The latest articles on DEV Community by Cláudio Filipe Lima Rapôso (@sertaoseracloud). https://dev.to/sertaoseracloud https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2686804%2F21b0095d-7793-4b03-b894-5b639c6264c0.png https://dev.to/sertaoseracloud en Cláudio Filipe Lima Rapôso Wed, 10 Jun 2026 16:45:00 +0000 https://dev.to/sertaoseracloud/orchestrating-multicloud-distributed-transactions-implementing-the-saga-pattern-across-aws-and-3a9a https://dev.to/sertaoseracloud/orchestrating-multicloud-distributed-transactions-implementing-the-saga-pattern-across-aws-and-3a9a <p>Maintaining strict transactional consistency across disparate cloud boundaries exposes platforms to catastrophic locking vulnerabilities. Engineering teams attempting to enforce distributed Two-Phase Commit (2PC) protocols across Amazon Web Services (AWS) and Microsoft Azure rapidly discover that the network latency inherent in inter-cloud transit breaks the fundamental mathematics of synchronous locking. When a primary database in AWS holds a lock awaiting acknowledgment from a replica in Azure, a transient network partition freezes the entire write domain, instantly starving the application of compute resources and cascading the failure across the platform. We refute the viability of synchronous cross-cloud commits, proposing instead the choreographed Saga pattern. By breaking the global transaction into a sequence of localized, independent commits, and publishing domain events to trigger the next step via AWS EventBridge and Azure Event Grid, architects eliminate lock contention entirely. If a downstream vendor rejects the operation, the system executes a deterministic series of compensating transactions to rollback the preceding states, guaranteeing eventual consistency and absolute resilience in production.</p> <h3> Prerequisites </h3> <p>Implementing a choreographed multicloud Saga requires advanced expertise in event-driven architectures and eventual consistency paradigms. The infrastructure must be strictly codified utilizing Terraform version 1.7.0 or higher, initialized with the HashiCorp AWS Provider version 5.40.0 and the AzureRM Provider version 3.90.0. The core compensation logic demands Python 3.12, supplemented by <code>boto3</code> version 1.34.0 and <code>azure-messaging-eventgrid</code> version 4.16.0. Operators must configure active OIDC federated trust between the AWS IAM environment and the Azure Active Directory tenant to authorize secure, cross-boundary webhook invocations.</p> <h3> Step-by-Step Implementation </h3> <h3> Establishing the Choreography Event Mesh </h3> <p>We initiate the multicloud Saga by provisioning the asynchronous routing topology required to transport state transition events across the vendor boundaries. The architectural justification for utilizing a publisher-subscriber mesh rather than direct API calls is the strict decoupling of temporal availability. If an AWS microservice invokes an Azure REST endpoint synchronously to advance the transaction, the AWS service inherits the Azure service downtime. By configuring Amazon EventBridge to push events to an Azure Event Grid Custom Topic via an API Destination, the AWS domain simply publishes the <code>TransactionInitiated</code> event and relinquishes control. EventBridge handles the authorization and transit retries autonomously. This choreography model ensures that neither cloud provider holds a synchronous connection open waiting for the partner cloud to complete its localized database commit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"azurerm_eventgrid_topic"</span> <span class="s2">"multicloud_saga"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"enterprise-saga-choreography"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_api_destination"</span> <span class="s2">"azure_saga_ingress"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-eventgrid-destination"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Saga Event Routing to Azure"</span> <span class="nx">invocation_endpoint</span> <span class="p">=</span> <span class="nx">azurerm_eventgrid_topic</span><span class="p">.</span><span class="nx">multicloud_saga</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="s2">"POST"</span> <span class="nx">invocation_rate_limit_per_second</span> <span class="p">=</span> <span class="mi">500</span> <span class="nx">connection_arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_connection</span><span class="p">.</span><span class="nx">azure_auth</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"saga_forwarding"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"forward-saga-events"</span> <span class="nx">event_bus_name</span> <span class="p">=</span> <span class="s2">"enterprise-core-bus"</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"saga.orchestrator"</span><span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"azure_grid"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">saga_forwarding</span><span class="p">.</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"AzureEventGrid"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_api_destination</span><span class="p">.</span><span class="nx">azure_saga_ingress</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eventbridge_invoke</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>How do we prevent partial execution from permanently corrupting the origin state when the cross-cloud network call drops before the event payload reaches the Azure boundary?</p> <h3> Initiating the Saga via Transactional Outbox </h3> <p>We prevent silent data corruption during initial network failures by anchoring the Saga initialization within a Transactional Outbox inside the AWS execution boundary. When the AWS application begins the distributed transaction, it cannot safely mutate its local DynamoDB state and subsequently attempt to call EventBridge in two separate network operations. If the EventBridge call fails, the local state is altered, but the Azure step never executes, leaving the Saga permanently fractured. The Python domain logic executes a <code>transact_write_items</code> operation, committing the local business entity and the outbound domain event to DynamoDB in a single, atomic ACID transaction. A background worker polls the Outbox table and handles the delivery to EventBridge. This mechanism guarantees that if the local database commit succeeds, the choreography event is mathematically guaranteed to enter the multicloud transit layer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">uuid</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">aws_lambda_powertools</span> <span class="kn">import</span> <span class="n">Logger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nc">Logger</span><span class="p">(</span><span class="n">service</span><span class="o">=</span><span class="sh">"</span><span class="s">SagaInitiator</span><span class="sh">"</span><span class="p">)</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="k">class</span> <span class="nc">PaymentSagaService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">initiate_multicloud_payment</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">order_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">transaction_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">txn_</span><span class="si">{</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">().</span><span class="nb">hex</span><span class="si">}</span><span class="sh">"</span> <span class="n">event_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="n">saga_event</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">metadata</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">saga_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">transaction_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">event_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">PaymentReserved</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">source</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saga.orchestrator</span><span class="sh">"</span> <span class="p">},</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">order_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">reserved_amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span> <span class="p">}</span> <span class="p">}</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nf">transact_write_items</span><span class="p">(</span> <span class="n">TransactItems</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Put</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">TableName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">LocalPayments</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Item</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">TransactionId</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">transaction_id</span><span class="p">},</span> <span class="sh">'</span><span class="s">Status</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">PENDING_AZURE_CONFIRMATION</span><span class="sh">'</span><span class="p">},</span> <span class="sh">'</span><span class="s">Amount</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">N</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">amount</span><span class="p">)}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Put</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">TableName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">SagaOutbox</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Item</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">EventId</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">event_id</span><span class="p">},</span> <span class="sh">'</span><span class="s">Payload</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">saga_event</span><span class="p">)}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Saga </span><span class="si">{</span><span class="n">transaction_id</span><span class="si">}</span><span class="s"> initiated locally. Event </span><span class="si">{</span><span class="n">event_id</span><span class="si">}</span><span class="s"> staged for Azure routing.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">transaction_id</span> </code></pre> </div> <p>What occurs when the Azure boundary successfully ingests the event but the local domain logic rejects the transaction due to a business invariant violation?</p> <h3> Executing Deterministic Compensations </h3> <p>When the Azure domain logic evaluates the payload and identifies a constraint violation, we execute a deterministic compensation sequence by publishing a counter-event back to the AWS origin. In a traditional monolithic database, a failure triggers a simple <code>ROLLBACK</code> command. In a multicloud Saga, the AWS transaction has already been committed to disk. To reverse it, the Azure Python adapter catches the domain exception and explicitly constructs a <code>PaymentCompensationRequested</code> event. The architectural necessity here is treating failures as first-class domain events rather than transient HTTP errors. The Azure application publishes this compensation payload onto Azure Event Grid, which routes it back to the AWS EventBridge origin. The AWS domain consumes this counter-event and executes an inverse transaction, updating the local database state from <code>PENDING</code> to <code>CANCELLED</code>, effectively repairing the distributed system state without ever utilizing a synchronous lock.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkspcz87z5tgvbfwbzr2y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkspcz87z5tgvbfwbzr2y.png" alt="Sequence Diagram" width="800" height="308"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">azure.messaging.eventgrid</span> <span class="kn">import</span> <span class="n">EventGridPublisherClient</span><span class="p">,</span> <span class="n">EventGridEvent</span> <span class="kn">from</span> <span class="n">azure.core.credentials</span> <span class="kn">import</span> <span class="n">AzureKeyCredential</span> <span class="n">EVENTGRID_ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">EVENTGRID_ENDPOINT</span><span class="sh">"</span><span class="p">]</span> <span class="n">EVENTGRID_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">EVENTGRID_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">EventGridPublisherClient</span><span class="p">(</span><span class="n">EVENTGRID_ENDPOINT</span><span class="p">,</span> <span class="nc">AzureKeyCredential</span><span class="p">(</span><span class="n">EVENTGRID_KEY</span><span class="p">))</span> <span class="k">class</span> <span class="nc">InventoryService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">process_reservation</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">saga_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">order_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Simulate domain logic checking inventory limits </span> <span class="k">if</span> <span class="n">amount</span> <span class="o">&gt;</span> <span class="mi">10000</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Inventory limit exceeded for requested order.</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Inventory reserved successfully for Saga </span><span class="si">{</span><span class="n">saga_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">ValueError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Domain invariant violated. Initiating compensation for Saga </span><span class="si">{</span><span class="n">saga_id</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">compensation_event</span> <span class="o">=</span> <span class="nc">EventGridEvent</span><span class="p">(</span> <span class="n">subject</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">saga/</span><span class="si">{</span><span class="n">saga_id</span><span class="si">}</span><span class="s">/compensation</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">saga_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">saga_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">order_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">},</span> <span class="n">event_type</span><span class="o">=</span><span class="sh">"</span><span class="s">PaymentCompensationRequested</span><span class="sh">"</span><span class="p">,</span> <span class="n">data_version</span><span class="o">=</span><span class="sh">"</span><span class="s">1.0</span><span class="sh">"</span> <span class="p">)</span> <span class="n">client</span><span class="p">.</span><span class="nf">send</span><span class="p">([</span><span class="n">compensation_event</span><span class="p">])</span> </code></pre> </div> <p>How do we mathematically guarantee that a delayed compensation event does not accidentally reverse a transaction that was subsequently retried and completed successfully?</p> <h3> Enforcing Idempotency in Compensation Handlers </h3> <p>We guarantee absolute safety against out-of-order delivery and duplicated compensations by enforcing strict state machine transitions within the AWS Hexagonal boundary. Because cross-cloud event buses utilize at-least-once delivery semantics, the AWS domain might receive the <code>PaymentCompensationRequested</code> event multiple times, or it might receive it after a human operator has already manually reconciled the state. To counteract this, the Python handler must evaluate the current state of the transaction before applying the inverse operation. The handler attempts a conditional update on the DynamoDB record. It instructs the database to change the state to <code>CANCELLED</code> strictly if the current state is still <code>PENDING_AZURE_CONFIRMATION</code>. If the record is already <code>CANCELLED</code> or <code>COMPLETED</code>, the conditional expression fails, and the Python application gracefully catches the <code>ConditionalCheckFailedException</code>. It acknowledges the event to the queue and discards it, ensuring that late-arriving compensations never corrupt the finalized business state.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="sh">'</span><span class="s">LocalPayments</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">handle_compensation_event</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">saga_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">saga_id</span><span class="sh">'</span><span class="p">]</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">reason</span><span class="sh">'</span><span class="p">]</span> <span class="k">try</span><span class="p">:</span> <span class="n">table</span><span class="p">.</span><span class="nf">update_item</span><span class="p">(</span> <span class="n">Key</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">TransactionId</span><span class="sh">'</span><span class="p">:</span> <span class="n">saga_id</span><span class="p">},</span> <span class="n">UpdateExpression</span><span class="o">=</span><span class="sh">"</span><span class="s">SET #s = :new_status, CompensationReason = :reason</span><span class="sh">"</span><span class="p">,</span> <span class="n">ConditionExpression</span><span class="o">=</span><span class="sh">"</span><span class="s">#s = :expected_status</span><span class="sh">"</span><span class="p">,</span> <span class="n">ExpressionAttributeNames</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">#s</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Status</span><span class="sh">'</span> <span class="p">},</span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">:new_status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">CANCELLED_VIA_COMPENSATION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">:expected_status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">PENDING_AZURE_CONFIRMATION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">:reason</span><span class="sh">'</span><span class="p">:</span> <span class="n">reason</span> <span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Saga </span><span class="si">{</span><span class="n">saga_id</span><span class="si">}</span><span class="s"> successfully compensated and rolled back.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Code</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">ConditionalCheckFailedException</span><span class="sh">'</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Compensation for Saga </span><span class="si">{</span><span class="n">saga_id</span><span class="si">}</span><span class="s"> ignored. State machine has already progressed.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Database error during compensation: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Common Troubleshooting </h3> <p>When deploying choreographed Sagas across vendor boundaries, Dead Letter Queues (DLQ) frequently flood with rejected payloads. This typically occurs when the Azure Event Grid schema validation blocks incoming payloads originating from AWS EventBridge. EventBridge encapsulates custom JSON payloads within its own proprietary wrapper. If the Azure Event Grid Topic is strictly configured to expect the CloudEvents v1.0 schema, it will reject the raw EventBridge delivery. You must utilize an Input Mapping configuration on the Event Grid Custom Topic to extract the nested <code>detail</code> object from the AWS payload and map it to the top-level required fields of the CloudEvent specification.</p> <p>Another pervasive issue manifests as compensation loops, where AWS and Azure continuously bounce failure events back and forth. This indicates a failure in the termination logic of the Saga handlers. If the AWS compensation handler throws an unhandled exception because it cannot parse the Azure payload, the AWS SQS queue will eventually retry the message until it hits the max receive count, triggering a secondary failure alert. Always wrap your compensation handlers in broad <code>try/except</code> blocks that catch parsing errors and deliberately acknowledge the malformed message, pushing a notification to a monitoring channel rather than allowing the event-driven retry mechanism to cycle infinitely.</p> <h3> Conclusion </h3> <p>Orchestrating distributed transactions using the Saga pattern eliminates the brittle dependencies of synchronous locking across multicloud environments. By bridging AWS and Azure with decoupled event buses, implementing Transactional Outboxes, and enforcing idempotent compensations, architects build platforms capable of gracefully self-healing during localized vendor failures. As the complexity of the domain state machine increases, organizations should explore transitioning from pure choreography to orchestration utilizing a dedicated workflow engine. Tools like Temporal.io or AWS Step Functions provide a centralized, durable execution state, simplifying the visualization and auditing of highly complex, multi-step cross-cloud transactions.</p> <h3> References </h3> <p>Garcia-Molina, H., &amp; Salem, K. (1987). <em>Sagas</em>. ACM SIGMOD Record, 16(3), 249-259. <a href="https://doi.org/10.1145/38714.38742" rel="noopener noreferrer">https://doi.org/10.1145/38714.38742</a></p> <p>Richardson, C. (2018). <em>Microservices patterns: With examples in Java</em>. Manning Publications.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Mon, 08 Jun 2026 16:31:00 +0000 https://dev.to/sertaoseracloud/architecting-multicloud-cqrs-decoupling-read-and-write-domains-across-aws-and-azure-9h6 https://dev.to/sertaoseracloud/architecting-multicloud-cqrs-decoupling-read-and-write-domains-across-aws-and-azure-9h6 <p>Monolithic relational databases choke under the read-heavy demands of globally distributed enterprise applications. When thousands of concurrent clients query complex aggregations, the primary transactional store experiences severe CPU contention, risking the integrity of write operations. Attempting to solve this by scaling up the primary database only defers the bottleneck and inextricably couples read traffic to the write domain's availability. If the single database degrades, the entire platform becomes unresponsive. Command Query Responsibility Segregation (CQRS) resolves this structural flaw by physically separating the write model from the read model. By orchestrating an event-driven data pipeline across Amazon Managed Streaming for Apache Kafka (MSK) and Microsoft Azure Event Hubs, engineering teams can project asynchronous materialized views optimized strictly for localized read performance. This multicloud topology guarantees that aggressive query patterns never impact transactional throughput, ensuring absolute resilience and low latency data access across disparate vendor networks.</p> <h3> Prerequisites </h3> <p>Implementing cross-cloud CQRS demands mastery of event sourcing, stream processing, and distributed network engineering. The infrastructure provisioning layer requires Terraform version 1.7.0 or higher, utilizing the HashiCorp AWS Provider version 5.40.0 and the AzureRM Provider version 3.90.0. The projection workers demand Python 3.12, supplemented by the <code>confluent-kafka</code> library version 2.3.0 and <code>azure-cosmos</code> version 4.5.1. A unified identity plane utilizing OpenID Connect (OIDC) is necessary for secure, cross-boundary authentication. Administrative access to configure Virtual Network peering or dedicated IPsec VPN tunnels between the AWS Virtual Private Cloud and the Azure Virtual Network is mandatory to guarantee encrypted transit.</p> <h3> Step-by-Step Implementation </h3> <h3> Architecting the Immutable Write Log with Amazon MSK </h3> <p>Establishing a robust CQRS write model requires an append-only, immutable ledger to record every domain state transition securely. We provision Amazon MSK to act as the central nervous system for the write domain. The architectural justification resides in the necessity for strict event ordering and indefinite retention capabilities. When a domain service processes a command, it does not mutate a traditional database table. Instead, it publishes a domain event to a specific Kafka topic. MSK guarantees that these events are replicated across three distinct Availability Zones, providing exceptional durability. By isolating the write operations to this streaming platform, the system achieves massive write throughput entirely unencumbered by complex SQL joins, index recalculations, or table locks.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7on18af35f6u64zoona.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7on18af35f6u64zoona.png" alt="Sequence Diagram" width="800" height="338"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_msk_cluster"</span> <span class="s2">"enterprise_event_store"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"enterprise-write-domain"</span> <span class="nx">kafka_version</span> <span class="p">=</span> <span class="s2">"3.5.1"</span> <span class="nx">number_of_broker_nodes</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">broker_node_group_info</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"kafka.m5.large"</span> <span class="nx">client_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_az1</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_az2</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_az3</span><span class="p">.</span><span class="nx">id</span> <span class="p">]</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">msk_internal</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">storage_info</span> <span class="p">{</span> <span class="nx">ebs_storage_info</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">client_authentication</span> <span class="p">{</span> <span class="nx">sasl</span> <span class="p">{</span> <span class="nx">iam</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Architecture</span> <span class="p">=</span> <span class="s2">"CQRS"</span> <span class="nx">Domain</span> <span class="p">=</span> <span class="s2">"WriteModel"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>How do we replicate these highly sensitive, immutable events to an external cloud boundary without exposing the internal MSK brokers to the unpredictable latency and security threats of the public internet?</p> <h3> Bridging the Multicloud Boundary via MirrorMaker 2 </h3> <p>We bridge the isolated network boundaries by deploying Apache Kafka MirrorMaker 2 within an Amazon Elastic Container Service (ECS) Fargate cluster, pushing events asynchronously to Azure Event Hubs over a dedicated IPsec tunnel. The core architectural reasoning for this component is mitigating vendor lock-in while establishing a secondary read locality. Event Hubs natively supports the Kafka protocol, allowing MirrorMaker 2 to treat the Azure destination exactly like a standard Kafka cluster. By executing this replication process asynchronously, the AWS write domain remains completely insulated from any performance degradation occurring within the Azure network. The primary write operation acknowledges success immediately upon persisting to MSK. Subsequently, MirrorMaker 2 acts as an autonomous consumer, fetching batches of events and handling the eventual consistency delivery to the Azure environment securely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"azurerm_eventhub_namespace"</span> <span class="s2">"multicloud_replica"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"enterprise-read-replica"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">name</span> <span class="nx">sku</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Architecture</span> <span class="p">=</span> <span class="s2">"CQRS"</span> <span class="nx">Domain</span> <span class="p">=</span> <span class="s2">"ReadModel"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_eventhub"</span> <span class="s2">"transaction_events"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"transactions"</span> <span class="nx">namespace_name</span> <span class="p">=</span> <span class="nx">azurerm_eventhub_namespace</span><span class="p">.</span><span class="nx">multicloud_replica</span><span class="p">.</span><span class="nx">name</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">name</span> <span class="nx">partition_count</span> <span class="p">=</span> <span class="mi">32</span> <span class="nx">message_retention</span> <span class="p">=</span> <span class="mi">7</span> <span class="p">}</span> </code></pre> </div> <p>If the event stream successfully traverses the multicloud boundary, how do the Azure computing units process this continuous influx of raw event data into highly optimized, localized read models without falling behind the throughput velocity?</p> <h3> Hydrating Materialized Views with Hexagonal Consumers </h3> <p>We construct the optimized read models by deploying horizontally scalable Python consumers that interpret the event stream and upsert document structures into Azure Cosmos DB. The architectural imperative here is the strict separation of concerns utilizing Hexagonal Architecture. The Python consumer acts purely as a driving adapter, polling the Event Hub via the Kafka protocol. It passes the raw event payload into a core domain projection service. This domain service computes the current state, pre-calculating the exact data shapes required by the frontend client interfaces, and passes the result to an outbound port connected to Cosmos DB. This methodology ensures the read database contains heavily denormalized, ready-to-serve JSON documents. When a client performs a read operation, Cosmos DB executes a point-read query in single-digit milliseconds, entirely bypassing runtime computational overhead.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">confluent_kafka</span> <span class="kn">import</span> <span class="n">Consumer</span><span class="p">,</span> <span class="n">KafkaError</span> <span class="kn">from</span> <span class="n">azure.cosmos</span> <span class="kn">import</span> <span class="n">CosmosClient</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span> <span class="n">EVENTHUB_CONN_STR</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">EVENTHUB_KAFKA_CONN_STR</span><span class="sh">"</span><span class="p">]</span> <span class="n">COSMOS_ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_ENDPOINT</span><span class="sh">"</span><span class="p">]</span> <span class="n">COSMOS_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">cosmos_client</span> <span class="o">=</span> <span class="nc">CosmosClient</span><span class="p">(</span><span class="n">COSMOS_ENDPOINT</span><span class="p">,</span> <span class="n">credential</span><span class="o">=</span><span class="n">COSMOS_KEY</span><span class="p">)</span> <span class="n">database</span> <span class="o">=</span> <span class="n">cosmos_client</span><span class="p">.</span><span class="nf">get_database_client</span><span class="p">(</span><span class="sh">"</span><span class="s">ReadModels</span><span class="sh">"</span><span class="p">)</span> <span class="n">container</span> <span class="o">=</span> <span class="n">database</span><span class="p">.</span><span class="nf">get_container_client</span><span class="p">(</span><span class="sh">"</span><span class="s">TransactionViews</span><span class="sh">"</span><span class="p">)</span> <span class="n">kafka_conf</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">bootstrap.servers</span><span class="sh">'</span><span class="p">:</span> <span class="n">EVENTHUB_CONN_STR</span><span class="p">,</span> <span class="sh">'</span><span class="s">security.protocol</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">SASL_SSL</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sasl.mechanisms</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">PLAIN</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sasl.username</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">$ConnectionString</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sasl.password</span><span class="sh">'</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">EVENTHUB_SASL_KEY</span><span class="sh">"</span><span class="p">],</span> <span class="sh">'</span><span class="s">group.id</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">projection-worker-group-v1</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">auto.offset.reset</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">earliest</span><span class="sh">'</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">project_transaction_view</span><span class="p">(</span><span class="n">event_payload</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">view_id</span> <span class="o">=</span> <span class="n">event_payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">account_id</span><span class="sh">"</span><span class="p">)</span> <span class="n">amount</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">event_payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="k">try</span><span class="p">:</span> <span class="n">current_view</span> <span class="o">=</span> <span class="n">container</span><span class="p">.</span><span class="nf">read_item</span><span class="p">(</span><span class="n">item</span><span class="o">=</span><span class="n">view_id</span><span class="p">,</span> <span class="n">partition_key</span><span class="o">=</span><span class="n">view_id</span><span class="p">)</span> <span class="n">current_view</span><span class="p">[</span><span class="sh">"</span><span class="s">total_balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="n">amount</span> <span class="n">current_view</span><span class="p">[</span><span class="sh">"</span><span class="s">transaction_count</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">current_view</span><span class="p">[</span><span class="sh">"</span><span class="s">last_updated</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">event_payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">)</span> <span class="n">container</span><span class="p">.</span><span class="nf">upsert_item</span><span class="p">(</span><span class="n">body</span><span class="o">=</span><span class="n">current_view</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="n">new_view</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">view_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">account_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">view_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">total_balance</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">transaction_count</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">last_updated</span><span class="sh">"</span><span class="p">:</span> <span class="n">event_payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">)</span> <span class="p">}</span> <span class="n">container</span><span class="p">.</span><span class="nf">create_item</span><span class="p">(</span><span class="n">body</span><span class="o">=</span><span class="n">new_view</span><span class="p">)</span> <span class="k">def</span> <span class="nf">start_projection_worker</span><span class="p">():</span> <span class="n">consumer</span> <span class="o">=</span> <span class="nc">Consumer</span><span class="p">(</span><span class="n">kafka_conf</span><span class="p">)</span> <span class="n">consumer</span><span class="p">.</span><span class="nf">subscribe</span><span class="p">([</span><span class="sh">'</span><span class="s">transactions</span><span class="sh">'</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Started Cosmos DB projection worker...</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">msg</span> <span class="o">=</span> <span class="n">consumer</span><span class="p">.</span><span class="nf">poll</span><span class="p">(</span><span class="mf">1.0</span><span class="p">)</span> <span class="k">if</span> <span class="n">msg</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">continue</span> <span class="k">if</span> <span class="n">msg</span><span class="p">.</span><span class="nf">error</span><span class="p">():</span> <span class="k">if</span> <span class="n">msg</span><span class="p">.</span><span class="nf">error</span><span class="p">().</span><span class="nf">code</span><span class="p">()</span> <span class="o">!=</span> <span class="n">KafkaError</span><span class="p">.</span><span class="n">_PARTITION_EOF</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Consumer error: </span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="nf">error</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">continue</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">msg</span><span class="p">.</span><span class="nf">value</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">))</span> <span class="nf">project_transaction_view</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="k">pass</span> <span class="k">finally</span><span class="p">:</span> <span class="n">consumer</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">start_projection_worker</span><span class="p">()</span> </code></pre> </div> <p>What structural recovery mechanism exists when a faulty code deployment introduces a malformed projection schema, silently corrupting the materialized view inside Cosmos DB for several hours before detection?</p> <h3> Replaying the Stream for Schema Evolution and Recovery </h3> <p>We rectify structural corruption by treating the materialized view as entirely ephemeral and executing a deterministic event replay from the primary immutable log. The fundamental advantage of event sourcing is that application state derives entirely from the history of events. When data corruption occurs, or when a new business requirement dictates a different data structure, developers deploy a corrected version of the Python consumer logic bound to a new <code>group.id</code> configuration. This new consumer group ignores the corrupted offset markers and begins reading the event log from the absolute beginning (<code>auto.offset.reset = 'earliest'</code>). It rapidly projects the entire historical dataset into a fresh, isolated Cosmos DB container using the corrected schema logic. Once the new projection catches up to the current stream head, the routing layer seamlessly transitions client read traffic to the new container. The corrupted container is subsequently dropped, allowing for massive structural changes and recovery operations with zero downtime.</p> <h3> Common Troubleshooting </h3> <p>When establishing cross-cloud Kafka replication, authentication failures between MirrorMaker 2 and Azure Event Hubs are frequent. If the MirrorMaker logs display <code>SASL authentication failed</code>, ensure that the connection string provided to the destination configuration utilizes the <code>$ConnectionString</code> literal as the username, and the primary key of the Event Hubs Shared Access Policy as the password. Event Hubs enforces strict Kafka protocol validation, and utilizing misconfigured SASL/PLAIN mechanisms will result in silent connection drops.</p> <p>Another critical issue surfaces as extreme consumer lag within the Python projection workers during high-throughput ingestion spikes. If Cosmos DB begins returning HTTP 429 <code>TooManyRequests</code> errors, the Event Hub consumer will continuously block and retry, causing the offset lag to increase exponentially. This indicates that the Request Unit (RU) capacity provisioned on the Cosmos DB container is insufficient for the write velocity of the event stream. You must scale the container throughput dynamically using Azure Autoscale rules, or implement aggressive batching within the Python <code>azure-cosmos</code> client to commit multiple materialized views in a single transactional batch operation, significantly reducing the API call frequency.</p> <h3> Conclusion </h3> <p>Orchestrating a cross-cloud CQRS architecture using Amazon MSK and Azure Event Hubs establishes a deeply resilient data ecosystem. By segregating the immutable write operations from highly concurrent read demands, engineering teams can guarantee transactional integrity while providing localized, sub-millisecond query performance across vendor networks. Moving forward, teams scaling this pattern should implement Schema Registry integrations on the AWS origin. Enforcing strict Protobuf or Avro schemas before events enter the MSK topics ensures that schema evolution is mathematically validated, preventing malformed payloads from ever propagating across the multicloud boundary.</p> <h3> References </h3> <p>Kleppmann, M. (2017). <em>Designing data-intensive applications: The big ideas behind reliable, scalable, and maintainable systems</em>. O'Reilly Media.</p> <p>Stopford, B. (2018). <em>Designing event-driven systems: Concepts and patterns for streaming services with Apache Kafka</em>. O'Reilly Media.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Sat, 06 Jun 2026 16:26:00 +0000 https://dev.to/sertaoseracloud/multicloud-execution-portability-abstracting-aws-dynamodb-and-azure-cosmos-db-via-hexagonal-3h33 https://dev.to/sertaoseracloud/multicloud-execution-portability-abstracting-aws-dynamodb-and-azure-cosmos-db-via-hexagonal-3h33 <p>Monolithic data access layers inherently bind compute execution to a specific cloud provider's proprietary database SDK. When an enterprise application tightly couples its business logic to Amazon Web Services (AWS) DynamoDB using <code>boto3</code>, attempting to failover execution to Microsoft Azure Cosmos DB during a systemic AWS outage becomes an insurmountable engineering challenge. True multicloud resilience demands that the application execution layer remains entirely ignorant of its underlying storage mechanism. By enforcing a strict Hexagonal Architecture paradigm, engineering teams can decouple the core domain from vendor specific infrastructure. Implementing pure Python output ports allows the runtime to dynamically inject either a DynamoDB adapter or a Cosmos DB adapter without altering a single line of business logic. This architectural abstraction guarantees execution portability, enabling workloads to shift seamlessly across cloud boundaries while neutralizing database vendor lock-in.</p> <h3> Prerequisites </h3> <p>Deploying this cloud agnostic data abstraction requires a deep understanding of Python object oriented programming and interface design. The compute environment requires Python 3.12. Vendor integration relies on the <code>boto3</code> library version 1.34.0 for AWS interactions and the <code>azure-cosmos</code> library version 4.5.1 for Azure interactions. Infrastructure provisioning requires Terraform version 1.7.0 or higher, utilizing the HashiCorp AWS Provider version 5.40.0 and the AzureRM Provider version 3.90.0. Ensure the execution environment possesses the necessary IAM roles for AWS and managed identities for Azure AD authentication.</p> <h3> Step-by-Step Implementation </h3> <h3> Defining the Core Domain and Outbound Port </h3> <p>The foundation of execution portability begins by explicitly defining the domain invariants and isolating them from external dependencies. We construct a pure Python dataclass to represent the core business entity and an Abstract Base Class (ABC) to serve as the outbound port. The architectural justification for this absolute decoupling is to protect the domain from the volatile nature of vendor APIs. The <code>TransactionRepositoryPort</code> must never accept or return <code>boto3</code> dictionaries or Azure Cosmos response objects. It operates exclusively using pure domain data transfer objects. If the domain layer imports an AWS SDK, the hexagonal boundary is breached, and multicloud portability is instantly destroyed. By establishing a rigid interface contract, we force all future database implementations to bend to the will of the domain, rather than bending the domain to accommodate the database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">abc</span> <span class="kn">import</span> <span class="n">ABC</span><span class="p">,</span> <span class="n">abstractmethod</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Optional</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">class</span> <span class="nc">TransactionEntity</span><span class="p">:</span> <span class="n">transaction_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">account_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">float</span> <span class="n">timestamp</span><span class="p">:</span> <span class="nb">str</span> <span class="k">class</span> <span class="nc">TransactionRepositoryPort</span><span class="p">(</span><span class="n">ABC</span><span class="p">):</span> <span class="nd">@abstractmethod</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">transaction</span><span class="p">:</span> <span class="n">TransactionEntity</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">pass</span> <span class="nd">@abstractmethod</span> <span class="k">def</span> <span class="nf">find_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">transaction_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">account_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">TransactionEntity</span><span class="p">]:</span> <span class="k">pass</span> <span class="k">class</span> <span class="nc">TransactionService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">repository</span><span class="p">:</span> <span class="n">TransactionRepositoryPort</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">repository</span> <span class="o">=</span> <span class="n">repository</span> <span class="k">def</span> <span class="nf">process_new_transaction</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">account_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">TransactionEntity</span><span class="p">:</span> <span class="k">if</span> <span class="n">amount</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Transaction amount must be strictly positive.</span><span class="sh">"</span><span class="p">)</span> <span class="n">entity</span> <span class="o">=</span> <span class="nc">TransactionEntity</span><span class="p">(</span> <span class="n">transaction_id</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">txn_</span><span class="si">{</span><span class="nf">int</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">timestamp</span><span class="p">())</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">account_id</span><span class="o">=</span><span class="n">account_id</span><span class="p">,</span> <span class="n">amount</span><span class="o">=</span><span class="n">amount</span><span class="p">,</span> <span class="n">timestamp</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">()</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">repository</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">entity</span><span class="p">)</span> <span class="k">return</span> <span class="n">entity</span> </code></pre> </div> <p>If the domain logic is now completely shielded from the infrastructure APIs, how do we translate these pure Python data structures into the proprietary JSON formats demanded by AWS and Azure respectively?</p> <h3> Implementing Vendor Specific Infrastructure Adapters </h3> <p>We translate the domain requests into proprietary vendor operations by writing dedicated, highly specialized infrastructure adapters that implement our abstract port. We construct a <code>DynamoDbAdapter</code> utilizing <code>boto3</code> and a <code>CosmosDbAdapter</code> utilizing the <code>azure-cosmos</code> client. The architectural necessity here is to encapsulate all SDK complexity, retry logic, and exception handling within these distinct classes. When the domain invokes the <code>save</code> method, the DynamoDB adapter formats the payload using the explicit <code>boto3</code> parameters, while the Cosmos DB adapter formats the payload into a standard JSON document incorporating the required <code>id</code> and partition key fields. These adapters act as the translation layer, ensuring that the idiosyncrasies of AWS request units and Azure throughput configurations never contaminate the core application memory space.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"multicloud_transactions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Transactions"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"AccountId"</span> <span class="nx">range_key</span> <span class="p">=</span> <span class="s2">"TransactionId"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AccountId"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"TransactionId"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_cosmosdb_sql_container"</span> <span class="s2">"multicloud_transactions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Transactions"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="nx">azurerm_cosmosdb_account</span><span class="p">.</span><span class="nx">global</span><span class="p">.</span><span class="nx">name</span> <span class="nx">database_name</span> <span class="p">=</span> <span class="nx">azurerm_cosmosdb_sql_database</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">name</span> <span class="nx">partition_key_paths</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"/account_id"</span><span class="p">]</span> <span class="nx">partition_key_version</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="kn">from</span> <span class="n">azure.cosmos</span> <span class="kn">import</span> <span class="n">CosmosClient</span> <span class="kn">from</span> <span class="n">azure.cosmos.exceptions</span> <span class="kn">import</span> <span class="n">CosmosHttpResponseError</span> <span class="k">class</span> <span class="nc">DynamoDbAdapter</span><span class="p">(</span><span class="n">TransactionRepositoryPort</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">region_name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="n">region_name</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">table</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">table_name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">transaction</span><span class="p">:</span> <span class="n">TransactionEntity</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span> <span class="n">Item</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">AccountId</span><span class="sh">'</span><span class="p">:</span> <span class="n">transaction</span><span class="p">.</span><span class="n">account_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">TransactionId</span><span class="sh">'</span><span class="p">:</span> <span class="n">transaction</span><span class="p">.</span><span class="n">transaction_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">Amount</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">transaction</span><span class="p">.</span><span class="n">amount</span><span class="p">),</span> <span class="sh">'</span><span class="s">Timestamp</span><span class="sh">'</span><span class="p">:</span> <span class="n">transaction</span><span class="p">.</span><span class="n">timestamp</span> <span class="p">}</span> <span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">AWS DynamoDB write failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">find_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">transaction_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">account_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">TransactionEntity</span><span class="p">]:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">table</span><span class="p">.</span><span class="nf">get_item</span><span class="p">(</span><span class="n">Key</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">AccountId</span><span class="sh">'</span><span class="p">:</span> <span class="n">account_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">TransactionId</span><span class="sh">'</span><span class="p">:</span> <span class="n">transaction_id</span><span class="p">})</span> <span class="n">item</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Item</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">return</span> <span class="nc">TransactionEntity</span><span class="p">(</span> <span class="n">transaction_id</span><span class="o">=</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">TransactionId</span><span class="sh">'</span><span class="p">],</span> <span class="n">account_id</span><span class="o">=</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">AccountId</span><span class="sh">'</span><span class="p">],</span> <span class="n">amount</span><span class="o">=</span><span class="nf">float</span><span class="p">(</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">Amount</span><span class="sh">'</span><span class="p">]),</span> <span class="n">timestamp</span><span class="o">=</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">Timestamp</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">class</span> <span class="nc">CosmosDbAdapter</span><span class="p">(</span><span class="n">TransactionRepositoryPort</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">endpoint</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">database_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">container_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">client</span> <span class="o">=</span> <span class="nc">CosmosClient</span><span class="p">(</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">credential</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">database</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nf">get_database_client</span><span class="p">(</span><span class="n">database_name</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">container</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">database</span><span class="p">.</span><span class="nf">get_container_client</span><span class="p">(</span><span class="n">container_name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">transaction</span><span class="p">:</span> <span class="n">TransactionEntity</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">document</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">transaction</span><span class="p">.</span><span class="n">transaction_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">account_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">transaction</span><span class="p">.</span><span class="n">account_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">transaction</span><span class="p">.</span><span class="n">amount</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">transaction</span><span class="p">.</span><span class="n">timestamp</span> <span class="p">}</span> <span class="n">self</span><span class="p">.</span><span class="n">container</span><span class="p">.</span><span class="nf">upsert_item</span><span class="p">(</span><span class="n">body</span><span class="o">=</span><span class="n">document</span><span class="p">)</span> <span class="k">except</span> <span class="n">CosmosHttpResponseError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Azure Cosmos DB write failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">message</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">find_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">transaction_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">account_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">TransactionEntity</span><span class="p">]:</span> <span class="k">try</span><span class="p">:</span> <span class="n">item</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">container</span><span class="p">.</span><span class="nf">read_item</span><span class="p">(</span><span class="n">item</span><span class="o">=</span><span class="n">transaction_id</span><span class="p">,</span> <span class="n">partition_key</span><span class="o">=</span><span class="n">account_id</span><span class="p">)</span> <span class="k">return</span> <span class="nc">TransactionEntity</span><span class="p">(</span> <span class="n">transaction_id</span><span class="o">=</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">],</span> <span class="n">account_id</span><span class="o">=</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">account_id</span><span class="sh">'</span><span class="p">],</span> <span class="n">amount</span><span class="o">=</span><span class="nf">float</span><span class="p">(</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">amount</span><span class="sh">'</span><span class="p">]),</span> <span class="n">timestamp</span><span class="o">=</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">except</span> <span class="n">CosmosHttpResponseError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">404</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Azure Cosmos DB read failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">message</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>When multiple infrastructure adapters exist within the codebase, how does the application seamlessly instantiate the correct cloud specific implementation during an active disaster recovery failover without requiring a manual code redeployment?</p> <h3> Dynamic Runtime Resolution and Dependency Injection </h3> <p>We achieve zero downtime adapter switching by implementing a dynamic dependency injection factory that resolves the target infrastructure at application startup. The architectural reasoning is operational agility. During a critical cloud degradation event, operators cannot wait for deployment pipelines to build and deploy modified application images to Azure. By reading an environment variable injected by the orchestrator, the application dynamically resolves which adapter to instantiate and pass into the <code>TransactionService</code>. This topology ensures that the identical Docker image functions perfectly in both the AWS container execution environments and the Azure container execution environments. The AWS deployment initializes the <code>DynamoDbAdapter</code>, while the Azure deployment initializes the <code>CosmosDbAdapter</code>. The domain logic remains entirely oblivious to this injection phase, continuing to process transactions securely and deterministically regardless of its physical execution location.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fda8jgdf23gumlmkhb1hj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fda8jgdf23gumlmkhb1hj.png" alt="Sequence Diagram" width="800" height="401"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="k">class</span> <span class="nc">RepositoryFactory</span><span class="p">:</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">get_repository</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">TransactionRepositoryPort</span><span class="p">:</span> <span class="n">active_cloud</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">ACTIVE_CLOUD_PROVIDER</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">).</span><span class="nf">upper</span><span class="p">()</span> <span class="k">if</span> <span class="n">active_cloud</span> <span class="o">==</span> <span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="nc">DynamoDbAdapter</span><span class="p">(</span> <span class="n">table_name</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">DYNAMODB_TABLE_NAME</span><span class="sh">"</span><span class="p">],</span> <span class="n">region_name</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">AWS_REGION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="k">elif</span> <span class="n">active_cloud</span> <span class="o">==</span> <span class="sh">"</span><span class="s">AZURE</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="nc">CosmosDbAdapter</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_ENDPOINT</span><span class="sh">"</span><span class="p">],</span> <span class="n">key</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_KEY</span><span class="sh">"</span><span class="p">],</span> <span class="n">database_name</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_DB_NAME</span><span class="sh">"</span><span class="p">],</span> <span class="n">container_name</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">COSMOS_CONTAINER_NAME</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unsupported cloud provider configuration: </span><span class="si">{</span><span class="n">active_cloud</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Application Bootstrap </span><span class="n">repository_port</span> <span class="o">=</span> <span class="n">RepositoryFactory</span><span class="p">.</span><span class="nf">get_repository</span><span class="p">()</span> <span class="n">transaction_service</span> <span class="o">=</span> <span class="nc">TransactionService</span><span class="p">(</span><span class="n">repository_port</span><span class="p">)</span> <span class="c1"># Domain execution remains identical regardless of the resolved adapter </span><span class="n">result</span> <span class="o">=</span> <span class="n">transaction_service</span><span class="p">.</span><span class="nf">process_new_transaction</span><span class="p">(</span><span class="n">account_id</span><span class="o">=</span><span class="sh">"</span><span class="s">ACC_9918</span><span class="sh">"</span><span class="p">,</span> <span class="n">amount</span><span class="o">=</span><span class="mf">250.00</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Transaction stored safely. Provider agnostic ID: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">transaction_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>How do platform operators mitigate data structure failures when the primary key conventions differ fundamentally between DynamoDB composite keys and Cosmos DB document IDs?</p> <h3> Common Troubleshooting </h3> <p>When implementing cross cloud database abstraction, primary key translation failures are a dominant source of runtime errors. If the Cosmos DB adapter returns an <code>HTTP 400 Bad Request</code> citing partition key mismatch, you must verify the document <code>id</code> property. DynamoDB natively supports composite primary keys defined by a Hash Key and a Range Key. Cosmos DB requires a strict lowercase <code>id</code> field mapped to a unique string, alongside a separate, explicitly defined partition key. The Python Cosmos adapter must manually construct this <code>id</code> mapping, ensuring the domain's unique identifier is bound to the <code>id</code> property of the JSON dictionary before executing the upsert operation.</p> <p>Another critical issue surfaces as extreme latency degradation during connection initialization. If the <code>DynamoDbAdapter</code> performs rapidly but the <code>CosmosDbAdapter</code> consistently times out on the initial request within an Azure execution context, check the SDK connectivity mode. The Python <code>azure-cosmos</code> client may default to Gateway Mode, traversing extra proxy layers. Ensure your Azure networking is configured to support Direct Mode connectivity on TCP ports 10000 to 20000, allowing the client to communicate directly with the Cosmos DB backend storage replicas, significantly reducing round trip latency.</p> <h3> Conclusion </h3> <p>Abstracting cloud specific data services via Hexagonal Architecture establishes a resilient, vendor agnostic execution layer capable of surviving total provider degradation. By isolating domain logic from the <code>boto3</code> and <code>azure-cosmos</code> SDKs through strict Python output ports, engineering teams can dynamically pivot transactional workloads across AWS and Azure environments seamlessly. To complete the multicloud disaster recovery posture, architectures should deploy a background replication mesh bridging the two data stores utilizing DynamoDB Streams and Azure Event Grid to guarantee eventual data consistency alongside this compute portability.</p> <h3> References </h3> <p>Cockburn, A. (2005). <em>Hexagonal architecture</em>. Alistair Cockburn. <a href="https://alistair.cockburn.us/hexagonal-architecture/" rel="noopener noreferrer">https://alistair.cockburn.us/hexagonal-architecture/</a></p> <p>Vernon, V. (2013). <em>Implementing domain-driven design</em>. Addison-Wesley Professional.</p> azure aws python terraform Cláudio Filipe Lima Rapôso Thu, 04 Jun 2026 03:00:00 +0000 https://dev.to/sertaoseracloud/unifying-multicloud-observability-end-to-end-distributed-tracing-with-opentelemetry-across-aws-and-3ni1 https://dev.to/sertaoseracloud/unifying-multicloud-observability-end-to-end-distributed-tracing-with-opentelemetry-across-aws-and-3ni1 <p>Multicloud architectures distribute execution across distinct vendor boundaries, creating fragmented telemetry silos. When a critical user transaction originates in an Amazon Web Services (AWS) edge compute layer and asynchronously triggers a Microsoft Azure data ingestion pipeline, a failure leaves operators completely blind. Attempting to manually correlate AWS CloudWatch logs with Azure Application Insights traces during a severity one outage prolongs mean time to resolution and leads to catastrophic service level agreement breaches. Implementing a unified multicloud observability pipeline using OpenTelemetry resolves this telemetry fragmentation. By standardizing trace propagation headers and utilizing a centralized collector deployment to ingest and export spans simultaneously to AWS X-Ray and Azure Monitor, architects establish a single pane of glass. This vendor agnostic instrumentation guarantees end to end visibility, enabling rapid root cause analysis across the entire multicloud execution path in production environments.</p> <h3> Prerequisites </h3> <p>Implementing a distributed tracing pipeline requires a fundamental understanding of directed acyclic graphs and the W3C Trace Context specification. The infrastructure state requires Terraform version 1.7.0 or higher, initialized with the HashiCorp AWS Provider version 5.40.0. The application instrumentation requires Python 3.12, supplemented by the <code>opentelemetry-api</code> and <code>opentelemetry-sdk</code> libraries version 1.23.0. A foundational knowledge of container orchestration is necessary to deploy the collector agent. Active AWS and Azure subscriptions with administrative access to provision Amazon ECS clusters and Azure Monitor Application Insights workspaces are mandatory.</p> <h3> Step-by-Step Implementation </h3> <h3> Architecting the Centralized Collector Deployment </h3> <p>We establish the telemetry ingestion layer by deploying the OpenTelemetry Collector as a standalone service within Amazon ECS on AWS Fargate. The architectural justification for this centralized deployment lies in the decoupling of application logic from vendor specific export mechanisms. If microservices in AWS and Azure attempt to export telemetry directly to X-Ray and Application Insights, every application must bundle multiple heavy vendor SDKs, bloating container images and increasing compute overhead. By utilizing a central collector gateway, the microservices emit standard OpenTelemetry Protocol (OTLP) data to a single internal endpoint. The collector acts as a highly scalable telemetry router, processing the spans and fanning them out to the respective cloud provider backends. This pattern abstracts the vendor dependencies entirely away from the compute layer, allowing architects to rotate observability platforms without modifying a single line of business code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ssm_parameter"</span> <span class="s2">"otel_config"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/multicloud/observability/otel-collector-config"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">yamlencode</span><span class="p">({</span> <span class="nx">receivers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">otlp</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">protocols</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">grpc</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">endpoint</span> <span class="p">=</span> <span class="s2">"0.0.0.0:4317"</span> <span class="p">}</span> <span class="nx">http</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">endpoint</span> <span class="p">=</span> <span class="s2">"0.0.0.0:4318"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">exporters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">awsxray</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">azuremonitor</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instrumentation_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">azure_app_insights_key</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">pipelines</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">traces</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">receivers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"otlp"</span><span class="p">]</span> <span class="nx">processors</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"batch"</span><span class="p">]</span> <span class="nx">exporters</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"awsxray"</span><span class="p">,</span> <span class="s2">"azuremonitor"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ecs_task_definition"</span> <span class="s2">"otel_collector"</span> <span class="p">{</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"multicloud-otel-collector"</span> <span class="nx">requires_compatibilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">]</span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="mi">512</span> <span class="nx">memory</span> <span class="p">=</span> <span class="mi">1024</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_execution_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">task_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">otel_task_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">container_definitions</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-otel-collector"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"public.ecr.aws/aws-observability/aws-otel-collector:latest"</span> <span class="nx">secrets</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AOT_CONFIG_CONTENT"</span> <span class="nx">valueFrom</span> <span class="p">=</span> <span class="nx">aws_ssm_parameter</span><span class="p">.</span><span class="nx">otel_config</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">portMappings</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">4317</span><span class="p">,</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">4317</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">4318</span><span class="p">,</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">4318</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frtww9i1bzsd122auam52.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frtww9i1bzsd122auam52.png" alt="sequence diagram" width="800" height="347"></a></p> <p>How do we ensure that a transaction originating in AWS maintains its exact cryptographic trace identity when traversing an external HTTP network boundary into an Azure environment?</p> <h3> Enforcing W3C Trace Context Propagation </h3> <p>We maintain distributed trace integrity across vendor boundaries by instrumenting our Python microservices to enforce strict W3C Trace Context propagation. The architectural necessity here is eliminating proprietary header formats. If an AWS service injects the legacy <code>X-Amzn-Trace-Id</code> header into an HTTP request destined for Azure, the Azure native services will fail to recognize the parent context, resulting in a fractured trace. By configuring the OpenTelemetry SDK to utilize the W3C standard <code>traceparent</code> and <code>tracestate</code> headers, we establish a universal telemetry language. The AWS client extracts its current span context, formats it according to the W3C specification, and injects it into the outbound HTTP headers. When the Azure function receives the payload, its OpenTelemetry middleware automatically extracts the <code>traceparent</code> header, adopting the exact trace ID generated by AWS and appending its own execution time as a child span within the global graph.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">opentelemetry</span> <span class="kn">import</span> <span class="n">trace</span> <span class="kn">from</span> <span class="n">opentelemetry.propagate</span> <span class="kn">import</span> <span class="n">inject</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace</span> <span class="kn">import</span> <span class="n">TracerProvider</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace.export</span> <span class="kn">import</span> <span class="n">BatchSpanProcessor</span> <span class="kn">from</span> <span class="n">opentelemetry.exporter.otlp.proto.grpc.trace_exporter</span> <span class="kn">import</span> <span class="n">OTLPSpanExporter</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.extension.aws.trace</span> <span class="kn">import</span> <span class="n">AwsXRayIdGenerator</span> <span class="c1"># Enforce X-Ray compatible ID generation for multicloud roots </span><span class="n">trace</span><span class="p">.</span><span class="nf">set_tracer_provider</span><span class="p">(</span><span class="nc">TracerProvider</span><span class="p">(</span><span class="n">id_generator</span><span class="o">=</span><span class="nc">AwsXRayIdGenerator</span><span class="p">()))</span> <span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">otlp_exporter</span> <span class="o">=</span> <span class="nc">OTLPSpanExporter</span><span class="p">(</span><span class="n">endpoint</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">OTEL_EXPORTER_OTLP_ENDPOINT</span><span class="sh">"</span><span class="p">))</span> <span class="n">span_processor</span> <span class="o">=</span> <span class="nc">BatchSpanProcessor</span><span class="p">(</span><span class="n">otlp_exporter</span><span class="p">)</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer_provider</span><span class="p">().</span><span class="nf">add_span_processor</span><span class="p">(</span><span class="n">span_processor</span><span class="p">)</span> <span class="k">def</span> <span class="nf">invoke_azure_downstream</span><span class="p">(</span><span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">requests</span><span class="p">.</span><span class="n">Response</span><span class="p">:</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">CallAzureDataIngestion</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># Inject W3C Traceparent into the outgoing HTTP headers </span> <span class="nf">inject</span><span class="p">(</span><span class="n">headers</span><span class="p">)</span> <span class="n">azure_endpoint</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://data-ingress.azurewebsites.net/api/ingest</span><span class="sh">"</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">http.method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">http.url</span><span class="sh">"</span><span class="p">,</span> <span class="n">azure_endpoint</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">azure_endpoint</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">http.status_code</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> <span class="k">except</span> <span class="n">requests</span><span class="p">.</span><span class="n">RequestException</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">record_exception</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="nc">Status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="n">StatusCode</span><span class="p">.</span><span class="n">ERROR</span><span class="p">))</span> <span class="k">raise</span> <span class="n">e</span> </code></pre> </div> <p>If the trace context successfully propagates across the multicloud network, what mechanism prevents the high volume telemetry data from overwhelming the central collector and inflating vendor storage costs?</p> <h3> Implementing Tail-Based Sampling for Cost Control </h3> <p>We control observability storage costs without losing critical diagnostic data by configuring tail-based sampling within the OpenTelemetry Collector pipeline. The architectural reasoning addresses the fundamental flaw of head-based sampling in distributed systems. If an AWS ingress gateway randomly samples ten percent of requests upfront, it will inevitably discard the traces of rare, downstream multicloud failures occurring in Azure. Tail-based sampling resolves this by holding the entire distributed trace in the collector's memory until the transaction fully completes across both cloud environments. Once the trace concludes, the collector policy engine evaluates the entire graph. If the trace contains an HTTP 500 error or exceeds a predefined latency threshold, the collector exports the trace to AWS X-Ray and Azure Monitor. If the trace represents a fast, successful transaction, it is discarded. This guarantees absolute visibility into multicloud anomalies while drastically reducing the volume of useless success telemetry persisted to expensive storage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ssm_parameter"</span> <span class="s2">"otel_tail_sampling_config"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/multicloud/observability/otel-sampling-config"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">yamlencode</span><span class="p">({</span> <span class="nx">processors</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">tail_sampling</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">decision_wait</span> <span class="p">=</span> <span class="s2">"10s"</span> <span class="nx">num_traces</span> <span class="p">=</span> <span class="mi">50000</span> <span class="nx">policies</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"retain-errors"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"status_code"</span> <span class="nx">status_code</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">status_codes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ERROR"</span><span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"retain-high-latency"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"latency"</span> <span class="nx">latency</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">threshold_ms</span> <span class="p">=</span> <span class="mi">2000</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"probabilistic-baseline"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"probabilistic"</span> <span class="nx">probabilistic</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">sampling_percentage</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>When tail-based sampling retains an anomalous trace spanning both providers, how do platform operators troubleshoot sudden HTTP 403 Forbidden errors originating exclusively from the Azure Monitor export pipeline?</p> <h3> Common Troubleshooting </h3> <p>When the OpenTelemetry Collector fails to export spans to Azure Monitor, the collector logs will frequently display HTTP 403 Forbidden or HTTP 401 Unauthorized errors. This indicates a failure in the Azure Monitor exporter configuration. You must verify that the <code>instrumentation_key</code> provided to the collector matches the exact provisioning output of the target Azure Application Insights workspace. Ensure that no AWS Security Groups attached to the Fargate Elastic Network Interface (ENI) are blocking outbound egress on TCP port 443 to the Azure ingestion endpoints.</p> <p>Another frequent issue involves fragmented traces appearing in AWS X-Ray despite correct W3C propagation. This occurs because AWS X-Ray enforces a strict 96-bit trace ID format containing an embedded epoch timestamp. If the OpenTelemetry SDK generates a standard random 128-bit trace ID, X-Ray rejects the parent correlation. You must explicitly configure the <code>id_generator</code> within your Python OpenTelemetry configuration to utilize the <code>AwsXRayIdGenerator</code>, ensuring the root trace IDs are mathematically compatible with the AWS X-Ray backend requirements before they traverse to Azure.</p> <h3> Conclusion </h3> <p>Implementing a unified observability mesh using OpenTelemetry eliminates the diagnostic blind spots inherent in multicloud architectures. By centralizing telemetry ingestion, standardizing W3C trace context propagation, and aggressively sampling at the tail, engineering teams can trace complex transactions across AWS and Azure boundaries with mathematical precision. Organizations scaling this pattern should further integrate OpenTelemetry metric and log pipelines, eventually migrating visualization to a self hosted Grafana cluster to achieve a truly vendor independent, unified operational dashboard for the global infrastructure.</p> <h3> References </h3> <p>Chaganti, S., &amp; Gomez, M. (2023). <em>Mastering distributed tracing: Analyzing performance in microservices and complex systems</em>. O'Reilly Media.</p> <p>W3C. (2021). <em>W3C trace context: A standard for distributed tracing context propagation</em>. World Wide Web Consortium. <a href="https://www.w3.org/TR/trace-context/" rel="noopener noreferrer">https://www.w3.org/TR/trace-context/</a></p> azure aws terraform python Cláudio Filipe Lima Rapôso Tue, 02 Jun 2026 16:19:06 +0000 https://dev.to/sertaoseracloud/problematizing-split-brain-vulnerabilities-tri-regional-consensus-topologies-across-aws-and-azure-3e9a https://dev.to/sertaoseracloud/problematizing-split-brain-vulnerabilities-tri-regional-consensus-topologies-across-aws-and-azure-3e9a <p>to commit, inspect the MTU (Maximum Transmission Unit) sizes across the cross-cloud VPN or Direct Connect circuits. Standard Ethernet uses an MTU of 1500 bytes, but encapsulation protocols within IPsec tunnels often reduce the effective payload space to 1420 bytes or lower. If the consensus packets exceed this limit, the network layer fragments the packets, doubling the round-trip time for every log replication entry. Ensure that explicit Path MTU Discovery is active and clamp the TCP Maximum Segment Size (MSS) to 1380 bytes within your network firewall rules to ensure unfragmented packet delivery.</p> <h3> Conclusion </h3> <p>Constructing a federated consensus backbone across AWS and Azure using a neutral third-party Arbitrator eliminates the threat of split-brain data corruption during severe network partitions. By combining odd-node quorum topologies with time-bounded lease read management, engineering teams guarantee that transactional consistency remains uncompromised when network boundaries collapse. As data throughput scales across this multicloud matrix, architectures should evaluate the implementation of localized read-replicas configured with raft learner states. This configuration optimization permits the system to scale read operations across multiple geographical zones without expanding the voting quorum size, preserving rapid consensus negotiation speeds while satisfying rigorous global availability requirements.</p> <h3> References </h3> <p>Lamport, L. (1998). <em>The part-time parliament</em>. ACM Transactions on Computer Systems, 16(2), 133-169.</p> <p>Ongaro, D., &amp; Ousterhout, J. (2014). <em>In search of an understandable consensus algorithm</em>. USENIX Association.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Tue, 02 Jun 2026 03:00:00 +0000 https://dev.to/sertaoseracloud/building-a-fault-tolerant-multicloud-event-mesh-bridging-aws-eventbridge-and-azure-service-bus-5ffb https://dev.to/sertaoseracloud/building-a-fault-tolerant-multicloud-event-mesh-bridging-aws-eventbridge-and-azure-service-bus-5ffb <p>Distributed systems utilizing asynchronous messaging often consolidate their event routing through a singular, regional message broker. When this centralized infrastructure degrades, the entire choreography of the microservices ecosystem halts. Critical domain events, such as payment confirmations or inventory deductions, become trapped in volatile memory or are dropped entirely, leading to irreversible data corruption across bounded contexts. Engineering teams can construct an infallible, highly available messaging topology by implementing a federated multicloud event backbone. Bridging Amazon EventBridge with Azure Service Bus creates an active-active event mesh that transcends vendor specific outages. This architecture guarantees strict at-least-once delivery across cloud boundaries, ensuring that high-throughput enterprise platforms maintain absolute data consistency and operational continuity even during catastrophic regional failures.</p> <h3> Prerequisites </h3> <p>Constructing a multicloud event mesh requires advanced knowledge of Domain-Driven Design principles, specifically domain events and the Outbox pattern. The deployment relies strictly on Infrastructure as Code to manage cross-provider state. Ensure the local environment is configured with Terraform version 1.7.0 or newer, utilizing the HashiCorp AWS Provider version 5.40.0 and the AzureRM Provider version 3.90.0. The core routing logic and consumer adapters require Python 3.12. Dependencies include <code>boto3</code> version 1.34.0 for AWS data plane interactions and <code>azure-servicebus</code> version 7.11.0 for cross-boundary ingestion. Administrative access to configure Azure Active Directory (Azure AD) App Registrations for OAuth2 client credentials is mandatory.</p> <h3> Step-by-Step Implementation </h3> <h3> Establishing the Cross-Cloud Routing Topology </h3> <p>We architect the external routing layer by configuring Amazon EventBridge to forward domain events directly into an Azure Service Bus queue via an API Destination. The architectural justification for this direct integration is the elimination of intermediate compute layers. Relying on an AWS Lambda function purely to poll EventBridge and push HTTP requests to Azure introduces unnecessary latency, increases cost, and creates an additional point of failure. EventBridge API Destinations handle the HTTP egress natively, managing the OAuth2 client credentials grant flow with Azure AD securely under the hood. By configuring an AWS CloudWatch Event Connection to fetch access tokens from the Microsoft identity platform, EventBridge guarantees secure, encrypted payload delivery to the Azure Service Bus namespace. This ensures that the AWS event bus remains entirely decoupled from the Azure consumer logic, establishing a clean boundary between the cloud environments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"azuread_application"</span> <span class="s2">"eventbridge_publisher"</span> <span class="p">{</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"AWS-EventBridge-Publisher"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azuread_service_principal"</span> <span class="s2">"eventbridge_sp"</span> <span class="p">{</span> <span class="nx">client_id</span> <span class="p">=</span> <span class="nx">azuread_application</span><span class="p">.</span><span class="nx">eventbridge_publisher</span><span class="p">.</span><span class="nx">client_id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azuread_application_password"</span> <span class="s2">"eventbridge_secret"</span> <span class="p">{</span> <span class="nx">application_object_id</span> <span class="p">=</span> <span class="nx">azuread_application</span><span class="p">.</span><span class="nx">eventbridge_publisher</span><span class="p">.</span><span class="nx">object_id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_connection"</span> <span class="s2">"azure_ad_auth"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-service-bus-connection"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"OAuth2 connection to Azure AD"</span> <span class="nx">authorization_type</span> <span class="p">=</span> <span class="s2">"OAUTH_CLIENT_CREDENTIALS"</span> <span class="nx">auth_parameters</span> <span class="p">{</span> <span class="nx">oauth</span> <span class="p">{</span> <span class="nx">authorization_endpoint</span> <span class="p">=</span> <span class="s2">"https://login.microsoftonline.com/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">azure_tenant_id</span><span class="k">}</span><span class="s2">/oauth2/v2.0/token"</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="s2">"POST"</span> <span class="nx">oauth_http_parameters</span> <span class="p">{</span> <span class="nx">body</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"scope"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://servicebus.azure.net/.default"</span> <span class="nx">is_value_secret</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">client_parameters</span> <span class="p">{</span> <span class="nx">client_id</span> <span class="p">=</span> <span class="nx">azuread_application</span><span class="p">.</span><span class="nx">eventbridge_publisher</span><span class="p">.</span><span class="nx">client_id</span> <span class="nx">client_secret</span> <span class="p">=</span> <span class="nx">azuread_application_password</span><span class="p">.</span><span class="nx">eventbridge_secret</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_api_destination"</span> <span class="s2">"azure_service_bus"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-service-bus-destination"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Multicloud Event Egress"</span> <span class="nx">invocation_endpoint</span> <span class="p">=</span> <span class="s2">"https://</span><span class="k">${</span><span class="nx">azurerm_servicebus_namespace</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">.servicebus.windows.net/</span><span class="k">${</span><span class="nx">azurerm_servicebus_queue</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">/messages"</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="s2">"POST"</span> <span class="nx">invocation_rate_limit_per_second</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">connection_arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_connection</span><span class="p">.</span><span class="nx">azure_ad_auth</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"cross_cloud_routing"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"route-transactions-to-azure"</span> <span class="nx">event_bus_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">enterprise_bus</span><span class="p">.</span><span class="nx">name</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"enterprise.transactions"</span><span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"azure_egress"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">cross_cloud_routing</span><span class="p">.</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"SendToAzureServiceBus"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_api_destination</span><span class="p">.</span><span class="nx">azure_service_bus</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eventbridge_invoke_role</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1uoa344oz43u11prgcrx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1uoa344oz43u11prgcrx.png" alt="sequence diagram" width="800" height="272"></a></p> <p>If the routing layer is highly available, how do we prevent the system from dropping events immediately at the source when the primary database commits successfully but the subsequent network call to EventBridge times out?</p> <h3> Guaranteeing Delivery via Transactional Outbox </h3> <p>We prevent immediate data loss during source network timeouts by implementing the Transactional Outbox pattern within our Python domain logic on AWS. The core architectural reasoning addresses the fundamental distributed systems flaw known as the dual write problem. Attempting to update a database record and publish an event to EventBridge in two distinct operations cannot be guaranteed atomically. If the database commit succeeds but the EventBridge <code>PutEvents</code> API call fails due to a transient network partition, the system state mutates silently, and downstream Azure consumers never receive the notification. By utilizing Amazon DynamoDB, we bundle the business state mutation and the domain event payload into a single atomic transaction. We write the event directly into an <code>Outbox</code> table. A background process, typically a DynamoDB Stream triggering a Lambda function, asynchronously polls this table and guarantees delivery to EventBridge. This decouples the synchronous user request from the asynchronous multicloud delivery mechanism, providing robust fault tolerance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="kn">from</span> <span class="n">aws_lambda_powertools</span> <span class="kn">import</span> <span class="n">Logger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nc">Logger</span><span class="p">(</span><span class="n">service</span><span class="o">=</span><span class="sh">"</span><span class="s">TransactionOutbox</span><span class="sh">"</span><span class="p">)</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="k">class</span> <span class="nc">TransactionDomainService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">process_transaction</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">account_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">transaction_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">txn_</span><span class="si">{</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">().</span><span class="nb">hex</span><span class="si">}</span><span class="sh">"</span> <span class="n">event_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="n">domain_event</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">metadata</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">event_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">event_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">TransactionCompleted</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">source</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">enterprise.transactions</span><span class="sh">"</span> <span class="p">},</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">transaction_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">transaction_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">account_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">account_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">amount</span> <span class="p">}</span> <span class="p">}</span> <span class="k">try</span><span class="p">:</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nf">transact_write_items</span><span class="p">(</span> <span class="n">TransactItems</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Put</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">TableName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">EnterpriseState</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Item</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">PK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ACCOUNT#</span><span class="si">{</span><span class="n">account_id</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="sh">'</span><span class="s">SK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">TXN#</span><span class="si">{</span><span class="n">transaction_id</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="sh">'</span><span class="s">Amount</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">N</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">amount</span><span class="p">)}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Put</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">TableName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">EventOutbox</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Item</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">EventId</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">event_id</span><span class="p">},</span> <span class="sh">'</span><span class="s">Status</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">PENDING</span><span class="sh">'</span><span class="p">},</span> <span class="sh">'</span><span class="s">Payload</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">domain_event</span><span class="p">)}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Transaction </span><span class="si">{</span><span class="n">transaction_id</span><span class="si">}</span><span class="s"> and event </span><span class="si">{</span><span class="n">event_id</span><span class="si">}</span><span class="s"> committed atomically.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">transaction_id</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to commit transaction: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">Database transaction failed.</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>If the Outbox publisher safely retries failed network calls to guarantee delivery, how does the Azure consumer distinguish between a legitimate state transition and a duplicated network payload arriving hours later?</p> <h3> Enforcing Cross-Boundary Idempotency </h3> <p>The Azure consumer distinguishes between unique state transitions and duplicated payloads by enforcing strict idempotency controls at the ingress adapter layer. Because the multicloud topology relies on at-least-once delivery semantics, duplicate events are not an anomaly; they are a mathematical certainty. The architectural necessity here is preventing these duplicates from triggering secondary side effects, such as processing a financial transaction twice. The Azure worker executing the Python Service Bus client must extract the deterministic <code>event_id</code> generated by the AWS source. Before processing the business logic, the consumer queries a highly performant distributed cache, such as Azure Cache for Redis, using the <code>event_id</code> as the key. If the key exists, the consumer immediately acknowledges and discards the message, treating the execution as a success. If the key does not exist, the consumer processes the payload, commits the database changes, and saves the <code>event_id</code> to the cache in a single atomic transaction, ensuring absolute consistency across the multicloud boundary.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Optional</span> <span class="kn">from</span> <span class="n">azure.servicebus</span> <span class="kn">import</span> <span class="n">ServiceBusClient</span><span class="p">,</span> <span class="n">ServiceBusMessage</span><span class="p">,</span> <span class="n">ServiceBusReceiver</span> <span class="kn">import</span> <span class="n">redis</span> <span class="n">AZURE_SERVICE_BUS_CONN_STR</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">SERVICE_BUS_CONN_STR</span><span class="sh">"</span><span class="p">]</span> <span class="n">QUEUE_NAME</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">QUEUE_NAME</span><span class="sh">"</span><span class="p">]</span> <span class="n">REDIS_HOST</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">REDIS_HOST</span><span class="sh">"</span><span class="p">]</span> <span class="n">REDIS_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">REDIS_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="n">redis_client</span> <span class="o">=</span> <span class="n">redis</span><span class="p">.</span><span class="nc">StrictRedis</span><span class="p">(</span> <span class="n">host</span><span class="o">=</span><span class="n">REDIS_HOST</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">6380</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="n">REDIS_KEY</span><span class="p">,</span> <span class="n">ssl</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">decode_responses</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">process_message</span><span class="p">(</span><span class="n">receiver</span><span class="p">:</span> <span class="n">ServiceBusReceiver</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">receiver</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">msg</span><span class="p">))</span> <span class="n">event_id</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">metadata</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">event_id</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">event_id</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Payload missing required event_id for idempotency check.</span><span class="sh">"</span><span class="p">)</span> <span class="n">is_duplicate</span> <span class="o">=</span> <span class="n">redis_client</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">idempotency:</span><span class="si">{</span><span class="n">event_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PROCESSED</span><span class="sh">"</span><span class="p">,</span> <span class="n">nx</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">ex</span><span class="o">=</span><span class="mi">86400</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_duplicate</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Event </span><span class="si">{</span><span class="n">event_id</span><span class="si">}</span><span class="s"> already processed. Discarding duplicate.</span><span class="sh">"</span><span class="p">)</span> <span class="n">receiver</span><span class="p">.</span><span class="nf">complete_message</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">continue</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Processing new domain event: </span><span class="si">{</span><span class="n">event_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Core domain logic executes here </span> <span class="n">receiver</span><span class="p">.</span><span class="nf">complete_message</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to process message: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">receiver</span><span class="p">.</span><span class="nf">abandon_message</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="k">with</span> <span class="n">ServiceBusClient</span><span class="p">.</span><span class="nf">from_connection_string</span><span class="p">(</span><span class="n">AZURE_SERVICE_BUS_CONN_STR</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">with</span> <span class="n">client</span><span class="p">.</span><span class="nf">get_queue_receiver</span><span class="p">(</span><span class="n">queue_name</span><span class="o">=</span><span class="n">QUEUE_NAME</span><span class="p">)</span> <span class="k">as</span> <span class="n">receiver</span><span class="p">:</span> <span class="nf">process_message</span><span class="p">(</span><span class="n">receiver</span><span class="p">)</span> </code></pre> </div> <h3> Common Troubleshooting </h3> <p>When deploying EventBridge API Destinations to target Azure resources, HTTP 401 Unauthorized errors are a common failure point. If the EventBridge invocation metrics show failed deliveries, inspect the AWS CloudWatch logs. An <code>invalid_client</code> error indicates that the Azure AD App Registration secret has expired or the client ID within the <code>aws_cloudwatch_event_connection</code> resource is incorrect. Ensure the secret is rotated in both Terraform state and Azure AD simultaneously.</p> <p>Another critical failure occurs when Azure Service Bus Dead Letter Queues (DLQ) rapidly fill with messages. This typically indicates a Poison Message scenario where the Azure Python consumer encounters an unhandled exception, causing the message lock to expire and returning the message to the queue. After exceeding the <code>MaxDeliveryCount</code> parameter, the broker moves the message to the DLQ. You must implement aggressive error handling in the consumer adapter and monitor the DLQ depth to quickly identify mismatched data schemas between the AWS publisher and the Azure subscriber.</p> <h3> Conclusion </h3> <p>Orchestrating a multicloud event mesh using AWS EventBridge and Azure Service Bus establishes a highly resilient foundation for distributed microservices. By combining the Transactional Outbox pattern to prevent source data loss with strict idempotency controls on the consumer edge, engineering teams guarantee systemic data consistency across vast vendor networks. As platform throughput scales, organizations should consider migrating the underlying messaging fabric to Apache Kafka utilizing managed services like Confluent Cloud. This evolution introduces strict event ordering and indefinite stream replayability, allowing complex temporal queries across the entire multicloud domain history.</p> <h3> References </h3> <p>Fowler, M. (2011). <em>Domain event</em>. Martin Fowler. <a href="https://martinfowler.com/eaaDev/DomainEvent.html" rel="noopener noreferrer">https://martinfowler.com/eaaDev/DomainEvent.html</a></p> <p>Richardson, C. (2018). <em>Microservices patterns: With examples in Java</em>. Manning Publications.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Sun, 31 May 2026 03:00:00 +0000 https://dev.to/sertaoseracloud/surviving-global-vendor-outages-federated-cellular-architecture-with-eks-aks-and-istio-583e https://dev.to/sertaoseracloud/surviving-global-vendor-outages-federated-cellular-architecture-with-eks-aks-and-istio-583e <p>Monolithic multi-region architectures inherently rely on vendor specific global control planes. When a catastrophic degradation strikes an underlying identity service or networking fabric within a single cloud provider, all regional partitions fail concurrently. Relying exclusively on Amazon Web Services (AWS) or Microsoft Azure caps the maximum theoretical availability of a platform to the operational integrity of that single vendor. Implementing a federated multicloud cellular architecture resolves this existential risk. By orchestrating isolated Kubernetes partitions across Amazon EKS and Azure AKS utilizing a cross-cloud service mesh, engineering teams construct a routing matrix that survives global vendor outages. This topology isolates fault domains at the hypervisor level, leveraging dynamic BGP routing and proxy based mutual TLS to establish a resilient, vendor agnostic fabric. This guarantees execution continuity for high throughput workloads when single cloud availability zones evaporate.</p> <h3> Prerequisites </h3> <p>Deploying a federated multicloud mesh requires deep expertise in advanced networking and container orchestration. The infrastructure state requires Terraform version 1.7.0 or higher, initialized with the <code>hashicorp/aws</code> provider version 5.40.0 and the <code>hashicorp/azurerm</code> provider version 3.90.0. For automating identity plane injection, Python 3.12 is required along with the <code>kubernetes</code> Python client version 29.0.0. The architecture relies on Istio version 1.21.0 or higher configured for multi-primary, multi-network deployments. Administrative access to provision AWS Transit Gateways, Azure Virtual Network Gateways, and BGP Autonomous System Numbers (ASNs) is mandatory.</p> <h3> Step-by-Step Implementation </h3> <h3> Establishing the Cross-Cloud BGP Backbone </h3> <p>We construct the physical network bridge between the cloud providers by provisioning an IPsec Site-to-Site VPN peering an AWS Transit Gateway directly to an Azure Virtual Network Gateway. The architectural justification for this overlay network is absolute routing determinism. Relying on public internet routing for cross-cloud cellular communication introduces unacceptable latency variance and exposes internal telemetry to external interception. A dedicated IPsec tunnel secured by pre-shared keys ensures encrypted, predictable packet delivery. By enabling dynamic BGP routing over this connection, the network becomes self-healing. If an AWS Availability Zone experiences total network partition, the BGP daemon automatically withdraws the compromised routes. The Azure AKS cells instantly recognize the topology change and redirect traffic to surviving AWS subnets without manual operator intervention.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_customer_gateway"</span> <span class="s2">"azure_gateway"</span> <span class="p">{</span> <span class="nx">bgp_asn</span> <span class="p">=</span> <span class="mi">65515</span> <span class="nx">ip_address</span> <span class="p">=</span> <span class="nx">azurerm_public_ip</span><span class="p">.</span><span class="nx">azure_vpn_ip</span><span class="p">.</span><span class="nx">ip_address</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ipsec.1"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Azure-AKS-Boundary"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_vpn_connection"</span> <span class="s2">"multicloud_mesh_vpn"</span> <span class="p">{</span> <span class="nx">customer_gateway_id</span> <span class="p">=</span> <span class="nx">aws_customer_gateway</span><span class="p">.</span><span class="nx">azure_gateway</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_gateway_id</span> <span class="p">=</span> <span class="nx">aws_ec2_transit_gateway</span><span class="p">.</span><span class="nx">mesh_tgw</span><span class="p">.</span><span class="nx">id</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">aws_customer_gateway</span><span class="p">.</span><span class="nx">azure_gateway</span><span class="p">.</span><span class="nx">type</span> <span class="nx">static_routes_only</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tunnel1_preshared_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">high_entropy_ipsec_key</span> <span class="nx">tunnel2_preshared_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">high_entropy_ipsec_key</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_local_network_gateway"</span> <span class="s2">"aws_tgw_local"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-tgw-boundary"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">multicloud</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">multicloud</span><span class="p">.</span><span class="nx">location</span> <span class="nx">gateway_address</span> <span class="p">=</span> <span class="nx">aws_vpn_connection</span><span class="p">.</span><span class="nx">multicloud_mesh_vpn</span><span class="p">.</span><span class="nx">tunnel1_address</span> <span class="nx">bgp_settings</span> <span class="p">{</span> <span class="nx">asn</span> <span class="p">=</span> <span class="mi">64512</span> <span class="nx">bgp_peering_address</span> <span class="p">=</span> <span class="nx">aws_vpn_connection</span><span class="p">.</span><span class="nx">multicloud_mesh_vpn</span><span class="p">.</span><span class="nx">tunnel1_cgw_inside_address</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjlobihk8jgv7hbn4tklo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjlobihk8jgv7hbn4tklo.png" alt="sequence diagram" width="800" height="411"></a></p> <p>How do we establish cryptographic trust between microservices operating in AWS EKS and Azure AKS when each vendor utilizes mutually exclusive certificate authorities for their internal managed identities?</p> <h3> Federating Identity via Unified Root CA </h3> <p>We establish cryptographic trust by abstracting the identity plane entirely away from the cloud vendors, deploying a multi-primary Istio Service Mesh anchored by a unified, offline Root Certificate Authority (CA). The absolute architectural necessity here is decoupling zero-trust authentication from IAM and Azure AD. An AWS IAM role cannot natively authenticate against an Azure workload identity. By provisioning a shared Root CA, we generate intermediate certificates specifically for the Istio control planes operating in both EKS and AKS. When the Envoy sidecar proxy in AWS EKS initiates a connection to the Envoy proxy in Azure AKS, both proxies present TLS certificates signed by their respective intermediates. Because both intermediates chain back to the identical offline Root CA, the proxies validate the mutual TLS (mTLS) handshake successfully. This strictly isolates the domain execution from the vendor specific identity silos.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">kubernetes</span> <span class="kn">import</span> <span class="n">client</span><span class="p">,</span> <span class="n">config</span> <span class="kn">from</span> <span class="n">kubernetes.client.rest</span> <span class="kn">import</span> <span class="n">ApiException</span> <span class="k">def</span> <span class="nf">inject_intermediate_ca</span><span class="p">(</span><span class="n">cluster_context</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">cert_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">key_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">root_cert_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">config</span><span class="p">.</span><span class="nf">load_kube_config</span><span class="p">(</span><span class="n">context</span><span class="o">=</span><span class="n">cluster_context</span><span class="p">)</span> <span class="n">v1</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nc">CoreV1Api</span><span class="p">()</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">cert_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">cert_file</span><span class="p">,</span> <span class="nf">open</span><span class="p">(</span><span class="n">key_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">key_file</span><span class="p">,</span> <span class="nf">open</span><span class="p">(</span><span class="n">root_cert_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">root_file</span><span class="p">:</span> <span class="n">cert_data</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">cert_file</span><span class="p">.</span><span class="nf">read</span><span class="p">()).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">key_data</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">key_file</span><span class="p">.</span><span class="nf">read</span><span class="p">()).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">root_data</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">root_file</span><span class="p">.</span><span class="nf">read</span><span class="p">()).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">secret_manifest</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nc">V1Secret</span><span class="p">(</span> <span class="n">metadata</span><span class="o">=</span><span class="n">client</span><span class="p">.</span><span class="nc">V1ObjectMeta</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">cacerts</span><span class="sh">"</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">istio-system</span><span class="sh">"</span> <span class="p">),</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">Opaque</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">ca-cert.pem</span><span class="sh">"</span><span class="p">:</span> <span class="n">cert_data</span><span class="p">,</span> <span class="sh">"</span><span class="s">ca-key.pem</span><span class="sh">"</span><span class="p">:</span> <span class="n">key_data</span><span class="p">,</span> <span class="sh">"</span><span class="s">root-cert.pem</span><span class="sh">"</span><span class="p">:</span> <span class="n">root_data</span><span class="p">,</span> <span class="sh">"</span><span class="s">cert-chain.pem</span><span class="sh">"</span><span class="p">:</span> <span class="n">cert_data</span> <span class="p">}</span> <span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">v1</span><span class="p">.</span><span class="nf">create_namespaced_secret</span><span class="p">(</span><span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">istio-system</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">secret_manifest</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully injected intermediate CA into </span><span class="si">{</span><span class="n">cluster_context</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">ApiException</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">409</span><span class="p">:</span> <span class="n">v1</span><span class="p">.</span><span class="nf">replace_namespaced_secret</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">cacerts</span><span class="sh">"</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">istio-system</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">secret_manifest</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Updated existing intermediate CA in </span><span class="si">{</span><span class="n">cluster_context</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to inject CA: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">inject_intermediate_ca</span><span class="p">(</span><span class="sh">"</span><span class="s">aws-eks-admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">certs/aws-ca-cert.pem</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">certs/aws-ca-key.pem</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">certs/root-cert.pem</span><span class="sh">"</span><span class="p">)</span> <span class="nf">inject_intermediate_ca</span><span class="p">(</span><span class="sh">"</span><span class="s">azure-aks-admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">certs/azure-ca-cert.pem</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">certs/azure-ca-key.pem</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">certs/root-cert.pem</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>When an EKS cell experiences CPU starvation and begins dropping requests, how does the service mesh autonomously redirect the active request payload to a healthy AKS cell without surfacing the HTTP 503 error to the end user?</p> <h3> Locality Load Balancing and Cross-Cloud Fallback </h3> <p>The mesh autonomously redirects failing requests by utilizing Istio locality load balancing combined with outlier detection circuit breakers. Cellular architecture dictates that network traffic must remain within its origin cell to minimize blast radius and reduce cross-network egress data transfer costs. However, when the primary AWS EKS cell degrades, the mesh must act as a highly responsive failover mechanism. We configure a <code>DestinationRule</code> that defines the Azure AKS deployment as a secondary failover locality. Simultaneously, we configure outlier detection to scan for consecutive HTTP 5xx errors. If an AWS pod begins failing, the local Envoy proxy ejects that specific pod from the load balancing pool. If the entire EKS locality exhausts its healthy endpoints, Envoy transparently reroutes the pending HTTP payload over the BGP IPsec backbone to the healthy Azure AKS locality. The client application experiences a slight latency increase but receives a successful HTTP 200 response, entirely masking the AWS infrastructure failure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"multicloud_failover_policy"</span> <span class="p">{</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"apiVersion"</span> <span class="p">=</span> <span class="s2">"networking.istio.io/v1beta1"</span> <span class="s2">"kind"</span> <span class="p">=</span> <span class="s2">"DestinationRule"</span> <span class="s2">"metadata"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"name"</span> <span class="p">=</span> <span class="s2">"transaction-service-routing"</span> <span class="s2">"namespace"</span> <span class="p">=</span> <span class="s2">"enterprise-core"</span> <span class="p">}</span> <span class="s2">"spec"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"host"</span> <span class="p">=</span> <span class="s2">"transaction-service.enterprise-core.svc.cluster.local"</span> <span class="s2">"trafficPolicy"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"outlierDetection"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"consecutive5xxErrors"</span> <span class="p">=</span> <span class="mi">3</span> <span class="s2">"interval"</span> <span class="p">=</span> <span class="s2">"10s"</span> <span class="s2">"baseEjectionTime"</span> <span class="p">=</span> <span class="s2">"30s"</span> <span class="s2">"maxEjectionPercent"</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="s2">"loadBalancer"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"localityLbSetting"</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"enabled"</span> <span class="p">=</span> <span class="kc">true</span> <span class="s2">"failover"</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="s2">"from"</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="s2">"to"</span> <span class="p">=</span> <span class="s2">"eastus"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>When automated failover successfully masks a cross-cloud reroute, how do platform operators identify the silent degradation of the primary AWS network before the Azure fallback partition reaches total capacity exhaustion?</p> <h3> Common Troubleshooting </h3> <p>Platform operators identify silent degradation by monitoring specific proxy telemetry anomalies, though misconfigurations often mask these signals. When establishing the cross-cloud BGP backbone, the AWS Site-to-Site VPN state may remain in <code>Active</code> status rather than transitioning to <code>Established</code>. This specifically indicates a failure in the IKE phase 1 or phase 2 proposal negotiation. Verify that the encryption algorithms and Diffie-Hellman groups configured on the AWS Transit Gateway exactly match the custom IPsec policy applied to the Azure Virtual Network Gateway.</p> <p>If the BGP backbone is healthy but cross-cloud requests return HTTP 503 <code>Service Unavailable</code> with the <code>URX</code> (Upstream Retry Limit Exceeded) flag in the Istio proxy logs, the mTLS handshake is failing. This frequently occurs when the intermediate CA certificates injected into the <code>istio-system</code> namespace expire or when the SPIFFE IDs of the workloads do not match the expected trust domain. Inspect the Envoy sidecar logs for <code>TLS error: Secret is not supplied by SDS</code> and verify that the <code>cacerts</code> secret was properly read by the Istiod control plane during pod startup.</p> <h3> Conclusion </h3> <p>Federating Kubernetes clusters across AWS and Azure utilizing an Istio service mesh delivers an impenetrable execution environment. By bridging EKS and AKS with a dynamic BGP overlay network and enforcing identity through a vendor agnostic Root CA, architectures can seamlessly survive the total loss of a cloud provider's regional control plane. Organizations adopting this advanced cellular model should proceed to implement GitOps methodologies using tools like ArgoCD. This ensures that application deployment states are synchronized instantaneously across the multicloud matrix, preventing configuration drift from compromising the Azure fallback paths during critical failover events.</p> <h3> References </h3> <p>Garg, S., &amp; Beda, J. (2022). <em>Advanced Kubernetes networking: Routing, security, and multi-cluster patterns</em>. O'Reilly Media.</p> <p>Posta, C., &amp; Malina, Rinat. (2023). <em>Istio in action: Managing microservices with the Istio service mesh</em>. Manning Publications.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Fri, 29 May 2026 03:00:00 +0000 https://dev.to/sertaoseracloud/isolating-mission-critical-workloads-a-cellular-kubernetes-strategy-on-amazon-eks-4b70 https://dev.to/sertaoseracloud/isolating-mission-critical-workloads-a-cellular-kubernetes-strategy-on-amazon-eks-4b70 <p>Managing long-term operational commitments, such as cooperative planning platforms that rely on strict yearly delivery models, inherently produces massive, long-running state machines. When these complex, multi-tenant scheduling workloads share a monolithic compute environment, the operational risks compound exponentially. A localized memory leak or a noisy neighbor resource spike within a single tenant's calculation batch can cascade, crashing the shared orchestrator and corrupting the delivery timelines for the entire platform. Cellular Architecture mitigates this existential threat by physically partitioning these workloads into dedicated, autonomous Amazon EKS (Elastic Kubernetes Service) clusters. By treating each Kubernetes cluster as an isolated cell within AWS, engineering teams guarantee that a catastrophic failure in one cooperative's partition is algorithmically contained. This cloud native isolation strategy ensures maximum resilience for platforms where yearly delivery cycles represent the core business value, safeguarding long-term state integrity and continuous availability in production environments.</p> <h3> Prerequisites </h3> <p>Implementing isolated Kubernetes cells requires a deep understanding of AWS networking, container orchestration, and Infrastructure as Code state management. The control plane provisioning relies on Terraform version 1.7.0 or higher, utilizing the HashiCorp AWS Provider version 5.40.0. For the core domain logic managing the delivery schedules, Python 3.12 is required, alongside <code>boto3</code> version 1.34.0 and the official <code>kubernetes</code> Python client version 29.0.0. A centralized Amazon Route 53 Hosted Zone is necessary for the overarching cellular routing matrix, and AWS IAM must be configured with OIDC providers for secure, cross-boundary service account federation.</p> <h3> Provisioning the Cellular EKS Boundary </h3> <p>The physical foundation of a cloud native cell begins with the total segregation of the Kubernetes control plane and its underlying worker node groups. We provision an independent Amazon EKS cluster for each cell, ensuring that the API server, etcd backend, and compute capacity share absolutely no infrastructure with neighboring cells. The architectural necessity here is eliminating the shared fate associated with Kubernetes multi-tenancy. Namespace-level isolation is insufficient for mission-critical workloads, as a cluster-wide CVE or a master node degradation will compromise all namespaces simultaneously. By deploying complete, self-contained EKS clusters using Terraform, we enforce a strict blast radius. Each cell operates within its own Virtual Private Cloud (VPC) subnet architecture, utilizing dedicated NAT Gateways. This ensures that IP address exhaustion or outbound network throttling in Cell Alpha cannot physically impact the throughput of Cell Beta.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"cooperative_cell_alpha"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Cell-Alpha-Delivery-Platform"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">cell_alpha_private_1</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">cell_alpha_private_2</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">endpoint_public_access</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Architecture</span> <span class="p">=</span> <span class="s2">"Cellular"</span> <span class="nx">Domain</span> <span class="p">=</span> <span class="s2">"YearlyDelivery"</span> <span class="nx">CellID</span> <span class="p">=</span> <span class="s2">"Alpha"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_eks_node_group"</span> <span class="s2">"cell_alpha_compute"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cooperative_cell_alpha</span><span class="p">.</span><span class="nx">name</span> <span class="nx">node_group_name</span> <span class="p">=</span> <span class="s2">"cell-alpha-standard-compute"</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_node_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">cell_alpha_private_1</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">cell_alpha_private_2</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">scaling_config</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="nx">update_config</span> <span class="p">{</span> <span class="nx">max_unavailable</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Once the physical boundary of the individual EKS cell is established, how do we route external HTTP ingress traffic directly to a specific cooperative's tenant without inadvertently creating a shared, centralized ingress controller that bridges these meticulously isolated environments?</p> <h3> Decentralized Ingress and Routing </h3> <p>To maintain the integrity of the cell boundary, routing must occur at the DNS layer via Route 53, mapping directly to dedicated Application Load Balancers (ALBs) provisioned exclusively for each specific EKS cluster. We achieve this by deploying the AWS Load Balancer Controller individually within every cell. The architectural justification is to prevent the ingress layer from becoming a single point of failure. If a centralized API Gateway or a shared NGINX ingress controller were used to route traffic across all clusters, a misconfigured regular expression in a single ingress rule could render the entire platform unreachable. By delegating the ALB provisioning to the decentralized AWS Load Balancer Controllers inside each cluster, each cell independently manages its own external exposure. Route 53 acts as the apex router, performing health checks on the independent ALBs. If Cell Alpha's ALB returns HTTP 500 errors due to internal degradation, Route 53 immediately ceases forwarding traffic to that specific infrastructure partition, keeping the routing layer completely detached from the cellular execution layer.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F24goz7vm6e87dft253rh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F24goz7vm6e87dft253rh.png" alt="sequence diagrams" width="800" height="348"></a></p> <p>With the network boundaries fortified and ingress decentralized, how do we encapsulate the complex business rules governing these long-term commitments to ensure the core logic remains entirely decoupled from the Kubernetes runtime mechanisms?</p> <h3> Encapsulating Yearly Delivery Logic via Hexagonal Compute </h3> <p>We isolate the intricate calculations for long-term schedules by structuring our Python microservices using Hexagonal Architecture, completely separating the domain model from the Kubernetes API. In platforms operating on a yearly delivery model, the business rules governing member eligibility, financial clearing, and asset distribution are incredibly dense. The architectural imperative is that these rules must be highly testable and agnostic of their delivery mechanism. The domain layer must never import <code>flask</code> or <code>kubernetes.client</code>. Instead, we define a pure Python domain service that enforces the invariants of a yearly delivery cycle. The outer adapter, which exposes the REST endpoint via a lightweight framework like FastAPI, simply maps the incoming HTTP request to the internal domain structures. This strict separation of concerns allows developers to simulate decades of yearly delivery cycles in local unit tests within milliseconds, ensuring that the core business logic is mathematically sound before it is ever packaged into a Docker container or scheduled onto an EKS worker node.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Optional</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">class</span> <span class="nc">CooperativeMember</span><span class="p">:</span> <span class="n">member_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">joined_date</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">date</span> <span class="n">contribution_balance</span><span class="p">:</span> <span class="nb">float</span> <span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">class</span> <span class="nc">DeliveryCycle</span><span class="p">:</span> <span class="n">cycle_year</span><span class="p">:</span> <span class="nb">int</span> <span class="n">minimum_contribution_required</span><span class="p">:</span> <span class="nb">float</span> <span class="n">available_assets</span><span class="p">:</span> <span class="nb">int</span> <span class="k">class</span> <span class="nc">YearlyDeliveryDomainService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">active_allocations</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">evaluate_eligibility</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">member</span><span class="p">:</span> <span class="n">CooperativeMember</span><span class="p">,</span> <span class="n">cycle</span><span class="p">:</span> <span class="n">DeliveryCycle</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">if</span> <span class="n">member</span><span class="p">.</span><span class="n">contribution_balance</span> <span class="o">&lt;</span> <span class="n">cycle</span><span class="p">.</span><span class="n">minimum_contribution_required</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">years_active</span> <span class="o">=</span> <span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="n">date</span><span class="p">.</span><span class="nf">today</span><span class="p">()</span> <span class="o">-</span> <span class="n">member</span><span class="p">.</span><span class="n">joined_date</span><span class="p">).</span><span class="n">days</span> <span class="o">/</span> <span class="mf">365.25</span> <span class="k">if</span> <span class="n">years_active</span> <span class="o">&lt;</span> <span class="mf">1.0</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Members must have a minimum of one year of active status.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">def</span> <span class="nf">process_delivery_allocation</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">member</span><span class="p">:</span> <span class="n">CooperativeMember</span><span class="p">,</span> <span class="n">cycle</span><span class="p">:</span> <span class="n">DeliveryCycle</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="nf">evaluate_eligibility</span><span class="p">(</span><span class="n">member</span><span class="p">,</span> <span class="n">cycle</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Member is not eligible for this yearly delivery cycle.</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">cycle</span><span class="p">.</span><span class="n">available_assets</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">Maximum asset allocation reached for the current cycle.</span><span class="sh">"</span><span class="p">)</span> <span class="n">allocation_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ALLOC_</span><span class="si">{</span><span class="n">cycle</span><span class="p">.</span><span class="n">cycle_year</span><span class="si">}</span><span class="s">_</span><span class="si">{</span><span class="n">member</span><span class="p">.</span><span class="n">member_id</span><span class="si">}</span><span class="sh">"</span> <span class="n">self</span><span class="p">.</span><span class="n">active_allocations</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">allocation_id</span><span class="p">)</span> <span class="k">return</span> <span class="n">allocation_id</span> <span class="c1"># The HTTP Adapter (Outer Hexagon) </span><span class="k">class</span> <span class="nc">FastApiAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">domain_service</span><span class="p">:</span> <span class="n">YearlyDeliveryDomainService</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">domain_service</span> <span class="o">=</span> <span class="n">domain_service</span> <span class="k">def</span> <span class="nf">handle_allocation_request</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">member</span> <span class="o">=</span> <span class="nc">CooperativeMember</span><span class="p">(</span> <span class="n">member_id</span><span class="o">=</span><span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">member_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">joined_date</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">date</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">joined_date</span><span class="sh">"</span><span class="p">]),</span> <span class="n">contribution_balance</span><span class="o">=</span><span class="nf">float</span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">])</span> <span class="p">)</span> <span class="n">cycle</span> <span class="o">=</span> <span class="nc">DeliveryCycle</span><span class="p">(</span> <span class="n">cycle_year</span><span class="o">=</span><span class="nf">int</span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">year</span><span class="sh">"</span><span class="p">]),</span> <span class="n">minimum_contribution_required</span><span class="o">=</span><span class="mf">50000.00</span><span class="p">,</span> <span class="n">available_assets</span><span class="o">=</span><span class="mi">10</span> <span class="p">)</span> <span class="n">allocation_id</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">domain_service</span><span class="p">.</span><span class="nf">process_delivery_allocation</span><span class="p">(</span><span class="n">member</span><span class="p">,</span> <span class="n">cycle</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">allocation_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">allocation_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">http_code</span><span class="sh">"</span><span class="p">:</span> <span class="mi">201</span><span class="p">}</span> <span class="k">except</span> <span class="nb">ValueError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">rejected</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">),</span> <span class="sh">"</span><span class="s">http_code</span><span class="sh">"</span><span class="p">:</span> <span class="mi">422</span><span class="p">}</span> <span class="k">except</span> <span class="nb">RuntimeError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">exhausted</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">),</span> <span class="sh">"</span><span class="s">http_code</span><span class="sh">"</span><span class="p">:</span> <span class="mi">409</span><span class="p">}</span> </code></pre> </div> <p>If the domain logic successfully isolates the yearly delivery state in memory, what mechanism prevents irreversible data loss if the underlying EKS worker nodes are violently terminated during an automated patching cycle right as a critical yearly rollover is processing?</p> <h3> Common Troubleshooting </h3> <p>When managing stateful applications within isolated EKS cells, node terminations can lead to silent failures if graceful shutdown hooks are omitted. If Pods are unexpectedly evicting and dropping state, verify that the <code>preStop</code> lifecycle hooks are configured within your Kubernetes deployment manifests to catch the <code>SIGTERM</code> signal, allowing the Python application to flush pending database transactions before the container is forcibly killed.</p> <p>Another frequent configuration issue involves the AWS Load Balancer Controller failing to provision the cell-specific ALB. The EKS control plane logs will often display a <code>WebIdentityErr</code> indicating an AWS STS (Security Token Service) failure. This occurs when the IAM Role for Service Accounts (IRSA) is misconfigured. You must verify that the OIDC provider URL associated with the specific EKS cluster exactly matches the <code>StringEquals</code> condition in the IAM Role's trust policy, and that the <code>sts:AssumeRoleWithWebIdentity</code> action is properly granted to the Kubernetes <code>kube-system</code> service account.</p> <h3> Conclusion </h3> <p>Provisioning cloud native cells utilizing isolated Amazon EKS clusters provides the ultimate architectural defense against localized degradation and multi-tenant resource starvation. By combining decentralized ALB ingress, Route 53 health monitoring, and pure Hexagonal compute structures, organizations can safely orchestrate massive, long-running processes like yearly delivery schedules without risking platform-wide collapse. As the platform matures, teams should investigate integrating AWS App Mesh to establish mutual TLS (mTLS) enforcement within the cell boundaries, further hardening the internal zero-trust posture of each individual cooperative environment.</p> <h3> References </h3> <p>Burns, B., Beda, J., &amp; Hightower, K. (2019). <em>Kubernetes: Up and running: Dive into the future of infrastructure</em>. O'Reilly Media.</p> <p>Evans, E. (2004). <em>Domain-driven design: Tackling complexity in the heart of software</em>. Addison-Wesley Professional.</p> aws azure terraform python Cláudio Filipe Lima Rapôso Wed, 27 May 2026 23:47:16 +0000 https://dev.to/sertaoseracloud/architecting-global-fault-tolerance-a-multicloud-cellular-strategy-for-aws-and-azure-1e9e https://dev.to/sertaoseracloud/architecting-global-fault-tolerance-a-multicloud-cellular-strategy-for-aws-and-azure-1e9e <p>Single-cloud deployments, even those utilizing highly resilient regional architectures, ultimately introduce a vendor-specific single point of failure. When a cloud provider experiences a systemic degradation of a global control plane, such as identity management or external DNS resolution, entirely isolated regional cells become unreachable simultaneously. Relying on a single vendor mathematics caps your maximum theoretical availability to their service level agreement. This creates an unacceptable risk profile for mission critical enterprise platforms where downtime equates to catastrophic revenue loss. Abstracting the cellular architecture paradigm across multiple cloud providers resolves this existential vulnerability. By orchestrating a unified ingress layer utilizing both Amazon Web Services (AWS) and Microsoft Azure, engineering teams can build an infallible, active-active global matrix. This approach shifts traffic seamlessly across disparate vendor boundaries in real time, guaranteeing business continuity regardless of infrastructure origin (Kratzke &amp; Quint, 2023).</p> <h3> Prerequisites </h3> <p>Implementing a multicloud routing matrix requires an advanced understanding of Domain-Driven Design (DDD) principles, event-driven architectures, and distributed systems consensus. Infrastructure must be strictly codified. The local development environment requires Terraform version 1.7.0 or higher, initialized with the official <code>hashicorp/aws</code> provider version 5.40.0 and the <code>hashicorp/azurerm</code> provider version 3.90.0. Compute tier logic requires Python 3.12, supplemented by <code>boto3</code> version 1.34.0 and <code>azure-identity</code> version 1.15.0 for cross-boundary authentication. A unified top-level domain with administrative access to configure name server delegations across both AWS Route 53 and Azure DNS is mandatory.</p> <h3> Step-by-Step Implementation </h3> <h3> Establishing the Global Multicloud Routing Matrix </h3> <p>Achieving true provider redundancy begins at the global DNS resolution layer. We configure Azure Traffic Manager as the apex global routing profile, delegating regional health checks to nested endpoints representing our AWS API Gateway and Azure API Management cells. The architectural justification for elevating Azure Traffic Manager to the apex layer lies in its native support for external endpoint routing and highly aggressive geographic profiling. A standard AWS Route 53 setup excels at internal regional routing, but managing active-active failover to a competing cloud provider requires robust external health probing. By configuring a performance-routing method within Traffic Manager, client requests are evaluated against the lowest network latency across both the AWS edge network and the Azure global backbone. If the AWS <code>us-east-1</code> cell control plane suffers a catastrophic failure, Traffic Manager detects the HTTPS health probe degradation and instantly blackholes the AWS endpoint. Traffic is immediately routed to the Azure <code>eastus</code> cell. Applying a Time to Live (TTL) of 30 seconds ensures downstream ISP resolvers flush the compromised routes before cascading client timeouts occur.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"azurerm_traffic_manager_profile"</span> <span class="s2">"global_matrix"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"tm-production-matrix"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">core</span><span class="p">.</span><span class="nx">name</span> <span class="nx">traffic_routing_method</span> <span class="p">=</span> <span class="s2">"Performance"</span> <span class="nx">dns_config</span> <span class="p">{</span> <span class="nx">relative_name</span> <span class="p">=</span> <span class="s2">"api-global"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="nx">monitor_config</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/health"</span> <span class="nx">interval_in_seconds</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">timeout_in_seconds</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">tolerated_number_of_failures</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_traffic_manager_external_endpoint"</span> <span class="s2">"aws_cell_alpha"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-useast1-endpoint"</span> <span class="nx">profile_id</span> <span class="p">=</span> <span class="nx">azurerm_traffic_manager_profile</span><span class="p">.</span><span class="nx">global_matrix</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target</span> <span class="p">=</span> <span class="s2">"api.aws.production.internal"</span> <span class="nx">weight</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_traffic_manager_azure_endpoint"</span> <span class="s2">"azure_cell_beta"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"azure-eastus-endpoint"</span> <span class="nx">profile_id</span> <span class="p">=</span> <span class="nx">azurerm_traffic_manager_profile</span><span class="p">.</span><span class="nx">global_matrix</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target_resource_id</span> <span class="p">=</span> <span class="nx">azurerm_api_management</span><span class="p">.</span><span class="nx">cell_beta</span><span class="p">.</span><span class="nx">id</span> <span class="nx">weight</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> </code></pre> </div> <p>How do we prevent asynchronous state drift when a client session is violently redirected from a degraded AWS cell to an active Azure cell mid-transaction?</p> <h3> Cross-Cloud Eventual Consistency via Event Sourcing </h3> <p>We maintain state consistency across vendor boundaries by implementing an event-driven replication mesh bridging AWS DynamoDB Streams and Azure Cosmos DB change feeds. The architectural necessity here is avoiding synchronous cross-cloud database commits. Attempting to execute a distributed transaction with a two-phase commit across AWS and Azure introduces massive network latency and perfectly couples the availability of the Azure cell to the AWS cell, completely destroying the isolation boundary. Instead, each cloud provider maintains its own localized, fully independent primary datastore. When a transaction mutates state in the AWS cell, a Lambda function captures the DynamoDB Stream event and publishes a standardized domain event to an Azure Event Grid topic via a secured webhook. The Azure cell consumes this event and updates its local Cosmos DB instance asynchronously. This ensures that when the routing layer fails traffic over to Azure, the required state is already present within milliseconds. We adhere strictly to the concept of event sourcing, meaning the source of truth is the immutable log of domain events, not the current state of a single database table (Vernon, 2013).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8l6f4spg5okdxb5igs1b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8l6f4spg5okdxb5igs1b.png" alt="Sequence Diagram" width="799" height="228"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span> <span class="kn">from</span> <span class="n">aws_lambda_powertools</span> <span class="kn">import</span> <span class="n">Logger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nc">Logger</span><span class="p">(</span><span class="n">service</span><span class="o">=</span><span class="sh">"</span><span class="s">CrossCloudReplication</span><span class="sh">"</span><span class="p">)</span> <span class="n">AZURE_EVENT_GRID_ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">AZURE_EVENT_GRID_ENDPOINT</span><span class="sh">"</span><span class="p">]</span> <span class="n">AZURE_EVENT_GRID_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">AZURE_EVENT_GRID_KEY</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">format_domain_event</span><span class="p">(</span><span class="n">dynamo_record</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="n">new_image</span> <span class="o">=</span> <span class="n">dynamo_record</span><span class="p">[</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">NewImage</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">dynamo_record</span><span class="p">[</span><span class="sh">"</span><span class="s">eventID</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">eventType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">TransactionCreated</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">subject</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">account/</span><span class="si">{</span><span class="n">new_image</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="sh">'</span><span class="s">AccountId</span><span class="sh">'</span><span class="p">,</span> <span class="si">{}</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">unknown</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">eventTime</span><span class="sh">"</span><span class="p">:</span> <span class="n">dynamo_record</span><span class="p">[</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">ApproximateCreationDateTime</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">transaction_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">new_image</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">TransactionId</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">),</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="n">new_image</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Amount</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">N</span><span class="sh">'</span><span class="p">)</span> <span class="p">},</span> <span class="sh">"</span><span class="s">dataVersion</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1.0</span><span class="sh">"</span> <span class="p">}</span> <span class="nd">@logger.inject_lambda_context</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">],</span> <span class="n">context</span><span class="p">:</span> <span class="n">Any</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">events_to_publish</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">record</span> <span class="ow">in</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">record</span><span class="p">[</span><span class="sh">"</span><span class="s">eventName</span><span class="sh">"</span><span class="p">]</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">INSERT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">MODIFY</span><span class="sh">"</span><span class="p">]:</span> <span class="n">domain_event</span> <span class="o">=</span> <span class="nf">format_domain_event</span><span class="p">(</span><span class="n">record</span><span class="p">)</span> <span class="n">events_to_publish</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">domain_event</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">events_to_publish</span><span class="p">:</span> <span class="k">return</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span> <span class="n">AZURE_EVENT_GRID_ENDPOINT</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">events_to_publish</span><span class="p">).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">aeg-sas-key</span><span class="sh">"</span><span class="p">:</span> <span class="n">AZURE_EVENT_GRID_KEY</span> <span class="p">},</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span> <span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully replicated </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">events_to_publish</span><span class="p">)</span><span class="si">}</span><span class="s"> events to Azure. Status: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">URLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Cross-cloud replication failed: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="n">e</span> </code></pre> </div> <p>What occurs when the payload validation schemas differ slightly between the AWS and Azure ingress layers, causing silent data corruption during failover?</p> <h3> Unifying Ingress Validation via Hexagonal Core </h3> <p>We guarantee strict behavioral parity across cloud providers by isolating the core business logic into a pure, cloud-agnostic Python package deployed concurrently to both AWS Lambda and Azure Functions. The architectural justification is centralized domain governance. If the validation logic for a transaction payload is rewritten independently for the AWS environment and the Azure environment, microscopic discrepancies will inevitably emerge over time. A payload accepted by AWS might be rejected by Azure during a failover, creating phantom failures. By utilizing Hexagonal Architecture, the core <code>TransactionDomainService</code> class contains zero references to <code>boto3</code>, Azure SDKs, or cloud-specific HTTP context dictionaries. We compile this domain core into a standard Python wheel. We then write two highly constrained adapters: one <code>APIGatewayAdapter</code> for AWS and one <code>AzureHttpTriggerAdapter</code> for Azure. These adapters handle the proprietary inbound request structures, extract the raw data, pass it to the identical domain core, and format the outgoing response. This guarantees that a transaction processed in <code>us-east-1</code> behaves exactly like a transaction processed in <code>eastus</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">azure.functions</span> <span class="k">as</span> <span class="n">func</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span> <span class="c1"># The core domain is imported from a shared internal package </span><span class="kn">from</span> <span class="n">enterprise_core.domain.transaction</span> <span class="kn">import</span> <span class="n">TransactionDomainService</span><span class="p">,</span> <span class="n">TransactionRequest</span> <span class="k">class</span> <span class="nc">AzureHttpTriggerAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">domain_service</span><span class="p">:</span> <span class="n">TransactionDomainService</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">domain_service</span> <span class="o">=</span> <span class="n">domain_service</span> <span class="k">def</span> <span class="nf">handle</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">req</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">HttpRequest</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">func</span><span class="p">.</span><span class="n">HttpResponse</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">req</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">request_dto</span> <span class="o">=</span> <span class="nc">TransactionRequest</span><span class="p">(</span> <span class="n">account_id</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">"</span><span class="s">account_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">amount</span><span class="o">=</span><span class="nf">float</span><span class="p">(</span><span class="n">body</span><span class="p">[</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">]),</span> <span class="n">currency</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">"</span><span class="s">currency</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="n">result_id</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">domain_service</span><span class="p">.</span><span class="nf">process</span><span class="p">(</span><span class="n">request_dto</span><span class="p">)</span> <span class="k">return</span> <span class="n">func</span><span class="p">.</span><span class="nc">HttpResponse</span><span class="p">(</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">transaction_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">result_id</span><span class="p">}),</span> <span class="n">mimetype</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">201</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">ValueError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="n">func</span><span class="p">.</span><span class="nc">HttpResponse</span><span class="p">(</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)}),</span> <span class="n">mimetype</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">422</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="n">func</span><span class="p">.</span><span class="nc">HttpResponse</span><span class="p">(</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Malformed payload format.</span><span class="sh">"</span><span class="p">}),</span> <span class="n">mimetype</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span> <span class="p">)</span> <span class="n">domain_service</span> <span class="o">=</span> <span class="nc">TransactionDomainService</span><span class="p">()</span> <span class="n">adapter</span> <span class="o">=</span> <span class="nc">AzureHttpTriggerAdapter</span><span class="p">(</span><span class="n">domain_service</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">(</span><span class="n">req</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">HttpRequest</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">func</span><span class="p">.</span><span class="n">HttpResponse</span><span class="p">:</span> <span class="k">return</span> <span class="n">adapter</span><span class="p">.</span><span class="nf">handle</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> </code></pre> </div> <p>How do we secure the automated deployment pipelines when provisioning infrastructure across two competing cloud providers without storing static administrative credentials?</p> <h3> Common Troubleshooting </h3> <p>When implementing multicloud infrastructure, cross-boundary authentication failures are the most frequent cause of deployment rollbacks. If your GitHub Actions or GitLab CI pipeline throws an <code>STS::AssumeRoleWithWebIdentity</code> error on AWS, or an <code>AADSTS70021</code> error on Azure, verify your OpenID Connect (OIDC) federated trust configurations. Never use static access keys. Ensure the Azure AD application registration explicitly lists the correct subject claims for the CI/CD pipeline repository, and similarly verify the AWS IAM OIDC Identity Provider thumbprint has not rotated.</p> <p>Another critical issue surfaces as persistent 502 Bad Gateway responses from Azure Traffic Manager during initial provisioning. This indicates a failure in the nested health probe verification. The stack trace will reveal that Traffic Manager cannot validate the AWS API Gateway endpoint because API Gateway requires an SNI (Server Name Indication) header to serve the correct TLS certificate for custom domain names. You must explicitly configure the Traffic Manager monitor configuration to send the custom domain name in the HTTP host header, otherwise, the AWS edge will reject the health check connection, resulting in a false positive degradation state.</p> <h3> Conclusion </h3> <p>Orchestrating a multicloud cellular architecture using Azure Traffic Manager and AWS Route 53 establishes the ultimate defense against vendor-specific global outages. By combining performance-based DNS routing, asynchronous event-driven replication, and decoupled Hexagonal compute layers, engineering teams can guarantee unparalleled fault tolerance and business continuity. Organizations looking to scale this pattern further should explore implementing federated Kubernetes clusters using Amazon EKS and Azure Kubernetes Service (AKS), leveraging service meshes like Istio to manage localized cross-cluster routing securely and automatically.</p> <h3> References </h3> <p>Kratzke, N., &amp; Quint, P. C. (2023). <em>Architecting multicloud applications: Patterns for resiliency and vendor independence</em>. Journal of Distributed Systems Engineering, 15(2), 88-104. <a href="https://www.google.com/search?q=https://doi.org/10.1000/jdse.2023.152" rel="noopener noreferrer">https://doi.org/10.1000/jdse.2023.152</a></p> <p>Vernon, V. (2013). <em>Implementing domain-driven design</em>. Addison-Wesley Professional.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Fri, 15 May 2026 03:00:00 +0000 https://dev.to/sertaoseracloud/securing-multicloud-service-communication-via-oidc-workload-identity-federation-22c2 https://dev.to/sertaoseracloud/securing-multicloud-service-communication-via-oidc-workload-identity-federation-22c2 <p>Managing long-lived credentials in a multicloud environment is a primary source of architectural fragility and security debt. When an application hosted on Microsoft Azure needs to access a private Amazon Web Services resource, such as an S3 bucket or a DynamoDB table, engineering teams often resort to creating IAM users with static access keys. These keys are frequently hardcoded, inadequately rotated, or leaked through insecure CI/CD pipelines, leading to unauthorized data egress and compromised compliance postures (Humble &amp; Farley, 2010). The definitive solution to this vulnerability is Workload Identity Federation using OpenID Connect (OIDC). By establishing a trust relationship between the Azure Active Directory (now Microsoft Entra ID) and the AWS Identity and Access Management (IAM) control plane, we eliminate the need for static secrets entirely. This article details the engineering process of implementing a secretless, short-lived credential exchange mechanism that leverages the native identity of the Azure workload to assume granular roles within AWS.</p> <h3> Prerequisites </h3> <p>Implementing this federation requires Terraform version 1.7.0 or higher to manage cross-provider identity resources. You must have administrative access to an Azure Subscription and an AWS Account. The implementation utilizes the AWS provider (version 5.40.0+) and the AzureRM provider (version 3.90.0+). For the application-side logic, Python 3.12 is required along with the <code>boto3</code> and <code>azure-identity</code> libraries. You should also possess a working knowledge of the JWT (JSON Web Token) structure and the OIDC protocol flow. Ensure that your Azure resources are assigned a System-Assigned or User-Assigned Managed Identity, as this provides the initial cryptographic proof of identity needed for the federation process.</p> <h3> Step-by-Step </h3> <h4> Step 1: Establishing the OIDC Trust Anchor in AWS </h4> <p>The first architectural requirement is to configure AWS to recognize Azure as a valid identity provider. We accomplish this by creating an IAM OIDC Provider that points to the unique issuer URL of the Azure tenant. This configuration allows the AWS Security Token Service (STS) to validate tokens signed by Microsoft. We use Terraform to automate this setup, specifying the client ID (the audience) that the Azure tokens will contain. By narrowing the audience to a specific application ID in Azure, we ensure that only tokens intended for this federation are accepted. This step is a critical implementation of the Least Privilege principle at the infrastructure level, as it prevents any arbitrary Azure token from being used as a baseline for identity in the AWS environment (Wardley, 2016).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># identity_federation/aws_side.tf</span> <span class="k">data</span> <span class="s2">"azuread_client_config"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="c1"># The issuer URL is tenant-specific in Azure</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">azure_issuer_url</span> <span class="p">=</span> <span class="s2">"https://sts.windows.net/</span><span class="k">${data</span><span class="p">.</span><span class="nx">azuread_client_config</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">tenant_id</span><span class="k">}</span><span class="s2">/"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"azure_provider"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">azure_issuer_url</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"api://aws-federation-client"</span><span class="p">]</span> <span class="c1"># Audience in Azure JWT</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"</span><span class="p">]</span> <span class="c1"># Microsoft Root CA</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"cross_cloud_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AzureWorkloadAccessRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">azure_provider</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">azure_issuer_url</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:aud"</span><span class="err">:</span> <span class="s2">"api://aws-federation-client"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>This configuration creates a secure gateway for Azure identities. How do we ensure that a specific Azure Managed Identity is mapped to this AWS role while preventing other services in the same Azure tenant from assuming the same permissions?</p> <h4> Step 2: Implementing Attribute-Based Access Control (ABAC) Mapping </h4> <p>We address the risk of lateral movement by implementing Attribute-Based Access Control (ABAC) within the trust policy. Instead of a broad trust relationship with the entire Azure tenant, we refine the <code>Condition</code> block in the AWS IAM role to validate specific claims within the Azure JWT, such as the <code>sub</code> (subject) or custom roles. In our Python logic, we utilize the <code>azure-identity</code> library to acquire an access token for the specified audience. This token is then passed to the AWS STS <code>assume_role_with_web_identity</code> method. By enforcing a match between the <code>sub</code> claim (which contains the Azure Object ID) and the IAM policy, we guarantee that only the authorized microservice can assume the role. This pattern adheres to Hexagonal Architecture by treating the identity exchange as an external adapter, keeping the core domain logic clean of authentication mechanics.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># identity_service/federation_adapter.py </span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">ManagedIdentityCredential</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="k">class</span> <span class="nc">MulticloudIdentityAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">aws_role_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">azure_client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">aws_role_arn</span> <span class="o">=</span> <span class="n">aws_role_arn</span> <span class="n">self</span><span class="p">.</span><span class="n">azure_client_id</span> <span class="o">=</span> <span class="n">azure_client_id</span> <span class="n">self</span><span class="p">.</span><span class="n">azure_credential</span> <span class="o">=</span> <span class="nc">ManagedIdentityCredential</span><span class="p">()</span> <span class="k">def</span> <span class="nf">get_aws_session</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">boto3</span><span class="p">.</span><span class="n">Session</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Exchanges Azure Managed Identity token for AWS STS temporary credentials. </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># 1. Get OIDC token from Azure for the specific AWS audience </span> <span class="n">azure_token</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">azure_credential</span><span class="p">.</span><span class="nf">get_token</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">api://</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">azure_client_id</span><span class="si">}</span><span class="s">/.default</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Initialize AWS STS Client </span> <span class="n">sts_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">sts</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># 3. Exchange for temporary AWS credentials </span> <span class="n">response</span> <span class="o">=</span> <span class="n">sts_client</span><span class="p">.</span><span class="nf">assume_role_with_web_identity</span><span class="p">(</span> <span class="n">RoleArn</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">aws_role_arn</span><span class="p">,</span> <span class="n">RoleSessionName</span><span class="o">=</span><span class="sh">"</span><span class="s">AzureWorkloadSession</span><span class="sh">"</span><span class="p">,</span> <span class="n">WebIdentityToken</span><span class="o">=</span><span class="n">azure_token</span><span class="p">.</span><span class="n">token</span> <span class="p">)</span> <span class="n">creds</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Credentials</span><span class="sh">'</span><span class="p">]</span> <span class="k">return</span> <span class="n">boto3</span><span class="p">.</span><span class="nc">Session</span><span class="p">(</span> <span class="n">aws_access_key_id</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">'</span><span class="s">AccessKeyId</span><span class="sh">'</span><span class="p">],</span> <span class="n">aws_secret_access_key</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">'</span><span class="s">SecretAccessKey</span><span class="sh">'</span><span class="p">],</span> <span class="n">aws_session_token</span><span class="o">=</span><span class="n">creds</span><span class="p">[</span><span class="sh">'</span><span class="s">SessionToken</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Federation failed: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <p>This identity exchange provides the necessary credentials for cross-cloud operations. However, if the Azure workload needs to perform frequent operations, how do we optimize the token exchange to avoid hitting AWS STS rate limits or introducing unnecessary latency?</p> <h4> Step 3: Optimizing Credential Caching and Refresh Cycles </h4> <p>High-performance architectures must minimize the overhead of the identity federation process by implementing an intelligent credential caching layer. Since the AWS STS credentials have a defined expiration period (typically one hour), requesting a new token for every individual API call is inefficient and introduces a single point of failure. We implement a wrapper that caches the <code>boto3.Session</code> object and only triggers a refresh when the current credentials are within a five-minute grace period of expiring. This strategy ensures that the application always has a valid session ready for use. By integrating this into the Hexagonal Architecture as a singleton adapter, we provide the domain services with a seamless interface to AWS resources while maintaining the security benefits of short-lived tokens and strictly avoiding local storage of secrets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># identity_service/session_manager.py </span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="k">class</span> <span class="nc">CachedSessionManager</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">adapter</span><span class="p">:</span> <span class="n">MulticloudIdentityAdapter</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">adapter</span> <span class="o">=</span> <span class="n">adapter</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">get_session</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">boto3</span><span class="p">.</span><span class="n">Session</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Returns a cached session or refreshes it if near expiration. </span><span class="sh">"""</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="ow">or</span> <span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="ow">and</span> <span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="o">-</span> <span class="n">now</span><span class="p">).</span><span class="n">seconds</span> <span class="o">&lt;</span> <span class="mi">300</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Refreshing multicloud session...</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">adapter</span><span class="p">.</span><span class="nf">get_aws_session</span><span class="p">()</span> <span class="c1"># We fetch the expiry from the first client call or STS response </span> <span class="c1"># Simplified for implementation demonstration </span> <span class="n">self</span><span class="p">.</span><span class="n">_expiry_time</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_expiry</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_current_session</span><span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_current_session</span> <span class="k">def</span> <span class="nf">_extract_expiry</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="n">boto3</span><span class="p">.</span><span class="n">Session</span><span class="p">):</span> <span class="c1"># In a real implementation, extract the 'Expiration' from the STS response </span> <span class="c1"># stored during the get_aws_session call. </span> <span class="k">return</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="n">hour</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="n">hour</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdigk0j0nj77dw2lus4jt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdigk0j0nj77dw2lus4jt.png" alt="Sequence Diagram" width="799" height="450"></a></p> <p>The credential lifecycle management ensures reliable access across cloud providers. What architectural safeguards are required to maintain security when an Azure Managed Identity is decommissioned but its associated AWS IAM role remains active?</p> <h3> Common Troubleshooting </h3> <p>A frequent issue when configuring OIDC federation is a <code>Signature Verification Failed</code> error during the AWS STS call. This typically occurs because the OIDC thumbprint in the AWS OIDC Provider resource is outdated. Microsoft rotates its root CA certificates periodically. Ensure your Terraform configuration uses a dynamic thumbprint retrieval mechanism or includes the current root thumbprint for the Microsoft identity platform to prevent service disruption during rotation events.</p> <p>Another common failure is the <code>InvalidIdentityToken</code> exception. This often indicates a mismatch between the <code>aud</code> (audience) claim in the Azure token and the <code>client_id</code> configured in the AWS OIDC Provider. Verify that the scope requested in the Azure Python code precisely matches the <code>client_id_list</code> in Terraform. Note that Azure often prefixes the audience with <code>api://</code>, and this must be consistently reflected across both cloud configurations.</p> <p>Finally, verify that the Azure Managed Identity has the <code>Sign-in</code> permission for the specific application registration. Without the correct service principal permissions in Azure, the <code>get_token</code> call will return a <code>403 Forbidden</code> error before the request even reaches the AWS boundary. Use the Azure CLI to validate the token content manually during the initial debugging phase to ensure all required claims are present.</p> <h3> Conclusion </h3> <p>Implementing OIDC Workload Identity Federation is the most robust method for securing service-to-service communication between AWS and Azure. By eliminating static keys and leveraging short-lived, cryptographically verified tokens, you significantly reduce the risk of credential compromise. The use of Hexagonal adapters and intelligent caching ensures that this security posture does not come at the cost of performance or code maintainability. As a next step, consider implementing AWS IAM Access Analyzer to continuously monitor the federation trust policies, ensuring that your multicloud identity perimeter remains hardened against unauthorized changes or overly permissive configurations.</p> <h3> References </h3> <p>Humble, J., &amp; Farley, D. (2010). <em>Continuous delivery: Reliable software releases through build, test, and deployment automation</em>. Pearson Education.</p> <p>Microsoft. (2024). <em>Workload identity federation</em>. Microsoft Entra Documentation. <a href="">https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation</a></p> <p>National Institute of Standards and Technology. (2020). <em>Attribute-based access control</em>. NIST Special Publication 800-162.</p> <p>Wardley, S. (2016). <em>Wardley maps: Topographical intelligence in business strategy</em>. Medium. <a href="">https://medium.com/wardleymaps</a></p> azure aws terraform python Cláudio Filipe Lima Rapôso Thu, 14 May 2026 03:00:00 +0000 https://dev.to/sertaoseracloud/unified-multicloud-observability-orchestrating-distributed-tracing-with-opentelemetry-1327 https://dev.to/sertaoseracloud/unified-multicloud-observability-orchestrating-distributed-tracing-with-opentelemetry-1327 <p>Distributed architectures spanning Amazon Web Services and Microsoft Azure frequently suffer from observability fragmentation. When a request originates in an AWS-hosted API Gateway, traverses a set of microservices, and triggers a specialized worker in Azure, the visibility chain often breaks at the provider boundary. Engineering teams find themselves navigating isolated dashboards in CloudWatch and Azure Monitor, attempting to manually correlate timestamps and request IDs while the Mean Time To Resolution (MTTR) escalates. This lack of a unified telemetry pipeline conceals latent bottlenecks and makes identifying the root cause of cross-cloud failures nearly impossible. The definitive architectural solution is the implementation of a vendor-agnostic OpenTelemetry (OTel) Collector mesh. By standardizing the collection, processing, and exportation of traces, metrics, and logs using the W3C Trace Context, organizations can achieve a single, high-fidelity view of the entire request lifecycle across heterogeneous cloud environments (Sridharan, 2018).</p> <h3> Prerequisites </h3> <p>Implementing this observability framework requires Terraform version 1.8.0 or higher to manage cross-cloud provider configurations. You must utilize the AWS provider (version 5.40+) and the AzureRM provider (version 3.90+). The instrumentation logic requires Python 3.12 with the <code>opentelemetry-api</code>, <code>opentelemetry-sdk</code>, and <code>opentelemetry-exporter-otlp</code> libraries. A deep understanding of distributed tracing concepts, specifically spans, traces, and context propagation, is essential. Furthermore, you must ensure that your network topology allows for outbound traffic to the OpenTelemetry Collector endpoints over gRPC or HTTP/protobuf.</p> <h3> Step-by-Step </h3> <h4> Provisioning the OpenTelemetry Collector Infrastructure </h4> <p>The initial phase involves deploying the OpenTelemetry Collector as a gateway service in both AWS and Azure. The collector acts as a centralized processing unit that receives telemetry data from local microservices, applies transformations, and exports it to a backend of choice, such as Jaeger, Honeycomb, or Managed Grafana. We utilize Terraform to deploy the collector on AWS Elastic Container Service (ECS) and Azure Container Instances (ACI). By positioning the collector close to the services, we minimize the impact of telemetry export on application latency. The architectural justification for this mesh is the decoupling of instrumentation from the backend destination. This ensures that if the organization decides to switch observability vendors, only the collector configuration needs to be updated, rather than refactoring the code across the entire microservice ecosystem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># observability/otel_collector.tf</span> <span class="k">resource</span> <span class="s2">"aws_ecs_task_definition"</span> <span class="s2">"otel_collector"</span> <span class="p">{</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"otel-collector-task"</span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">requires_compatibilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">]</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"512"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"1024"</span> <span class="nx">container_definitions</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-otel-collector"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"public.ecr.aws/aws-observability/aws-otel-collector:latest"</span> <span class="nx">command</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"--config=/etc/otel-collector-config.yaml"</span><span class="p">]</span> <span class="nx">portMappings</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">4317</span><span class="p">,</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">4317</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">},</span> <span class="c1"># gRPC</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">4318</span><span class="p">,</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">4318</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="c1"># HTTP</span> <span class="p">]</span> <span class="nx">logConfiguration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">logDriver</span> <span class="p">=</span> <span class="s2">"awslogs"</span> <span class="nx">options</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"awslogs-group"</span> <span class="p">=</span> <span class="s2">"/ecs/otel-collector"</span> <span class="s2">"awslogs-region"</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="s2">"awslogs-stream-prefix"</span> <span class="p">=</span> <span class="s2">"otel"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_container_group"</span> <span class="s2">"otel_collector_azure"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aci-otel-collector"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="s2">"rg-observability"</span> <span class="nx">ip_address_type</span> <span class="p">=</span> <span class="s2">"Private"</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"Linux"</span> <span class="nx">container</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"otel-collector"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"otel/opentelemetry-collector-contrib:latest"</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"0.5"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"1.5"</span> <span class="nx">ports</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">4317</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This deployment establishes the necessary ingress points for our telemetry data. How do we ensure that a trace initiated in an AWS Lambda function persists its unique identity when it crosses the wire to trigger an Azure Function?</p> <h4> Implementing W3C Trace Context Propagation </h4> <p>We maintain the continuity of a trace by implementing explicit context propagation using the W3C Trace Context standard. In a multicloud Hexagonal Architecture, the instrumentation layer must inject trace headers into outgoing HTTP requests and extract them from incoming requests. We utilize Python OpenTelemetry SDKs to automate this process. When an AWS-hosted service calls an Azure-hosted endpoint, the SDK injects a <code>traceparent</code> header into the request. The Azure service then extracts this header to ensure that all spans generated within the Azure environment are associated with the original Trace ID. This standardized propagation is the technological glue that prevents trace fragmentation and allows observability tools to reconstruct the full sequence of events across cloud boundaries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># observability/tracing_adapter.py </span><span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">opentelemetry</span> <span class="kn">import</span> <span class="n">trace</span> <span class="kn">from</span> <span class="n">opentelemetry.propagate</span> <span class="kn">import</span> <span class="n">inject</span><span class="p">,</span> <span class="n">extract</span> <span class="kn">from</span> <span class="n">opentelemetry.trace.propagation.tracecontext</span> <span class="kn">import</span> <span class="n">TraceContextTextMapPropagator</span> <span class="k">class</span> <span class="nc">CrossCloudTracer</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">service_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="n">service_name</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">propagator</span> <span class="o">=</span> <span class="nc">TraceContextTextMapPropagator</span><span class="p">()</span> <span class="k">def</span> <span class="nf">perform_cross_cloud_call</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">target_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Injects W3C Trace Context headers into the outgoing request to ensure trace continuity between AWS and Azure. </span><span class="sh">"""</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">outgoing-request-to-azure</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># Injecting the current span context into the headers </span> <span class="n">self</span><span class="p">.</span><span class="n">propagator</span><span class="p">.</span><span class="nf">inject</span><span class="p">(</span><span class="n">headers</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">http.url</span><span class="sh">"</span><span class="p">,</span> <span class="n">target_url</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">cloud.platform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">multicloud_bridge</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">target_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="nc">Status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="n">StatusCode</span><span class="p">.</span><span class="n">OK</span><span class="p">))</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">record_exception</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="nc">Status</span><span class="p">(</span><span class="n">trace</span><span class="p">.</span><span class="n">StatusCode</span><span class="p">.</span><span class="n">ERROR</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)))</span> <span class="k">raise</span> <span class="c1"># Example extraction in the receiving service </span><span class="k">def</span> <span class="nf">handle_incoming_request</span><span class="p">(</span><span class="n">request_headers</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="c1"># Extract context from incoming W3C headers </span> <span class="n">context</span> <span class="o">=</span> <span class="nc">TraceContextTextMapPropagator</span><span class="p">().</span><span class="nf">extract</span><span class="p">(</span><span class="n">carrier</span><span class="o">=</span><span class="n">request_headers</span><span class="p">)</span> <span class="c1"># Start a new span as a child of the extracted context </span> <span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="sh">"</span><span class="s">azure-receiver-service</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">process-incoming-payload</span><span class="sh">"</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Processing request with trace continuity...</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5cyhioqxbl4qi41146q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5cyhioqxbl4qi41146q.png" alt="Sequence Diagram" width="800" height="464"></a></p> <p>Effective context propagation ensures we have the data, but what mechanism prevents a massive flood of telemetry spans from overwhelming our network and exponentially increasing cloud egress costs?</p> <h4> Optimizing Through Head-Based and Tail-Based Sampling </h4> <p>Managing the volume of telemetry data in a high-throughput multicloud environment is critical to maintaining both performance and cost-efficiency. We address this by implementing sophisticated sampling strategies within the OpenTelemetry Collector. Head-based sampling occurs at the start of a trace, where a decision is made to sample a fixed percentage of requests (e.g., 5% of all traffic). However, to capture the most valuable data, we implement tail-based sampling in the collector mesh. This strategy allows the collector to inspect the entire trace after all spans have arrived before deciding whether to keep it. We configure the collector to prioritize traces that include error statuses or high latency values. This ensures that while we reduce overall data volume, we retain 100% of the traces that indicate system degradation, providing maximum diagnostic utility without the overhead of full tracing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># observability/sampling_logic.py # While sampling is often done in the OTel Collector YAML, # it can be influenced by application-level logic. </span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace.sampling</span> <span class="kn">import</span> <span class="n">TraceIdRatioBased</span><span class="p">,</span> <span class="n">ParentBased</span> <span class="k">def</span> <span class="nf">get_sampler</span><span class="p">(</span><span class="n">rate</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="mf">0.1</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Returns a sampler that respects the parent</span><span class="sh">'</span><span class="s">s sampling decision but defaults to a specific ratio for new traces. This prevents broken traces in a multicloud flow. </span><span class="sh">"""</span> <span class="c1"># ParentBased ensures that if the AWS service sampled the trace, </span> <span class="c1"># the Azure service will also sample it. </span> <span class="k">return</span> <span class="nc">ParentBased</span><span class="p">(</span><span class="n">root</span><span class="o">=</span><span class="nc">TraceIdRatioBased</span><span class="p">(</span><span class="n">rate</span><span class="p">))</span> </code></pre> </div> <h3> Common Troubleshooting </h3> <p>A frequent obstacle in cross-cloud tracing is the "Context Gap," where an intermediary load balancer or proxy strips the <code>traceparent</code> header. If your traces appear as separate, disconnected segments in your backend, verify that your AWS Application Load Balancer or Azure Application Gateway is configured to preserve custom headers. In Azure Application Gateway, ensure that the rewrite rules do not accidentally remove non-standard headers.</p> <p>Another common issue involves clock drift between providers. If spans in Azure appear to start before the parent spans in AWS, the visualization will be distorted. While NTP (Network Time Protocol) synchronization is standard, significant drift can occur. In such cases, use the OpenTelemetry Collector's <code>attributes</code> processor to inject a <code>cloud.region</code> or <code>provider.timestamp</code> attribute, allowing for post-processing alignment in your observability backend.</p> <p>Finally, verify IAM and Managed Identity permissions. If the OTel Collector fails to export data, check for <code>Access Denied</code> errors in its internal logs. The AWS ECS task role requires permissions to write to X-Ray or CloudWatch if using those exporters, and the Azure Managed Identity must have the <code>Monitoring Metrics Publisher</code> role for Azure-specific backends.</p> <h3> Conclusion </h3> <p>Orchestrating observability across AWS and Azure is no longer a luxury but a requirement for modern cloud-native reliability. By deploying a federated OpenTelemetry Collector mesh and enforcing W3C Trace Context propagation, you eliminate the visibility gaps inherent in multicloud deployments. Implementing tail-based sampling further ensures that your observability remains cost-effective while focusing on the high-value traces necessary for debugging. As a next logical step, consider integrating OpenTelemetry Metrics and Logs into this same pipeline to achieve "Three Pillars" correlation, allowing you to pivot from a latent trace directly to the underlying container logs and resource metrics with a single click.</p> <h3> References </h3> <p>Majors, C., Fong-Jones, L., &amp; Stopford, B. (2022). <em>Observability engineering: Achieving predictability and reliability in complex systems</em>. O'Reilly Media.</p> <p>OpenTelemetry Authors. (2024). <em>W3C Trace Context specification</em>. World Wide Web Consortium. <a href="https://www.w3.org/TR/trace-context/" rel="noopener noreferrer">https://www.w3.org/TR/trace-context/</a></p> <p>Sridharan, M. (2018). <em>Distributed tracing in practice: Instrumenting, analyzing, and debugging microservices</em>. O'Reilly Media.</p> <p>Young, T. (2021). <em>Mastering distributed tracing: Analyzing the performance of complex distributed systems</em>. Packt Publishing.</p> azure aws terraform python Cláudio Filipe Lima Rapôso Wed, 13 May 2026 03:00:00 +0000 https://dev.to/sertaoseracloud/implementing-multicloud-data-sharding-with-hexagonal-storage-adapters-2ad https://dev.to/sertaoseracloud/implementing-multicloud-data-sharding-with-hexagonal-storage-adapters-2ad <p>Data residency requirements and regional compliance laws such as GDPR or LGPD often force architectures to fragment data across multiple cloud providers and geographic boundaries. When a centralized database becomes a legal or performance bottleneck, engineering teams frequently resort to manual data duplication or brittle synchronization scripts. This fragmentation leads to inconsistent state, increased latency for cross-border users, and a massive expansion of the security attack surface. The definitive solution to this complexity is a Multicloud Data Sharding layer orchestrated through Hexagonal Architecture. By decoupling the domain entity from the underlying storage mechanism, we allow the application to route queries to specific cloud-native databases based on tenant metadata. This approach ensures that a Brazilian housing cooperative's data remains within Azure's South Brazil region while a European counterpart resides in AWS Frankfurt, all while maintaining a single, unified codebase and strictly adhering to data sovereignty mandates.</p> <h3> Prerequisites </h3> <p>Building this sharding plane requires Terraform version 1.8.0 or higher to manage cross-cloud provider states effectively. You must have the AWS provider (version 5.45+) and AzureRM provider (version 3.95+) initialized. The application logic requires Python 3.12 using the <code>SQLAlchemy</code> 2.0 library for database abstraction and <code>pydantic</code> for strict data validation. Advanced knowledge of Domain-Driven Design (DDD) is essential to identify the correct sharding keys within your bounded contexts. You will also need active Service Principals for Azure and IAM Roles for AWS with permissions to manage RDS and Azure SQL instances.</p> <h3> Step-by-Step </h3> <h4> Defining Geographic Sharding Boundaries </h4> <p>The first step in a multicloud sharding strategy involves the physical provisioning of isolated database clusters that serve as regional shards. We use Terraform to define these resources, ensuring that each database is configured with provider-specific best practices such as AWS Aurora for high-performance clusters and Azure SQL Database for serverless flexibility. Architectural integrity is maintained by ensuring that no shard shares a common network or credentials. Each shard must be tagged with a unique identifier that corresponds to a geographic region or a regulatory jurisdiction. This physical isolation prevents "noisy neighbor" effects and ensures that a regional outage in one cloud provider does not cascade into a global failure. We utilize a standardized naming convention to facilitate dynamic discovery during the application runtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># database_shards/main.tf</span> <span class="k">variable</span> <span class="s2">"shard_configs"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">tier</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"shard_aws"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">shard_configs</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span> <span class="nx">if</span> <span class="nx">v</span><span class="p">.</span><span class="k">provider</span> <span class="p">==</span> <span class="s2">"aws"</span> <span class="p">}</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"db-shard-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2">"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">tier</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="s2">"tenant_data"</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">db_access</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ShardID</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">Regulatory</span> <span class="p">=</span> <span class="s2">"GDPR_Compliant"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"azurerm_mssql_database"</span> <span class="s2">"shard_azure"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">shard_configs</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span> <span class="nx">if</span> <span class="nx">v</span><span class="p">.</span><span class="k">provider</span> <span class="p">==</span> <span class="s2">"azure"</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"db-shard-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="k">}</span><span class="s2">"</span> <span class="nx">server_id</span> <span class="p">=</span> <span class="nx">azurerm_mssql_server</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">id</span> <span class="nx">collation</span> <span class="p">=</span> <span class="s2">"SQL_Latin1_General_CP1_CI_AS"</span> <span class="nx">max_size_gb</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">read_scale</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"S0"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ShardID</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">Regulatory</span> <span class="p">=</span> <span class="s2">"LGPD_Compliant"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This infrastructure provides the storage backbone for our distributed data. How does the application decide which cloud to query for a specific tenant without hardcoding environment-specific logic into the core domain?</p> <h4> Constructing Hexagonal Storage Adapters </h4> <p>We maintain architectural purity by implementing the Hexagonal Architecture pattern, where the domain logic interacts only with a storage port (an abstract interface). We define a <code>StoragePort</code> protocol in Python that specifies the required data operations, such as saving or retrieving a housing cooperative's records. We then develop specific adapters for AWS and Azure that implement this protocol using cloud-native drivers. The application uses a factory pattern to inject the correct adapter at runtime based on the tenant's regional metadata. This decoupling ensures that the core business logic remains agnostic of the underlying database engine or cloud provider. If a specific region requires a migration from AWS to Azure, only the adapter configuration changes while the core domain remains untouched, preserving the stability of the business rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># domain/ports.py </span><span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Protocol</span><span class="p">,</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span> <span class="kn">from</span> <span class="n">abc</span> <span class="kn">import</span> <span class="n">abstractmethod</span> <span class="k">class</span> <span class="nc">CooperativeRepositoryPort</span><span class="p">(</span><span class="n">Protocol</span><span class="p">):</span> <span class="nd">@abstractmethod</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">pass</span> <span class="nd">@abstractmethod</span> <span class="k">def</span> <span class="nf">get_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="k">pass</span> <span class="c1"># infrastructure/adapters.py </span><span class="kn">import</span> <span class="n">sqlalchemy</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">sessionmaker</span> <span class="k">class</span> <span class="nc">PostgresShardAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">connection_string</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">engine</span> <span class="o">=</span> <span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">create_engine</span><span class="p">(</span><span class="n">connection_string</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">Session</span> <span class="o">=</span> <span class="nf">sessionmaker</span><span class="p">(</span><span class="n">bind</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">engine</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="c1"># Operational logic for PostgreSQL in AWS </span> <span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">text</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO cooperatives (id, name, region) VALUES (:id, :name, :region)</span><span class="sh">"</span> <span class="p">),</span> <span class="n">data</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">class</span> <span class="nc">AzureSqlShardAdapter</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">connection_string</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">engine</span> <span class="o">=</span> <span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">create_engine</span><span class="p">(</span><span class="n">connection_string</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">Session</span> <span class="o">=</span> <span class="nf">sessionmaker</span><span class="p">(</span><span class="n">bind</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">engine</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="c1"># Operational logic for MS SQL in Azure </span> <span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">sqlalchemy</span><span class="p">.</span><span class="nf">text</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO cooperatives (id, name, region) VALUES (:id, :name, :region)</span><span class="sh">"</span> <span class="p">),</span> <span class="n">data</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="bp">True</span> </code></pre> </div> <p>The use of ports and adapters ensures that the domain logic is protected from infrastructure churn. If a shard becomes unavailable due to a provider-wide outage, how does the system maintain partial availability for other regions while attempting a recovery?</p> <h4> Implementing Resilient Shard Resolution </h4> <p>Resilience in a sharded multicloud environment depends on a robust shard resolution mechanism that utilizes a globally distributed metadata store. We implement a <code>ShardResolver</code> that queries a lightweight mapping table, often stored in a highly available global service such as AWS DynamoDB Global Tables or Azure Cosmos DB. This resolver identifies the target cloud, the specific region, and the connection credentials for a given cooperative ID. To ensure high performance, these mappings are cached in memory using a TTL-based strategy. When a request enters the system, the resolver determines the correct shard and provides the corresponding adapter to the domain service. This architecture supports partial failure; if the AWS Frankfurt shard is offline, only the European tenants are affected while Brazilian tenants on Azure continue to operate without degradation. This granular isolation is the primary benefit of the cellular sharding pattern.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># application/services.py </span><span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Optional</span> <span class="k">class</span> <span class="nc">ShardResolver</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">metadata_store</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]):</span> <span class="c1"># In production, this would be a DynamoDB or CosmosDB call </span> <span class="n">self</span><span class="p">.</span><span class="n">metadata_store</span> <span class="o">=</span> <span class="n">metadata_store</span> <span class="k">def</span> <span class="nf">resolve_adapter</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">CooperativeRepositoryPort</span><span class="p">]:</span> <span class="n">shard_info</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">metadata_store</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">cooperative_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">shard_info</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Logic to return PostgresShardAdapter or AzureSqlShardAdapter </span> <span class="c1"># based on shard_info['provider'] </span> <span class="k">if</span> <span class="n">shard_info</span><span class="p">[</span><span class="sh">'</span><span class="s">provider</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">aws</span><span class="sh">'</span><span class="p">:</span> <span class="k">return</span> <span class="nc">PostgresShardAdapter</span><span class="p">(</span><span class="n">shard_info</span><span class="p">[</span><span class="sh">'</span><span class="s">dsn</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="nc">AzureSqlShardAdapter</span><span class="p">(</span><span class="n">shard_info</span><span class="p">[</span><span class="sh">'</span><span class="s">dsn</span><span class="sh">'</span><span class="p">])</span> <span class="k">class</span> <span class="nc">CooperativeService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">resolver</span><span class="p">:</span> <span class="n">ShardResolver</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">resolver</span> <span class="o">=</span> <span class="n">resolver</span> <span class="k">def</span> <span class="nf">create_cooperative</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">cooperative_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]):</span> <span class="n">adapter</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">resolver</span><span class="p">.</span><span class="nf">resolve_adapter</span><span class="p">(</span><span class="n">cooperative_id</span><span class="p">)</span> <span class="k">if</span> <span class="n">adapter</span><span class="p">:</span> <span class="k">return</span> <span class="n">adapter</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">ConnectionError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">No shard found for ID </span><span class="si">{</span><span class="n">cooperative_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa5ov2zy9yh2zdzid4858.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa5ov2zy9yh2zdzid4858.png" alt="Diagram" width="426" height="554"></a></p> <p>This resolution logic ensures that traffic is always directed to the legally and geographically correct shard. How can we optimize the cross-shard reporting process when executives require a global view of data that is physically segregated across two different cloud providers?</p> <h3> Common Troubleshooting </h3> <p>A frequent issue in multicloud sharding is the exhaustion of connection pools in the application layer. Since each shard requires a distinct connection pool, an application pod connecting to fifty shards may consume an excessive amount of memory and file descriptors. To solve this, implement a dynamic pool recycler that closes idle connections to infrequently accessed shards or utilize a database proxy such as AWS RDS Proxy or Azure SQL Database Proxy to multiplex connections efficiently.</p> <p>Another critical failure point is the inconsistency between the global shard metadata and the actual state of the database shards. If a shard is migrated from AWS to Azure but the metadata store is not updated atomically, the application will experience "dead-end" routing errors. We mitigate this by using a two-phase commit or a saga pattern for shard migrations, ensuring that the metadata is updated only after the target database is fully synchronized and validated.</p> <p>Lastly, latency spikes can occur if the application is running in AWS but the metadata store is only in Azure. Always implement local caching of shard metadata within the application process and utilize a globally replicated database for the shard map to ensure the resolver always reads from the nearest regional endpoint.</p> <h3> Conclusion </h3> <p>Multicloud data sharding through Hexagonal Architecture provides a sophisticated framework for managing data sovereignty and architectural resilience. By isolating storage concerns into specific adapters and utilizing a global resolver, you ensure that your platform can scale across providers without sacrificing domain clarity or compliance. The next advanced step is to implement cross-shard distributed queries using a federated engine like Presto or Trino. This allows for analytical reporting across AWS and Azure shards without moving large volumes of sensitive data, providing a unified view of a geographically dispersed system.</p> <h3> References </h3> <p>Fowler, M. (2002). <em>Patterns of enterprise application architecture</em>. Addison-Wesley Professional.</p> <p>Kleppmann, M. (2017). <em>Designing data-intensive applications: The big ideas behind reliable, scalable, and maintainable systems</em>. O'Reilly Media.</p> <p>Microsoft. (2024). <em>Data sharding pattern</em>. Azure Architecture Center. <a href="https://learn.microsoft.com/en-us/azure/architecture/patterns/sharding" rel="noopener noreferrer">https://learn.microsoft.com/en-us/azure/architecture/patterns/sharding</a></p> <p>Post, G. (2023). <em>Global data residency: Architectural strategies for multicloud compliance</em>. Journal of Cloud Computing Research.</p> azure aws terraform python