Sponsor: Do you build complex software systems? See how NServiceBus makes it easier to design, build, and manage software systems that use message queues to achieve loose coupling. Get started for free.

Welcome to the new week!

Let’s start with an invitation; on Wednesday 25th we’ll run the next webinar for our community.

This time, a special guest Mateusz Jendza, with the topic: Why Verified Credentials is the Future of Digital Identity!

Verifiable Credentials are an intriguing topic, something like Blockchain but without Blockchain (luckily!). They are an open standard for digital credentials. They can represent information found in physical credentials, such as a passport or license, and new things with no physical equivalent, such as bank account ownership. They can be used to verify our identity by trusted providers and do it securely as they're digitally signed, which makes them tamper-resistant and instantaneously verifiable.

Mateusz is a Principal Technical Architect at SoftwareOne. In the last few years, he has focused on helping companies use Identity Management solutions correctly (with a focus on Entra ID and Azure AD B2C). He’s also a member of our community, my friend and a go-to person for me on those topics.

Feel invited, become paid subscribers and join us live. Click here to see all the details.

I think I mentioned that already, but I dislike the split between "domain" and "integration" events. The split is highly misleading. All of them should be domain events and represent business facts.

I prefer to split them into internal and external (or, as Nick Tune, into private and public). That helps to understand that those events are just understandable in different contexts:
- Internal/Private in the inner module context,
- External/Public in the whole system context.

Understanding this split is essential in defining the event-driven API. Yes, API. Events should be treated as such.

I wrote longer on how to tackle this topic:

• Oskar Dudycz - Internal and external events, or how to design event-driven API

If you’re searching for other resources, check Marc Klefter talk:

• Marc Klefter - Powering Event-Driven APIs with Event Sourcing

He explained it in a calm, systematic way. The only asterisk I’d add is that I prefer Summary Event over Event-State Carried Transfer. But besides that, really good explanations of whys and hows.

Marc’s talk was recorded at the Axon Conference, and I saw that live as I joined as a guest. Typically, product conferences are mostly about selling stuff and overfocusing on the product details. This conference was different and had good talks showing the wider picture.

The best talk and the highlight for me were:

• Michael Schoenmaekers, Leon van Dooren - Empowering Security and Privacy. How Axon Framework and Axon Server helped Linckr to ISO Certification

I encourage you to watch it even if you’re not interested in Privacy, Event Sourcing or Axon. It’s an intriguing case study showing how to make proper buy vs build decisions (e.g. instead of writing their own case management tool, they just used an off-the-shelf product). Plus, it also nicely shows how research works like:

• Solid - A specification that lets people store their data securely in decentralized data stores called Pods

And incorporate them into the product. Plus, the talk was well delivered.

Some say Serverless is dead, but those reports are greatly exaggerated. Serverless is here to stay, and as with each technology, we get complaints when it’s getting mature. Wrong usage, mishaps and lessons learned are part of the adoption curve. The trick is whether we learn from them or will blindly repeat past mistakes.

The best way to learn is to see successful attempts and analyse them. So let’s bring them in!

• Hashnode - Hashnode's Overall Architecture. How Hashnode runs on a scale (almost) completely serverless

• Yan Cui - How I built an affiliate tracking system in a weekend with serverless

Serverless is a great approach if we need to evaluate the idea quickly, aren’t sure about the expected usage characteristics or can charge clients per usage.

Also, we should remember that we don’t have to choose the architecture style for a lifetime. We can pivot when our initial environment changes (e.g. we learned more about the actual usage and can drive other decisions from it).

Speaking on learning the right usage and busting the wrong explanation. That’s precisely what I did on the webinar last week explaining the details of modelling in Event Sourcing.

• Oskar Dudycz - Keep your streams short! Or how to model event-sourced systems efficiently

I redid my DDDEU talk, explaining again why adding temporal aspects to your event model will improve it (e.g. using Accounting Month instead of Account as your domain model). Even if you saw this talk already, I encourage you to check the recording, as in the end, we had a longer Q&A part.

All of the biggest cloud providers faced the biggest DDoS attack so far. It was based on the zero-day vulnerability in the HTTP/2 protocol, termed the “HTTP/2 Rapid Reset”. This exploit leverages a feature in HTTP/2 where attackers continuously send and then promptly cancel requests, causing servers to become overwhelmed and resulting in a denial of service.

This exploit targets the HTTP/2’s stream cancellation function, emphasizing the importance of understanding and securing web infrastructure. In light of these revelations, companies like Cloudflare, Google, AWS, and Microsoft wrote summaries of how they dealt with it. Read more in:

• AWS - How AWS protects customers from DDoS events

• Cloudflare - HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks

• Google - Google mitigated the largest DDoS attack to date, peaking above 398 million rps

• Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

All of them are intriguing and in-depth case studies. It’s also interesting that all companies openly wrote about it simultaneously. I complained a few times about companies delaying the threat report, but here, all looks fair.

Sharding and partitioning are one of the most foundational tools for scaling systems. Some techniques can be applied on the application level by properly grouping logically your features, yet some have to be provided by your tooling, for instance, databases. Check the latest episode of .NET Rocks, Oren Eini goes deep into explaining the challenges and potential solutions:

• .NET Rocks - Data Sharding with Oren Eini

If you’re curious how and why it can become complex in a cloud environment, it’s definitely a must-listen.

Check also other links!
Oskar

p.s. I invite you to join the paid version of Architecture Weekly. It already contains the exclusive Discord channel for subscribers (and my GitHub sponsors), monthly webinars, etc. It is a vibrant space for knowledge sharing. Don’t wait to be a part of it!

p.s.2. Ukraine is still under brutal Russian invasion. A lot of Ukrainian people are hurt, without shelter and need help. You can help in various ways, for instance, directly helping refugees, spreading awareness, and putting pressure on your local government or companies. You can also support Ukraine by donating, e.g. to the Ukraine humanitarian organisation, Ambulances for Ukraine or Red Cross.

Architecture

• Oskar Dudycz - Internal and external events, or how to design event-driven API

• Oskar Dudycz - Keep your streams short! Or how to model event-sourced systems efficiently

• AWS - How AWS protects customers from DDoS events

• Cloudflare - HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks

• Google - Google mitigated the largest DDoS attack to date, peaking above 398 million rps

• Michael Schoenmaekers, Leon van Dooren - Empowering Security and Privacy. How Axon Framework and Axon Server helped Linckr to ISO Certification

• Hashnode - Hashnode's Overall Architecture. How Hashnode runs on a scale (almost) completely serverless

• Yan Cui - How I built an affiliate tracking system in a weekend with serverless

• Marc Klefter - Powering Event-Driven APIs with Event Sourcing

• Jim Fisher - Redis Pub/Sub under the hood

• Bilgin Ibryam - The Commoditization of the Software Stack: How Application-First Cloud Services are Changing the Game

• Derek Comartin - How to seed a new Microservice with data?

• Bart Wullems - Gall’s law and how it applies to software architecture

DevOps

• Malin Litwinski - Empathy: The Secret sauce of Resilience

Databases

• Timescale - How We Made PostgreSQL a Better Vector Database

• Timescale - Vector Cookbook. A collection of recipes to build applications with LLMs using PostgreSQL and Timescale Vector.

• .NET Rocks - Data Sharding with Oren Eini

API

• HTTPie Desktop — cross-platform API testing client for humans. Painlessly test REST, GraphQL, and HTTP APIs.

AWS

• AWS - GraphQL Gateway Based Federation with AWS AppSync and GraphQL Fusion

JVM

• Luiz Hespanha, Flavio Brasil - A JVM threading model for the containerized times

.NET

• Jamie Maguire - Handling Database Migrations in Mature Applications with Fluent Migrator

• Tim Deschryver - Wolverine is for the developers

• Anthony Simmon - Preventing breaking changes in .NET class libraries

• Jim Aho - .NET Developer on MacOS

Coding Life

• Taylor Poindexter, Scott Hanselman - How to Build a Meaningful Career

Management

• Gregor Ojstersek - How I measure developer productivity

Industry

• TechCrunch - Atlassian to acquire former unicorn Loom for $975M

• Harvard Business Review - When Blind Hiring Advances DEI — and When It Doesn’t

• The Register - Largest local government body in Europe goes under amid Oracle disaster

• The Register - Excel recruitment time bomb makes top trainee doctors 'unappointable'

Security

• Solid - A specification that lets people store their data securely in decentralized data stores called Pods

• Auth0 - In Celebration of Vittorio Bertocci