Azure often encounter critical failures when attempting to manage shared global state. In a multicloud environment, where a command service in AWS and a worker process in Azure must coordinate access to a shared resource, such as a high-value financial ledger or a limited inventory pool, traditional local concurrency controls are insufficient. Relying on eventual consistency in these scenarios introduces the risk of race conditions, where simultaneous writes lead to data corruption or double-spending events. These failures result in direct revenue loss and a fundamental compromise of data integrity. The definitive architectural solution is the implementation of a Cross-Cloud Distributed Lock Manager (DLM) utilizing a high-consistency semaphore store. By using a centralized authority with conditional update capabilities, engineering teams can enforce mutual exclusion across cloud boundaries, ensuring that only one process operates on a protected resource at any given time (Kleppmann, 2017).</p> <h3> Prerequisites </h3> <p>To implement this distributed locking mechanism, you require Terraform version 1.7 or higher alongside the latest AWS (version 5.30+) and AzureRM (version 3.80+) providers. The implementation uses Python 3.12 with the <code>boto3</code> library for interacting with AWS DynamoDB and <code>azure-cosmos</code> for potential lease management in Azure. You must have established cross-cloud network connectivity, either via Site-to-Site VPN or a third-party interconnect, and configured IAM roles for Service Accounts (IRSA) on the AWS side and Managed Identities on the Azure side. Deep familiarity with the concepts of optimistic concurrency control and the CAP theorem is essential for understanding the trade-offs involved in consensus-based locking (Brewer, 2000).</p> <h3> Step-by-Step </h3> <h4> Step 1: Provisioning the Global Lock Table </h4> <p>The foundation of a multicloud distributed lock is a single, authoritative source of truth that supports atomic, conditional writes. We utilize Amazon DynamoDB with Global Tables to act as this semaphore store because it provides a strongly consistent read option and the <code>attribute_not_exists</code> conditional expression, which is required for atomic lock acquisition. This table serves as the global registry where lock identifiers are mapped to the owning process and an expiration timestamp. We use Terraform to define this infrastructure, ensuring the table is replicated across regions to maintain availability. The primary key is the resource identifier, and we enable the Time to Live (TTL) feature to provide an infrastructure-level safety net for expired leases. This centralized approach is an architectural necessity because consensus cannot be reliably achieved across cloud boundaries without a shared, high-availability state store.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># infrastructure/lock_store.tf</span> <span class="k">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"global_lock_manager"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cross-cloud-distributed-locks"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"resource_id"</span> <span class="nx">stream_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">stream_view_type</span> <span class="p">=</span> <span class="s2">"NEW_AND_OLD_IMAGES"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"resource_id"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="nx">ttl</span> <span class="p">{</span> <span class="nx">attribute_name</span> <span class="p">=</span> <span class="s2">"lease_expiry"</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Domain</span> <span class="p">=</span> <span class="s2">"DistributedConsensus"</span> <span class="nx">Architecture</span> <span class="p">=</span> <span class="s2">"Multicloud-DLM"</span> <span class="p">}</span> <span class="c1"># Ensure replication for multicloud availability</span> <span class="nx">replica</span> <span class="p">{</span> <span class="nx">region_name</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">replica</span> <span class="p">{</span> <span class="nx">region_name</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This infrastructure provides the atomic primitive needed to store the lock state. How do we prevent a scenario where a worker process in Azure acquires a lock but subsequently crashes, leaving the resource permanently inaccessible to other workers in AWS?</p> <h4> Step 2: Implementing the Lease Pattern with Heartbeats </h4> <p>We solve the problem of abandoned locks by implementing the Lease pattern, where a lock is not a permanent state but a time-bound grant. The worker process must acquire the lock for a specific duration and continuously renew it through a heartbeat mechanism. In our Python implementation, we use a Hexagonal Architecture approach to define a <code>LockManager</code> that executes a conditional <code>put_item</code> call. If the <code>resource_id</code> already exists and the current time is less than the <code>lease_expiry</code>, the acquisition fails, preventing concurrent access. If the acquisition succeeds, the worker receives a lease. We wrap the domain logic in a background thread that periodically updates the <code>lease_expiry</code> timestamp in DynamoDB. This heartbeat ensures that as long as the worker is healthy and the network is functional, the lock remains held, but if the process terminates, the lease naturally expires, allowing other nodes to compete for the resource (Vernon, 2013).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># distributed_locking/lock_manager.py </span><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">LockLease</span><span class="p">:</span> <span class="n">resource_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">owner_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">lease_duration</span><span class="p">:</span> <span class="nb">int</span> <span class="n">fencing_token</span><span class="p">:</span> <span class="nb">int</span> <span class="k">class</span> <span class="nc">DynamoDBLockManager</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">owner_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">table</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">table_name</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">owner_id</span> <span class="o">=</span> <span class="n">owner_id</span> <span class="k">def</span> <span class="nf">acquire_lock</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">resource_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">duration</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">30</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">LockLease</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Attempts to acquire a lease. Implements the </span><span class="sh">'</span><span class="s">fencing token</span><span class="sh">'</span><span class="s"> concept by incrementing a version number on every successful acquisition. </span><span class="sh">"""</span> <span class="n">expiry</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="o">+</span> <span class="n">duration</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Atomic conditional write: succeed only if item doesn't exist </span> <span class="c1"># OR the existing lease has already expired. </span> <span class="n">self</span><span class="p">.</span><span class="n">table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span> <span class="n">Item</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">resource_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">resource_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">owner_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">owner_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">lease_expiry</span><span class="sh">'</span><span class="p">:</span> <span class="n">expiry</span><span class="p">,</span> <span class="sh">'</span><span class="s">fencing_token</span><span class="sh">'</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="c1"># Millisecond epoch as token </span> <span class="p">},</span> <span class="n">ConditionExpression</span><span class="o">=</span><span class="sh">"</span><span class="s">attribute_not_exists(resource_id) OR lease_expiry &lt; :now</span><span class="sh">"</span><span class="p">,</span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">:now</span><span class="sh">'</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())}</span> <span class="p">)</span> <span class="k">return</span> <span class="nc">LockLease</span><span class="p">(</span><span class="n">resource_id</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">owner_id</span><span class="p">,</span> <span class="n">duration</span><span class="p">,</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">))</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Code</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">ConditionalCheckFailedException</span><span class="sh">'</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Lock acquisition failed for </span><span class="si">{</span><span class="n">resource_id</span><span class="si">}</span><span class="s">. Resource busy.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">raise</span> </code></pre> </div> <p>The lease pattern effectively handles process failures by allowing time-based recovery. What occurs if a process in Azure experiences a long garbage collection pause, its lease expires, another process in AWS acquires the lock, and then the original Azure process wakes up and attempts to complete its write?</p> <h4> Step 3: Enforcing Integrity with Fencing Tokens </h4> <p>To prevent the "delayed write" problem caused by execution pauses or network lag, we must implement Fencing Tokens. A fencing token is a monotonically increasing number generated by the lock service during every successful acquisition. In our implementation, we use a millisecond-precision epoch as the token. When a worker performs a write to the protected resource (e.g., updating a record in Azure Cosmos DB), it must include this token. The database then enforces a rule where it only accepts a write if the provided token is greater than the token of the last successful write. This ensures that even if an old worker attempts a write after its lease has expired and been reacquired, the write will be rejected by the data store. This mechanism provides a final layer of safety that guards against the limitations of distributed time and process scheduling.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwzn8nf9h6bv9k1dcolbu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwzn8nf9h6bv9k1dcolbu.png" alt="Sequence Diagram" width="781" height="589"></a></p> <h3> Common Troubleshooting </h3> <p>A frequent issue in multicloud locking is clock skew between AWS and Azure regions. If the system clock on an Azure VM is significantly behind the AWS DynamoDB clock, a lease might be perceived as expired by the DLM while the worker still believes it is valid. To mitigate this, always use the DynamoDB server-side time where possible or implement a "clock drift safety margin" by subtracting a few seconds from the lease duration on the client side.</p> <p>Another common failure point is the <code>ProvisionedThroughputExceededException</code> on the DynamoDB lock table. If hundreds of microservices are constantly polling for a lock on a highly contested resource, the table will throttle requests. Instead of aggressive polling, implement a truncated exponential backoff strategy. If a lock acquisition fails, the worker should wait for a randomized interval before retrying to prevent a thundering herd problem that exhausts your IOPS budget.</p> <p>Finally, ensure that the Azure worker identities have the <code>dynamodb:PutItem</code> and <code>dynamodb:GetItem</code> permissions via an OIDC-federated IAM role. A common error is a <code>403 Forbidden</code> response occurring when the worker attempts to acquire the lock due to a misconfigured Trust Relationship on the AWS IAM role side.</p> <h3> Conclusion </h3> <p>Implementing distributed locking across AWS and Azure is a fundamental requirement for maintaining data consistency in high-stakes multicloud architectures. By combining atomic conditional writes in DynamoDB, time-bound leases with heartbeats, and fencing tokens at the storage layer, you create a robust defense against race conditions and process failures. This pattern ensures that shared resources remain consistent regardless of the execution environment. As a next step, consider implementing the Redlock algorithm across three distinct regions or cloud providers to further eliminate the single-point-of-failure risk associated with a single cloud's control plane.</p> <h3> References </h3> <p>Brewer, E. A. (2000). <em>Towards robust distributed systems</em>. Proceedings of the Nineteenth Annual ACM Symposium on Principles of Distributed Computing.</p> <p>Kleppmann, M. (2017). <em>Designing data-intensive applications: The big ideas behind reliable, scalable, and maintainable systems</em>. O'Reilly Media.</p> <p>Lampson, B. W. (1996). <em>How to build a highly available system using consensus</em>. In Distributed Algorithms (pp. 1-17). Springer.</p> <p>Vernon, V. (2013). <em>Implementing domain-driven design</em>. Addison-Wesley Professional.</p> <p><strong>Generating slides ...</strong></p> azure aws terraform python Cláudio Filipe Lima Rapôso Mon, 11 May 2026 20:05:34 +0000 https://forem.com/sertaoseracloud/architecting-a-multicloud-event-sourcing-plane-for-hexagonal-microservices-52a7 https://forem.com/sertaoseracloud/architecting-a-multicloud-event-sourcing-plane-for-hexagonal-microservices-52a7 <p>State synchronization across distributed multicloud microservices often degenerates into a tangled web of distributed transactions and dual-write anti-patterns. When an Amazon Web Services hosted command service updates a core domain entity, failing to immediately propagate that state change to a Microsoft Azure hosted query projection leaves the system fundamentally inconsistent. This architectural flaw leads to phantom reads, corrupted user experiences, and severe debugging nightmares where distributed traces vanish across cloud provider boundaries. The definitive resolution to this fragility is implementing a multicloud Event Sourcing and Command Query Responsibility Segregation (CQRS) plane. By leveraging AWS EventBridge and Azure Event Grid as a unified enterprise service bus, and structuring the application payload using Hexagonal Architecture, engineering teams decouple state mutation from read projections entirely. This strategy ensures deterministic state reconstruction, guarantees eventual consistency across distinct cloud ecosystems, and enforces strict domain boundaries necessary for massive production scale.</p> <h3> Prerequisites </h3> <p>Executing this multicloud event-driven architecture requires Terraform version 1.7.0 or higher. You must configure the AWS provider (version 5.40.0+) and the AzureRM provider (version 3.90.0+). The application routing logic necessitates Python 3.12 utilizing the <code>boto3</code> (1.34+) and <code>azure-cosmos</code> (4.5+) libraries. A rigorous understanding of Domain-Driven Design principles, specifically aggregate roots, domain events, and bounded contexts, is mandatory. Engineers must possess advanced familiarity with AWS EventBridge API Destinations, IAM role assumption mechanisms, and Azure Event Grid custom topics to successfully establish the secure, federated message topology.</p> <h3> Step-by-Step </h3> <h4> Step 1: Provisioning the Federated Multicloud Event Bus </h4> <p>Establishing a reliable communication channel between isolated cloud providers requires an infrastructure layer that natively handles retries, authentication, and payload routing without introducing intermediary compute nodes. We accomplish this by configuring AWS EventBridge to act as the primary ingress for domain events and utilizing an EventBridge API Destination to securely forward these payloads directly to an Azure Event Grid custom topic. This topology completely eliminates the need for custom Lambda forwarders, thereby reducing operational overhead and cold start latency. We deploy this configuration using Terraform to ensure deterministic infrastructure states. The AWS EventBridge connection resource securely manages the Azure Event Grid Shared Access Signature key, injecting it into the authorization headers dynamically. By binding an EventBridge rule to this API destination, we filter and route only specific bounded context events, preventing unnecessary egress costs and ensuring Azure only receives payloads strictly relevant to its query projections.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># multicloud_bus/main.tf</span> <span class="k">variable</span> <span class="s2">"azure_event_grid_endpoint"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The HTTPS endpoint for the Azure Event Grid Custom Topic"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"azure_event_grid_sas_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The SAS key for Azure Event Grid authentication"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_connection"</span> <span class="s2">"azure_federation"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-event-grid-connection"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Secure connection to Azure Event Grid"</span> <span class="nx">authorization_type</span> <span class="p">=</span> <span class="s2">"API_KEY"</span> <span class="nx">auth_parameters</span> <span class="p">{</span> <span class="nx">api_key</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"aeg-sas-key"</span> <span class="nx">value</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">azure_event_grid_sas_key</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_api_destination"</span> <span class="s2">"azure_target"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-event-grid-destination"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Forward domain events to Azure"</span> <span class="nx">invocation_endpoint</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">azure_event_grid_endpoint</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="s2">"POST"</span> <span class="nx">invocation_rate_limit_per_second</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">connection_arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_connection</span><span class="p">.</span><span class="nx">azure_federation</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"logistics_events"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"capture-logistics-domain-events"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Capture all shipment manifest events"</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"corp.logistics.shipment"</span><span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"azure_forwarder"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">logistics_events</span><span class="p">.</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"SendToAzureEventGrid"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_api_destination</span><span class="p">.</span><span class="nx">azure_target</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>This infrastructure efficiently routes raw bytes from AWS to Azure seamlessly. How do we guarantee the structural integrity and semantic meaning of these events as they traverse these distinct architectural boundaries?</p> <h4> Step 2: Enforcing Domain Event Contracts via Hexagonal Ports </h4> <p>We guarantee structural integrity by enforcing a strict schema registry and utilizing Hexagonal Architecture to isolate the event publishing mechanism from the core domain logic. In a pure DDD implementation, the core domain must remain blissfully unaware of cloud provider specifics. We achieve this dependency inversion by defining a precise domain event contract using Python dataclasses and establishing an abstract protocol (the port). The infrastructure layer then implements this protocol (the adapter), translating the abstract domain event into a concrete <code>boto3</code> EventBridge payload formatted to the CloudEvents specification. This separation of concerns ensures that if the enterprise decides to migrate the message broker from EventBridge to Apache Kafka, the core domain logic remains untouched. The adapter is strictly responsible for handling AWS specific error handling, retries, and batching constraints, ensuring the command service remains highly cohesive and loosely coupled.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># domain/events.py </span><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Protocol</span><span class="p">,</span> <span class="n">List</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span><span class="p">,</span> <span class="n">asdict</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">class</span> <span class="nc">ShipmentDispatchedEvent</span><span class="p">:</span> <span class="n">aggregate_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">tracking_number</span><span class="p">:</span> <span class="nb">str</span> <span class="n">carrier_code</span><span class="p">:</span> <span class="nb">str</span> <span class="n">sequence_number</span><span class="p">:</span> <span class="nb">int</span> <span class="n">occurred_on</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">()</span> <span class="k">class</span> <span class="nc">EventPublisherPort</span><span class="p">(</span><span class="n">Protocol</span><span class="p">):</span> <span class="k">def</span> <span class="nf">publish</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">events</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="n">ShipmentDispatchedEvent</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># infrastructure/adapters.py </span><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="k">class</span> <span class="nc">EventBridgeAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">event_bus_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">events</span><span class="sh">'</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">event_bus_name</span> <span class="o">=</span> <span class="n">event_bus_name</span> <span class="k">def</span> <span class="nf">publish</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">events</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="n">ShipmentDispatchedEvent</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">entries</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">event</span> <span class="ow">in</span> <span class="n">events</span><span class="p">:</span> <span class="n">entries</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">'</span><span class="s">Time</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="n">occurred_on</span><span class="p">),</span> <span class="sh">'</span><span class="s">Source</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">corp.logistics.shipment</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">DetailType</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">ShipmentDispatched</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Detail</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="nf">asdict</span><span class="p">(</span><span class="n">event</span><span class="p">)),</span> <span class="sh">'</span><span class="s">EventBusName</span><span class="sh">'</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">event_bus_name</span> <span class="p">})</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nf">put_events</span><span class="p">(</span><span class="n">Entries</span><span class="o">=</span><span class="n">entries</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">FailedEntryCount</span><span class="sh">'</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to publish events: </span><span class="si">{</span><span class="n">response</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">Partial failure during event publishing.</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully published </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">events</span><span class="p">)</span><span class="si">}</span><span class="s"> events to AWS EventBridge.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">error</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">AWS API Error: </span><span class="si">{</span><span class="n">error</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl2psjmfyse4gvibo2r7o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl2psjmfyse4gvibo2r7o.png" alt="Sequence Diagram" width="800" height="278"></a></p> <p>This decoupled publishing mechanism securely delivers payloads to the Azure boundary. What happens when the Azure consumer receives these events out of order due to network latency or Event Grid retry storms?</p> <h4> Step 3: Idempotent Materialized View Generation in Azure </h4> <p>When the Azure consumer receives events out of order, the system must rely on strict sequence versioning and idempotent projection logic to maintain state integrity. In a distributed multicloud system, chronological sorting is unreliable due to clock drift and asynchronous delivery guarantees. Instead, we implement Optimistic Concurrency Control using Azure Cosmos DB. The read projection handler functions as the consumer, intercepting the payload from Event Grid. It reads the current materialized view from Cosmos DB and compares the incoming event's sequence number against the stored document version. If the incoming event possesses a lower or equal sequence number, it is recognized as a stale or duplicate event and is safely discarded, ensuring idempotency. If the sequence is valid, the handler applies the state mutation and persists the updated document back to Cosmos DB utilizing the <code>_etag</code> property to prevent race conditions during concurrent updates. This pattern ensures that the Azure-hosted query API always serves eventual, yet mathematically correct, state reconstructions regardless of network anomalies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># projection/handler.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Dict</span> <span class="kn">from</span> <span class="n">azure.cosmos</span> <span class="kn">import</span> <span class="n">CosmosClient</span><span class="p">,</span> <span class="n">exceptions</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_cosmos_container</span><span class="p">():</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">CosmosClient</span><span class="p">(</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_DB_ENDPOINT</span><span class="sh">"</span><span class="p">],</span> <span class="n">credential</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_DB_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="n">database</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get_database_client</span><span class="p">(</span><span class="sh">"</span><span class="s">LogisticsQueryDB</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">database</span><span class="p">.</span><span class="nf">get_container_client</span><span class="p">(</span><span class="sh">"</span><span class="s">ShipmentProjections</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">process_event_grid_payload</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">container</span> <span class="o">=</span> <span class="nf">get_cosmos_container</span><span class="p">()</span> <span class="n">event_type</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">eventType</span><span class="sh">"</span><span class="p">)</span> <span class="n">event_data</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="k">if</span> <span class="n">event_type</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">ShipmentDispatched</span><span class="sh">"</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Ignoring irrelevant event type.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">aggregate_id</span> <span class="o">=</span> <span class="n">event_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">aggregate_id</span><span class="sh">"</span><span class="p">)</span> <span class="n">incoming_sequence</span> <span class="o">=</span> <span class="n">event_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">sequence_number</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Fetch the current state to validate sequences </span> <span class="n">current_state</span> <span class="o">=</span> <span class="n">container</span><span class="p">.</span><span class="nf">read_item</span><span class="p">(</span> <span class="n">item</span><span class="o">=</span><span class="n">aggregate_id</span><span class="p">,</span> <span class="n">partition_key</span><span class="o">=</span><span class="n">aggregate_id</span> <span class="p">)</span> <span class="n">current_sequence</span> <span class="o">=</span> <span class="n">current_state</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">if</span> <span class="n">incoming_sequence</span> <span class="o">&lt;=</span> <span class="n">current_sequence</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Discarding stale event. Incoming: </span><span class="si">{</span><span class="n">incoming_sequence</span><span class="si">}</span><span class="s">, Current: </span><span class="si">{</span><span class="n">current_sequence</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="k">except</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">CosmosResourceNotFoundError</span><span class="p">:</span> <span class="c1"># Document does not exist yet, proceed with creation </span> <span class="n">current_state</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">aggregate_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">partition_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">aggregate_id</span><span class="p">}</span> <span class="c1"># Apply state mutation </span> <span class="n">current_state</span><span class="p">[</span><span class="sh">"</span><span class="s">tracking_number</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">event_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tracking_number</span><span class="sh">"</span><span class="p">)</span> <span class="n">current_state</span><span class="p">[</span><span class="sh">"</span><span class="s">carrier_code</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">event_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">carrier_code</span><span class="sh">"</span><span class="p">)</span> <span class="n">current_state</span><span class="p">[</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">incoming_sequence</span> <span class="n">current_state</span><span class="p">[</span><span class="sh">"</span><span class="s">last_updated</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">event_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">occurred_on</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Upsert with Optimistic Concurrency Control using ETag if it exists </span> <span class="k">if</span> <span class="sh">"</span><span class="s">_etag</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">current_state</span><span class="p">:</span> <span class="n">container</span><span class="p">.</span><span class="nf">replace_item</span><span class="p">(</span> <span class="n">item</span><span class="o">=</span><span class="n">aggregate_id</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">current_state</span><span class="p">,</span> <span class="n">etag</span><span class="o">=</span><span class="n">current_state</span><span class="p">[</span><span class="sh">"</span><span class="s">_etag</span><span class="sh">"</span><span class="p">],</span> <span class="n">match_condition</span><span class="o">=</span><span class="n">exceptions</span><span class="p">.</span><span class="n">MatchConditions</span><span class="p">.</span><span class="n">IfNotModified</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">container</span><span class="p">.</span><span class="nf">create_item</span><span class="p">(</span><span class="n">body</span><span class="o">=</span><span class="n">current_state</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully projected view for aggregate </span><span class="si">{</span><span class="n">aggregate_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">CosmosPreconditionFailedError</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Concurrency conflict detected. Another process updated the view.</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">ETag mismatch during projection materialization.</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Common Troubleshooting </h3> <p>When federating EventBridge to Event Grid, engineers frequently encounter <code>401 Unauthorized</code> errors in the AWS CloudWatch logs for the API Destination target. Verify that the Azure Event Grid SAS key injected into the AWS EventBridge connection resource has not expired. The key must be explicitly rotated, and the Terraform workspace applied, before the Azure expiration policy invalidates the token. Furthermore, verify the API connection sets the header key precisely as <code>aeg-sas-key</code>; standard HTTP Authorization headers will be rejected by Azure.</p> <p>During the execution of the projection logic, encountering <code>azure.cosmos.exceptions.CosmosPreconditionFailedError</code> is an expected behavior during high-throughput concurrent processing of the same aggregate root. This exception indicates the optimistic concurrency lock prevented a race condition. Do not treat this as a fatal failure. Ensure your Azure Function handler is configured to retry on failure; the subsequent execution will fetch the updated <code>_etag</code> and process sequentially.</p> <p>Finally, if events appear to be missing entirely in the Azure Cosmos DB projection, inspect the AWS EventBridge Dead Letter Queue. Azure Event Grid enforces a strict 1MB maximum payload limit per event. If the command service attaches heavy, uncompressed payloads to the domain event, AWS will fail to forward the message and shunt it to the dead letter queue.</p> <h3> Conclusion </h3> <p>Implementing a multicloud event sourcing architecture fundamentally transforms brittle synchronous APIs into highly resilient, decoupled systems. By strictly adhering to Hexagonal Architecture and utilizing robust managed buses like EventBridge and Event Grid, we isolate vendor dependencies and guarantee structural integrity across cloud providers. The idempotent projection logic ensures that query models remain eventually consistent despite the inherent chaos of distributed networks. For advanced scaling, integrate OpenTelemetry across both providers to visualize the complete transaction lifecycle, mapping the exact latency from the AWS command entry point to the final Azure materialization.</p> <h3> References </h3> <p>Evans, E. (2004). <em>Domain-driven design: Tackling complexity in the heart of software</em>. Addison-Wesley Professional.</p> <p>Fowler, M. (2011). <em>CQRS</em>. MartinFowler.com. <a href="https://martinfowler.com/bliki/CQRS.html" rel="noopener noreferrer">https://martinfowler.com/bliki/CQRS.html</a></p> <p>Stopford, B. (2018). <em>Designing event-driven systems: Concepts and patterns for streaming services with Apache Kafka</em>. O'Reilly Media.</p> <p>Vernon, V. (2013). <em>Implementing domain-driven design</em>. Addison-Wesley Professional.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Fri, 08 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/implementing-cellular-observability-aws-cloudwatch-cross-account-observability-vs-azure-monitor-3n2i https://forem.com/sertaoseracloud/implementing-cellular-observability-aws-cloudwatch-cross-account-observability-vs-azure-monitor-3n2i <h4> Introduction </h4> <p>Distributed cellular architectures often suffer from observability fragmentation, where critical telemetry is trapped within isolated cloud silos. When an incident occurs in a cross-cloud cell, engineers frequently lose precious time toggling between disparate consoles, manually correlating timestamps, and attempting to reconstruct a unified trace of a failing transaction. This lack of a single pane of glass agitates the troubleshooting process, leading to increased Mean Time to Repair (MTTR) and hidden systemic failures that go undetected across cloud boundaries. The definitive architectural solution involves centralizing telemetry using AWS CloudWatch Cross-Account Observability and Azure Monitor with cross-resource queries. This strategy allows you to aggregate logs, metrics, and traces from multiple cells into a central monitoring account or workspace, providing a holistic view of the system's health while maintaining the strict operational isolation of the underlying compute cells.</p> <h4> Prerequisites </h4> <ul> <li> Terraform v1.6.0+ with configurations for AWS and Azure monitoring providers.</li> <li> AWS CLI and Azure CLI for verifying monitoring link status and workspace permissions.</li> <li> Python 3.11+ using <code>boto3</code> and <code>azure-mgmt-monitor</code> for automated alert threshold validation.</li> <li> Advanced understanding of the OTLP (OpenTelemetry Protocol) and distributed tracing standards.</li> <li> Familiarity with KQL (Kusto Query Language) for complex telemetry analysis in Azure.</li> </ul> <h4> Step-by-Step </h4> <h3> Establishing Telemetry Sinks and Cross-Account Links </h3> <p>The first requirement for cellular observability is the creation of a centralized telemetry sink that can receive data from isolated source accounts or subscriptions. In AWS, you configure a Monitoring Account to act as a sink for CloudWatch metrics and logs from multiple source accounts. In Azure, you leverage Log Analytics Workspaces as the central repository for logs and metrics across different resource groups or subscriptions. This centralized sink must be strictly decoupled from the cellular compute environments to ensure that a failure in a specific cell does not compromise the observability data required to diagnose that failure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS CloudWatch Monitoring Sink in the Central Account</span> <span class="nx">resource</span> <span class="s2">"aws_oam_sink"</span> <span class="s2">"central_observability_sink"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CentralCellularSink"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"oam:CreateLink"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ForAnyValue:StringEquals"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"oam:ResourceTypes"</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AWS::CloudWatch::Metric"</span><span class="p">,</span> <span class="s2">"AWS::Logs::LogGroup"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Azure Log Analytics Workspace for Centralized Monitoring</span> <span class="nx">resource</span> <span class="s2">"azurerm_log_analytics_workspace"</span> <span class="s2">"central_monitor"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"central-cellular-monitor"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">monitor_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">monitor_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">sku</span> <span class="p">=</span> <span class="s2">"PerGB2018"</span> <span class="nx">retention_in_days</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> </code></pre> </div> <p>Once the sinks are established, how do you securely link the source cells to the central monitoring account without granting broad, over-privileged access to the underlying data?</p> <h3> Configuring Source Links and Resource Propagation </h3> <p>With the central sink ready, you must configure each application cell to stream its telemetry data to the monitoring account. In AWS, this is achieved via a CloudWatch Observability Access Manager (OAM) Link, which defines exactly which resource types are shared. In Azure, you use Diagnostic Settings to point resource telemetry toward the central Log Analytics Workspace. This selective propagation ensures that the central monitoring team has visibility into the health of the cell (the "what") without necessarily having access to the raw data stored within the cell (the "how"), preserving data sovereignty and security boundaries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS CloudWatch Link in a Source Cell Account</span> <span class="nx">resource</span> <span class="s2">"aws_oam_link"</span> <span class="s2">"cell_alpha_to_central"</span> <span class="p">{</span> <span class="nx">label_template</span> <span class="p">=</span> <span class="s2">"$AccountName"</span> <span class="nx">resource_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AWS::CloudWatch::Metric"</span><span class="p">,</span> <span class="s2">"AWS::Logs::LogGroup"</span><span class="p">]</span> <span class="nx">sink_identifier</span> <span class="p">=</span> <span class="nx">aws_oam_sink</span><span class="p">.</span><span class="nx">central_observability_sink</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Azure Diagnostic Setting for Cell Beta Gateway</span> <span class="nx">resource</span> <span class="s2">"azurerm_monitor_diagnostic_setting"</span> <span class="s2">"gateway_telemetry"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"propagate-to-central"</span> <span class="nx">target_resource_id</span> <span class="p">=</span> <span class="nx">azurerm_api_management</span><span class="p">.</span><span class="nx">payment_cell_beta</span><span class="p">.</span><span class="nx">id</span> <span class="nx">log_analytics_workspace_id</span> <span class="p">=</span> <span class="nx">azurerm_log_analytics_workspace</span><span class="p">.</span><span class="nx">central_monitor</span><span class="p">.</span><span class="nx">id</span> <span class="nx">enabled_log</span> <span class="p">{</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"GatewayLogs"</span> <span class="p">}</span> <span class="nx">metric</span> <span class="p">{</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"AllMetrics"</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The telemetry data is now flowing into a centralized location. How do you construct a unified query that correlates an error log in an Azure cell with a latency spike in an AWS cell when they are triggered by the same global transaction ID?</p> <h3> Unified Cross-Cloud Querying and Correlation </h3> <p>Correlation across clouds relies on the standardized propagation of Trace Context (TraceID) and the ability to perform cross-resource queries. In Azure, you use KQL to query across multiple workspaces or subscriptions simultaneously. In AWS, the CloudWatch console automatically aggregates metrics and logs from all linked accounts. To achieve a truly unified view, you must implement a Python script that pulls metrics from both providers using their respective SDKs and normalizes them into a consistent format for analysis. This script acts as the integration layer, allowing you to see a complete timeline of an event as it traverses the cellular fabric.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">azure.mgmt.monitor</span> <span class="kn">import</span> <span class="n">MonitorManagementClient</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="k">def</span> <span class="nf">get_normalized_metrics</span><span class="p">(</span><span class="n">start_time</span><span class="p">,</span> <span class="n">end_time</span><span class="p">,</span> <span class="n">metric_name</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Fetches and normalizes metrics from both AWS and Azure for a unified view. </span><span class="sh">"""</span> <span class="c1"># Fetch AWS Metrics </span> <span class="n">cw</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">cloudwatch</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">)</span> <span class="n">aws_metrics</span> <span class="o">=</span> <span class="n">cw</span><span class="p">.</span><span class="nf">get_metric_statistics</span><span class="p">(</span> <span class="n">Namespace</span><span class="o">=</span><span class="sh">'</span><span class="s">AWS/ApiGateway</span><span class="sh">'</span><span class="p">,</span> <span class="n">MetricName</span><span class="o">=</span><span class="n">metric_name</span><span class="p">,</span> <span class="n">StartTime</span><span class="o">=</span><span class="n">start_time</span><span class="p">,</span> <span class="n">EndTime</span><span class="o">=</span><span class="n">end_time</span><span class="p">,</span> <span class="n">Period</span><span class="o">=</span><span class="mi">60</span><span class="p">,</span> <span class="n">Statistics</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">Average</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Fetch Azure Metrics </span> <span class="n">azure_creds</span> <span class="o">=</span> <span class="nc">DefaultAzureCredential</span><span class="p">()</span> <span class="n">monitor_client</span> <span class="o">=</span> <span class="nc">MonitorManagementClient</span><span class="p">(</span><span class="n">azure_creds</span><span class="p">,</span> <span class="sh">"</span><span class="s">your-subscription-id</span><span class="sh">"</span><span class="p">)</span> <span class="n">azure_metrics</span> <span class="o">=</span> <span class="n">monitor_client</span><span class="p">.</span><span class="n">metrics</span><span class="p">.</span><span class="nf">list</span><span class="p">(</span> <span class="sh">"</span><span class="s">resource-id-for-apim</span><span class="sh">"</span><span class="p">,</span> <span class="n">timespan</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">start_time</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">()</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">end_time</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="sh">'</span><span class="s">PT1M</span><span class="sh">'</span><span class="p">,</span> <span class="n">metricnames</span><span class="o">=</span><span class="n">metric_name</span><span class="p">,</span> <span class="n">aggregation</span><span class="o">=</span><span class="sh">'</span><span class="s">Average</span><span class="sh">'</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">aws</span><span class="sh">"</span><span class="p">:</span> <span class="n">aws_metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">Datapoints</span><span class="sh">'</span><span class="p">],</span> <span class="sh">"</span><span class="s">azure</span><span class="sh">"</span><span class="p">:</span> <span class="n">azure_metrics</span><span class="p">.</span><span class="n">value</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">timeseries</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">data</span> <span class="p">}</span> </code></pre> </div> <p>Telemetry is now centralized and queryable. How do you ensure that an alert triggered in the central monitoring account is routed back to the specific team responsible for the failing cell without creating a "noisy neighbor" effect that alerts everyone for a localized issue?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykux5dpt3nfhbc4p52rz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykux5dpt3nfhbc4p52rz.png" alt="Solution Diagram" width="800" height="338"></a></p> <h4> Common Troubleshooting </h4> <ol> <li> <strong>Metric Namespace Collisions:</strong> When aggregating metrics from multiple cells, identical namespace names (e.g., <code>Production/Payments</code>) make it impossible to distinguish the source. <ul> <li> <strong>Solution:</strong> Use the <code>label_template</code> in AWS OAM and custom dimensions in Azure Monitor to include the Account ID or Subscription ID in every metric name or dimension.</li> </ul> </li> <li> <strong>Latency in Cross-Region Log Aggregation:</strong> Logs from a remote region may take several minutes to appear in a central sink, causing alerts to trigger later than expected. <ul> <li> <strong>Solution:</strong> Use "In-Region" alerts for critical health signals (e.g., HTTP 5xx errors) and use the "Centralized Sink" primarily for long-term analysis, reporting, and non-critical correlation.</li> </ul> </li> <li> <strong>Missing Permissions for <code>oam:CreateLink</code>:</strong> The IAM role or user attempting to create the link in the source account lacks the necessary permissions to interact with the central sink. <ul> <li> <strong>Solution:</strong> Ensure the Sink Policy in the central account explicitly allows the Source Account ID to perform <code>oam:CreateLink</code>.</li> </ul> </li> </ol> <h4> Conclusion </h4> <p>Cellular observability transforms isolated streams of data into a cohesive narrative of system behavior. By implementing AWS CloudWatch Cross-Account Observability and Azure Monitor centralized logging, you gain the visibility necessary to manage complex, multi-cloud architectures. This centralized approach preserves the autonomy of individual cells while providing the high-level oversight required for global incident response. As a next step, you should explore the implementation of Synthetic Canaries that run from multiple geographic locations, simulating user traffic to validate that both the application logic and the observability pipelines are functioning correctly across all cloud boundaries.</p> <h4> References </h4> <p>Amazon Web Services. (2023). <em>CloudWatch cross-account observability</em>. AWS User Guide. <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html</a></p> <p>Microsoft. (2024). <em>Standardize monitoring with Azure Monitor</em>. Microsoft Learn. <a href="https://learn.microsoft.com/en-us/azure/azure-monitor/best-practices-analysis" rel="noopener noreferrer">https://learn.microsoft.com/en-us/azure/azure-monitor/best-practices-analysis</a></p> <p>OpenTelemetry Authors. (2023). <em>OpenTelemetry Specification</em>. <a href="https://opentelemetry.io/docs/specs/otel/" rel="noopener noreferrer">https://opentelemetry.io/docs/specs/otel/</a></p> aws azure terraform python Cláudio Filipe Lima Rapôso Thu, 07 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/implementing-cellular-data-sovereignty-aws-dynamodb-global-tables-vs-azure-cosmos-db-multi-region-2o0i https://forem.com/sertaoseracloud/implementing-cellular-data-sovereignty-aws-dynamodb-global-tables-vs-azure-cosmos-db-multi-region-2o0i <h4> Introduction </h4> <p>Data gravity often forces architectural compromises that lead to regional lock-in and high-latency cross-cloud synchronization. When building cellular systems, the primary challenge is ensuring that data remains local to the compute cell for performance while remaining globally available for disaster recovery. Traditional active-passive database replication creates a bottleneck where a failure in the primary region halts all write operations across the entire global fabric. Agitating the problem, manual conflict resolution in multi-master setups often leads to data corruption or "last-writer-wins" scenarios that destroy business logic integrity. The definitive architectural solution involves implementing truly multi-region, multi-active state stores using AWS DynamoDB Global Tables and Azure Cosmos DB with multi-region writes. This approach ensures that every cell has a local, writable copy of the data, providing single-digit millisecond latency and deterministic conflict resolution managed by the cloud control plane.</p> <h4> Prerequisites </h4> <ul> <li> Terraform v1.6.0+ with providers for AWS and Azure.</li> <li> AWS CLI and Azure CLI for verifying replication lag and consistency levels.</li> <li> Python 3.11+ using <code>boto3</code> and <code>azure-cosmos</code> (v4.5.0+) for consistency validation.</li> <li> Deep understanding of the CAP Theorem (Consistency, Availability, Partition Tolerance) and its implications on distributed systems.</li> <li> Familiarity with CRDTs (Conflict-free Replicated Data Types) and vector clocks for eventual consistency management.</li> </ul> <h4> Step-by-Step </h4> <h3> Provisioning Multi-Active Global State Stores </h3> <p>To achieve cellular isolation, each cell must interact with a database endpoint that is physically co-located within the same cloud region. You must provision database resources that support native, hardware-accelerated replication across geographic boundaries. AWS DynamoDB Global Tables automate the creation of identical tables across regions, handling the underlying stream-based replication. In Azure, Cosmos DB allows you to enable multi-region writes, turning every regional replica into a writable endpoint. This configuration eliminates the need for cross-region "home" routing, ensuring that a network partition between AWS and Azure does not stop a local cell from processing transactions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS DynamoDB Global Table for Cellular State</span> <span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"cellular_state"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"GlobalCellState"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"PK"</span> <span class="nx">range_key</span> <span class="p">=</span> <span class="s2">"SK"</span> <span class="nx">stream_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">stream_view_type</span> <span class="p">=</span> <span class="s2">"NEW_AND_OLD_IMAGES"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"PK"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"SK"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="nx">replica</span> <span class="p">{</span> <span class="nx">region_name</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">replica</span> <span class="p">{</span> <span class="nx">region_name</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Azure Cosmos DB with Multi-Region Writes</span> <span class="nx">resource</span> <span class="s2">"azurerm_cosmosdb_account"</span> <span class="s2">"cellular_cosmos"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cellular-state-cosmos"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">data_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">offer_type</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"GlobalDocumentDB"</span> <span class="nx">enable_multiple_write_locations</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">consistency_policy</span> <span class="p">{</span> <span class="nx">consistency_level</span> <span class="p">=</span> <span class="s2">"Session"</span> <span class="p">}</span> <span class="nx">geo_location</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="nx">failover_priority</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">geo_location</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"West US"</span> <span class="nx">failover_priority</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With writable endpoints available in every region, how do you prevent conflicting updates to the same record from occurring simultaneously in two different cells, and how is the "winner" determined without human intervention?</p> <h3> Defining Conflict Resolution Policies for Distributed Cells </h3> <p>When two cells update the same partition key at the same time, the system must have a deterministic way to resolve the collision. AWS DynamoDB Global Tables use a "Last Writer Wins" (LWW) strategy based on a hidden timestamp attribute managed by the service. Azure Cosmos DB offers more flexibility, allowing you to define custom conflict resolution policies, such as using a specific numeric property (e.g., a version counter) or a stored procedure to merge changes. You must choose a strategy that aligns with your domain logic; for financial transactions, a version-based check is often superior to a timestamp. This layer of logic ensures that the state across all cells eventually converges to a consistent value without requiring expensive distributed locks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Azure Cosmos DB Container with Custom Conflict Resolution</span> <span class="nx">resource</span> <span class="s2">"azurerm_cosmosdb_sql_container"</span> <span class="s2">"state_container"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CellData"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">data_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="nx">azurerm_cosmosdb_account</span><span class="p">.</span><span class="nx">cellular_cosmos</span><span class="p">.</span><span class="nx">name</span> <span class="nx">database_name</span> <span class="p">=</span> <span class="nx">azurerm_cosmosdb_sql_database</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">partition_key_path</span> <span class="p">=</span> <span class="s2">"/cellId"</span> <span class="nx">conflict_resolution_policy</span> <span class="p">{</span> <span class="nx">mode</span> <span class="p">=</span> <span class="s2">"LastWriterWins"</span> <span class="nx">conflict_resolution_path</span> <span class="p">=</span> <span class="s2">"/_ts"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The system is now replicating state and resolving conflicts. How do you measure the "staleness" of the data in a follower cell to ensure that your application logic does not make critical decisions based on out-of-date information during a replication lag spike?</p> <h3> Validating Replication Latency and Data Staleness </h3> <p>Observability in a distributed state store requires monitoring the gap between the time a record was written in the source cell and the time it becomes visible in the target cell. Both AWS and Azure provide metrics for replication latency (e.g., <code>ReplicationLatency</code> in DynamoDB and <code>Statelessness</code> in Cosmos DB). You must implement a validation script that periodically writes a "heartbeat" record to one cell and measures the time it takes to appear in all other cells. This data allows your application to dynamically adjust its behavior—for example, switching from "Eventual Consistency" to "Strong Consistency" reads if the replication lag exceeds a predefined threshold.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="k">def</span> <span class="nf">measure_dynamodb_replication_lag</span><span class="p">(</span><span class="n">table_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">source_region</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">target_region</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Measures the replication lag between two DynamoDB Global Table regions. </span><span class="sh">"""</span> <span class="n">src_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="n">source_region</span><span class="p">)</span> <span class="n">tgt_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="n">target_region</span><span class="p">)</span> <span class="n">test_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">lag-test-</span><span class="si">{</span><span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span><span class="si">}</span><span class="sh">"</span> <span class="n">write_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="c1"># Write heartbeat </span> <span class="n">src_client</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span> <span class="n">TableName</span><span class="o">=</span><span class="n">table_name</span><span class="p">,</span> <span class="n">Item</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">PK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">HEARTBEAT</span><span class="sh">'</span><span class="p">},</span> <span class="sh">'</span><span class="s">SK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">test_id</span><span class="p">},</span> <span class="sh">'</span><span class="s">WriteTimestamp</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">write_time</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">()}</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># Poll target region </span> <span class="k">for</span> <span class="n">attempt</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">20</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="n">tgt_client</span><span class="p">.</span><span class="nf">get_item</span><span class="p">(</span> <span class="n">TableName</span><span class="o">=</span><span class="n">table_name</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">PK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">HEARTBEAT</span><span class="sh">'</span><span class="p">},</span> <span class="sh">'</span><span class="s">SK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">test_id</span><span class="p">}}</span> <span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">Item</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">response</span><span class="p">:</span> <span class="n">read_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="n">lag</span> <span class="o">=</span> <span class="p">(</span><span class="n">read_time</span> <span class="o">-</span> <span class="n">write_time</span><span class="p">).</span><span class="nf">total_seconds</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SUCCESS</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">lag_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="n">lag</span><span class="p">}</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.5</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">TIMEOUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Replication exceeded 10 seconds</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># Performance check for the data cell </span><span class="n">lag_report</span> <span class="o">=</span> <span class="nf">measure_dynamodb_replication_lag</span><span class="p">(</span><span class="sh">"</span><span class="s">GlobalCellState</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">us-west-2</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">lag_report</span><span class="p">)</span> </code></pre> </div> <p>State is synchronized and monitored. How do you handle a scenario where a specific cell must perform a "Strongly Consistent" read across clouds to verify a global limit (e.g., a credit balance) without sacrificing the low-latency benefits of the cellular model?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjrzefjfe9dq58olihtom.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjrzefjfe9dq58olihtom.png" alt="Solution Diagram" width="800" height="399"></a></p> <h4> Common Troubleshooting </h4> <ol> <li> <strong>Capacity Bottlenecks on Replicas:</strong> If a replica region has lower provisioned throughput than the source region, replication will throttle, leading to massive lag. <ul> <li> <strong>Solution:</strong> Always use "On-Demand" (AWS) or "Autoscale" (Azure) for cellular databases to ensure all regions scale symmetrically. Verify <code>ThrottledRequests</code> metrics in both providers.</li> </ul> </li> <li> <strong>LWW Timestamp Precision:</strong> Last-writer-wins relies on server-side timestamps. If two writes occur within the same millisecond in different regions, the resolution is non-deterministic. <ul> <li> <strong>Solution:</strong> Use a custom "Version" attribute and implement a "Pre-condition" check (Optimistic Concurrency Control) at the application layer to ensure updates only happen if the version matches the expected state.</li> </ul> </li> </ol> <h4> Conclusion </h4> <p>Multi-active data replication is the engine that drives high-availability cellular architectures. By leveraging AWS DynamoDB Global Tables and Azure Cosmos DB, you remove the "master region" bottleneck and provide every cell with the data it needs to operate autonomously. This design ensures that your system can survive the loss of an entire cloud region while maintaining data integrity. As a next step, you should explore implementing "Cell-Local" caching layers using Redis or Dragonfly to further reduce the load on the global state stores and improve response times for read-heavy workloads.</p> <h4> References </h4> <p>Amazon Web Services. (2024). <em>Amazon DynamoDB Global Tables: Multi-region replication for DynamoDB</em>. <a href="https://aws.amazon.com/dynamodb/global-tables/" rel="noopener noreferrer">https://aws.amazon.com/dynamodb/global-tables/</a></p> <p>Kleppmann, M. (2017). <em>Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems</em>. O'Reilly Media.</p> <p>Microsoft. (2023). <em>Configure multi-region writes in your applications that use Azure Cosmos DB</em>. Microsoft Learn. <a href="https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/how-to-multi-write" rel="noopener noreferrer">https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/how-to-multi-write</a></p> aws azure terraform python Cláudio Filipe Lima Rapôso Wed, 06 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/implementing-cellular-isolation-aws-iam-roles-for-anywhere-vs-azure-workload-identity-for-1hnh https://forem.com/sertaoseracloud/implementing-cellular-isolation-aws-iam-roles-for-anywhere-vs-azure-workload-identity-for-1hnh <h4> Introduction </h4> <p>Credential sprawl in multi-cloud environments represents a catastrophic security risk where static, long-lived access keys act as dormant vulnerabilities waiting to be exploited. When application cells operating in one cloud provider must securely access sensitive state stores or message queues in another, engineers often resort to hardcoded service account keys or insecure environment variables. This practice violates the core tenet of cellular isolation by creating a global identity that, if compromised, allows an attacker to traverse across cloud boundaries and pivot between independent cells. The definitive architectural solution involves leveraging OpenID Connect (OIDC) to establish a trust relationship between AWS and Azure. By implementing AWS IAM Roles Anywhere and Azure Workload Identity, you enable each cell to exchange its native identity token for short-lived, scoped credentials. This strategy eliminates static secrets, enforces the principle of least privilege, and ensures that identity is as isolated and ephemeral as the compute cells it serves.</p> <h4> Prerequisites </h4> <ul> <li> Terraform v1.6.0+ with the <code>aws</code> and <code>azurerm</code> providers configured for identity federation.</li> <li> An active Public Key Infrastructure (PKI) or a private Certificate Authority (CA) such as AWS Private CA or Azure Key Vault Managed HSM.</li> <li> OpenSSL or a similar tool for generating X.509 certificates to be used with IAM Roles Anywhere.</li> <li> Python 3.11+ with <code>boto3</code> and <code>azure-identity</code> libraries for validating token exchange workflows.</li> <li> Advanced understanding of the OIDC (OpenID Connect) flow and JSON Web Token (JWT) structure.</li> </ul> <h4> Step-by-Step </h4> <h3> Establishing the Trust Anchor and Profile in AWS </h3> <p>Securing a cellular boundary requires a verifiable trust anchor that AWS can use to validate certificates issued to external workloads. AWS IAM Roles Anywhere extends the capabilities of IAM roles to workloads running outside of AWS, such as an application cell hosted in Azure. You must first create a Trust Anchor, which points to your private CA, and a Profile that defines which roles the external workload is permitted to assume. This decoupling ensures that even if a certificate is valid, the workload can only assume roles that match the specific policy constraints of its designated cell. This configuration transforms identity from a static secret into a cryptographic proof of origin.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS IAM Roles Anywhere Trust Anchor</span> <span class="nx">resource</span> <span class="s2">"aws_rolesanywhere_trust_anchor"</span> <span class="s2">"azure_cell_alpha"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-cell-alpha-anchor"</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">source_data</span> <span class="p">{</span> <span class="nx">x509_certificate_data</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"ca-certificates.crt"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">source_type</span> <span class="p">=</span> <span class="s2">"CERTIFICATE_BUNDLE"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IAM Role with Trust Policy for Roles Anywhere</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"cell_alpha_access_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CellAlphaCrossCloudRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span><span class="p">,</span> <span class="s2">"sts:SetSourceIdentity"</span> <span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"rolesanywhere.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"aws:PrincipalTag/x509Subject/CN"</span><span class="err">:</span> <span class="s2">"cell-alpha.azure.enterprise.local"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>With the AWS trust anchor established, how do you verify that an Azure-based cell is actually the entity it claims to be before it attempts to assume the role, especially when certificates might be valid but issued to the wrong service?</p> <h3> Configuring Azure Workload Identity for Federated Trust </h3> <p>Azure Workload Identity provides a mechanism to assign an identity to a pod or service running in Azure and federate that identity with external providers like AWS. You must create a Managed Identity in Azure and configure a federated identity credential that links the Azure identity to the AWS OIDC provider. This creates a bidirectional trust loop: Azure vouches for the workload's identity via a signed JWT, and AWS validates that JWT against its internal OIDC configuration. By using Azure Workload Identity, you ensure that the application cell never handles raw credentials; instead, it requests a token from the local identity endpoint, which is then presented to AWS for credential exchange.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Azure User Assigned Managed Identity</span> <span class="nx">resource</span> <span class="s2">"azurerm_user_assigned_identity"</span> <span class="s2">"cell_alpha_identity"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cell-alpha-identity"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">cellular_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">cellular_rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># Federated Identity Credential for AWS OIDC</span> <span class="nx">resource</span> <span class="s2">"azurerm_federated_identity_credential"</span> <span class="s2">"aws_federation"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cell-alpha-aws-federation"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">cellular_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">audience</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"api://AzureADTokenExchange"</span><span class="p">]</span> <span class="nx">issuer</span> <span class="p">=</span> <span class="nx">azurerm_kubernetes_cluster</span><span class="p">.</span><span class="nx">cell_cluster</span><span class="p">.</span><span class="nx">oidc_issuer_url</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_user_assigned_identity</span><span class="p">.</span><span class="nx">cell_alpha_identity</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subject</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:payments:cell-alpha-sa"</span> <span class="p">}</span> </code></pre> </div> <p>The trust is now established between the two cloud providers. How do you implement the actual runtime exchange logic within the application code to ensure that the transition from an Azure token to an AWS session is both performant and resilient to network latency?</p> <h3> Orchestrating Runtime Credential Exchange </h3> <p>The runtime exchange involves a multi-step handshake where the application retrieves an Azure AD token and exchanges it for AWS temporary security credentials. You must implement a signing process where the Azure Managed Identity signs a request to the AWS IAM Roles Anywhere endpoint. This process uses the <code>boto3</code> SDK in conjunction with the <code>azure-identity</code> library. The application logic must be partition-aware, ensuring it only requests the role associated with its specific cellular boundary. We implement a Python wrapper that handles the certificate-based signing required by AWS Roles Anywhere to obtain a scoped STS (Security Token Service) session.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="k">def</span> <span class="nf">get_cross_cloud_aws_session</span><span class="p">(</span><span class="n">trust_anchor_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">profile_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">role_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Exchanges Azure identity context for temporary AWS credentials using IAM Roles Anywhere certificate signing. </span><span class="sh">"""</span> <span class="c1"># In a production cellular environment, the certificate and private key </span> <span class="c1"># are mounted as projected volumes via Azure Key Vault or cert-manager. </span> <span class="n">cert_path</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/var/run/secrets/cellular/client.crt</span><span class="sh">"</span> <span class="n">private_key_path</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/var/run/secrets/cellular/client.key</span><span class="sh">"</span> <span class="c1"># Utilizing the AWS Roles Anywhere helper or signing logic </span> <span class="c1"># to generate a Signature Version 4 request. </span> <span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">rolesanywhere</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Note: Actual signing requires a custom process or the aws-sigv4-proxy </span> <span class="c1"># This represents the logic of obtaining the temporary session. </span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">create_session</span><span class="p">(</span> <span class="n">cert</span><span class="o">=</span><span class="n">cert_path</span><span class="p">,</span> <span class="n">profileArn</span><span class="o">=</span><span class="n">profile_arn</span><span class="p">,</span> <span class="n">roleArn</span><span class="o">=</span><span class="n">role_arn</span><span class="p">,</span> <span class="n">trustAnchorArn</span><span class="o">=</span><span class="n">trust_anchor_arn</span> <span class="p">)</span> <span class="n">credentials</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">credentialSet</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">credentials</span><span class="sh">'</span><span class="p">]</span> <span class="k">return</span> <span class="n">boto3</span><span class="p">.</span><span class="nc">Session</span><span class="p">(</span> <span class="n">aws_access_key_id</span><span class="o">=</span><span class="n">credentials</span><span class="p">[</span><span class="sh">'</span><span class="s">accessKeyId</span><span class="sh">'</span><span class="p">],</span> <span class="n">aws_secret_access_key</span><span class="o">=</span><span class="n">credentials</span><span class="p">[</span><span class="sh">'</span><span class="s">secretAccessKey</span><span class="sh">'</span><span class="p">],</span> <span class="n">aws_session_token</span><span class="o">=</span><span class="n">credentials</span><span class="p">[</span><span class="sh">'</span><span class="s">sessionToken</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Credential exchange failed for cell: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="c1"># Example: Accessing an AWS DynamoDB Table from an Azure Cell </span><span class="n">aws_session</span> <span class="o">=</span> <span class="nf">get_cross_cloud_aws_session</span><span class="p">(</span> <span class="n">trust_anchor_arn</span><span class="o">=</span><span class="sh">"</span><span class="s">arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abc</span><span class="sh">"</span><span class="p">,</span> <span class="n">profile_arn</span><span class="o">=</span><span class="sh">"</span><span class="s">arn:aws:rolesanywhere:us-east-1:123456789012:profile/def</span><span class="sh">"</span><span class="p">,</span> <span class="n">role_arn</span><span class="o">=</span><span class="sh">"</span><span class="s">arn:aws:iam::123456789012:role/CellAlphaCrossCloudRole</span><span class="sh">"</span> <span class="p">)</span> <span class="n">dynamo</span> <span class="o">=</span> <span class="n">aws_session</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>Credentials are now scoped and ephemeral. How do you enforce a "kill switch" mechanism that can immediately invalidate all active sessions for a specific cell in the event of a detected identity anomaly without affecting the rest of the multi-cloud infrastructure?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frn2q8etw12ftdhtcb45k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frn2q8etw12ftdhtcb45k.png" alt="Sequence Diagram" width="800" height="344"></a></p> <h3> Implementing Identity Revocation and Policy Guardrails </h3> <p>A robust cellular architecture must include the capability to immediately revoke access for a compromised identity at the policy layer. You achieve this by using AWS IAM Service Control Policies (SCPs) and Azure Conditional Access policies that monitor for "impossible travel" or anomalous credential usage. In AWS, you can attach an inline policy to the Roles Anywhere Profile that denies all actions if a specific session tag indicates the cell is in "quarantine" mode. This allows for fine-grained revocation that targets only the affected cell. This layer of defense-in-depth ensures that even if an attacker manages to obtain a short-lived token, their window of opportunity can be closed programmatically across the entire multi-cloud fabric.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS IAM Policy for Conditional Revocation</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"cell_quarantine_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CellQuarantinePolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">cell_alpha_access_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"aws:PrincipalTag/CellStatus"</span><span class="err">:</span> <span class="s2">"Quarantined"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The identity lifecycle is now fully managed and revocable. How do you monitor for the silent failure of certificate renewals in the Azure cell, which could lead to a sudden and widespread loss of access to AWS state stores during a critical production window?</p> <h4> Common Troubleshooting </h4> <ol> <li> <strong>Clock Skew Mismatches:</strong> If the system time on the Azure host differs from AWS by more than 5 minutes, the STS <code>AssumeRole</code> request will fail with an <code>ExpiredToken</code> or <code>InvalidClientTokenId</code> error. <ul> <li> <strong>Solution:</strong> Ensure NTP (Network Time Protocol) synchronization is active on all Azure compute nodes. Validate the <code>IssuedAt</code> time in the Azure JWT before attempting the exchange.</li> </ul> </li> <li> <strong>Missing <code>sts:TagSession</code> Permissions:</strong> The IAM role in AWS must explicitly allow the <code>sts:TagSession</code> action in its trust policy if you are passing attributes from the certificate (like the Common Name) as session tags. <ul> <li> <strong>Solution:</strong> Update the Assume Role Policy Document to include <code>sts:TagSession</code> in the <code>Action</code> list. Check the CloudTrail logs for <code>AccessDenied</code> errors during the <code>CreateSession</code> call.</li> </ul> </li> <li> <strong>Intermediate CA Chain Validation:</strong> AWS IAM Roles Anywhere may fail to validate a certificate if the entire chain (Root CA and Intermediate CAs) is not correctly uploaded to the Trust Anchor. <ul> <li> <strong>Solution:</strong> Bundle the Root and all Intermediate certificates into a single PEM file before updating the <code>aws_rolesanywhere_trust_anchor</code> resource.</li> </ul> </li> </ol> <h4> Conclusion </h4> <p>Establishing a federated identity between AWS and Azure is the cornerstone of a secure multi-cloud cellular architecture. By removing static credentials and utilizing OIDC-based exchange via IAM Roles Anywhere and Azure Workload Identity, you ensure that identity is treated as a dynamic, cryptographic asset. This approach significantly reduces the attack surface and aligns with modern Zero Trust principles. As a next step, you should implement automated certificate rotation using HashiCorp Vault or AWS Private CA, ensuring that the cryptographic keys backing your cellular identity are refreshed frequently without manual intervention.</p> <h4> References </h4> <p>Amazon Web Services. (2022). <em>Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere</em>. AWS Security Blog. <a href="https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/" rel="noopener noreferrer">https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/</a></p> <p>Microsoft. (2023). <em>Workload identity federation</em>. Microsoft Entra ID Documentation. <a href="https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation" rel="noopener noreferrer">https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation</a></p> <p>Hardt, D. (2012). <em>The OAuth 2.0 Authorization Framework</em> (RFC 6749). IETF Data Tracker. <a href="https://datatracker.ietf.org/doc/html/rfc6749" rel="noopener noreferrer">https://datatracker.ietf.org/doc/html/rfc6749</a></p> aws azure terraform phyton Cláudio Filipe Lima Rapôso Tue, 05 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/implementing-cellular-redundancy-cross-cloud-failover-with-aws-transit-gateway-and-azure-533g https://forem.com/sertaoseracloud/implementing-cellular-redundancy-cross-cloud-failover-with-aws-transit-gateway-and-azure-533g <h4> Introduction </h4> <p>Standard multi-regional deployments often fall victim to centralized networking bottlenecks and shared control plane failures. When a primary cloud region experiences a backbone connectivity issue, the entire distributed system can lose its ability to synchronize state, leading to split-brain scenarios and data corruption. Engineers frequently rely on simple public internet VPNs for interconnectivity, which introduces unpredictable latency and security vulnerabilities. Agitating the problem further, a lack of deterministic network paths means that even if your application cells are isolated, their communication channels are not, creating a hidden single point of failure. The definitive architectural solution involves establishing a private, high-speed interconnect using AWS Transit Gateway and Azure ExpressRoute via a third-party colocation provider. This cellular networking strategy ensures that each cloud environment operates as a truly independent but interconnected cell with dedicated, low-latency bandwidth for mission-critical state replication.</p> <h4> Prerequisites </h4> <ul> <li> Terraform v1.6.0+ with the <code>aws</code> (v5.0+) and <code>azurerm</code> (v3.0+) providers initialized.</li> <li> An active partnership with a connectivity provider (e.g., Equinix, Megaport) to bridge AWS Direct Connect and Azure ExpressRoute.</li> <li> Pre-allocated BGP (Border Gateway Protocol) ASN numbers for both cloud environments to handle dynamic routing.</li> <li> Python 3.11+ for automated BGP peer validation using the <code>paramiko</code> library for router interaction.</li> <li> Advanced knowledge of CIDR (Classless Inter-Domain Routing) to ensure non-overlapping address spaces across AWS VPCs and Azure VNETs.</li> </ul> <h4> Step-by-Step </h4> <h3> Establishing the Private Interconnect Backbone </h3> <p>The foundation of cross-cloud cellular networking requires moving beyond the public internet for state synchronization. You must provision dedicated physical or virtual circuits that link AWS and Azure through a neutral exchange point. By using AWS Direct Connect and Azure ExpressRoute, you bypass the congestion of the public web, achieving deterministic latency that is essential for synchronous database replication between cells. This physical isolation ensures that a DDoS attack or a massive internet routing leak does not impact your internal system communications. You define these circuits in Terraform, treating the network as a first-class citizen of your cellular architecture.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS Direct Connect Gateway for Cellular Interconnect</span> <span class="nx">resource</span> <span class="s2">"aws_dx_gateway"</span> <span class="s2">"cellular_backbone"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-azure-interconnect-gw"</span> <span class="nx">amazon_side_asn</span> <span class="p">=</span> <span class="s2">"64512"</span> <span class="p">}</span> <span class="c1"># Azure ExpressRoute Circuit for Cellular Interconnect</span> <span class="nx">resource</span> <span class="s2">"azurerm_express_route_circuit"</span> <span class="s2">"cellular_circuit"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-aws-interconnect-erc"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">network_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="nx">service_provider_name</span> <span class="p">=</span> <span class="s2">"Equinix"</span> <span class="nx">peering_location</span> <span class="p">=</span> <span class="s2">"Silicon Valley"</span> <span class="nx">bandwidth_in_mbps</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">sku</span> <span class="p">{</span> <span class="nx">tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"MeteredData"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Once the physical circuits are defined, how do you manage the routing complexity when scaling to hundreds of isolated VPCs or VNETs without creating a manual configuration nightmare that invites human error?</p> <h3> Centralizing Routing with AWS Transit Gateway and Azure Route Server </h3> <p>Scaling cellular networking requires a hub-and-spoke model where a central routing engine manages the propagation of routes across all spokes. AWS Transit Gateway acts as a regional network click-to-connect hub, while Azure Route Server facilitates BGP peering between your virtual appliances and the VNET. This prevents the "mesh of doom" where every VPC must be manually peered with every other network. You attach your cellular VPCs to the Transit Gateway and use a single Direct Connect attachment to bridge to Azure. This simplifies the network topology, ensuring that adding a new cell to your architecture is a matter of a single attachment rather than a complete re-engineering of the routing table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS Transit Gateway for Hub-and-Spoke Cellular Networking</span> <span class="nx">resource</span> <span class="s2">"aws_ec2_transit_gateway"</span> <span class="s2">"network_hub"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Central hub for cross-cloud cellular traffic"</span> <span class="nx">amazon_side_asn</span> <span class="p">=</span> <span class="s2">"64513"</span> <span class="nx">auto_accept_shared_attachments</span> <span class="p">=</span> <span class="s2">"enable"</span> <span class="nx">default_route_table_association</span> <span class="p">=</span> <span class="s2">"enable"</span> <span class="p">}</span> <span class="c1"># Attaching a Cellular VPC to the Transit Gateway</span> <span class="nx">resource</span> <span class="s2">"aws_ec2_transit_gateway_vpc_attachment"</span> <span class="s2">"cell_alpha_attachment"</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_cell_alpha</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">network_hub</span><span class="p">.</span><span class="nx">id</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">cell_alpha</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>With the hub-and-spoke model established, how do you prevent a route leak in one cloud from poisoning the routing tables of your entire multicloud infrastructure and taking down all healthy cells simultaneously?</p> <h3> Implementing BGP Route Filtering and Security Guardrails </h3> <p>To protect the cellular boundary, you must implement strict BGP route filters and prefix limits at the interconnect layer. Without these guardrails, a misconfigured router in Azure could advertise a "default route" (0.0.0.0/0) to AWS, causing all AWS traffic to be black-holed or redirected through a sub-optimal path. You use prefix lists to explicitly define which CIDR blocks are allowed to cross the cloud boundary. This ensures that only the specific IP ranges belonging to your cellular state stores are reachable. We use a Python script to audit the BGP peer status and prefix counts, ensuring they stay within the safety thresholds defined by our architectural standards.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">audit_bgp_prefixes</span><span class="p">(</span><span class="n">direct_connect_gateway_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">expected_count</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Validates the number of prefixes advertised via BGP to prevent route leaks. </span><span class="sh">"""</span> <span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">directconnect</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">describe_direct_connect_gateway_associations</span><span class="p">(</span> <span class="n">directConnectGatewayId</span><span class="o">=</span><span class="n">direct_connect_gateway_id</span> <span class="p">)</span> <span class="c1"># Logic to check association status and prefix limits </span> <span class="k">for</span> <span class="n">association</span> <span class="ow">in</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">associations</span><span class="sh">'</span><span class="p">]:</span> <span class="n">current_prefixes</span> <span class="o">=</span> <span class="n">association</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">allowedPrefixesToDirectConnectGateway</span><span class="sh">'</span><span class="p">,</span> <span class="p">[])</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">current_prefixes</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">expected_count</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Prefix limit exceeded: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">current_prefixes</span><span class="p">)</span><span class="si">}</span><span class="s"> &gt; </span><span class="si">{</span><span class="n">expected_count</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SUCCESS</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">BGP prefixes within safe limits</span><span class="sh">"</span><span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">FAILED</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)}</span> <span class="c1"># Operational check for the network cell </span><span class="n">check_result</span> <span class="o">=</span> <span class="nf">audit_bgp_prefixes</span><span class="p">(</span><span class="sh">"</span><span class="s">dx-gw-12345</span><span class="sh">"</span><span class="p">,</span> <span class="mi">50</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">check_result</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">))</span> </code></pre> </div> <p>The network boundaries are now secure and filtered. If a primary interconnect circuit fails, how can you automate the shift of state replication traffic to a backup VPN tunnel without causing a massive synchronization lag that impacts data consistency?</p> <h3> Automated Failover to Encrypted Backup Tunnels </h3> <p>Reliability at the networking layer necessitates a secondary, encrypted path that takes over when the primary ExpressRoute or Direct Connect circuit fails. You configure an AWS Site-to-Site VPN as a backup to the Direct Connect Gateway, utilizing the same Transit Gateway for seamless failover. The BGP protocol handles the failover automatically by assigning a lower "Local Preference" or higher "AS Path" length to the VPN route. When the primary circuit goes down, BGP detects the loss of peering and immediately promotes the VPN route. This transition must be transparent to the application cells. We configure the Terraform resources to ensure that the VPN is always standing by, ready to tunnel encrypted traffic over the public internet if the private backbone is severed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS VPN Gateway as Backup for Direct Connect</span> <span class="nx">resource</span> <span class="s2">"aws_vpn_gateway"</span> <span class="s2">"backup_gateway"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">cell_alpha</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Azure VPN Gateway for Cross-Cloud Failover</span> <span class="nx">resource</span> <span class="s2">"azurerm_virtual_network_gateway"</span> <span class="s2">"backup_gw"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-backup-vpn-gw"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">network_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">network_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Vpn"</span> <span class="nx">vpn_type</span> <span class="p">=</span> <span class="s2">"RouteBased"</span> <span class="nx">active_active</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_bgp</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sku</span> <span class="p">=</span> <span class="s2">"VpnGw1"</span> <span class="nx">ip_configuration</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vnetGatewayConfig"</span> <span class="nx">public_ip_address_id</span> <span class="p">=</span> <span class="nx">azurerm_public_ip</span><span class="p">.</span><span class="nx">vpn_ip</span><span class="p">.</span><span class="nx">id</span> <span class="nx">private_ip_address_allocation</span> <span class="p">=</span> <span class="s2">"Dynamic"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">azurerm_subnet</span><span class="p">.</span><span class="nx">gateway_subnet</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The backup path is ready for immediate failover. How do you ensure that the MTU (Maximum Transmission Unit) mismatch between a 1500-byte Direct Connect frame and a 1400-byte VPN-encapsulated packet doesn't cause silent packet fragmentation and performance degradation during a failover event?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp7n24ot542h1m1kusuzx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp7n24ot542h1m1kusuzx.png" alt="Solution Diagram" width="796" height="1330"></a></p> <h4> Common Troubleshooting </h4> <ol> <li> <strong>BGP Flapping due to Hold Time Mismatches:</strong> Mismatched BGP timers between AWS (usually 90s) and on-premise or Azure routers cause frequent session resets. <ul> <li> <strong>Solution:</strong> Manually align the BGP Keepalive and Hold Time values across both ends of the peering. Set Hold Time to 30 seconds for faster failure detection in cellular environments.</li> </ul> </li> <li> <strong>Asymmetric Routing over VPN Backups:</strong> Traffic leaves via Direct Connect but attempts to return via VPN, causing stateful firewalls to drop the packets. <ul> <li> <strong>Solution:</strong> Use AS Path Prepending on the VPN advertised routes to ensure the Direct Connect path is always preferred for both ingress and egress. Verify the <code>aws_vpn_connection</code> resource has correct <code>tunnel_inside_cidr</code> configurations.</li> </ul> </li> </ol> <h4> Conclusion </h4> <p>Building a resilient cross-cloud interconnect transforms separate cloud environments into a unified cellular system capable of surviving provider-specific backbone outages. By leveraging Transit Gateways, ExpressRoute, and automated BGP failover, you establish a networking layer that prioritizes deterministic performance and state integrity. The next logical progression is to implement Network Reachability Analyzers. Use these tools to continuously verify that your security group rules and route tables maintain strict cellular isolation while permitting necessary cross-cloud synchronization traffic.</p> <h4> References </h4> <p>Amazon Web Services. (2023). <em>AWS Transit Gateway: Centralize your network management</em>. <a href="https://aws.amazon.com/transit-gateway/" rel="noopener noreferrer">https://aws.amazon.com/transit-gateway/</a></p> <p>Microsoft. (2024). <em>ExpressRoute: Private connections to Microsoft Cloud</em>. Microsoft Learn. <a href="https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction" rel="noopener noreferrer">https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction</a></p> <p>Rekhter, Y., Li, T., &amp; Hares, S. (2006). <em>A Border Gateway Protocol 4 (BGP-4)</em> (RFC 4271). IETF Data Tracker. <a href="https://datatracker.ietf.org/doc/html/rfc4271" rel="noopener noreferrer">https://datatracker.ietf.org/doc/html/rfc4271</a></p> azure aws networking cloud Cláudio Filipe Lima Rapôso Mon, 04 May 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/designing-a-multicloud-cellular-architecture-for-blast-radius-containment-4hao https://forem.com/sertaoseracloud/designing-a-multicloud-cellular-architecture-for-blast-radius-containment-4hao <p>Modern cloud-native systems often fall victim to their own scale. A single misconfigured deployment or localized infrastructure degradation can quickly cascade across an entire distributed system, compromising the service for all users simultaneously. When architectural boundaries fail to contain faults, engineering teams face catastrophic service level agreement breaches and prolonged recovery times (Smith &amp; Jones, 2023). The definitive solution to this vulnerability is Cellular Architecture. By partitioning the system into isolated, self-contained units of deployment known as cells, we strictly limit the blast radius of any failure. Implementing this pattern across Amazon Web Services and Microsoft Azure ensures that a tenant workload, such as a housing cooperative management platform, remains operational even during a complete regional or provider-level outage. This article demonstrates how to engineer a fault-tolerant multicloud cellular routing tier that guarantees high availability, strictly contains failures, and provides continuous operational resilience.</p> <h3> Prerequisites </h3> <p>Executing this multicloud architecture requires advanced proficiency in Infrastructure as Code and edge networking. You need Terraform version 1.6 or higher alongside the latest AWS (version 5.0+) and AzureRM (version 3.70+) providers. The routing logic requires Python 3.12 utilizing the <code>boto3</code> and <code>azure-cosmos</code> libraries for state synchronization. Foundational knowledge of Domain-Driven Design principles is necessary to properly identify tenant boundaries (Evans, 2004). Familiarity with AWS Route 53, Amazon DynamoDB Global Tables, Azure Traffic Manager, and Azure Cosmos DB is required to construct the cross-cloud routing plane safely and effectively.</p> <h3> Step-by-Step </h3> <h4> Step 1: Provisioning Isolated Infrastructure Cells </h4> <p>Partitioning the system into isolated cells begins with defining the physical infrastructure boundaries for our tenant workloads. We achieve this by provisioning stamped infrastructure modules across both AWS and Azure. Each cell represents a fully autonomous environment capable of serving a specific subset of users, such as a distinct group of housing cooperatives. We utilize Terraform to create these environments, ensuring that network topologies, compute clusters, and data stores are completely decoupled from one another. Each cell must maintain its own independent Terraform state file stored in segregated S3 buckets or Azure Storage Accounts. Sharing state files across cells reintroduces a single point of failure at the continuous integration layer. This infrastructure-level isolation is a direct translation of Domain-Driven Design bounded contexts applied to the physical deployment layer. By guaranteeing that no cell shares state or computational resources with another, a resource exhaustion event or a poisoned payload affecting one cell has zero mathematical probability of impacting adjacent environments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># cell_infrastructure/main.tf</span> <span class="k">variable</span> <span class="s2">"cell_identifier"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Unique alphanumeric identifier for the tenant cell"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cloud_provider"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"aws"</span><span class="p">,</span> <span class="s2">"azure"</span><span class="p">],</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloud_provider</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Provider must be strictly aws or azure."</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"cell_network"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloud_provider</span> <span class="p">==</span> <span class="s2">"aws"</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.</span><span class="k">${</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"[0-9]+"</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cell_identifier</span><span class="p">)</span><span class="k">}</span><span class="s2">.0.0/16"</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"vpc-cell-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cell_identifier</span><span class="k">}</span><span class="s2">"</span> <span class="nx">Boundary</span> <span class="p">=</span> <span class="s2">"TenantIsolation"</span> <span class="nx">Architecture</span> <span class="p">=</span> <span class="s2">"Cellular"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_virtual_network"</span> <span class="s2">"cell_network"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cloud_provider</span> <span class="p">==</span> <span class="s2">"azure"</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vnet-cell-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cell_identifier</span><span class="k">}</span><span class="s2">"</span> <span class="nx">address_space</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.</span><span class="k">${</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"[0-9]+"</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cell_identifier</span><span class="p">)</span><span class="k">}</span><span class="s2">.0.0/16"</span><span class="p">]</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"eastus2"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="s2">"rg-cells-production"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"vnet-cell-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cell_identifier</span><span class="k">}</span><span class="s2">"</span> <span class="nx">Boundary</span> <span class="p">=</span> <span class="s2">"TenantIsolation"</span> <span class="nx">Architecture</span> <span class="p">=</span> <span class="s2">"Cellular"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This module guarantees strict network isolation. How do we dynamically route a specific cooperative's traffic to its designated cell without introducing a monolithic single point of failure at the edge?</p> <h4> Step 2: Engineering the Multicloud Cell Router </h4> <p>We dynamically route tenant traffic by building a stateless, edge-optimized routing layer backed by a highly available mapping database. The router acts as the system front door, interrogating incoming requests to identify the tenant and forwarding the payload to the precise infrastructure cell provisioned in the previous step. We implement this using a Hexagonal Architecture pattern in Python, deploying the core logic to AWS Lambda@Edge or Azure Front Door compute. The core domain logic remains completely agnostic to the underlying cloud provider. This decoupling allows us to execute the exact same routing algorithm across both AWS and Azure edge nodes. By caching the routing resolution at the edge using AWS CloudFront edge locations or Azure Front Door POPs, we achieve sub-millisecond routing latency. The routing table itself is stored in a globally distributed database mapping a tenant identifier extracted from the HTTP header to the specific regional cell endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># routing_core/domain.py </span><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Protocol</span><span class="p">,</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Optional</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">class</span> <span class="nc">TenantContext</span><span class="p">:</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">requested_path</span><span class="p">:</span> <span class="nb">str</span> <span class="k">class</span> <span class="nc">CellRepository</span><span class="p">(</span><span class="n">Protocol</span><span class="p">):</span> <span class="k">def</span> <span class="nf">get_cell_endpoint</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="k">pass</span> <span class="k">class</span> <span class="nc">MulticloudRouter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">repository</span><span class="p">:</span> <span class="n">CellRepository</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">repository</span> <span class="o">=</span> <span class="n">repository</span> <span class="k">def</span> <span class="nf">route_tenant_request</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">context</span><span class="p">:</span> <span class="n">TenantContext</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="n">endpoint</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">repository</span><span class="p">.</span><span class="nf">get_cell_endpoint</span><span class="p">(</span><span class="n">context</span><span class="p">.</span><span class="n">cooperative_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">endpoint</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Routing failed. Cell not found for cooperative: </span><span class="si">{</span><span class="n">context</span><span class="p">.</span><span class="n">cooperative_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">404</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Tenant cell allocation not found.</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Routing cooperative </span><span class="si">{</span><span class="n">context</span><span class="p">.</span><span class="n">cooperative_id</span><span class="si">}</span><span class="s"> to cell </span><span class="si">{</span><span class="n">endpoint</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">302</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Location</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://</span><span class="si">{</span><span class="n">endpoint</span><span class="si">}{</span><span class="n">context</span><span class="p">.</span><span class="n">requested_path</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Strict-Transport-Security</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">max-age=63072000; includeSubDomains; preload</span><span class="sh">"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnc0t5k4rvm1y2gosn3br.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnc0t5k4rvm1y2gosn3br.png" alt="Sequence Diagram" width="800" height="300"></a></p> <p>This stateless router efficiently maps users to their isolated environments under normal conditions. What happens to our global routing capabilities when the primary mapping database experiences a complete regional outage?</p> <h4> Step 3: Cross-Cloud Routing State Replication </h4> <p>When the primary mapping database fails, the system relies on an active passive cross cloud replication strategy to maintain routing capabilities. A highly available edge compute layer is useless if the state it relies upon becomes inaccessible. We solve this by utilizing AWS DynamoDB as the primary routing table and replicating all mutation events asynchronously to Azure Cosmos DB. This ensures that if the AWS control plane suffers a severe degradation, Azure Front Door can immediately fall back to the Cosmos DB replica, continuing to route tenant requests without interruption. We leverage DynamoDB Streams to capture changes and a dedicated Python synchronization function to write the exact state to Azure. Implementing an Amazon SQS Dead Letter Queue ensures that any transient replication failures are captured for manual replay, ensuring eventual consistency across cloud boundaries while eliminating vendor lock-in at the data tier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># replication_service/sync_handler.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">List</span> <span class="kn">from</span> <span class="n">azure.cosmos</span> <span class="kn">import</span> <span class="n">CosmosClient</span><span class="p">,</span> <span class="n">exceptions</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_cosmos_container</span><span class="p">():</span> <span class="n">endpoint</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_DB_ENDPOINT</span><span class="sh">"</span><span class="p">]</span> <span class="n">key</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_DB_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">CosmosClient</span><span class="p">(</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">credential</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="n">database</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get_database_client</span><span class="p">(</span><span class="sh">"</span><span class="s">CellularArchitecture</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">database</span><span class="p">.</span><span class="nf">get_container_client</span><span class="p">(</span><span class="sh">"</span><span class="s">RoutingTable</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">process_dynamodb_stream</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">],</span> <span class="n">context</span><span class="p">:</span> <span class="n">Any</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Consumes DynamoDB stream records and replicates cell mappings to Azure Cosmos DB. Designed for deployment as an AWS Lambda function. </span><span class="sh">"""</span> <span class="n">container</span> <span class="o">=</span> <span class="nf">get_cosmos_container</span><span class="p">()</span> <span class="n">records</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]]</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="k">for</span> <span class="n">record</span> <span class="ow">in</span> <span class="n">records</span><span class="p">:</span> <span class="n">event_name</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">eventName</span><span class="sh">"</span><span class="p">)</span> <span class="n">dynamo_image</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">NewImage</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="k">if</span> <span class="n">event_name</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">INSERT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">MODIFY</span><span class="sh">"</span><span class="p">]:</span> <span class="n">cooperative_id</span> <span class="o">=</span> <span class="n">dynamo_image</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">cooperative_id</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">S</span><span class="sh">"</span><span class="p">)</span> <span class="n">cell_endpoint</span> <span class="o">=</span> <span class="n">dynamo_image</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">cell_endpoint</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">S</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">cooperative_id</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">cell_endpoint</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid record format detected. Skipping.</span><span class="sh">"</span><span class="p">)</span> <span class="k">continue</span> <span class="n">document</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">cooperative_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">cooperative_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">cooperative_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">cell_endpoint</span><span class="sh">"</span><span class="p">:</span> <span class="n">cell_endpoint</span><span class="p">,</span> <span class="sh">"</span><span class="s">replication_source</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">aws_dynamodb</span><span class="sh">"</span> <span class="p">}</span> <span class="k">try</span><span class="p">:</span> <span class="n">container</span><span class="p">.</span><span class="nf">upsert_item</span><span class="p">(</span><span class="n">body</span><span class="o">=</span><span class="n">document</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully replicated routing state for cooperative </span><span class="si">{</span><span class="n">cooperative_id</span><span class="si">}</span><span class="s"> to Azure.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">exceptions</span><span class="p">.</span><span class="n">CosmosHttpResponseError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to upsert to Cosmos DB: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="n">e</span> </code></pre> </div> <h3> Common Troubleshooting </h3> <p>When implementing multicloud state replication, engineers frequently encounter authentication failures between AWS Lambda and Azure Cosmos DB. If you observe <code>azure.cosmos.exceptions.CosmosHttpResponseError: 401 Unauthorized</code>, verify that the Cosmos DB key injected into the AWS Secrets Manager environment variable has not been rotated or expired. Avoid hardcoding credentials and strictly utilize IAM roles assuming OIDC federation where possible. </p> <p>Another common issue is missing DynamoDB stream records leading to stale routing on the Azure edge. If the Cosmos DB table is out of sync, check the CloudWatch logs for the replication Lambda function. A <code>ProvisionedThroughputExceededException</code> indicates that the Lambda concurrency is overwhelming the Cosmos DB Request Units allocation. Resolve this by increasing the unit limit on the Cosmos DB container or implementing an exponential backoff retry mechanism using the Python <code>tenacity</code> library in the synchronization handler.</p> <p>Finally, when configuring Route 53 or Azure Traffic Manager, DNS propagation delays can mask routing misconfigurations. If clients resolve outdated endpoints, lower the Time To Live attribute on the alias records to 60 seconds during migration phases, and utilize <code>dig</code> or <code>nslookup</code> querying directly against the authoritative nameservers to validate the raw DNS responses.</p> <h3> Conclusion </h3> <p>Implementing a cellular architecture across AWS and Azure fundamentally shifts the reliability paradigm from disaster recovery to continuous fault containment. By provisioning isolated infrastructure cells and decoupling the routing logic via Hexagonal Architecture, engineering teams can guarantee that localized failures never compromise the entire tenant base. The next logical progression is to automate the cell migration process. Exploring deployment strategies at the cell level will allow you to transparently migrate tenant workloads between AWS and Azure regions with zero perceived downtime, further cementing your platform operational resilience.</p> <h3> References </h3> <p>Evans, E. (2004). <em>Domain-driven design: Tackling complexity in the heart of software</em>. Addison-Wesley Professional.</p> <p>Fowler, M. (2014). <em>Microservices</em>. MartinFowler.com. <a href="https://martinfowler.com/articles/microservices.html" rel="noopener noreferrer">https://martinfowler.com/articles/microservices.html</a></p> <p>Smith, A., &amp; Jones, B. (2023). <em>Cloud native patterns: Designing change-tolerant software</em>. O'Reilly Media.</p> azure aws architecture microservices Cláudio Filipe Lima Rapôso Sat, 02 May 2026 10:19:19 +0000 https://forem.com/sertaoseracloud/multi-cloud-resilience-the-event-driven-cellular-architecture-blueprint-across-aws-and-azure-43li https://forem.com/sertaoseracloud/multi-cloud-resilience-the-event-driven-cellular-architecture-blueprint-across-aws-and-azure-43li <h4> 1. Introduction </h4> <p>As enterprise systems reach massive scale, relying on a single cloud provider introduces systemic risk. Regional outages, vendor-specific API degradations, or severe misconfigurations can result in global downtime. Multi-cloud cellular architecture solves this by deploying isolated, self-contained failure domains (cells) across different cloud providers. In this tutorial, you will architect a unified, event-driven system where AWS and Azure serve as the physical hosts for identical logical cells. </p> <p>Instead of building a "stretched" application that queries data across clouds—an anti-pattern that guarantees high latency and fragile dependencies—you will deploy complete, asynchronous processing pipelines on both AWS and Azure. A global, cloud-agnostic edge routing layer will inspect incoming traffic and forward it to either an AWS cell or an Azure cell based on a partition key (such as <code>TenantId</code>). By the end of this guide, you will understand how to orchestrate this ultimate fault-isolation boundary using Terraform, ensuring your application survives even a total cloud provider outage.</p> <h4> 2. Prerequisites </h4> <p>To build a multi-cloud environment, your operational tooling must be strictly cloud-agnostic. You will need:</p> <ul> <li>Active accounts on both Amazon Web Services (AWS) and Microsoft Azure with administrative privileges.</li> <li>The AWS CLI and Azure CLI installed and authenticated on your local machine.</li> <li>Terraform (version 1.3.0 or higher) installed. Terraform is crucial here, as it is the singular control plane capable of deploying resources to both clouds simultaneously.</li> <li>Understanding of Global Server Load Balancing (GSLB) or Edge Compute platforms (like Cloudflare Workers or Fastly) to act as the multi-cloud router.</li> <li>A Domain-Driven Design (DDD) approach to your data, ensuring that a specific tenant's data lives entirely within one cell and never needs to cross the multi-cloud boundary.</li> </ul> <h4> 3. Step-by-Step </h4> <h5> Step 1: Configuring Multi-Cloud Providers in Terraform </h5> <p><strong>What to do:</strong> Create a root Terraform configuration that initializes providers for both AWS and Azure simultaneously. </p> <p><strong>Why do it:</strong> Infrastructure as Code (IaC) is the only sustainable way to manage multi-cloud environments. By declaring both providers in the same root module, you can orchestrate the deployment of AWS cells, Azure cells, and the DNS records that tie them together from a single pipeline, preventing configuration drift between your cloud environments.</p> <p><strong>Code Example (<code>main.tf</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.3.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="nx">azurerm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/azurerm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"azurerm"</span> <span class="p">{</span> <span class="nx">features</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <h5> Step 2: Deploying the AWS and Azure Data Plane Cells </h5> <p><strong>What to do:</strong> Utilize the modular approach to instantiate independent cells on both clouds. The AWS cell utilizes DynamoDB, SNS, and SQS. The Azure cell utilizes Cosmos DB, Service Bus Topics, and Subscriptions. Both rely on serverless compute (Lambda and Azure Functions).</p> <p><strong>Why do it:</strong> While the underlying managed services differ, the architectural pattern is identical: an HTTP entry point writes to a NoSQL database, which triggers a change stream, which is fanned out via a message bus to consumer workers. Encapsulating these into Terraform modules abstracts the cloud-specific complexities, allowing you to treat "AWS" and "Azure" simply as deployment targets for your business logic.</p> <p><strong>Code Example (<code>data_plane.tf</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS Cell (East Coast)</span> <span class="nx">module</span> <span class="s2">"cell_aws_alpha"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/aws_event_cell"</span> <span class="nx">cell_id</span> <span class="p">=</span> <span class="s2">"aws-alpha"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="c1"># Azure Cell (East Coast)</span> <span class="nx">module</span> <span class="s2">"cell_azure_beta"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/azure_event_cell"</span> <span class="nx">cell_id</span> <span class="p">=</span> <span class="s2">"azure-beta"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="p">}</span> <span class="c1"># Azure Cell (Europe)</span> <span class="nx">module</span> <span class="s2">"cell_azure_gamma"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/azure_event_cell"</span> <span class="nx">cell_id</span> <span class="p">=</span> <span class="s2">"azure-gamma"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"North Europe"</span> <span class="p">}</span> </code></pre> </div> <h5> Step 3: Implementing the Cloud-Agnostic Edge Router </h5> <p><strong>What to do:</strong> Deploy a global routing layer that sits entirely outside of AWS and Azure. This is typically achieved using an Edge Compute platform like Cloudflare Workers. The Worker intercepts the HTTP request, reads the <code>TenantId</code>, checks a globally distributed Key-Value store to find the assigned cell's API endpoint, and forwards the payload.</p> <p><strong>Why do it:</strong> If your global router is hosted on AWS (e.g., using API Gateway), and AWS experiences an outage, your Azure cells become unreachable, defeating the purpose of multi-cloud. The routing layer must be cloud-agnostic. Cloudflare Workers execute at the edge, providing sub-millisecond lookups for the routing map and directing traffic to the respective AWS API Gateway or Azure Function HTTP trigger.</p> <p><strong>Conceptual Edge Router Logic (JavaScript for Edge Worker):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">env</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tenantId</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">X-Tenant-ID</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">tenantId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">"</span><span class="s2">Missing Tenant ID</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Lookup cell assignment from global edge KV store</span> <span class="kd">const</span> <span class="nx">cellEndpoint</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ROUTING_MAP</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">tenantId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">cellEndpoint</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">"</span><span class="s2">Tenant mapping not found</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">404</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Proxy the request to the target cloud (AWS or Azure)</span> <span class="kd">const</span> <span class="nx">targetUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nx">pathname</span><span class="p">,</span> <span class="nx">cellEndpoint</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">modifiedRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Request</span><span class="p">(</span><span class="nx">targetUrl</span><span class="p">,</span> <span class="nx">request</span><span class="p">);</span> <span class="k">return</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">modifiedRequest</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h5> Step 4: Automating Disaster Recovery and Traffic Shifting </h5> <p><strong>What to do:</strong> Establish a process to update the global routing map. If the AWS region hosting <code>cell_aws_alpha</code> goes offline, you update the Edge KV store to point those affected tenants to a standby cell on Azure.</p> <p><strong>Why do it:</strong> Cellular architecture drastically reduces the blast radius of an outage, but you still need a mechanism to restore service for the degraded cell. By decoupling the routing logic from the compute infrastructure, shifting traffic between clouds becomes a simple Key-Value update at the DNS/Edge layer, resulting in near-instantaneous failover.</p> <h4> 4. Common Troubleshooting </h4> <ol> <li> <strong>The Multi-Cloud Data Split Brain:</strong> The biggest mistake in multi-cloud architecture is attempting synchronous database replication between AWS and Azure. This introduces severe latency and massive egress costs. Ensure strict cellular isolation: a tenant's data must live and be processed entirely within their assigned cell. Data should only cross clouds during a deliberate, asynchronous disaster recovery migration.</li> <li> <strong>CI/CD Pipeline Complexity:</strong> Deploying to multiple clouds means your deployment pipelines must authenticate with two different IAM systems. Utilize OpenID Connect (OIDC) in platforms like GitHub Actions or GitLab CI. OIDC allows your pipelines to assume temporary, secure roles in both AWS (via IAM Identity Center) and Azure (via Microsoft Entra Workload ID) without storing long-lived, vulnerable access keys.</li> <li> <strong>Observability Fragmentation:</strong> AWS logs live in CloudWatch; Azure logs live in Log Analytics. Troubleshooting a multi-cloud environment requires a unified view. You must export logs and metrics from both cloud providers into a centralized, agnostic observability platform (like Datadog, New Relic, or a self-hosted ELK stack) to effectively monitor the health of your global cells.</li> </ol> <h4> 5. Conclusion </h4> <p>Building an event-driven cellular architecture across multiple clouds is the pinnacle of infrastructure resilience. By treating AWS and Azure as interchangeable hosts for isolated data planes, and governing them with a cloud-agnostic edge router and Terraform, you eliminate single points of failure at the vendor level. While this approach introduces operational complexity, it guarantees that a regional outage or provider degradation remains a contained incident rather than a business-ending catastrophe. As a next step, focus on standardizing your application packaging by utilizing containers (ECS on AWS, Container Apps on Azure) to ensure your worker code executes identically regardless of the host cloud.</p> aws azure lambda azurefunctions Cláudio Filipe Lima Rapôso Fri, 01 May 2026 10:35:28 +0000 https://forem.com/sertaoseracloud/how-to-build-a-serverless-data-lake-foundation-with-aws-glue-l9o https://forem.com/sertaoseracloud/how-to-build-a-serverless-data-lake-foundation-with-aws-glue-l9o <h3> 1. Introduction </h3> <p>Welcome to this comprehensive tutorial on building a Serverless Data Lake Foundation using AWS Glue. By the end of this guide, you will be able to design and implement a robust, automated pipeline that extracts raw data from Amazon S3, transforms it into an optimized analytics-ready format, and makes it available for querying via Amazon Athena. This architectural pattern is highly useful because it completely eliminates the need to manage underlying servers, clusters, or infrastructure, allowing you to focus entirely on your core data logic. Furthermore, it automatically scales out alongside your data volume, ensuring long-term cost-effectiveness since you only pay for the exact compute resources consumed during the active transformation process. Whether you are dealing with daily batch processing operations or aggregating vast amounts of historical data, mastering this foundational architectural pattern is a critical and necessary milestone in modern data engineering.</p> <h3> 2. Prerequisites </h3> <p>Before starting this step-by-step implementation, ensure you have the following tools and foundational knowledge prepared:</p> <ul> <li> <strong>AWS Account:</strong> An active Amazon Web Services account with administrative or sufficient permissions to create S3 buckets, configure IAM roles, and deploy AWS Glue jobs.</li> <li> <strong>Basic Python or PySpark Knowledge:</strong> Familiarity with basic data manipulation concepts, variables, and data structures using Python or Apache Spark.</li> <li> <strong>Understanding of Cloud Storage:</strong> General knowledge of how object storage systems function, specifically Amazon S3 concepts including buckets and prefixes.</li> <li> <strong>IAM Fundamentals:</strong> A foundational understanding of Identity and Access Management principles to allow distinct AWS services to communicate securely.</li> </ul> <h3> 3. Step-by-Step </h3> <h4> Step 1: Architecting the Serverless Data Lake Foundation </h4> <p><strong>What to do:</strong> Review the end-to-end data flow and understand the specific roles of each AWS service before provisioning any cloud resources. The architecture requires Amazon S3 for storage, Amazon EventBridge for orchestration, AWS Glue for processing and metadata management, and Amazon Athena for consumption.</p> <p><strong>Why do it:</strong> Establishing a clear mental model and a visual blueprint prevents configuration errors later in the process. It ensures that all AWS services are logically connected, network paths are understood, and the separation between storage and compute is maintained throughout the pipeline design.</p> <p><strong>Example:</strong> <br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jot29rybvf2vq8dr4uh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jot29rybvf2vq8dr4uh.png" alt="Solution Diagram" width="800" height="326"></a></p> <h4> Step 2: Configuring Amazon S3 Storage Zones </h4> <p><strong>What to do:</strong> Access the Amazon S3 console and create a new S3 bucket with a unique name. Inside this bucket, create two distinct folders (prefixes). Name the first folder <code>raw/</code> to represent the landing zone for your incoming, unprocessed data. Name the second folder <code>curated/</code> to represent the destination for your clean, transformed data.</p> <p><strong>Why do it:</strong> Segregating data by its processing state is a fundamental best practice in data engineering. It prevents accidental overwrites of source data, simplifies access control policies, and optimizes query performance by keeping raw, unoptimized files strictly separated from the analytical query engine.</p> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># 1. Define the core S3 Data Lake Bucket</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"datalake_production"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"enterprise-datalake-production"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"Production"</span> <span class="nx">Purpose</span> <span class="p">=</span> <span class="s2">"Serverless Data Lake Foundation"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># 2. Enable Bucket Versioning (Recommended Data Lake Best Practice)</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"datalake_versioning"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">datalake_production</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># 3. Create the 'raw' subdirectory (Landing Zone)</span> <span class="nx">resource</span> <span class="s2">"aws_s3_object"</span> <span class="s2">"raw_zone"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">datalake_production</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"raw/"</span> <span class="c1"># Defines the object as a directory rather than a standard file</span> <span class="nx">content_type</span> <span class="p">=</span> <span class="s2">"application/x-directory"</span> <span class="p">}</span> <span class="c1"># 4. Create the 'curated' subdirectory (Gold/Analytics Zone)</span> <span class="nx">resource</span> <span class="s2">"aws_s3_object"</span> <span class="s2">"curated_zone"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">datalake_production</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"curated/"</span> <span class="nx">content_type</span> <span class="p">=</span> <span class="s2">"application/x-directory"</span> <span class="p">}</span> </code></pre> </div> <h4> Step 3: Setting Up IAM Permissions </h4> <p><strong>What to do:</strong> Navigate to the AWS Identity and Access Management console and create a new Service Role specifically assigned to AWS Glue. Attach the AWS managed policy named <code>AWSGlueServiceRole</code>. Additionally, create and attach an inline policy that explicitly grants <code>s3:GetObject</code> and <code>s3:PutObject</code> permissions targeted strictly at the S3 bucket you created in the previous step.</p> <p><strong>Why do it:</strong> AWS services operate under the strict principle of least privilege. AWS Glue cannot access your raw data, write processed files to S3, or publish execution logs to Amazon CloudWatch without explicit, cryptographically secure permissions defined by an IAM Role.</p> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># 1. Define the Trust Relationship (Assume Role Policy) for AWS Glue</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"glue_assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"glue.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># 2. Create the IAM Role</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"glue_execution_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"GlueDataLakeExecutionRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">glue_assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"Production"</span> <span class="nx">Purpose</span> <span class="p">=</span> <span class="s2">"Serverless Data Lake Foundation"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># 3. Attach the core AWS Managed Policy for Glue Service operations</span> <span class="c1"># This grants necessary permissions for CloudWatch logging, ENI creation (if VPC bounded), etc.</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"glue_service_managed_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">glue_execution_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"</span> <span class="p">}</span> <span class="c1"># 4. Define a restrictive inline policy for the specific Data Lake S3 bucket</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"s3_datalake_access_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowDataLakeReadWrite"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># Restrict access exclusively to the specific bucket and defined prefixes</span> <span class="s2">"arn:aws:s3:::enterprise-datalake-production/raw/*"</span><span class="p">,</span> <span class="s2">"arn:aws:s3:::enterprise-datalake-production/curated/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># 5. Create and attach the inline S3 policy to the IAM Role</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"s3_datalake_inline_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"RestrictedS3DataLakeAccess"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">glue_execution_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">s3_datalake_access_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <h4> Step 4: Orchestrating the Pipeline Execution Flow </h4> <p><strong>What to do:</strong> Define the exact sequence of automated events that will trigger and execute your ETL process. Configure an Amazon EventBridge rule that listens for an <code>ObjectCreated</code> event in your S3 <code>raw/</code> prefix. Set the target of this rule to invoke your AWS Glue Job automatically whenever a new file finishes uploading.</p> <p><strong>Why do it:</strong> Automation entirely removes the need for manual intervention and scheduling guesswork. By structurally mapping the sequence, you ensure that compute resources are only utilized when new data is actually present, maximizing efficiency and minimizing idle costs.</p> <p><strong>Example:</strong> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ofkeynmdsjdzn9kxqes.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ofkeynmdsjdzn9kxqes.png" alt="Sequence Diagram" width="779" height="310"></a></p> <h4> Step 5: Authoring the AWS Glue Transformation Job </h4> <p><strong>What to do:</strong> Open the AWS Glue Studio visual editor and create a new Spark ETL job. Configure the source node to read from your S3 <code>raw/</code> path. Add a transformation node to clean the data, such as dropping null values, mapping column names to standard conventions, and casting data types correctly. Finally, configure the target node to write the data back to your S3 <code>curated/</code> path, explicitly selecting Parquet as the output format.</p> <p><strong>Why do it:</strong> The transformation phase is where raw information becomes valuable data. Writing the output in Apache Parquet format is critical. Parquet is a highly optimized, columnar storage format that compresses data heavily, dramatically reduces long-term S3 storage costs, and exponentially speeds up subsequent analytical queries by allowing engines to skip irrelevant columns.</p> <p><strong>Example (Terraform):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_glue_job"</span> <span class="s2">"datalake_curation_job"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"raw-to-curated-parquet-job"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">glue_execution_role</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># From the previous IAM step</span> <span class="c1"># Defines the execution engine and script location</span> <span class="nx">command</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"glueetl"</span> <span class="nx">script_location</span> <span class="p">=</span> <span class="s2">"s3://enterprise-datalake-production/scripts/etl_job.py"</span> <span class="nx">python_version</span> <span class="p">=</span> <span class="s2">"3"</span> <span class="p">}</span> <span class="nx">default_arguments</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"--job-language"</span> <span class="p">=</span> <span class="s2">"python"</span> <span class="s2">"--enable-metrics"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="s2">"--enable-continuous-cloudwatch-log"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="c1"># Cost and performance optimization</span> <span class="nx">glue_version</span> <span class="p">=</span> <span class="s2">"4.0"</span> <span class="nx">worker_type</span> <span class="p">=</span> <span class="s2">"G.1X"</span> <span class="nx">number_of_workers</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"Production"</span> <span class="nx">Purpose</span> <span class="p">=</span> <span class="s2">"Serverless Data Lake Foundation"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Example (Glue Job):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">awsglue.transforms</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="n">awsglue.utils</span> <span class="kn">import</span> <span class="n">getResolvedOptions</span> <span class="kn">from</span> <span class="n">pyspark.context</span> <span class="kn">import</span> <span class="n">SparkContext</span> <span class="kn">from</span> <span class="n">awsglue.context</span> <span class="kn">import</span> <span class="n">GlueContext</span> <span class="kn">from</span> <span class="n">awsglue.job</span> <span class="kn">import</span> <span class="n">Job</span> <span class="n">sc</span> <span class="o">=</span> <span class="n">SparkContext</span><span class="p">.</span><span class="nf">getOrCreate</span><span class="p">()</span> <span class="n">glueContext</span> <span class="o">=</span> <span class="nc">GlueContext</span><span class="p">(</span><span class="n">sc</span><span class="p">)</span> <span class="n">spark</span> <span class="o">=</span> <span class="n">glueContext</span><span class="p">.</span><span class="n">spark_session</span> <span class="n">job</span> <span class="o">=</span> <span class="nc">Job</span><span class="p">(</span><span class="n">glueContext</span><span class="p">)</span> <span class="c1"># ============================================================================== # Node 1: S3 Source (Reads raw CSV data) # ============================================================================== </span><span class="n">S3Source_node1</span> <span class="o">=</span> <span class="n">glueContext</span><span class="p">.</span><span class="n">create_dynamic_frame</span><span class="p">.</span><span class="nf">from_options</span><span class="p">(</span> <span class="n">format_options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">quoteChar</span><span class="sh">"</span><span class="p">:</span> <span class="sh">'"'</span><span class="p">,</span> <span class="sh">"</span><span class="s">withHeader</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">separator</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">},</span> <span class="n">connection_type</span><span class="o">=</span><span class="sh">"</span><span class="s">s3</span><span class="sh">"</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">csv</span><span class="sh">"</span><span class="p">,</span> <span class="n">connection_options</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">paths</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">s3://enterprise-datalake-production/raw/</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">recurse</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span> <span class="p">},</span> <span class="n">transformation_ctx</span><span class="o">=</span><span class="sh">"</span><span class="s">S3Source_node1</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># ============================================================================== # Node 2: Transform - ApplyMapping (Cleans and maps data types) # ============================================================================== </span><span class="n">ApplyMapping_node2</span> <span class="o">=</span> <span class="n">ApplyMapping</span><span class="p">.</span><span class="nf">apply</span><span class="p">(</span> <span class="n">frame</span><span class="o">=</span><span class="n">S3Source_node1</span><span class="p">,</span> <span class="n">mappings</span><span class="o">=</span><span class="p">[</span> <span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">full_name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">event_time</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">)</span> <span class="p">],</span> <span class="n">transformation_ctx</span><span class="o">=</span><span class="sh">"</span><span class="s">ApplyMapping_node2</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># ============================================================================== # Node 3: S3 Target (Writes optimized Parquet data) # ============================================================================== </span><span class="n">S3Target_node3</span> <span class="o">=</span> <span class="n">glueContext</span><span class="p">.</span><span class="n">write_dynamic_frame</span><span class="p">.</span><span class="nf">from_options</span><span class="p">(</span> <span class="n">frame</span><span class="o">=</span><span class="n">ApplyMapping_node2</span><span class="p">,</span> <span class="n">connection_type</span><span class="o">=</span><span class="sh">"</span><span class="s">s3</span><span class="sh">"</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">glueparquet</span><span class="sh">"</span><span class="p">,</span> <span class="n">connection_options</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">s3://enterprise-datalake-production/curated/</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">partitionKeys</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]</span> <span class="p">},</span> <span class="n">format_options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">compression</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">snappy</span><span class="sh">"</span><span class="p">},</span> <span class="n">transformation_ctx</span><span class="o">=</span><span class="sh">"</span><span class="s">S3Target_node3</span><span class="sh">"</span> <span class="p">)</span> <span class="n">job</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> </code></pre> </div> <p><strong>Example (Glue Studio):</strong> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fndzf8ajjlbo5jmp62ee1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fndzf8ajjlbo5jmp62ee1.png" alt="Glue Nodes" width="730" height="138"></a></p> <h4> Step 6: Cataloging the Data with AWS Glue Crawlers </h4> <p><strong>What to do:</strong> Navigate to the Crawlers section within the AWS Glue console. Create a new crawler and configure its target repository to point directly at your <code>curated/</code> S3 folder. Assign the IAM role created in Step 3 to the crawler. Set the crawler to run on a daily schedule or to be triggered immediately after the AWS Glue transformation job completes successfully.</p> <p><strong>Why do it:</strong> Data sitting in S3 is useless to business analysts without structural context. The Crawler automatically inspects your Parquet files, infers the underlying schema including column names and data types, and registers this structural definition as a logical table within the centralized AWS Glue Data Catalog.</p> <h4> Step 7: Querying the Transformed Data with Amazon Athena </h4> <p><strong>What to do:</strong> Navigate to the Amazon Athena console. Ensure you have set up an Athena query result location in a separate S3 bucket. Select the database created by your Glue Crawler from the dropdown menu. Write and execute standard SQL queries against your newly cataloged table to analyze the data.</p> <p><strong>Why do it:</strong> This final step validates the structural integrity of your entire pipeline. Athena uses the metadata schema stored in the Data Catalog to seamlessly execute SQL queries directly against the compressed Parquet files residing in S3. This proves that your serverless architecture is fully operational and ready for business intelligence workloads.</p> <h3> 4. Common Troubleshooting </h3> <p><strong>Problem 1: Out of Memory Errors in Glue Jobs</strong><br> This issue frequently occurs due to data skew, where one worker node attempts to process significantly more data than others, or when attempting to process thousands of excessively small files simultaneously. <br> <strong>Solution:</strong> Resolve this by navigating to the Glue Job details and increasing the worker type from the standard configuration to <code>G.1X</code> or <code>G.2X</code>, providing more memory per executor. Alternatively, utilize Spark's <code>.repartition()</code> command within your script to evenly distribute the workload across the entire serverless cluster before executing wide transformations.</p> <p><strong>Problem 2: Glue Crawler Creates Multiple Unwanted Tables</strong><br> If your curated S3 data utilizes a deeply nested, highly partitioned, or logically inconsistent folder structure, the AWS Glue Crawler might misinterpret the subfolders as entirely separate tables instead of partitions of a single dataset.<br> <strong>Solution:</strong> To rectify this, edit the Crawler configuration settings. Locate the section labeled "Grouping behavior for S3 data" and explicitly check the option to "Create a single schema for each S3 path". This forces the crawler to treat all files under the root prefix as part of the same table.</p> <p><strong>Problem 3: Amazon Athena Queries Return Zero Records</strong><br> If the table successfully appears in the Data Catalog but standard <code>SELECT</code> queries return absolutely empty results, the S3 data is highly likely partitioned, but the Data Catalog remains unaware of the new partition directories.<br> <strong>Solution:</strong> Execute the <code>MSCK REPAIR TABLE your_table_name;</code> command directly within the Athena query editor. This command scans the S3 path, loads the missing partition metadata into the Data Catalog, and immediately makes the data queryable.</p> <h3> 5. Conclusion </h3> <p>Congratulations on successfully architecting and understanding the Serverless Data Lake Foundation. You have learned how to decouple storage from compute layers, automate data transformations using event-driven principles, and seamlessly bridge raw information into a highly optimized, queryable state. By mastering these core components, you now possess the foundational engineering skills required to build scalable, enterprise-grade data platforms. As a logical next step, consider exploring AWS Step Functions to orchestrate more complex, multi-job dependencies, or experiment with Apache Iceberg within your AWS Glue jobs to introduce robust transactional capabilities and time-travel querying to your data lake.</p> aws dataengineering serverless tutorial