I pulled this chapter together from dozens of sources that were at times somewhat contradictory. Facts on the ground change over time and depend on who is telling the story and what audience they're addressing. I tried to create as coherent a narrative as I could. If there are any errors I'd be more than happy to fix them. Keep in mind this article is not a technical deep dive. It's a big picture type article. For example, I don't mention the word microservice even once :-)
Given our discussion in the What is Cloud Computing? chapter, you might expect Netflix to serve video using AWS. Press play in a Netflix application and video stored in S3 would be streamed from S3, over the internet, directly to your device.
Another relevant factoid is Netflix is subscription based. Members pay Netflix monthly and can cancel at any time. When you press play to chill on Netflix, it had better work. Unhappy members unsubscribe.
The client is the user interface on any device used to browse and play Netflix videos. It could be an app on your iPhone, a website on your desktop computer, or even an app on your Smart TV. Netflix controls each and every client for each and every device.
Everything that happens before you hit play happens in the backend, which runs in AWS. That includes things like preparing all new incoming video and handling requests from all apps, websites, TVs, and other devices.
In 2007 Netflix introduced their streaming video-on-demand service that allowed subscribers to stream television series and films via the Netflix website on personal computers, or the Netflix software on a variety of supported platforms, including smartphones and tablets, digital media players, video game consoles, and smart TVs.
Netflix succeeded. Netflix certainly executed well, but they were late to the game, and that helped them. By 2007 the internet was fast enough and cheap enough to support streaming video services. That was never the case before. The addition of fast, low-cost mobile bandwidth and the introduction of powerful mobile devices like smartphones and tablets have made it easier and cheaper for anyone to stream video at any time from anywhere. Timing is everything.
Building out a datacenter is a lot of work. Ordering equipment takes a long time. Installing and getting all the equipment working takes a long time. And as soon as they got everything working they would run out of capacity, and the whole process had to start over again.
The long lead times for equipment forced Netflix to adopt what is known as a vertical scaling strategy. Netflix made big programs that ran on big computers. This approach is called building a monolith. One program did everything.
What Netflix was good at was delivering video to their members. Netflix would rather concentrate on getting better at delivering video than on getting better at building datacenters. Building datacenters was not a competitive advantage for Netflix; delivering video is.
It took more than eight years for Netflix to complete the process of moving from their own datacenters to AWS. During that period Netflix grew its number of streaming customers eightfold. Netflix now runs on several hundred thousand EC2 instances.
The advantage of having three regions is that any one region can fail, and the other regions will step in and handle all the members in the failed region. When a region fails, Netflix calls this evacuating a region.
The header image is meant to intrigue you, to draw you into selecting a video. The idea is the more compelling the header image, the more likely you are to watch a video. And the more videos you watch, the less likely you are to unsubscribe from Netflix.
The first thing Netflix does is spend a lot of time validating the video. It looks for digital artifacts, color changes, or missing frames that may have been caused by previous transcoding attempts or data transmission problems.
A pipeline is simply a series of steps data is put through to make it ready for use, much like an assembly line in a factory. More than 70 different pieces of software have a hand in creating every video.
The idea behind a CDN is simple: put video as close as possible to users by spreading computers throughout the world. When a user wants to watch a video, find the nearest computer with the video on it and stream to the device from there.
In 2007, when Netflix debuted its new streaming service, it had 36 million members in 50 countries, watching more than a billion hours of video each month, streaming multiple terabits of content per second.
At the same time, Netflix was also devoting a lot of effort into all the AWS services we talked about earlier. Netflix calls the services in AWS its control plane. Control plane is a telecommunications term identifying the part of the system that controls everything else. In your body, your brain is the control plane; it controls everything else.
In 2011, Netflix realized at its scale it needed a dedicated CDN solution to maximize network efficiency. Video distribution is a core competency for Netflix and could be a huge competitive advantage.
The number of OCAs on a site depends on how reliable Netflix wants the site to be, the amount of Netflix traffic (bandwidth) that is delivered from that site, and the percentage of traffic a site allows to be streamed.
Within a location, a popular video like House of Cards is copied to many different OCAs. The more popular a video, the more servers it will be copied to. Why? If there was only one copy of a very popular video, streaming the video to members would overwhelm the server. As they say, many hands make light work.
Right now, up to 100% of Netflix content is being served from within ISP networks. This reduces costs by relieving internet congestion for ISPs. At the same time, Netflix members get a high-quality viewing experience. And network performance improves for everyone.
What may not be immediately obvious is that the OCAs are independent of each other. OCAs act as self-sufficient video-serving archipelagos. Members streaming from one OCA are not affected when other OCAs fail.
I recently ran into problems running an Apple TV with Netflix at my work. After some digging around our SonicWall firewall with one of their support techs, we found the service being blocked by the certificate Netflix was passing. Apparently the certificate wasn't passing the "Detect Certificate signed by an Untrusted CA", so they're using self-signed or their certificate has the wrong name or whatever.
Has anyone seen Netflix signing their own certs? Seems odd that a public company would do that? The tech said the cert was missing the common name on it, so maybe it's just misconfigured. Would be interesting to hear your thoughts. I turned off the check and it's working fine, but I've never had a problem with a big company with non-compliant certs. Interestingly, the problem doesn't arise on browsers running Netflix in our office.
Well, I reconstructed the certificates that were sent back and forth and they're not self-signed... But is there anything wrong with them? So my new question would be: how do you check if a certificate is good or bad?
Which basically says that from openssl's perspective (and assuming you have the 'typical' set of CA certificates, i.e. those pulled in by your OS's version of ca-certificates-mozilla), the Netflix cert is valid.
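The firewall rule named above ("Detect Certificate signed by an Untrusted CA") and the question of how to tell a good certificate from a bad one come down to two checks a validating client performs: does the chain end at a CA in the trust store, and does the host name the client connected to appear in the certificate's Subject Alternative Name (SAN) extension. The Go program below is an added example, not code from this thread, from Netflix or from SonicWall. It builds a throwaway test CA and three constructed certificates in memory, then classifies each the way a validating client would; the host name www.example.test, the helper names and the verdict strings are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key in memory; nothing is written to disk.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a minimal certificate template (constructed for this example)
// with the given Common Name and SAN DNS names.
func template(cn string, sans []string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// sign issues tmpl for pub, signed by parent/parentKey.
// Pass tmpl itself as parent (and pub's own key) to produce a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Verdict runs chain validation against roots plus a host-name check and maps the
// outcome to the two failure classes the thread is asking about.
func Verdict(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &unknownCA):
		return "untrusted CA" // chain does not end at a root we trust
	case errors.As(err, &badName):
		return "name mismatch" // host name absent from the SAN list
	default:
		return "invalid: " + err.Error()
	}
}

// Scenarios builds three constructed certificates and returns the verdict for each.
func Scenarios() map[string]string {
	caKey := newKey()
	caTmpl := template("Example Test CA", nil, true)
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root for this example
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	host := "www.example.test" // assumed host name, not a real service
	res := map[string]string{}

	// 1. Issued by the trusted CA, SAN matches the host: what a healthy TLS server presents.
	k1 := newKey()
	good := sign(template(host, []string{host}, false), ca, &k1.PublicKey, caKey)
	res["trusted CA, SAN matches"] = Verdict(good, roots, host)

	// 2. Self-signed leaf: the name is right but no trusted root vouches for it.
	k2 := newKey()
	t2 := template(host, []string{host}, false)
	selfSigned := sign(t2, t2, &k2.PublicKey, k2)
	res["self-signed"] = Verdict(selfSigned, roots, host)

	// 3. Issued by the trusted CA but with a Common Name only and no SAN.
	k3 := newKey()
	noSAN := sign(template(host, nil, false), ca, &k3.PublicKey, caKey)
	res["trusted CA, no SAN"] = Verdict(noSAN, roots, host)

	return res
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-26s -> %s\n", name, verdict)
	}
}
```

The third case is the one to keep in mind when a vendor's diagnosis is "the cert is missing the common name": modern validators ignore the Common Name for host matching (Go has done so since 1.15; browsers dropped it earlier) and look only at the SAN list, so the thing to confirm on a captured certificate is the Subject Alternative Name extension, for instance with openssl x509 -noout -text, rather than the CN.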
I registered a virtual private server with a dedicated public IP and set up my own private VPN on it. Out of curiosity, I tried to access Netflix over it and I got the famous "You seem to be using an unblocker or proxy" screen.
I have always thought that Netflix simply maintains a blacklist of public VPN providers. But in this case I'm using my own private IP. How is it possible that Netflix is able to detect my VPN? Isn't it kind of the point of a VPN that it should not be detectable?
Note that the server is set up in a country where Netflix is actually very limited. Therefore it seems unlikely that anybody would run a public VPN to provide access to Netflix here and have gotten all IPs owned by this provider blacklisted as a result.
Until now, I was under the impression that Netflix blocks IP addresses based on the suspicious traffic going through those IPs. In the case of this particular VPS provider, I find it very unlikely. I seriously doubt that anybody has built a public VPN which was heavily used to access Netflix because the provider is located in a country where Netflix gets only around 10% of the US content. It would make no sense at all to tunnel to this country to watch Netflix.
My guess would be that Netflix uses some kind of smart algorithm to distinguish between IPs belonging to ISPs (those are good) and to VPS providers (those are bad as they are likely to be used for VPNs). My IP is registered to a company whose name actually contains the word "hosting" which means that the algorithm didn't have to be really smart in this case.
So to answer my original question, I'd say that even though nothing suggests that it is actually possible to detect a VPN, the source IP address can reveal enough information about itself to make it clear that this is no John Doe browsing from his home computer.
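The conclusion above is that the source address itself gives the game away: it sits in a range registered to a hosting company rather than to a consumer ISP, so no traffic analysis is needed. Below is an added example, not code from this thread or from Netflix, of the simplest form such a classifier can take: a longest-prefix match of the client address against a table of address allocations, followed by a keyword heuristic over the registrant name. The table uses RFC 5737 documentation ranges with made-up organisation names, so it is constructed data; the keyword list and the "isp"/"hosting"/"unknown" labels are this example's assumptions, not anything Netflix has published.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Allocation is one row of an IP-to-registrant table, the kind of data RIR
// delegation files or WHOIS would provide. These rows are constructed for the example.
type Allocation struct {
	Prefix netip.Prefix
	Org    string
}

// Sample is a constructed allocation table using documentation-only address ranges.
var Sample = []Allocation{
	{netip.MustParsePrefix("192.0.2.0/24"), "Example Cable Co (residential broadband)"},
	{netip.MustParsePrefix("198.51.100.0/24"), "Example Hosting GmbH"},
	{netip.MustParsePrefix("198.51.100.128/25"), "Example Cloud VPS"}, // more specific sub-allocation
	{netip.MustParsePrefix("203.0.113.0/24"), "Example Telecom Mobile"},
}

// hostingKeywords is an assumed list of registrant-name fragments that suggest
// a data-centre allocation rather than an access network.
var hostingKeywords = []string{"hosting", "vps", "cloud", "datacenter", "data center", "colo", "server"}

// lookup returns the most specific (longest-prefix) allocation containing ip,
// or nil when the table has no covering prefix.
func lookup(ip netip.Addr, table []Allocation) *Allocation {
	var best *Allocation
	for i := range table {
		a := &table[i]
		if a.Prefix.Contains(ip) && (best == nil || a.Prefix.Bits() > best.Prefix.Bits()) {
			best = a
		}
	}
	return best
}

// Classify labels an address "isp", "hosting" or "unknown" from its registrant name.
func Classify(addr string, table []Allocation) string {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return "unknown"
	}
	a := lookup(ip, table)
	if a == nil {
		return "unknown"
	}
	org := strings.ToLower(a.Org)
	for _, kw := range hostingKeywords {
		if strings.Contains(org, kw) {
			return "hosting"
		}
	}
	return "isp"
}

func main() {
	for _, addr := range []string{"192.0.2.10", "198.51.100.5", "198.51.100.200", "203.0.113.7", "10.0.0.1"} {
		fmt.Printf("%-15s %s\n", addr, Classify(addr, Sample))
	}
}
```

A name heuristic like this is cheap and explains the behaviour described in the question, but it is coarse: corporate egress addresses, university networks and carrier-grade NAT pools can all be mislabelled, and a registrant name is trivially uninformative for the many providers whose names carry no such keyword. Production systems layer ASN type data, abuse history and behavioural signals on top of it.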
The way they are blocking in particular seems to be done through blocking routes coming from data centers that may be hosting VPNs (not likely to be legitimate traffic at all), and even going as far as working with ISPs who actually have stuff like this to provide to homes and businesses, guaranteeing their routing is going to be quite strict (check the deployment guide, which goes somewhat into this: ).
The proposed solution I've heard so far to this is to use a VPN method which works 'peer-to-peer', essentially something like a ghetto version of Tor without the onion routing aspect of it. Think kind of like Hola, which was that crazy one which faced a lot of controversy years ago because it had nasty security vulnerabilities (and which may be a deciding factor in you not using this particular circumvention). There are some solutions here which may work for you: