Microservices in the Brightspace Cloud
Contents
ABOUT MICROSERVICES IN THE BRIGHTSPACE CLOUD
MICROSERVICES AND ON-PREMISE CLIENTS
MICROSERVICES AND DATA
MICROSERVICES ARCHITECTURE
OVERVIEW OF RELEASED MICROSERVICES
Authentication Service
Brightspace Assignment Grader Transcoding Service
Brightspace Binder Data Store
Caliper Gateway Service
Dates Service
Distributed Event Framework Service
EduDentity Authentication Service
Feed Service
Hypermedia Proxy Service
Landlord Service
LMS Discovery Service
User Info Service
MICROSERVICES AND THE BRIGHTSPACE DATA PLATFORM
ABOUT D2L
Development and operations teams at D2L experience many of the direct benefits of microservices, but that change
and renewal also lets us further improve experiences and functionality for our users. These benefits flow from one key
idea: narrowly focused system components that exchange functional services with other components via well-defined
network API boundaries.
The narrowly focused and separated components give our teams the option to employ a variety of technologies and
scalability strategies, rather than settling for those intended for combined application. For example, the Brightspace
Data Platform takes advantage of the distributed processing provided by Apache Hadoop clusters when performing
its aggregation and analysis. This technique would not be relevant to other Brightspace product areas such as
discussion posts.
Additionally, the separation also helps our teams effectively and quickly adapt to new technologies and approaches as
they become available. For example, we have been able to create new user interfaces that leverage specialized
web-side user interface frameworks and interact directly with microservices. This flexibility allows our teams to develop
and refine new workflows for our users using the most effective technology.
Our test-focused staff also can make effective use of this architectural change because they can take advantage of
alternatives around testing microservices that emerge because of the formal service boundaries. Our Brightspace
Valence developer community can also take advantage of these boundaries, because each of them naturally becomes
an API candidate for users looking to develop custom workflows or tools that integrate into the Brightspace platform.
The implementation of microservices and the coordination of development and operations teams has enriched D2L's
approach to network infrastructure and deepened our expertise in a variety of more specialized technology platforms.
To access certain features in Brightspace platform 10.6, on-premise clients must agree to permit access to centrally
hosted microservices. For example, the Landlord Service and Authentication Service are required for accessing
Brightspace Insights and Brightspace Pulse. Specifics on how to do this depend on how each client's environment is
configured. For example, a client may have specific firewall restrictions that their IT department must adjust to permit
traffic to D2L microservices in AWS.
Health checks that report on the availability of D2L microservices in AWS are monitored by D2L and are not available to
on-premise clients.
Microservices architecture
The following architecture diagram displays current D2L microservices, their deployment locations in the Brightspace
Cloud, and the dependencies among them with new Brightspace products and other microservices. For detailed
information, refer to the sections for individual microservices in this guide.
Brightspace Data
Platform
Authentication Service | Provides user and service-level authentication and authorization via the OAuth2 protocol. | 10.5.0 | 1 global instance | AWS | Landlord Service | Brightspace Pulse, Brightspace Insights, Brightspace Data Platform, Caliper Gateway
Dates Service | Provides an API for learners' personal dates. Currently, only used by Brightspace Pulse. | 10.5.1 | 1 global cluster | AWS | Landlord Service, Authentication Service, User Info Service | Brightspace Pulse
Feed Service | Provides an API for learner updates to Announcements and Grades tools. Currently, only used by Brightspace Pulse. | 10.5.0 | 1 global cluster | AWS | Landlord Service, Authentication Service, User Info Service | Brightspace Pulse
LMS Discovery Service | Provides a list of Brightspace instances so app users (i.e. Brightspace Pulse) don't need to know their instance URL. | 10.5.1 | 1 global instance | AWS | none | Brightspace Pulse
Distributed Event Framework Service | Provides awareness of Brightspace Learning Environment events for other Brightspace services such as Brightspace Insights. | Available to clients on 10.4+ | 1 instance per Data Center | D2L Data Center | Landlord Service | Brightspace Data Platform
Caliper Gateway Service | Provides an API for 3rd-party tools to send events to the Brightspace Data Platform. | TBD | 1 global instance | AWS | Authentication Service | Brightspace Data Platform
User Info Service | Provides storage of user preferences and filters user information between Brightspace Pulse and Brightspace Learning Environment. | 10.5.5 | 1 global instance | AWS | none | Brightspace Pulse, Dates Service, Feed Service
Hypermedia Proxy Service | Acts as a proxy or mediator to learning paths within Brightspace platform. | 10.5.7 | 1 global instance | AWS | Landlord Service, Authentication Service | Brightspace platform
Brightspace Assignment Grader Transcoding Service | Converts files from one format to another for Brightspace Assignment Grader to consume. | Pre 10.3 | 1 global instance | Azure (West US) | EduDentity Authentication Service | Brightspace Assignment Grader
Brightspace Binder Data Store | Not a service but a storage area for Binder documents. | Pre 10.3 | 1 global cluster | Azure (South Central US, West US) | n/a | Brightspace Pulse
EduDentity Authentication Service | Stores, manages, and authenticates users independent of Brightspace Learning Environment. | Pre 10.3 | 1 global instance | Azure (South Central US, West US) | n/a | Brightspace Binder Data Store
Authentication Service
The Authentication Service (or Auth) is an OAuth 2.0 security token microservice. Its primary responsibility is to issue
security tokens to authorized clients (software applications, including free-range apps) to enable them to interact with
D2L microservices.
By design, the Authentication Service, on which Brightspace Pulse is dependent, does not support self-signed, expired,
or invalid certificates. Organizations using any of these will not be able to use Brightspace Pulse.
The Authentication Service is enabled by default. As a result, Brightspace features or products that depend on the
Authentication Service, such as Brightspace Pulse, can be accessed. Currently, all features or products that depend on
the Authentication Service are turned off by default. If those features or products are enabled, it is possible for data to
flow into them.
Location
A globally accessible D2L microservice that resides in AWS.
Dependencies
Depends on the Landlord Service. Before using the Authentication Service, on-premise clients must register their
org with the Landlord Service.
Data Stored
The Authentication Service stores the URLs of authorized clients (software applications, including free-range apps) and
provisions access tokens for these clients for service-to-service authentication used by Brightspace products. It stores
the userId as part of the context for user authentication - for example, when authenticating a user of the data API for
the Brightspace Data Platform.
Using a proxy server with the Authentication Service for on-premise clients
The Authentication Service supports proxy servers. This allows on-premise clients that use proxy servers to take
advantage of Brightspace products that depend on the Authentication Service such as Brightspace Pulse.
For on-premise clients using a proxy server, allow outbound traffic from Brightspace Learning Environment to
https://auth.brightspace.com.
Important: You must specify the host name (not the IP address) and port 443.
2. The Learning Management System (LMS) contacts the Authentication Service, provisions an Auth token (JSON Web
Token) for the learner, and provides the Auth token to the tool/application.
3. While using the tool, JavaScript running in the learner's browser can call secured D2L microservices directly,
providing the Auth token during each request.
4. Microservices extract and authenticate the Auth token, then ensure that the caller is authorized to perform the
requested operation before proceeding.
In this way, the learner's browser is less tightly coupled to the LMS, which improves performance and robustness, and
facilitates the development of new Brightspace features.
Location
One global instance in Microsoft Azure West US.
Dependencies
Depends on EduDentity Authentication Service.
Data Transmitted/Stored
Data is cached for five days, after which it is automatically deleted. There is no long-term storage.
3. The file and associated data are deleted five days after the request is made.
Location
One global instance in Microsoft Azure South Central US and West US.
Dependencies
Depended on by Brightspace Binder.
Data Transmitted/Stored
A programmatic identifier for the user such as User ID = 123.
Location
One global instance in AWS.
Dependencies
Depends on the Authentication Service.
Data Transmitted/Stored
The Caliper Gateway Service does not store any client data. The service transmits data in the form of events, from a 3rd
party tool to the Brightspace Data Platform. The Caliper Gateway Service uses the HTTPS networking protocol. While in
transit, all events are encrypted. The events that are transmitted contain programmatic identifiers for the user, the
context of the event, and the type of the event. For example:
Events such as logins, tool access, and content visits are identified by the programmatic identifier for the user.
3. The Caliper Gateway Service sends events to the Brightspace Data Platform.
Figure 2: How the Caliper Gateway sends events to the Brightspace Data Platform
Dates Service
Description
The Dates Service provides an API for learner dates. For example, Brightspace Pulse uses the Dates Service to provide
details on assignment due dates and scheduled exams.
Location
A global cluster that resides in AWS. The Dates Service Database resides in IBM Cloudant.
Dependencies
Depends on the Authentication Service, Landlord Service, and User Info Service.
Data Transmitted/Stored
To communicate, devices and microservices use the HTTPS networking protocol. While in transit, all data is encrypted;
however, data at rest is not encrypted.
The user ID in data is a composite key along with the course offering ID; it is not a universally accepted global ID for the
user. The user ID cannot be linked to a user's name or identity. In the database, user IDs appear as a series of repeated
numbers.
Regarding data retention, D2L requires the user ID to report on general user data; it is not used to report on the activity
of a specific user. For example, the user ID may be used to report on how many users have an average of three or more
dates per month. D2L would not use the data to report on how many times John Smith looks at his deadlines. D2L
retains the data as long as required to generate reports based on general user data. The reports are subject to change
at D2L's discretion and client-specific data is subject to the terms specified in the MA, including data retention past
contract termination.
Calendar | Course offering ID (key), title, description, date, type (test, assignment) | All course offerings for all instances at a given data center | Not stored
Grades (Weights and point values) | Course offering, grade item | All course offerings for all instances at a given data center | Not stored
End-user personal date | Title, description, date, grade weight, type (test, assignment) | User | As long as required for analytical purposes
Note: End-user personal dates are created by end-users (midterms, assignments, etc.); the information doesn't
currently exist in the LMS. However, after creation, the dates persist between devices.
3. If the data is stored in Brightspace Learning Environment, the data is retrieved using the Valence API. If the data is
not stored in Brightspace Learning Environment, the data is retrieved from the Dates Service database.
Figure 3: How the Dates Service works when accessing dates from Brightspace Pulse
Location
One instance per Data Center.
Note: D2L is evaluating a solution that will provide Brightspace Insights in the cloud for on-premise Brightspace
implementations. As such, the Distributed Event Framework Service is currently only available in D2L Data Centers.
Dependencies
Depends on the Landlord Service.
Data Stored
The Distributed Event Framework Service transmits and stores data in the form of events. The Distributed Event
Framework Service uses the Advanced Message Queuing Protocol (AMQP) with encryption. While in transit, all events
are encrypted. The events that are transmitted contain programmatic identifiers for the user, the context of the event,
and the type of the event. For example:
Events such as logins, tool access, and content visits are identified by the programmatic identifier for the user.
Events are stored in the Data Center and transmitted to services such as the Brightspace Data Platform (located in
AWS).
3. The Telegraph Service pulls batches of events from the Main DB split and prepares to publish them to the
Distributed Event Framework Service.
4. Before publishing events, the Telegraph Service must attach a TenantId to each event. It first looks for the TenantId
in the Memcache (where a cached copy of the TenantId may be stored). If the TenantId is not there, it requests it
from the Landlord Service.
5. The Landlord Service returns the unique TenantID to the Telegraph Service, which attaches the TenantId to each
event and then publishes the events to the Distributed Event Framework Service.
6. The Distributed Event Framework Service processes the events for usage by other products/services. For example,
the Distributed Event Framework Service streams events to the Brightspace Data Platform.
Figure 4: How the Distributed Event Framework Service works with Brightspace Insights
Location
One global instance in Microsoft Azure South Central US and West US.
Dependencies
Depended on by Brightspace Assignment Grader Transcoding Service.
Depended on by Brightspace Binder system, including the Brightspace Binder Data Store, Content Publishing
Service (CPS), Binder Store, and Binder apps.
Depended on by MyDesire2Learn.
Data Transmitted/Stored
For each user registered in the system:
A hash of the password (but not the password itself, to prevent decryption).
A security question and three hashes for the answers (but not the answers themselves, to prevent decryption).
Email address.
Whether or not the user has been verified and the deadline for verification.
Whether or not the user is currently active and the date of deactivation (if applicable).
The last successful login date, the number of failed login attempts, and the date the user was locked out (if
applicable).
Whether or not this is a dummy user and an expiry date (if applicable).
2. Alternatively, a separate solution requests the security question of the service. The response is checked against the
stored hashes.
Feed Service
Description
The Feed Service provides an API for learner updates to the Announcements, Grades, and Content tools. It sends user
notifications (the ones that appear in the minibar in Brightspace Learning Environment) to the Apple Push Notification
Service (APNS) and Google Cloud Messaging (GCM) for use by the Apple iOS and Google Android platforms,
respectively.
Note: When users log in with Brightspace Pulse, data starts collecting automatically. To prevent data collection while
you are evaluating this product for your environment, disable the Feed Service.
Location
A global cluster that resides in AWS. The Feed Service Database resides in IBM Cloudant.
Dependencies
Depends on the Authentication Service.
Data Transmitted/Stored
The Feed Service stores Announcements notifications that are pushed from the LMS as they happen (in the LMS) for
Brightspace Pulse users. This service itself does not return to the LMS to retrieve historical data.
To communicate, devices and microservices use the HTTPS networking protocol. While in transit, all data is encrypted;
however, data at rest is not encrypted.
The user ID in data is a composite key along with the course offering ID; it is not a universally accepted global ID for the
user. The user ID cannot be linked to a user's name or identity. In the database, user IDs appear as a series of repeated
numbers.
Regarding data retention, D2L requires the user ID to report on general user data; it is not used to report on the activity
of a specific user. For example, the user ID may be used to report on how many users have an average of three or more
dates per month. D2L would not use the data to report on how many times John Smith looks at his deadlines. D2L
retains the data as long as required to generate reports based on general user data. The reports are subject to change
at D2L's discretion and client-specific data is subject to the terms specified in the MA, including data retention past
contract termination.
Grades Event: Released Grade | Course offering ID (key), user ID (key), grade value | All users for all course offerings for all instances globally | As long as required for analytical purposes
Grades Event: Updated Grade | Course offering ID (key), user ID (key), grade value | All users for all course offerings for all instances globally | As long as required for analytical purposes
Announcements Event: New Announcements Item | Course offering ID (key), title, description, posted date | All course offerings for all instances globally | As long as required for analytical purposes
Announcements Event: Updated Announcements Item | Course offering ID (key), title, description, posted date | All course offerings for all instances globally | As long as required for analytical purposes
User/Device Mapping | User ID (key), Device ID (key) | All devices for all users globally | As long as required for analytical purposes
Note: The Feed Service does not transmit information from courses with an End Date that has passed or that have the Is
Active setting disabled.
2. In Brightspace Learning Environment, events are generated that need to be sent to the Feed Service as push
notifications, for example, an exam grade.
4. The D2L Mobile Push Notification Service looks up the Device ID in the Mobile Push Notification Service Database
to determine who the intended recipient is.
5. The D2L Mobile Push Notification Service sends the Device ID to the third party Push Notification Service (i.e.
Apple, Google), which retrieves the event directly.
6. The 3rd party Push Notification Service sends a push notification to the device. No data is sent with the request,
only a notice that information is available such as an exam grade.
Figure 5: How the Brightspace Feed Service works when receiving notifications in Brightspace Pulse
Connections from the Hypermedia Proxy Service to Brightspace Learning Environment are made through the
Brightspace Valence API.
Location
A global cluster that resides in AWS.
Dependencies
Landlord Service - If unavailable, this service will also be unavailable.
Data Transmitted/Stored
No data is stored alongside this service. The data passed through this service is:
OrgUnitId
ID
Name
Completion state
Entity data representing files, links, LTI activity launch information, etc. Specifics depend on the entity type
and are dictated by Brightspace Learning Environment.
Landlord Service
Description
The Landlord Service is a global microservice that supports multi-tenancy and Service Oriented Architecture
(SOA)-based solutions. It provides each Brightspace instance with a TenantId, a permanent globally unique identifier.
Note: If a Brightspace instance cannot connect to the Landlord Service, a unique TenantId is not assigned and any
features that require a TenantId are unavailable. Users receive a message that their organization's system is not set up.
Location
A global instance that resides in AWS.
Dependencies
Depended on by:
Authentication Service
Brightspace Insights
Brightspace Pulse
Data Stored
The TenantId.
The main database split server as configured in the instance.config file and the database name.
API Calls
Landlord allows the following public read-only API calls:
Given primary domain, database server name, and database, retrieve a TenantId. All three values are required to
get a TenantId.
the DNS CNAME, where the value is the database server name
Important: The DNS CNAME and name of the main database split must match the
corresponding information in the instance.config file. The easiest method for providing this
information to D2L Support is to copy the connection string element from instance.config for
the main database split (excluding the password). For example:
Having your TenantID provisioned using a DNS CNAME instead of a host name ensures that if you need to make an
unplanned change to your database server, applications that rely on the TenantId are unaffected. For example, if your
site fails over to a mirror database, you update the CNAME value to the new host name. In this situation, no changes to
the TenantID are required. For example, Name: LVUDB, Type: CNAME, and Value: winsql01.lvu.com.
Add a firewall rule to allow outbound connections (port 80 and port 443) from all web and scalable servers to
https://landlord.brightspace.com.
Configure a proxy server on the network by setting up the following configuration variables:
d2l.System.Infrastructure.ProxyAddress - The address of the proxy server. It normally takes the form
http://myproxy:8080/ or https://myproxy:8080/ where myproxy is the host name or IP address and 8080 is the
port.
d2l.System.Infrastructure.ProxyBypassAddresses - Addresses or address patterns that should not go through
the proxy server. Address patterns take the form scheme://hostname:port/path where scheme is either http or
https; hostname can be set as a * wildcard; port can be a specific number or a * wildcard to apply to all port
numbers; and path is optional and can also contain a * wildcard.
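The ProxyBypassAddresses pattern format described above, as an added example that is not D2L's own code: it matches URLs against scheme://hostname:port/path patterns to report which requests would skip the proxy and which patterns use a wildcard host. The matching rules (an omitted path matches every path, default ports 80 and 443, patterns supplied as a list) and the sample patterns are assumptions; only the two brightspace.com endpoints come from this guide.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample patterns (not from the guide). They are given as a list
# because the guide does not say how the variable delimits several patterns.
BYPASS_PATTERNS = [
    "http://intranet.example.edu:*",  # one host, any port, any path
    "https://*:8443/health*",         # any host on port 8443
]

# The two D2L endpoints the guide says on-premise sites must be able to reach.
D2L_ENDPOINTS = [
    "https://auth.brightspace.com",
    "https://landlord.brightspace.com",
]


def parse_pattern(pattern):
    """Split scheme://hostname:port/path into (scheme, host, port, path)."""
    scheme, sep, rest = pattern.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be http or https: {pattern!r}")
    authority, slash, path = rest.partition("/")
    host, colon, port = authority.rpartition(":")
    if not colon or not host:
        raise ValueError(f"expected hostname:port in {pattern!r}")
    if port != "*" and not port.isdigit():
        raise ValueError(f"port must be a number or *: {pattern!r}")
    # An omitted path yields "", which is treated below as "any path".
    return scheme, host.lower(), port, slash + path


def _glob(text):
    """Compile a pattern in which * is the only wildcard character."""
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in text)
    return re.compile(body + r"\Z")


def bypasses_proxy(url, patterns):
    """Return the first pattern that sends url direct, or None if proxied."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    for pattern in patterns:
        p_scheme, p_host, p_port, p_path = parse_pattern(pattern)
        if p_scheme != scheme:
            continue
        if p_host != "*" and p_host != host:
            continue
        if p_port != "*" and int(p_port) != port:
            continue
        if p_path and not _glob(p_path).match(path):
            continue
        return pattern
    return None


def broad_patterns(patterns):
    """Patterns with a wildcard host: they let any destination skip the proxy."""
    return [p for p in patterns if parse_pattern(p)[1] == "*"]


def route_report(urls, patterns):
    """Map each URL to 'proxy' or to the bypass pattern that matched it."""
    return {u: bypasses_proxy(u, patterns) or "proxy" for u in urls}


if __name__ == "__main__":
    for url, route in route_report(D2L_ENDPOINTS, BYPASS_PATTERNS).items():
        print(f"{url} -> {route}")
    print("wildcard-host patterns:", broad_patterns(BYPASS_PATTERNS))
```

A wildcard-host entry is worth reviewing before deployment, because every destination it matches leaves the network without passing through the proxy's logging and filtering.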
If you need to change the primary domain of your Brightspace site, the database server name, or the name of the main
database split, contact your D2L Technical Account Manager.
Location
A service that resides in AWS.
Dependencies
Depended on by Brightspace Pulse.
Data Stored
Institution names (currently only Higher Education, US/Canada)
Brightspace instance name and URL, if applicable (non-D2L institution names are also stored)
2. After entering the URL in Brightspace Pulse, the learner logs in, authenticating directly with the school's
Brightspace instance.
Figure 6: How the LMS Discovery Service works with Brightspace Pulse
Modifying or filtering user information between Brightspace Pulse and other sources of information (currently,
Brightspace Learning Environment only).
Connections from the User Info Service to Brightspace Learning Environment are made through the Brightspace
Valence API. To allow connections from the User Info Service to Brightspace Learning Environment, on-premise clients
must ensure that the Brightspace Valence API is publicly accessible.
Location
A global cluster that resides in AWS. The User Info Service Database resides in IBM Cloudant.
Dependencies
No dependencies on other microservices.
Data Transmitted/Stored
The User Info Service stores the following user data for course offering enrollments in a User Info Service database in
IBM Cloudant:
orgUnitId
Active flag (Brightspace Pulse only - was returned in previous enrollments, but is no longer returned)
Location
A cluster of nodes in AWS regions, influenced by our client base. D2L works with customers in many regions,
jurisdictions, and markets with different needs and requirements for data privacy and residency.
Dependencies
Depends on the Distributed Event Framework Service.
Data Transmitted/Stored
The Brightspace Data Platform stores and transmits analytics events and aggregated data. Events provide information
about actions performed by the user. For example, a content visit event is triggered when a user opens a content topic.
These events are aggregated across meaningful dimensions, for example, course access by all students in a course. The
aggregated data can be transmitted via the Data API, for example, to a Brightspace Insights report.
Events contain programmatic identifiers for the user, the context of the event, and the type of the event. For example:
Stored data is encrypted with keys that are generated by D2L and unique to each region. The data is stored on
encrypted volumes to guard against back-end services being compromised. When transmitting data, the Brightspace
Data Platform uses the HTTPS networking protocol. While in transit, all events are encrypted. Data access is restricted
on a per-customer basis using the TenantID of the originating Brightspace instance. API access is governed by user and
system-level permissions.
2. The Distributed Event Framework Service sends events to the Brightspace Data Platform.
4. The Brightspace Data Platform aggregates data, and stores the aggregated data in BDP Storage. For example, Login
Events could be aggregated along hourly, daily, and weekly dimensions.
5. Aggregated data is sent to Brightspace Learning Environment in response to API requests. For example, API
requests could be used to generate a report showing the Login Events generated for learners in a course.
About D2L
A global leader in EdTech, D2L is the creator of Brightspace, the world's first integrated learning platform.
The company partners with thought-leading organizations to improve learning through data-driven technology that
helps deliver a personalized experience to every learner, regardless of geography or ability. D2L's open and extensible
platform is used by more than 1,100 clients and almost 15 million individual learners in higher education, K12,
healthcare, government, and the enterprise sector, including Fortune 1000 companies.
The company has operations in the United States, Canada, Europe, Australia, Brazil, and Singapore.
www.brightspace.com | www.D2L.com
Contact Us
1.800.656.210 (Australia)
0.800.891.4507 (Brazil)
Fax: 1.519.772.0324
Email: info@brightspace.com
Twitter: @Brightspace
Web: www.brightspace.com | www.D2L.com
© 2016 D2L Corporation.
The D2L family of companies includes D2L Corporation, D2L Ltd, D2L Australia Pty Ltd, D2L Europe Ltd, D2L Asia Pte Ltd, and D2L Brasil Soluções de
Tecnologia para Educação Ltda.
Brightspace, D2L, and other marks ("D2L marks") are trademarks of D2L Corporation, registered in the U.S. and other countries. Please visit
d2l.com/trademarks for a list of other D2L marks.
Amazon Web Services and AWS are trademarks, registered trademarks or trade dress of AWS in the U.S. and/or other countries.
Apache, Apache Hadoop, and Hadoop are trademarks of The Apache Software Foundation. Used with permission. No endorsement by The Apache
Software Foundation is implied by the use of these marks.
IBM and Cloudant are registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.
All other trademarks are property of their respective trademark holders.