The Night We Split the Brain: A Telling of Control & Data Planes for Cloud Microservices
Split control and data planes with versioned snapshots and four contracts — routing, policy, limits, release — for safer rollouts and reliably boring systems.
Join the DZone community and get the full member experience.
Join For FreeYou know those pages you receive in the middle of the night? Not a full-blown fire, mind you, but rather a slow-burning panic? Let me tell you one of those stories that changed the way my team built software forever. It was 2 a.m., and the graphs looked bad. Not dead, mind you, but sick. Our microservices were still talking, but P95 latencies were rising high in the sky, like a lazy balloon. And retries were starting to cascade. The whole system felt like it was in a swamp.
So what was the problem? A “safe” configuration change to our API gateway, a new rate limit, and slight change of routing. It turned out that this change and a previous deploy of an unrelated service that occurred at least an hour earlier had collided in some silent serpentine handshake. The result was a slow, luscious, and irresistible drain on performance.
“Just roll back the service,” someone in the war room said. It was then we hit the wall. "But what service is that?” we asked. We were stuck. The logic that controlled how the traffic flowed was baked into the same code that handled the traffic! To fix this problem, new code had to be deployed. We were playing roulette with our customer’s experience, once again.
That night we drew a simple line upon a white board. On one side we wrote “Control Plane.” On the other side, we wrote, “Data Plane.” This had nothing to do with AI or some sort of complicated magic, but a timeless principle separation of concerns to regain our sanity. Let me walk you through the how and why of it, along with why it may be the most important principle you adopt.
What Would You Say are the Control and Data Planes?
If you have ever felt that pit in your stomach when you are about to make a configuration change in production, this is for you. Let’s boil down this seemingly complicated concept to a super easy analogy.
Imagine you have a jet airplane. The pilot is in the cockpit at a control panel. This is the Control Plane. This is where the pilot (human) determines the destination, altitude, and speed. They flip switches and set parameters.
The flight computer and engines? That is the Data Plane. This system takes the pilot’s inputs and effectuates them with lightning speed and accuracy, and deals with the complexities of flight physics in real time.
Now apply that to software.
-
The Control Plane is where the humans make decisions. It’s the cockpit for your engineers. This is where you set routing rules, rate limits, feature flags, and deployment policies. This is the "what" and the "why."
-
The Data Plane is where the computers take actions. It’s the flight computer for your services. This is where user requests are handled this is where authentication, routing, retries, and rate limits are applied and happen at millisecond speeds. It’s the "how."
The moment we decoupled these two concepts, our world was suddenly a lot simpler.
Why Break Them Up? The Midnight Miracle
So, why bother? Because that night we were the victims of a situation that was all gnarled up. By splitting the planes up, we discovered super-powers which we didn’t know we were missing:
1. Faster, Safer Rollouts: Imagine that we can shift traffic from one blue deployment to another green deployment, not by a frantic code deploy, but by the simple sliding of a percent in a control panel. Instant canaries, shadow traffic, rollbacks, etc. We could have it all.
2. Blast-radius reduction: Changing a policy or config was no longer necessary in the hot code path that was handling millions of requests. We could change the "rules of the game," without stopping the game.
3. Predictable performance: By enforcing limits and quotas in the data-plane, we could for the first time protect ourselves from the "noisy neighbors" of rollback, while finding predictable, controllable costs.
4. Tractable incident response: This is the biggie. Instead of "which service do we roll back?" the question became "which lever in the control plane do we pull?" Flicking a kill switch or going back to a previous snapshot is infinitely faster and safer than a full-blown deploy.
The "mystery config," which was so grey and uncertain as to what was running in production vanished. "What's in prod?" was a simple log field: `snapshot_version: 42`.
The Four Tiny Contracts That Tamed the Chaos
We did not build a large complex system in one night. We started by defining four simple contracts between our control and data planes. These are not simply documents. These are the APIs that will be religiously enforced by the data plane.
1. The Routing Contract: How do we get there?
-
Inputs: A route name — example orders.v1, tenantid, region.
-
Outputs: An ordered list of backends with weights, health check policies and failover solutions.
This is how we do canary releases and failover.
2. The Policy Contract: Who is allowed to do this?
-
Inputs: The IP of the request, headers, and security claims (like jwt scopes).
-
Outputs: A simple yes or no. This centralizes authentication and authorization logic.
3. The Limits Contract: How much is too much?
-
Inputs: A route and a tenant.
-
Outputs: Enforced rate limits (RPS), concurrency limits, timeouts, and retry budgets. This is what keeps us from getting stuck in retry storms and keeps us safe from traffic spikes.
4. The Release Contract: How do we safely release the system?
-
Inputs: The status of the current release.
-
Outputs: Feature flag status, canary percentages, freeze windows, and kill switches. This is our rollout and emergency brake system.
A Glimpse of What a Snapshot Looks Like
The control plane decisions are sent to the data plane in the form of versioned, immutable “snapshots.” Here’s a simplistic shape that is a good starting concept.
It’s simply JSON but it is the single source of truth of your runtime configuration.
{
"version": 42,
"signed": "base64-signature-for-trust",
"routes": {
"orders.v1": {
"backends": [
{"url":"https://orders-blue.internal", "weight": 90},
{"url":"https://orders-green.internal", "weight": 10}
],
"timeoutMs": 800,
"retries": {
"maxFourAttempts": 2,
"perTryTimeoutMs": 300,
"jitterMs": 50
},
"circuit": {
"failureRatePct": 30,
"openSecs": 60
},
"limits": {
"globalRps": 2000,
"perTenant": {
"free": 50,
"pro": 500,
"enterprise": 5000
}
},
"access": {
"allowCidrs": ["10.0.0.0/8"],
"requireScopes": ["orders:read"]
},
"release": {
"canaryPct": 10,
"freeze": false,
"killSwitch": false
}
}
}
}
}Pretty cool, huh? In one place you can see that 10% of traffic for the orders.v1 route is going to the green deployment; it has a strict 2-retry policy and it has a ceiling of 2,000 global requests per second. It’s this clarity that is transformational.
How the Data Plane Complies: A Node.js Skit
How does the data plane avail itself of this? It is simpler than you think. The data plane is required to be drab and quick. It enforces, it does not improvise. Here is an immensely simplified sketch in Node.js to ground the concept.
// gateway.js -- an easier data plane
const http = require('http');
const fetch = require('node-fetch');
// The single source of truth for the data plane, loaded through the control plane
let SNAPSHOT = {
version: 0,
routes: {}
};
// Periodically request the latest snapshot from the control plane
async function refresh() {
try {
const res = await fetch(process.env.CONTROL_PLANE_URL + '/v1/snapshot');
const snapshot = await res.json();
// TODO: Verify signature here for security!
// If the new snapshot's version is higher than the current, we must update
if (snapshot.version > SNAPSHOT.version) {
SNAPSHOT = snapshot;
console.log(`Updated to snapshot version ${snapshot.version}`)
}
} catch (err) {
console.error('Snapshot had a problem refreshing!', err);
}
}
// Refresh every 1.5 seconds
setInterval(refreshSnapshot, 1500);
// The proxying logic
async function handleReq(req, res) {
// 1. Obtain the queries from the snapshot
const route = SNAPSHOT.routes['orders.v1'];
if (!route) {
return res.writeHead(503).end('Route in snapshot not found');
}
// 2.Check Access Auth
if (!requestAllowed(req, route.access)) {
return res.writeHead(403).end('Forbidden');
}
// 3. Check Rate Limits
if (!checkRateLimit(route)) {
return res.writeHead(429).end('Rate limited');
}
// 4. Run the request with retries, timouts and circuit breaking
let tries = 0
const start = Date.now();
while (tries <= routeConfig.retries.maxTries) {
tries++;
const backendUrl = getBackend(routeConfig); // We use weights here
try {
// Impose the per try timeout
const controller = new AbortController();
const timeoutId = setTimeout(() => {
controller.abort()
}, routeConfig.retries.perTryTimeoutMs);
const backendResponse = await fetch(backendUrl, {
signal: controller.signal,
headers: req.headers
});
clearTimeout(timeoutId);
// We have succeded so we pipe the result back to res
if (backendResponse.ok) {
res.writeHead(backendResponse.status, backendResponse.headers);
return backendResponse.body.pipe(res);
}
// We are not OK so we check if we should trip the circuit breaker
registerFailureForCircuitBreaker(routeConfig);
} catch (e) {
// network failures timeouts etc
registerFailureForCircuitBreaker(routeConfig);
}
// Wait with jitter before retry
await sleep(routeConfig.retries.jitterMs);
// Check if we have exceeded the total route timeout
if ((Date.now() - timeStarted) > routeConfig.timeoutMs) break;
}
// If all attempts failed, we send a 502
res.writeHead(502).end('Upstream error');
// Create the server
http.createServer(handleRequest).listen(8080);
}The Result: Incidents That Didn’t Happen
A week later, one of our backend external dependencies started to throttle. This would have caused a retry storm, queue buildup, and full-blown incident in the old world. What happened in the new world?
The circuit breaker in the data plane detected the high failure rate and “opened.” The retries stopped immediately. The canary system detected the latency increase and automatically drained the traffic from the failing backend service. This was mildly annoying but self-healing. The most beautiful part? No pager went off. The team did not even know that it happened until the logs were reviewed the next day. This is the power of giving your system different brains and brawn.
Your “Start Today” List
This should not need to be massively painful rewrite. You can start small.
-
Identify One Thing: Find one thing to externalize-feature flags or a simple rate limit for instance. Make a simple control API for it.
-
Version Your Config: Start publishing versioned immutable configuration snapshots.
-
Enforce in One Place: Take a single service (say your gateway) and have it read from the snapshot.
-
Log the Version: Make sure that every request logs the snapshot_version so you know what is running.
-
Define a Kill Switch: Build a control plane lever that can instantly switch off a non specified critical feature or route.
Frequently Asked Questions (FAQ)
Q1: Isn't this overkill for a small team or a simple application?
A: It absolutely can be. If you have but a handful of services and your configuration changes seldom then the complexity may be not worth it. But the moment you have to start with the fear of config change, or find yourself spending time on the problem, what is really running, then you have tremendous ROI from this separation. Start simple.
Q2: How is this different from a service mesh such as Istio or Linkerd?
A: A service mesh is a brilliant off the shelf implementation of this precise pattern! The control plane of the mesh (Istio for example) looks after the configuration and the sidecar proxies (Envoy) provide the data plane. This we have essentially built a lightweight application version of the same concept. It is quite often the case that using a service mesh is the best way to obtain this separation effect.
Q3: Doesn't the control plane become a single point of failure?
A: A good question. The data plane should be fault-tolerant by design. It caches the last good known snapshot and is capable of working for a long time even if it loses its connection to the control plane. The API of the control plane should be highly available. However, the core of the request handling of the system is capable of surviving its temporary loss.
Q4: We use Kubernetes. Isn’t that precisely what ConfigMaps and Secrets are for?
A: Yes, ConfigMaps and Secrets are a *sort* of control plane, but they are generally a little too primitive. They lack contracts, versioning, signing, and traffic management levers (such as canaries and circuit breakers). They are a good tack in the right direction, but in the cases of complex routing and policy, you will often need an additional sophisticated system sitting above them.
The Final Word: From Roulette to Levers
People sometimes wonder if separating the control and data plane is just overengineering. My answer is always the same: It is right up until that next page at 2 a.m. that is not about a fire, but about a slow and mysterious drainage that no one can nail down.
We didn’t add more ceremony or complexity that night. We added levers. We added clarity. We gave our system a separate mind to make decisions and a large body to execute them. Now, when things get a little shaky, we don’t throw the dice. We throw a snapshot. And our systems remain gloriously and productively boring. And that is exactly how we want it.
Opinions expressed by DZone contributors are their own.
Comments