2023 Refresh overview
Our 2023 Refresh provides significant security, performance and reliability improvements as well as a number of new features.
This article discusses the new architecture and compares features in the 2023 Refresh with prior versions.
See 2023 Refresh Migration for more information about migrating to the 2023 Refresh.
Architecture
All resources have moved away from multi-tenancy to single tenant storage and compute resources, providing an exceptionally high level of isolation between tenants.
Dedicated resources
A Flowgear tenant is a deployment consisting of a set of backing stores and compute resources. With respect to the backing stores, a dedicated Azure Storage resource is provisioned as well as a dedicated Azure KeyVault resource.
Additionally, for customers opting in, Workflows can be stored in a Github repository (typically owned by the customer).
When configured to run in-cloud, workload executes on a dedicated Azure VM Scale Set (VMSS). A VMSS provides a far higher degree of isolation than containers alone and makes use of a scale-out strategy to achieve high availability.
On-Premise runtime
Under certain subscriptions, an installable runtime is available for deployment into the customers' on-premise environment or external data center.
This deployment model is used by customers in regulated industries where data must not be egressed from a specific geo or data center.
The on-premise runtime still makes use of the same Azure backing resources but employs extensive caching to enable the on-premise runtime to continue to service workload even in the absence of an Internet connection.
Runtime compatibility & new runtime
The component within Flowgear that is responsible for executing Workflows is referred to as the runtime. The V1 runtime present in prior versions has been ported into the new 2023 Refresh in order to preserve compatibility. This enables us to migrate all existing customers to the 2023 Refresh with little to no solution refactoring.
Additionally, a new V2 runtime is being built. This runtime supports streaming of data, thereby removing limits on the number of records processed in a batch and on the maximum size of large blobs. The V2 runtime also compiles Workflows to assemblies for faster load time and execution.
Networking and load balancing
Each tenant is placed into a dedicated VNet that is peered with an Application Gateway. On certain subscriptions, customers have the option of customizing the Web App Firewall (WAF) that filters incoming requests, allocating a dedicated IP address and fully custom domain names for HTTP invokes.
Key/Value & Reduce storage
New Key/Value and Reduce Nodes have been built. These are backed by Azure Storage instead of Microsoft SQL Server. This approach has not only increased performance but also stabilized transaction times under load.
Key/Value and Reduce data are now scoped to the environment the Workflow runs on.
Features
Note: Some features result in behavior changes that are documented in 2023 Refresh behavior changes.
Release management & version control
Our Release Management feature provides a control mechanism for promoting workflows across different Environments (for example Dev/Test to Staging to Production).
In the 2023 Refresh, we have taken this a step further and have enabled customers to use Github as a backing store for the Workflow definitions. Under this scenario, customers can continue to use the UI features built into the Console in order to promote Workflows or can opt to use version control features such as Pull Requests directly.
Authentication
Tenants can be configured to authenticate users via a Microsoft or Google ID using Open ID Connect.
When configured for Microsoft (Azure Entra), customers can optionally scope permitted users to a specific Entra Tenant ID.
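The tenant-scoping rule above is enforced on the ID token a user presents. The following is an added illustration, not Flowgear's own code, of the claims policy behind such a restriction: it assumes the token's signature has already been verified against the provider's JWKS, and all tenant IDs, client IDs and claim values are constructed.

```python
# Added example (not Flowgear's own code): enforcing a "permitted Entra tenant"
# rule on an OpenID Connect ID token. Assumes the token's signature and
# signing key (kid) have already been verified against the provider's JWKS;
# only the claims policy is shown here. IDs and claims below are constructed.
import time
from typing import Optional

ALLOWED_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed
CLIENT_ID = "22222222-2222-2222-2222-222222222222"          # constructed


class TenantRestrictionError(Exception):
    """The (already signature-verified) ID token fails the tenant policy."""


def check_entra_tenant(claims: dict, allowed_tenant_id: str = ALLOWED_TENANT_ID,
                       client_id: str = CLIENT_ID, now: Optional[float] = None) -> str:
    """Return a stable user id if the token was issued by the permitted tenant.

    The tid claim alone is not enough: the issuer must also name that tenant,
    because v2.0 Entra tokens carry the tenant in the iss URL, and the audience
    must be this application so a token minted for another app is rejected.
    """
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        raise TenantRestrictionError("audience is not this application")
    tid = claims.get("tid")
    if tid != allowed_tenant_id:
        raise TenantRestrictionError(f"tenant {tid!r} is not permitted")
    expected_iss = f"https://login.microsoftonline.com/{allowed_tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        raise TenantRestrictionError("issuer does not match the permitted tenant")
    if float(claims.get("exp", 0)) <= now:
        raise TenantRestrictionError("token has expired")
    # oid is the user's immutable object id within the tenant; prefer it over
    # mutable identifiers such as email/preferred_username for authorization.
    return claims["oid"]


def sample_claims(tenant_id: str, exp: float) -> dict:
    """Constructed ID-token payload resembling what Entra returns."""
    return {
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "aud": CLIENT_ID,
        "tid": tenant_id,
        "oid": "33333333-3333-3333-3333-333333333333",
        "preferred_username": "user@example.com",
        "exp": exp,
    }
```

A token from any other Entra tenant, for another application, or past its expiry is rejected before the user is mapped to a platform identity.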
Audit logging
An audit log of user-driven actions within the platform is maintained.
Relationships
Object relationships (formerly Dependency Insights) have been extended to include additional object types such as API Keys. Additional metadata, such as the last used time on objects like API Keys, DropPoints and Connections, is now also surfaced.
A new tree-based UI provides a recursive relationship explorer view.
Environments and sub-domains
The logical separation offered by Environments (e.g. Test/Staging/Production) has been made consistent throughout the platform.
- Each environment has a dedicated sub-domain for API invokes
- Site Configuration, Key-Value, and Reduce data is scoped to an Environment (not shared across Environments as was previously the case)
- API Keys must be scoped to a specific Environment when they are created and cannot be changed afterwards
Console App Authentication
The session-based authentication of Console Apps has been replaced with a new Cookie-based API Key that has been introduced to the API Keys area. This key type is used to enable Console apps to authenticate themselves for Workflow invokes.
Key differences:
- Administrators have fine-grained control of the specific Workflows that can be invoked from within an App as well as the specific set of Users who are permitted to invoke them
- Because the token is managed as a cookie, it is never accessible to the app directly
Workflow Logs
Workflow Logs have been moved from Microsoft SQL Server to Azure Storage in order to improve performance.
The Console search area for logs has been reworked to reduce the number of inputs that need to be configured prior to searching.
We have made additional improvements to ensure that log search performance remains near constant even in high workload tenants.
When a Property exceeds the maximum allowed size (10KB), its value is truncated, except where the Property is on a Variable Bar or when the Workflow is being debugged. Note that the full Property value is still available at runtime; only the logged copy of the Property is not fully recorded.
If it is necessary to retain a large Property value, ensure it is connected to a Variable Bar Property.
Workflow Node notes
It is now possible to add notes to a Node from the design canvas. Once added, a preview of the note is shown above the Node.
Cluster management
A new Cluster management area enables customers to see resource consumption information for their cluster, apply updates manually (optional) and control updates to Nodes manually (optional).
The Cluster management area also provides self-service features such as Node restart and the ability to download low-level logs for review using third party tools.
Object explorer enhancements
We refer to the UI that is used to manage lists of objects such as Workflows, Connections, DropPoints and API Keys as Explorers.
The Explorers have been enhanced to show more badge information, including metadata such as Last Used on objects like API Keys and Connections.
Folder management and rename capabilities have also been applied across all Explorers.
Users can optionally also filter on Explorer badges such as Last Run.
DropPoints
The DropPoint protocol has been retained for compatibility with existing customers but benefits from UX enhancements.
- Client-certificate authentication (mTLS) has been replaced with Client-certificate signing in order to simplify authorization of DropPoints across the Application Gateway
- DropPoints are now manually configured to connect to specific tenants by their assigned tenant sub-domains instead of via a centralized discovery service
- The DropPoint UI has been re-worked to make setup more intuitive
Breaking changes and unimplemented features
| Feature | Status |
|---|---|
| DropPoint authentication via mTLS | mTLS has been replaced by DropPoint certificate-based signing. For this reason it is recommended that existing DropPoints are upgraded prior to migrating to the 2023 Refresh. |
| API Key authentication via mTLS | We are not adding support for mTLS for API Keys by default, as there has been very little uptake of this capability and it is operationally more complex in the new platform. If you require support for certificate-based API Keys, we can configure this for you, but the certificates will need to be re-generated. |
| Data Imports | We are not migrating this as a first-party feature of the Console, since there is very little uptake of it. We are considering migrating the existing Data Imports feature as a Flowgear App. |
| Node Debugging Test Harness | We will not be updating the Node Test Harness, since it provides very limited utility. Nodes should be tested via Unit Test classes, and sensitive data should be read into them (e.g. into Connection Properties) from outside of the code repository. |
| Key-Value Management | We are in the process of rebuilding self-service storage management, which will include both Key-Value and Reduce Store management. Currently we do not have a UI to manage culling of unwanted Key-Values. Use a service ticket to request this. |