Great stuff, but the same generally beneficial approach taken too far can run into its own problems.<p><a href="http://hackingdistributed.com/2014/02/14/chainsets/" rel="nofollow">http://hackingdistributed.com/2014/02/14/chainsets/</a><p>To put it simply, seven million is not a big number, and it's the wrong number anyway. The author confused permutations and combinations; the correct number of four-card hands from a deck including jokers is only 316251. For the more common N=3 it's a paltry 24804. If you're doing "pick any N" to choose replica sets for millions of objects (for example) then pretty quickly every node will have a sharding relationship with every other. The probability of a widespread failure wiping out every member of <i>some</i> shard - leading to loss of data or service - approaches one. You're better off constraining the permutations somehow, certainly not all the way down to the bare minimum, but so that the total probability of data/service loss after N failures remains small.<p>I really hope people actually do the math instead of just cargo-culting an idea with a catchy name.
Our approach has turned out to work really well, and very simply.<p>We have N servers in round-robin DNS. When our mobile client starts up, it does a DNS lookup, fetches the entire list of servers, and then picks one to connect to. If that connection fails, it tries another one, etc. until it runs out (which has never happened).<p>We also ship the client with a pre-populated list of IP addresses (the current server list as of build time) and the client caches the list it gets from DNS whenever it does a lookup. This means that even in the event of a complete DNS failure, even for hours at a time, our clients are still able to connect. This was quite handy when GoDaddy's DNS was inaccessible a year or two ago due to what I recall was a DDoS attack.<p>A few weeks ago my ISP's DNS servers went down, and since I have the same mobile and DSL provider, I was completely unable to do anything on the internet — except play our game. It was then that I wondered 'why don't more apps do this?' It seems like a simple problem; if you can't do a DNS lookup, assume the previous IP is still valid. Assuming you're using HTTPS, there should be no more exposure from a security perspective unless someone takes control of your IP address <i>and</i> fakes your SSL certificate, at which point you're screwed anyway.
Quick note about client retry, I highly suggest some type of guard on side effecting operations, either rejecting duplicate transaction ids (generated by the client or retrieved from the server before the side effecting operation) or returning the previous result if the transaction id was recently processed.<p>Obviously being stateful and correctly routing the request across shards becomes harder and can hurt this scale out solution. It also depends on the functionality of the request, for example an update of the same data may not cause any damage, but a double submit of an order could be.<p><a href="https://en.wikipedia.org/wiki/Idempotence#Computer_science_meaning" rel="nofollow">https://en.wikipedia.org/wiki/Idempotence#Computer_science_m...</a>