HTTP/2 connection lifecycle: max lifetime with per-connection jitter + PING health probing

[jeet1995]

HTTP connection lifecycle management: max lifetime + PING keepalive for Gateway V2

Summary

This PR adds two independent HTTP connection lifecycle features for Cosmos DB Gateway V2 (thin client) endpoints: max connection lifetime (forces periodic DNS re-resolution by evicting long-lived connections) and HTTP/2 PING keepalive (prevents L7 middleboxes from silently reaping idle connections). Both HTTP/1.1 and HTTP/2 coexist on the same account — Kusto telemetry shows 43.8M HTTP/2 vs 1.1M HTTP/1.1 requests in a 6-hour window — so max lifetime applies to both protocols while PING keepalive targets HTTP/2 only. All settings are internal system properties (no public API changes) with conservative defaults chosen for safe production rollout.

---

1. Purpose / Motivation

Problem	Impact
Stale DNS pinning — TCP connections never re-resolve DNS on their own	When Cosmos DB frontend federations scale out or fail over, traffic stays pinned to stale IPs indefinitely. New backends receive zero load until clients reconnect.
L7 idle connection reaping — NAT gateways, firewalls, and load balancers silently drop idle HTTP/2 connections	TCP keepalive operates at L4 and is invisible to L7 middleboxes. The client believes the connection is alive, sends a request, and gets a RST or hangs.

Solution: Two orthogonal features address these independently:

• Max connection lifetime → forces DNS re-resolution by evicting connections after a configurable duration, regardless of health. Applies to both HTTP/1.1 and HTTP/2.
• PING keepalive → sends periodic HTTP/2 PING frames to keep connections alive at L7 and detect degraded connections (ACK timeout → eviction). HTTP/2 only.

Both HTTP/1.1 and HTTP/2 coexist on the same Cosmos DB account (confirmed by Kusto evidence: 43.8M HTTP/2 and 1.1M HTTP/1.1 requests in a 6-hour window), so the implementation must handle both protocols.

---

2. Implementation Approach

Max Lifetime Eviction (HTTP/1.1 + HTTP/2)

Custom evictionPredicate in ConnectionProvider.Builder implements a 3-phase eviction order: dead channels → idle channels → lifetime-expired channels.

For HTTP/2, a two-phase lifetime eviction avoids sending RST_STREAM on active streams:

1. Mark pending — set PENDING_EVICTION_NANOS attribute on the channel
2. Drain grace period (10 seconds) — allow in-flight streams to complete
3. Evict — close the connection

Per-connection subtractive jitter [base - 30s, base] prevents thundering-herd reconnection storms. Each connection independently computes its expiry time at creation, so connections opened at the same time expire at different times.

PING Keepalive (HTTP/2 only)

Uses a custom Http2PingHandler (ChannelDuplexHandler) installed on HTTP/2 parent channels via doOnConnected. The handler:

• Sends PING frames at configurable intervals (default 30s) when the connection has been idle
• Tracks the last activity time (any read/write) to avoid sending PINGs on active connections
• Checks Configs.isHttp2PingHealthEnabled() dynamically, allowing runtime toggle without client restart
• Installation is best-effort — any ChannelPipelineException (e.g., duplicate handler from Netty regressions) is swallowed

Why not native reactor-netty pingAckTimeout? reactor-netty 1.2.13 bypasses its built-in maxIdleTime handling when a custom evictionPredicate is configured. Since we must use a custom eviction predicate for max-lifetime, the native PING path is never triggered. The custom Http2PingHandler is independent of the eviction predicate and works correctly alongside it.

Eviction Rate Limiter

At most 1 connection evicted per sweep cycle (dead channels are exempt from this limit). This is a defense-in-depth measure alongside jitter to prevent mass eviction.

Sweep Interval

Dynamically derived: clamp(min(idleTimeout, baseMaxLifetime) / 2, 1s, 5s)

Dynamic Runtime Toggle

Both features check their enable flag at runtime (not at client construction time):

• Eviction predicate: Always installed, checks Configs.isHttpConnectionMaxLifetimeEnabled() on every sweep — returns false for lifetime-expired connections when disabled
• Http2PingHandler: Always installed, checks Configs.isHttp2PingHealthEnabled() in maybeSendPing() — skips PING when disabled

This allows safe production rollout: flip system properties to disable either feature without restarting the application.

IHttpClientInterceptor Pattern

Test-time injection of AddressResolverGroup and doOnConnected callbacks uses the IHttpClientInterceptor interface (following the pattern from PR #47231). Netty-specific types stay off the public ConnectionPolicy class — the interceptor is wired through ImplementationBridgeHelpers and is null in production (zero overhead).

Configuration

All settings are internal system properties (not public API):

System Property	Default	Description
COSMOS.HTTP_CONNECTION_MAX_LIFETIME_ENABLED	true	Enable/disable max lifetime eviction
COSMOS.HTTP_CONNECTION_MAX_LIFETIME_IN_SECONDS	1800 (30 min)	Base max connection lifetime
COSMOS.HTTP2_PING_HEALTH_ENABLED	true	Enable/disable PING keepalive
COSMOS.HTTP2_PING_INTERVAL_IN_SECONDS	30	Interval between PING frames

The default 30 min max lifetime is deliberately conservative compared to .NET's 5 min — we will tune after production validation.

---

3. Key Files Changed

File	Change
HttpClient.java	Eviction predicate with 3-phase logic, rate limiter, sweep interval derivation, dynamic toggle
HttpConnectionLifecycleUtil.java	NEW — channel attribute stamping (CONNECTION_EXPIRY_NANOS, PENDING_EVICTION_NANOS)
Http2PingHandler.java	NEW — custom HTTP/2 PING keepalive handler with dynamic Configs check
ReactorNettyClient.java	doOnConnected expiry stamping + PING handler install, resolver group support
Configs.java	System properties for max lifetime and PING settings
IHttpClientInterceptor.java	NEW — test-time injection interface for AddressResolverGroup + doOnConnected
CosmosInterceptorHelper.java	NEW — helper to register interceptors via ImplementationBridgeHelpers
CosmosClientBuilder.java	IHttpClientInterceptor accessor via bridge helpers
ConnectionPolicy.java	IHttpClientInterceptor propagation (no Netty types on public API)
RxDocumentClientImpl.java	Wires interceptor from ConnectionPolicy → HttpClientConfig
NetworkFaultInjector.java	NEW — shared utility for tc netem / iptables fault injection in tests
FilterableDnsResolverGroup.java	NEW — test fixture for DNS-level IP filtering
Http2ConnectionLifecycleTests.java	9 tests covering lifecycle scenarios
Http2ConnectTimeoutBifurcationTests.java	5 tests covering connection timeout survival
tests.yml	CI pipeline stage for network fault tests
HTTP_CONNECTION_LIFECYCLE_SPEC.md	Design specification

---

4. Benchmark Results

Test matrix: {c10, c2} × {ReadThroughput, WriteThroughput} + {c1 sparse} × {ReadThroughput, WriteThroughput}, GATEWAY mode, 2h per scenario (721 × 10s-interval samples), 30 min per sparse scenario. All endpoints route through Azure Traffic Manager (Central US region, 4 backend IPs). Both main and dev branch tested on the same VM sequentially.

Infrastructure: Standard_D2s_v3 (2 vCPU, 8 GB, Central US), JDK 21, Maven 3.8.7. Account abhm-cfp-region-test (3 regions: East US, West US, Central US), container at autoscale 100K RU/s. Dev branch config: maxLifetime=300s (5 min), pingInterval=30s.

Throughput & Latency

Config	Concurrency	Operation	main (ops/s)	dev (ops/s)	Δ ops	main mean (ms)	dev mean (ms)
Read	c10	ReadThroughput	2,128	2,046	-3.8%	4.3	4.4
Write	c10	WriteThroughput	260	276	+5.9%	38.0	35.4
Read	c2	ReadThroughput	641	605	-5.6%	3.0	3.0
Write	c2	WriteThroughput	58	54	-6.4%	33.7	37.9
Read	c1 sparse	ReadThroughput	0.20	0.20	0%	—	—
Write	c1 sparse	WriteThroughput	0.20	0.20	0%	—	—

Note on c10 reads: Both main and dev are CPU-saturated at 92–93% on this 2-vCPU VM. The -3.8% delta is within noise for CPU-bound workloads.

Note on c2: At low concurrency, each connection rotation (every 5 min) has proportionally larger impact — the TLS handshake + HTTP/2 setup overhead is amortized over fewer concurrent streams. This is the expected cost of DNS re-resolution.

Federation Distribution (ComputeRequest5M Kusto Validation)

Kusto confirms the key finding: main pins all traffic to 1 federation; dev with maxLifetime distributes across 4 federations.

Time Window	Scenario	fe43	fe11	fe39	fe38	Federations
00:00–02:00	main (baseline)	100% (14.8M)	0%	0%	0%	1
02:00–02:30	dev (maxLife=5m)	30%	51%	19%	0%	3
02:30–03:00	dev	30%	37%	17%	16%	4
03:00–03:30	dev	31%	36%	23%	10%	4
03:30–04:00	dev	34%	11%	22%	34%	4

IP Rotation Validation

IpRotationHarness on VM (Central US, maxLife=60s, 15 min runtime, 3 phases with FilterableDnsResolverGroup IP blocking):

Phase	Duration	IPs Seen	Blocked IP Traffic	Result
1: Normal	5 min	4 CUS IPs	N/A	✅ Load balanced across 4 IPs via DNS rotation
2: Block .38	5 min	3 CUS IPs	0 connections (0%)	✅ Traffic fully shifted away from blocked IP
3: Unblock	5 min	2 new IPs	N/A	✅ Traffic rebalanced to fresh DNS-resolved IPs

59 connection rotations in Phase 1 alone (maxLife=60s + jitter). Each rotation forced a DNS re-resolve, discovering different backend IPs behind Azure Traffic Manager.

DNS Behavior Validation

DefaultAddressResolverGroup delegates to InetAddress.getByName() with no additional cache — only the JVM DNS cache (30s TTL) sits between the SDK and Azure Traffic Manager. When ATM removes a dead federation, new connections get healthy IPs within ~30 seconds.

Conclusion

• No regression at high concurrency (c10): Reads within noise (CPU-saturated), writes improved +5.9% likely due to better federation load balancing from connection rotation
• Small overhead at low concurrency (c2): 5–6% throughput delta is the expected cost of rotating connections every 5 min — acceptable trade-off for DNS re-resolution benefits
• Zero-error sparse workload: MaxLifetime + PING produce no errors under sparse traffic (concurrency=1, 5s between ops)
• Federation distribution: main pins 100% traffic to 1 federation; dev distributes across 4 federations — confirming max-lifetime achieves its core design goal
• DNS resolution chain validates: DefaultAddressResolverGroup → JVM cache (30s) → Azure Traffic Manager (10–14s TTL) — no additional cache layers to defeat ATM health-based routing

---

5. Testing Methodology

Tests use real network fault injection (not SDK synthetic faults) via tc netem and iptables on Linux VMs. Shared NetworkFaultInjector utility handles sudo detection, tc netem delay, iptables drop, and cleanup.

Connection Timeout Survival (tc netem — 5 tests)

Test	What it proves
connectionReuseAfterRealNettyTimeout	Parent TCP connection survives a stream-level ReadTimeoutException
multiParentChannelConnectionReuse	All parent channels survive under concurrent load
retryUsesConsistentParentChannelId	Retry attempts are tracked across gateway stats
connectionSurvivesE2ETimeoutWithRealDelay	End-to-end cancel doesn't close the parent connection
parentChannelSurvivesE2ECancelWithoutReadTimeout	3s e2e cancel before 6s ReadTimeout doesn't kill parent

Max Lifetime Eviction (3 tests)

Test	What it proves
connectionRotatedAfterMaxLifetimeExpiry	Connection is evicted after lifetime + jitter expires
perConnectionJitterStaggersEviction	Connections don't all expire in the same sweep cycle
connectionEvictedAfterMaxLifetimeEvenWithHealthyPings	Lifetime eviction works even when PINGs are healthy

PING Health (1 test)

Test	What it proves
degradedConnectionEvictedByPingHealthCheck	iptables blackhole → PING ACK timeout → connection evicted

DNS Rotation (1 test)

Test	What it proves
dnsRotationAfterMaxLifetimeExpiry	FilterableDnsResolverGroup blocks IP1; max lifetime eviction forces DNS re-resolution to IP2

CI Integration

New Cosmos_Live_Test_HttpNetworkFault stage in tests.yml:

• Ubuntu VMs with tc/iptables prerequisites
• MaxParallel=1 (network faults are host-global)
• Thin client test account

---

6. .NET Parity

Aspect	.NET	Java (this PR)
Base lifetime	5 min	30 min (defensive — tune after validation)
Jitter	Per-pool [0s, 30s)	Per-connection [0s, 30s] (subtractive)
PING keepalive	No	Yes (custom Http2PingHandler)
PING-based eviction	No	Yes (ACK timeout → connection close)
HTTP/2 fallback	Explicit error path	Graceful ALPN negotiation (reactor-netty auto-configures)

---

7. Configuration Quick Reference

Enable/disable max lifetime:

-DCOSMOS.HTTP_CONNECTION_MAX_LIFETIME_ENABLED=false   # disable (default: true)
-DCOSMOS.HTTP_CONNECTION_MAX_LIFETIME_IN_SECONDS=900   # override to 15 min (default: 1800)

Enable/disable PING keepalive:

-DCOSMOS.HTTP2_PING_HEALTH_ENABLED=false               # disable (default: true)
-DCOSMOS.HTTP2_PING_INTERVAL_IN_SECONDS=30              # override interval (default: 30)

To fully disable both features, set both ENABLED properties to false.

---

8. Future Work

• reactor-netty 1.3.4: Replace custom lifetime logic with native maxLifeTime() + maxLifeTimeVariance() once we upgrade
• HTTP/1.1 application-layer keepalive: No PING equivalent exists for HTTP/1.1 — investigate OPTIONS or HEAD probes
• PING tuning: Adjust interval and ACK timeout after production validation with real middlebox behavior data

---

All SDK Contribution checklist:

• The pull request does not introduce [breaking changes]
• CHANGELOG is updated for new features, bug fixes or other significant changes.
• I have read the contribution guidelines.

General Guidelines and Best Practices

• Title of the pull request is clear and informative.
• There are a small number of commits, each of which have an informative message.

Testing Guidelines

• Pull request includes test coverage for the included changes.

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jeet1995]

Silent degradation detection affects both sparse and non-sparse workloads.

[jeet1995]

Add an item to track maxLifeTimeVariance integration too.

[jeet1995]

Ensure the overview is up to date w.r.t rest of spec (section 9.1 and 9.2 changes should be reflected here). Design choices should precede the overview.

[jeet1995]

Update section 3 with section 9.1 and 9.2 changes.

[FabianMeiswinkel]

LGTM

[xinlian12]

why not use Netty native support ping mechanism?

  .http2Settings(settings -> settings
                    .pingAckTimeout(Duration.ofSeconds(10))
                    .pingAckDropThreshold(3)

[jeet1995]

I think my initial design was if pings are not responded to then to also evict the channel (which requires a custom ChannelDuplexHandler). Since pings are purely for extending idleness, I could use this.

[xinlian12]

.pingAckDropThreshold(3) -> this will cause the connection to drop?

[xinlian12]

and also I feel if service side support http2 ping, we probably should enable it by default - helps with the timeout detection part as well

[xinlian12]

just thinking loud-> with the jitter in place, do we still need the rate limiting? jitter should already helped that the connections will not be closed all at the same time.

[jeet1995]

This is me being defensive but valid point. I feel we can make a test-driven decision.

[xinlian12]

since the config here will be maxLifeTime, maybe we should [29:30, 30:0] etc

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jeet1995]

/azp run java - cosmos - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).