Requirements & goals:- Measure availability/latency/error-rate of critical third-party calls (payment, auth).- Detect regressions before customers notice, provide graceful degradation, and account third-party impact in our SLOs/error budget.Instrumentation1. Synthetic probing (out-of-band):- Periodic scripted probes that exercise representative flows (auth token request, payment authorization) from multiple regions and networks at 1–5 min intervals.- Collect latency, HTTP status, response body correctness, and TLS/CA/redirect checks.- Tag probes by region, network, and time-of-day.2. In-band telemetry (real traffic):- Emit per-request telemetry from service: dependency_latency_ms, dependency_status_code, dependency_error_type, business_impact (e.g., payment_hold).- Use distributed tracing to correlate user transaction spans with dependency spans and capture sample traces for high-latency/error requests.- Aggregate into histograms (p50/p95/p99), error-rate counters, and SLIs.Example synthetic probe (simplified):python
import requests, time
start=time.time()
r=requests.post("https://payments.example/authorize", json=payload, timeout=3)
lat=(time.time()-start)*1000
emit_metric("payment_probe_latency_ms", lat, tags={"region":"us-east"})
emit_metric("payment_probe_status", r.status_code)
Detection & Alerts- Define SLIs for latency (p95), success rate (HTTP 2xx and semantic success), and functional correctness.- Alert on synthetic degradation (e.g., probe success rate < 99% for 5m) and on in-band user-impacting errors (increase in user-facing error rate or sustained p95 latency increase).- Use anomaly detection on traces and dependency error spikes.Resilience: Fallbacks & Circuit Breakers- Per-dependency circuit breaker with these states: CLOSED, OPEN, HALF-OPEN.- Tripping conditions: rolling-window error-rate threshold (e.g., >5% errors over 1m) or latency SLA breach.- Automatic backoff with exponential cool-down; allow a small rate of probes in HALF-OPEN to test recovery.- Granularity: circuit breakers per endpoint and per customer-tenant for noisy neighbors.- Fallback strategies ordered by business impact: 1. Local cached success (e.g., cached token / last-known-good settings) 2. Reduced-functionality path (e.g., queue payment for later capture with user-visible note) 3. User-visible error with clear remediation- Ensure fallbacks are safe (idempotent, reversible) and audited.Accounting third-party reliability in our SLOs & error budgets- Split SLOs into two components: - End-to-end SLO (user-visible success & latency) - Dependency attribution SLO (fraction of errors attributable to third-party)- Maintain an "external dependency budget": classify errors as internal vs external using telemetry/traces. Example: If end-to-end availability SLO = 99.95% monthly, allow a portion (e.g., 0.03%) to be attributed to third-party failures; the rest must be internal.- If third-party consumes > X% of our error budget, trigger vendor escalation: open support ticket, failover to backup provider, enable mitigation runbook.- Negotiate contractual SLAs and map vendor SLA windows to our SLO tolerances; do not blindly accept vendor SLA as our SLO.Operationalization & Runbooks- Automate remediation: circuit-breaker actions, automatic route to backup providers, and queuing.- Runbooks: steps for triage, vendor escalation, customer communications, rollback of new integrations.- Regularly review synthetic vs in-band divergence to detect monitoring gaps.- Post-incident: blameless postmortem, update SLO allocations, and add tests for uncovered failure modes.Trade-offs & notes- Synthetic probes catch availability but may miss real-user network paths—always pair with in-band telemetry.- Conservative fallbacks preserve safety but may reduce functionality; align fallbacks with product/PM for acceptable UX.- Over-attributing to vendor may hide internal issues—ensure strict, auditable attribution logic (trace IDs, error codes, upstream latency contributions).This design gives early detection through probes, precise attribution via tracing and metrics, automated protection via circuit breakers and fallbacks, and a governance model that accounts for third-party reliability in our SLOs and error budgets.