Netflix Sonar
Sonar is Netflix's internal IP address tracking service. It emits an event whenever an IP address in Netflix's AWS VPCs is assigned to or unassigned from a workload. It works by crawling AWS resources to detect changes in IP assignments.
Original role
Sonar was the sole IP→workload source for Netflix's eBPF flow-log attribution pipeline. FlowCollector consumed the Sonar event stream and applied assignment / unassignment events to its in-memory IP-to-workload map, which it then queried at flow-attribution time.
Why it failed at scale
"The fundamental drawback of this method is that it can lead to misattribution. Delays and failures are inevitable in distributed systems, which may delay IP address change events from reaching FlowCollector. For instance, an IP address may initially be assigned to workload X but later reassigned to workload Y. However, if the change event for this reassignment is delayed, FlowCollector will continue to assume that the IP address belongs to workload X, resulting in misattributed flows."
A 15-minute holdback buffer reduced misattribution but did not eliminate it. For Zuul, Netflix's cloud gateway, approximately 40% of reported dependencies were misattributed. This is a canonical instance of event-stream attribution failing at scale.
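The failure mode and the limit of the holdback can be reproduced with a small model. This is an added example, not Netflix's code: the `Event` fields, the `attribute` and `reassignment` helpers, the addresses and the timestamps are all assumptions made for illustration, and the model assumes each event carries the time the change occurred and that the collector decides at flow time plus holdback.

```python
from dataclasses import dataclass
from typing import Optional

HOLDBACK_S = 15 * 60  # the 15-minute holdback mentioned above


@dataclass(frozen=True)
class Event:
    ip: str
    workload: Optional[str]  # None means the IP was unassigned
    occurred: int            # when the assignment really changed (seconds)
    delivered: int           # when the event reached the collector


def attribute(flow_ts, ip, events, holdback_s):
    """Attribute a flow seen at flow_ts, deciding at flow_ts + holdback_s.

    Only events already delivered at decision time are usable; among those,
    the latest change that occurred at or before the flow wins.
    """
    decide_at = flow_ts + holdback_s
    usable = [e for e in events
              if e.ip == ip and e.delivered <= decide_at and e.occurred <= flow_ts]
    latest = max(usable, key=lambda e: e.occurred, default=None)
    return latest.workload if latest else None


def reassignment(delay_s):
    """Constructed sample: 10.0.0.5 moves from X to Y at t=1000; the
    reassignment event reaches the collector delay_s seconds later."""
    return [
        Event("10.0.0.5", "workload-x", occurred=0, delivered=1),
        Event("10.0.0.5", "workload-y", occurred=1000, delivered=1000 + delay_s),
    ]


if __name__ == "__main__":
    flow_ts = 1100  # flow observed after the reassignment, so truth is workload-y
    for delay in (5 * 60, 20 * 60):
        for holdback in (0, HOLDBACK_S):
            got = attribute(flow_ts, "10.0.0.5", reassignment(delay), holdback)
            print(f"delay={delay:>4}s holdback={holdback:>3}s -> {got}")
```

A 5-minute event delay is absorbed by the holdback, while a 20-minute delay still attributes the flow to the stale workload, which is why the buffer reduced the error without removing it.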
Current role — ELB fallback only
The 2025 flow-log redesign replaced Sonar's role for workload IPs with a heartbeat-based pipeline (see FlowExporter + FlowCollector). But for AWS ELB IPs, FlowExporter cannot be deployed, so heartbeats don't exist. Sonar is retained for this subset — ELB IP reassignment is rare enough that Sonar's delay and ordering caveats produce acceptable accuracy.
Seen in
- sources/2025-04-08-netflix-how-netflix-accurately-attributes-ebpf-flow-logs — canonical reference; describes Sonar as the predecessor event source + its 40% Zuul misattribution rate + its current ELB-fallback role.