(credits: https://www.handsonarchitect.com)

Beyond the 12 Factor App Principles: 15 Factor Principles for Cloud-Native Applications

Anji…

--

The 12-factor app principles have become the de facto standard for cloud-native applications. As cloud-native applications have advanced since the principles were first written, they have been revised into 15-factor app principles that take advantage of the latest advances in cloud infrastructure.

In this article, I would like to talk about the additional principles added. The original 12-factor app principles are a great start to building and deploying cloud-native applications. If you are unfamiliar with the 12-factor app principles, please refer to this article.

Newly Added Factors

  • API First
  • Telemetry
  • Authentication and Authorization

API First

An API-first approach means defining your APIs, with the agreed input and output parameter specifications, in an API description language such as the OpenAPI Specification (Swagger) before you write the implementation. Establishing the contract means spending a good amount of time up front on designing the API contracts.

By designing your API first, you are able to facilitate discussion with your stakeholders (your internal team, customers, or possibly other teams within your organization who want to consume your API) well before you might have coded yourself past the point of no return. This collaboration then allows you to build user stories, mock your APIs while consuming them, and generate documentation that can be used to further socialize the intent and functionality of the service you’re building. Most importantly, it minimizes dependencies between the teams as contracts are agreed upon and finalized much earlier.
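As an added example (not code from the original article), the following Python block shows what "contract first" looks like in practice: a small, constructed OpenAPI-style document for a hypothetical `/orders` endpoint is the single source of truth, incoming request bodies are validated against its schema, and the documented response example is served back, which is exactly the mock that consumers can build against while the real implementation is still being written. The contract, paths, field names and example values are all assumptions made for the illustration.

```python
"""Contract-first request validation and mocking against a minimal OpenAPI-style
document (added example; the contract, paths and field names are constructed)."""
from typing import Any

# Constructed contract: a subset of an OpenAPI 3 document for one operation.
CONTRACT = {
    "paths": {
        "/orders": {
            "post": {
                "requestBody": {
                    "schema": {
                        "type": "object",
                        "required": ["customer_id", "items"],
                        "properties": {
                            "customer_id": {"type": "string"},
                            "items": {"type": "array", "minItems": 1},
                            "note": {"type": "string", "maxLength": 200},
                        },
                        # Reject fields the contract never agreed on.
                        "additionalProperties": False,
                    }
                },
                "responses": {
                    "201": {"example": {"order_id": "ord_0001", "status": "accepted"}}
                },
            }
        }
    }
}

JSON_TYPES = {"string": str, "array": list, "object": dict, "integer": int, "boolean": bool}


def validate_body(schema: dict, body: Any) -> list[str]:
    """Return a list of contract violations (empty when the body conforms)."""
    errors = []
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    for name in schema.get("required", []):
        if name not in body:
            errors.append(f"missing required field '{name}'")
    props = schema.get("properties", {})
    for name, value in body.items():
        if name not in props:
            if not schema.get("additionalProperties", True):
                errors.append(f"unexpected field '{name}'")
            continue
        spec = props[name]
        expected = JSON_TYPES[spec["type"]]
        # bool is a subclass of int in Python; keep integer checks strict.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            errors.append(f"field '{name}' must be {spec['type']}")
            continue
        if "minItems" in spec and len(value) < spec["minItems"]:
            errors.append(f"field '{name}' needs at least {spec['minItems']} item(s)")
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            errors.append(f"field '{name}' longer than {spec['maxLength']} characters")
    return errors


def handle(path: str, method: str, body: Any) -> tuple[int, dict]:
    """Mock server: validate against the contract, then serve the documented example."""
    op = CONTRACT["paths"].get(path, {}).get(method.lower())
    if op is None:
        return 404, {"error": "no such operation in contract"}
    errors = validate_body(op["requestBody"]["schema"], body)
    if errors:
        return 400, {"errors": errors}
    status, response = next(iter(op["responses"].items()))
    return int(status), response["example"]


if __name__ == "__main__":
    print(handle("/orders", "POST", {"customer_id": "c-42", "items": ["sku-1"]}))
    print(handle("/orders", "POST", {"customer_id": "c-42"}))
```

Because both the mock and the eventual real service validate against the same document, a consumer that works against the mock will not be surprised by the implementation, and a field that is not in the contract is rejected rather than silently accepted.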

Telemetry

When we are building applications in the cloud, we may not be able to debug and inspect the application to get visibility and understand its behavior as we do on our local workstations.

In the cloud, your app might be deployed anywhere and span multiple instances across multiple locations.

When it comes to monitoring the application, monitoring data is classified into three categories.

  • Application performance monitoring (APM)
  • Domain-specific telemetry
  • Health and system logs

Application performance monitoring (APM): consists of a stream of events that can be used by tools outside the cloud to understand how well your application is performing. The data used to supply APM dashboards is usually fairly generic and can come from multiple applications across multiple lines of business.

Domain-specific telemetry: refers to the stream of events and data that makes sense to your business and that you can use for your own analytics and reporting. This type of event stream is often fed into a “big data” system for warehousing, analysis, and forecasting.

Health and system logs: provided by your cloud provider. They consist of a stream of events such as application start, shutdown, scaling, web request tracing, and the results of periodic health checks.

You may wonder why we need separate telemetry when a logging principle is already available as part of the 12-factor app principles. Logging is typically oriented around the internal structure of your app, rather than reflecting real-world customer usage. Telemetry, on the other hand, is focused on data collection once the app is released into the wild. Telemetry and real-time app monitoring enable developers to monitor their application’s performance, health, and key metrics in this complicated and highly distributed environment.
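As an added example (not from the original article), here is a small Python telemetry emitter that keeps the three streams described above separate, tags every event with the service and instance that produced it (since the app may be running anywhere, on many instances), and aggregates only the APM stream into per-route latency and error figures of the kind a dashboard would show. Service names, routes, latencies and the business event are constructed for the illustration.

```python
"""Emitting and aggregating the three telemetry streams: APM, domain-specific,
and health/system (added example; names, routes and values are constructed)."""
import json
import time
from collections import defaultdict


class Telemetry:
    """Collects structured events, each tagged with the stream it belongs to."""

    STREAMS = ("apm", "domain", "health")

    def __init__(self, service: str, instance: str):
        self.service, self.instance = service, instance
        self.events: list[dict] = []

    def emit(self, stream: str, name: str, **fields) -> dict:
        if stream not in self.STREAMS:
            raise ValueError(f"unknown stream {stream!r}")
        # Every event carries the identity of the instance that produced it, because
        # in the cloud the app runs on many instances in many locations.
        event = {"ts": time.time(), "stream": stream, "service": self.service,
                 "instance": self.instance, "name": name, **fields}
        self.events.append(event)
        return event

    def request(self, route: str, status: int, latency_ms: float) -> dict:
        """APM event: generic enough to compare across applications."""
        return self.emit("apm", "http.request", route=route, status=status, latency_ms=latency_ms)

    def export_lines(self) -> str:
        """One JSON object per line, ready for a log shipper or event pipeline."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.events)


def apm_summary(events: list[dict]) -> dict:
    """Per-route request count, nearest-rank p95 latency and 5xx error rate, from the APM stream only."""
    by_route = defaultdict(list)
    for e in events:
        if e["stream"] == "apm" and e["name"] == "http.request":
            by_route[e["route"]].append(e)
    summary = {}
    for route, reqs in by_route.items():
        lat = sorted(r["latency_ms"] for r in reqs)
        p95 = lat[min(len(lat) - 1, int(0.95 * len(lat)))]
        errors = sum(1 for r in reqs if r["status"] >= 500)
        summary[route] = {"count": len(reqs), "p95_ms": p95, "error_rate": errors / len(reqs)}
    return summary


def demo() -> dict:
    """Constructed traffic: four requests, one business event, one health check."""
    t = Telemetry("orders-api", "inst-a1")  # constructed service and instance names
    for status, ms in [(200, 12.0), (200, 15.0), (500, 840.0), (200, 11.0)]:
        t.request("/orders", status, ms)
    t.emit("domain", "order.placed", customer_segment="smb", amount_eur=129.5)  # business event
    t.emit("health", "healthcheck", ok=True)                                     # platform-style event
    return apm_summary(t.events)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Separating the streams at emission time matters because they have different consumers: the APM figures go to an operations dashboard, the `order.placed` event to the analytics warehouse, and the health check to the platform, and a single "log everything" stream would force each consumer to filter the others' data out.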

Authentication and Authorization

Security plays an integral role in any application's design. It should be the first aspect considered when discussing application design and deployment; wherever you deploy your application, make sure security is factored into the design from the start.

All endpoints should be secured with role-based access control. For every request for an application's resources, the application should know who is making the request and the roles to which that consumer belongs. These roles dictate whether the calling client has sufficient permission for the application to honor the request.

Ensure you serve your application only over HTTPS, and make security testing part of your regression suite.

Security can be enforced with standards and tools such as OAuth2, OpenID Connect, and SSO. JWTs (JSON Web Tokens) play an integral role in securing your application.
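The following Python block is an added example, not code from the article, of the two steps the section describes: authentication (verifying an HS256 JWT issued by the identity provider, so the application knows who is calling) followed by role-based authorization against a per-endpoint policy. It uses only the standard library, pins the signing algorithm instead of trusting the token's header, compares signatures in constant time, and refuses tokens without an expiry. The secret, subject, role names and endpoint policy are constructed for the illustration.

```python
"""HS256 JWT verification and role-based authorization for an endpoint
(added example; the secret, claims, routes and role names are constructed)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT, as the identity provider / OAuth2 server would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if algorithm, signature and expiry all check out; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token ("none" or a key-confusion swap).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


# Constructed policy: the roles allowed to call each endpoint.
POLICY = {("GET", "/orders"): {"viewer", "admin"}, ("DELETE", "/orders"): {"admin"}}


def authorize(method: str, path: str, token: str, secret: bytes,
              now: Optional[float] = None) -> tuple[int, str]:
    """Authentication (who is calling) and then authorization (may they do this)."""
    try:
        claims = verify_token(token, secret, now)
    except ValueError as exc:
        return 401, f"unauthenticated: {exc}"
    allowed = POLICY.get((method, path))
    if allowed is None:
        return 404, "unknown endpoint"
    if not allowed & set(claims.get("roles", [])):
        return 403, f"forbidden: {claims.get('sub')} lacks a role in {sorted(allowed)}"
    return 200, f"ok: {claims['sub']}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; in practice this comes from a secret store
    tok = issue_token({"sub": "alice", "roles": ["viewer"], "exp": time.time() + 300}, secret)
    print(authorize("GET", "/orders", tok, secret))
    print(authorize("DELETE", "/orders", tok, secret))
```

The order of the checks is the point: a request that fails authentication gets 401 before any policy lookup, an authenticated caller without a matching role gets 403, and the distinction lets monitoring tell credential problems apart from privilege problems.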

References:

https://www.oreilly.com/library/view/beyond-the-twelve-factor/9781492042631/ch15.html

--


Technology Enthusiast, Problem Solver, Doer, and a Passionate technology leader. Views expressed here are purely personal.