Skip to content

Ppaul/failover ledger endpoint #51947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
PallabPaul wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Ppaul/failover ledger endpoint #51947

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
2e30dd0
Update PostLedgerEntryOperation retry logic
PallabPaul Aug 3, 2023
515190d
merge master
Aug 7, 2025
2fa1b35
add base failover endpoint implementation
Aug 12, 2025
af7213a
add base failover implementation
Aug 12, 2025
cb79689
clean
Aug 12, 2025
bf8d04e
address collection id cases
Aug 13, 2025
19870c2
cleaned up failover service and client logic
Aug 14, 2025
409c510
address copilot comments
Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions sdk/confidentialledger/Azure.Security.ConfidentialLedger/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# Release History

## 1.5.0-beta.1 (Unreleased)

### Features Added
- Added support to route to failover ledgers for the `GetLedgerEntry`, `GetLedgerEntryAsync`, `GetCurrentLedgerEntry`, and `GetCurrentLedgerEntryAsync` methods.

## 1.4.1-beta.3 (Unreleased)

### Features Added
Expand Down
2 changes: 1 addition & 1 deletion ...tialledger/Azure.Security.ConfidentialLedger/src/Azure.Security.ConfidentialLedger.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
<PropertyGroup>
<Description>Client SDK for the Azure Confidential Ledger service</Description>
<AssemblyTitle>Azure Confidential Ledger</AssemblyTitle>
<Version>1.4.1-beta.3</Version>
<Version>1.5.0-beta.1</Version>
<!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
<ApiCompatVersion>1.3.0</ApiCompatVersion>
<PackageTags>Azure ConfidentialLedger</PackageTags>
Expand Down
1 change: 1 addition & 0 deletions sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/ConfidentialLedgerClient.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ internal ConfidentialLedgerClient(Uri ledgerEndpoint, TokenCredential credential
new ConfidentialLedgerResponseClassifier());
_ledgerEndpoint = ledgerEndpoint;
_apiVersion = actualOptions.Version;
_failoverService = new ConfidentialLedgerFailoverService(_pipeline, ClientDiagnostics);
}

internal class ConfidentialLedgerResponseClassifier : ResponseClassifier
Expand Down
262 changes: 262 additions & 0 deletions ...identialledger/Azure.Security.ConfidentialLedger/src/ConfidentialLedgerFailoverService.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,262 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Diagnostics;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Pipeline;

namespace Azure.Security.ConfidentialLedger
{
internal class ConfidentialLedgerFailoverService
{
private readonly HttpPipeline _pipeline;
private readonly ClientDiagnostics _clientDiagnostics;

internal const string IdentityServiceBaseUrl = "https://identity.confidential-ledger.core.azure.com";
Copy link
Member

@ivarprudnikov ivarprudnikov Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To get the actual value you'd need to follow the same logic as in GetIdentityServerTlsCert, i.e.

ledgerOptions?.CertificateEndpoint ?? new Uri(Default_Certificate_Endpoint)

It can be overriden in ledgerOptions, and please reuse the default endpoint value from ConfidentialLedgerClient but that would need to change private const string to public const string I bet

internal const string LedgerDomainSuffix = "confidential-ledger.azure.com";

private static ResponseClassifier _responseClassifier200;
private static ResponseClassifier ResponseClassifier200 => _responseClassifier200 ??= new StatusCodeClassifier(stackalloc ushort[] { 200 });

public ConfidentialLedgerFailoverService(HttpPipeline pipeline, ClientDiagnostics clientDiagnostics)
{
_pipeline = pipeline ?? throw new ArgumentNullException(nameof(pipeline));
_clientDiagnostics = clientDiagnostics ?? throw new ArgumentNullException(nameof(clientDiagnostics));
}
// Overloads for failover-only execution with collectionId gating.
public Task<T> ExecuteOnFailoversAsync<T>(
Uri primaryEndpoint,
Func<Uri, Task<T>> operationAsync,
string operationName,
string collectionIdGate,
CancellationToken cancellationToken = default)
{
if (string.IsNullOrEmpty(collectionIdGate))
{
return operationAsync(primaryEndpoint); // collection gating: no failover
}
return ExecuteOnFailoversAsync(primaryEndpoint, operationAsync, operationName, cancellationToken);
}

public T ExecuteOnFailovers<T>(
Uri primaryEndpoint,
Func<Uri, T> operationSync,
string operationName,
string collectionIdGate,
CancellationToken cancellationToken = default)
{
if (string.IsNullOrEmpty(collectionIdGate))
{
return operationSync(primaryEndpoint);
}
return ExecuteOnFailovers(primaryEndpoint, operationSync, operationName, cancellationToken);
}

private async Task<List<Uri>> GetFailoverEndpointsAsync(
Uri primaryEndpoint,
CancellationToken cancellationToken = default)
{
try
{
string ledgerId = primaryEndpoint.Host.Substring(0, primaryEndpoint.Host.IndexOf('.'));

Uri failoverUrl = new Uri($"{IdentityServiceBaseUrl}/failover/{ledgerId}");

using HttpMessage message = CreateFailoverRequest(failoverUrl);
Response response = await _pipeline.ProcessMessageAsync(message, new RequestContext()).ConfigureAwait(false);
return ParseFailoverEndpoints(primaryEndpoint, response);
}
catch (Exception)
{
// suppress metadata retrieval exception
}
return new List<Uri>();
}

private List<Uri> GetFailoverEndpoints(
Uri primaryEndpoint,
CancellationToken cancellationToken = default)
{
try
{
// retrieving sync metadata
string ledgerId = primaryEndpoint.Host.Substring(0, primaryEndpoint.Host.IndexOf('.'));

Uri failoverUrl = new Uri($"{IdentityServiceBaseUrl}/failover/{ledgerId}");

using HttpMessage message = CreateFailoverRequest(failoverUrl);
Response response = _pipeline.ProcessMessage(message, new RequestContext());
return ParseFailoverEndpoints(primaryEndpoint, response);
}
catch (Exception)
{
// suppress metadata retrieval exception
}
return new List<Uri>();
}

private static List<Uri> ParseFailoverEndpoints(Uri primaryEndpoint, Response response)
{
var endpoints = new List<Uri>();
if (response?.Status != 200)
{
return endpoints;
}
try
{
using JsonDocument jsonDoc = JsonDocument.Parse(response.Content);
jsonDoc.RootElement.TryGetProperty("ledgerId", out _); // optional
if (jsonDoc.RootElement.TryGetProperty("failoverLedgers", out JsonElement failoverArray))
{
foreach (JsonElement failoverLedger in failoverArray.EnumerateArray())
{
string failoverLedgerId = null;
try
{
switch (failoverLedger.ValueKind)
{
case JsonValueKind.String:
failoverLedgerId = failoverLedger.GetString();
break;
case JsonValueKind.Object:
if (failoverLedger.TryGetProperty("name", out JsonElement nameProp) && nameProp.ValueKind == JsonValueKind.String)
{
failoverLedgerId = nameProp.GetString();
}
else
{
foreach (JsonProperty prop in failoverLedger.EnumerateObject())
{
if (prop.Value.ValueKind == JsonValueKind.String && string.Equals(prop.Name, "id", StringComparison.OrdinalIgnoreCase))
{
failoverLedgerId = prop.Value.GetString();
break;
}
}
}
break;
}
}
catch (JsonException jex)
{
#if DEBUG
Debug.WriteLine($"[ConfidentialLedgerFailoverService] JSON parse issue for failoverLedger element: {jex.Message}");
#endif
_ = jex; // suppress unused warning in non-DEBUG builds
}
catch (InvalidOperationException ioex)
{
#if DEBUG
Debug.WriteLine($"[ConfidentialLedgerFailoverService] Invalid operation while parsing failoverLedger element: {ioex.Message}");
#endif
_ = ioex; // suppress unused warning in non-DEBUG builds
}

if (!string.IsNullOrEmpty(failoverLedgerId))
{
Uri endpoint = new UriBuilder(primaryEndpoint) { Host = $"{failoverLedgerId}.{LedgerDomainSuffix}" }.Uri;
Copy link
Member

@ivarprudnikov ivarprudnikov Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

primary endpoint host already contains the suffix, which might be staging or any new env we add later like ppe. Therefore if would make sense to replace the first part of the existing host instead of constructing the new one with the current prod suffix.

endpoints.Add(endpoint);
}
}
}
}
catch (Exception)
{
// ignore entire parse failure
}
return endpoints;
}

private HttpMessage CreateFailoverRequest(Uri failoverUrl)
{
HttpMessage message = _pipeline.CreateMessage(new RequestContext(), ResponseClassifier200);
Request request = message.Request;

request.Method = RequestMethod.Get;

var uri = new RawRequestUriBuilder();
uri.Reset(failoverUrl);
request.Uri = uri;

request.Headers.Add("Accept", "application/json");

return message;
}

private static bool IsRetriableFailure(RequestFailedException ex)
{
// Include 404 and specific UnknownLedgerEntry error code.
return ex.Status == 404 ||
Copy link
Member

@ivarprudnikov ivarprudnikov Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These errors need to be updated, I doubt that a failover endpoint has so many retriable conditions. 404 would mean that the ledger does not exist, UnknownLedgerEntry is not related to /failover, 408 not necessary either. 503 and 504 can be dropped because they are included in ex.Status >= 500

string.Equals(ex.ErrorCode, "UnknownLedgerEntry", StringComparison.OrdinalIgnoreCase) ||
ex.Status >= 500 ||
ex.Status == 408 ||
ex.Status == 429 ||
ex.Status == 503 ||
ex.Status == 504;
}

// Execute an operation only against discovered failover endpoints (skips primary). Used for specialized fallback flows.
public async Task<T> ExecuteOnFailoversAsync<T>(
Uri primaryEndpoint,
Func<Uri, Task<T>> operationAsync,
string operationName,
CancellationToken cancellationToken = default)
{
List<Uri> endpoints = await GetFailoverEndpointsAsync(primaryEndpoint, cancellationToken).ConfigureAwait(false);
Exception last = null;
foreach (var ep in endpoints)
Copy link
Member

@ivarprudnikov ivarprudnikov Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an interesting point. It is saying that the order of the failover ledgers is important and sequential. For instance if there are 2 failover ledgers and the primary fails it will redirect all traffic to the first failover ledger and then to third only if the primary and secondary fail. Third one would rarely be used in this case.

If the order does not matter much it might make sense to forward requests to a randomly ordered list of failover ledgers to improve the distribution of the requests. So that when we get x million of requests they do not suddenly get all forwarded to the failover ledger but distribute that load across all of the failover ones.

{
// attempt endpoint
try
{
cancellationToken.ThrowIfCancellationRequested();
return await operationAsync(ep).ConfigureAwait(false);
}
catch (RequestFailedException ex) when (IsRetriableFailure(ex))
{
// endpoint failed, continue
last = ex;
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
throw;
}
}
throw last ?? new RequestFailedException("All failover endpoints failed in failovers mode");
}

public T ExecuteOnFailovers<T>(
Uri primaryEndpoint,
Func<Uri, T> operationSync,
string operationName,
CancellationToken cancellationToken = default)
{
List<Uri> endpoints = GetFailoverEndpoints(primaryEndpoint, cancellationToken);
Exception last = null;
foreach (var ep in endpoints)
{
// attempt endpoint
try
{
cancellationToken.ThrowIfCancellationRequested();
return operationSync(ep);
}
catch (RequestFailedException ex) when (IsRetriableFailure(ex))
{
// endpoint failed
last = ex;
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
throw;
}
}
throw last ?? new RequestFailedException("All failover endpoints failed in failovers mode");
}
}
}
Loading
Loading