Ppaul/failover ledger endpoint

[PallabPaul]

Contributing to the Azure SDK

Please see our CONTRIBUTING.md if you are not familiar with contributing to this repository or have questions.

For specific information about pull request etiquette and best practices, see this section.

Changes:

• Added support to route to failover ledgers for the GetLedgerEntry, GetLedgerEntryAsync, GetCurrentLedgerEntry, and GetCurrentLedgerEntryAsync methods.

[PallabPaul]

TODO:

• remove log lines
• merge /failover endpoint CP logic before merging this

[PallabPaul]

TODO:

• remove log lines
• merge /failover endpoint CP logic before merging this

Done

[Copilot]

Pull Request Overview

This pull request adds failover endpoint support to the Azure Confidential Ledger SDK, enabling automatic routing to backup ledger instances when the primary endpoint fails. The implementation provides a new failover service that can discover and attempt operations against backup ledger endpoints.

Key changes include:

• Introduction of a new ConfidentialLedgerFailoverService class that handles failover endpoint discovery and execution
• Integration of the failover service into the main ConfidentialLedgerClient
• Version bump from 1.4.1-beta.3 to 1.5.0-beta.1

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 6 comments.

File	Description
ConfidentialLedgerFailoverService.cs	New service class implementing failover endpoint discovery and operation execution logic
ConfidentialLedgerClient.cs	Integration of the failover service into the main client
Azure.Security.ConfidentialLedger.csproj	Version increment to reflect new failover functionality
CHANGELOG.md	Documentation of the new failover routing feature

---

_{You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.}

[taicchoumsft]

just a minor suggestion, probably not worth doing for this PR since this customer only has one failover: switch to Task.WhenAny or similar for the async failovers method. That should also simplify handling of the requestfailed exceptions.

[taicchoumsft]

Just curious - what breaks if we use the regular utf8 encoder?

[taicchoumsft]

The Azure Response ContentStream is settable. I'm wondering if we can just set the currentResponse.contentStream with your memorystream to avoid wrapping and creating the SyntheticResponse.

azure-sdk-for-net/sdk/core/Azure.Core/src/Response.cs

Line 32 in 88c2ddd

public abstract Stream? ContentStream { get; set; }

[taicchoumsft]

Is passing the primaryEndpoint needed here?

[taicchoumsft]

Should UnknownLedgerEntry be retriable? That's a guarantee that no key was written in that transaction right?

[msftsettiy]

As discussed, please explore the option to set the service identity cert for the fail over endpoints in the transport options object.

[taicchoumsft]

Forgetting a little: does the pipeline account for Not Ready state? I only remember that the python SDK does not.

[github-actions]

Hi @PallabPaul. Thank you for your interest in helping to improve the Azure SDK experience and for your contribution. We've noticed that there hasn't been recent engagement on this pull request. If this is still an active work stream, please let us know by pushing some changes or leaving a comment. Otherwise, we'll close this out in 7 days.

[github-actions]

Hi @PallabPaul. Thank you for your contribution. Since there hasn't been recent engagement, we're going to close this out. Feel free to respond with a comment containing /reopen if you'd like to continue working on these changes. Please be sure to use the command to reopen or remove the no-recent-activity label; otherwise, this is likely to be closed again with the next cleanup pass.

[PallabPaul]

/reopen

[ivarprudnikov]

To get the actual value you'd need to follow the same logic as in GetIdentityServerTlsCert, i.e.

ledgerOptions?.CertificateEndpoint ?? new Uri(Default_Certificate_Endpoint)

It can be overriden in ledgerOptions, and please reuse the default endpoint value from ConfidentialLedgerClient but that would need to change private const string to public const string I bet

[ivarprudnikov]

primary endpoint host already contains the suffix, which might be staging or any new env we add later like ppe. Therefore if would make sense to replace the first part of the existing host instead of constructing the new one with the current prod suffix.

[ivarprudnikov]

This is an interesting point. It is saying that the order of the failover ledgers is important and sequential. For instance if there are 2 failover ledgers and the primary fails it will redirect all traffic to the first failover ledger and then to third only if the primary and secondary fail. Third one would rarely be used in this case.

If the order does not matter much it might make sense to forward requests to a randomly ordered list of failover ledgers to improve the distribution of the requests. So that when we get x million of requests they do not suddenly get all forwarded to the failover ledger but distribute that load across all of the failover ones.

[ivarprudnikov]

These errors need to be updated, I doubt that a failover endpoint has so many retriable conditions. 404 would mean that the ledger does not exist, UnknownLedgerEntry is not related to /failover, 408 not necessary either. 503 and 504 can be dropped because they are included in ex.Status >= 500

[ivarprudnikov]

To make sure failover works as expected the timeout would need to be extended, for instance if the client is getting an entry the timer starts. The requests will be retried to primary according to the client options and default pipeline options, i.e. this will eat into timeout quite a bit. Then we say the failover needs to happen with the remaining time which not only needs to fulfill the original intent of getting an entry but also fetch the list of failover ledgers (needs more work).

What I am saying is that we either automatically extend the timeout here, or increase it in the default client options for all ledgers that use failover endpoints or somehow tell the customers to make sure it is increased in their client options to work as expected.

[ivarprudnikov]

suggestion:
to not repeat this block for every request is could be implemented in an additional http pipeline policy which currently has default settings, etc. it would be possible to refactor the ConfidentialLedgerFailoverService into a policy and add it to the base client thus enabling automatic failover for any request: HttpPipelineBuilder.Build(..., failoverPolicy, ...)

The policy might look like:

public class FailoverPolicy : HttpPipelinePolicy
{
...

public override void Process(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline)
    {
        TrySendWithFailover(message, pipeline);
    }
...

private void TrySendWithFailover(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline)
    {
        // TODO: get endpoints _endpoints (primary + failover ones)
        // this is an exampl e, in reality we'd want to first retry the primary endpoin and only then failover
        for (int attempt = 0; attempt < _endpoints.Count; attempt++)
        {
            message.Request.Uri.Reset(_endpoints[_currentIndex]);
            try
            {
                ProcessNext(message, pipeline);
                if (message.Response.Status >= 200 && message.Response.Status < 500)
                    return; // Success
            }
            catch
            {
                // Ignore and try next endpoint
            }
            _currentIndex = (_currentIndex + 1) % _endpoints.Count;
        }
        throw new RequestFailedException("All endpoints failed.");
    }
...
}