Skip to main content
KBY Technologies Logo
cd ../lexicon
sys/docs/lexicon/shuffle-sharding.md
Lexicon Entry

Shuffle Sharding

A sharding strategy that assigns each tenant a unique, randomly-selected combination of shards from a large pool, minimising overlap between tenants so failures affect only a small statistical fraction of the population.

Practical example

AWS Route 53 assigns each hosted zone a unique set of 4 name servers drawn from a much larger pool, so a DDoS or misconfiguration affecting one customer's name servers is highly unlikely to also affect another customer's distinct combination.

Conventional sharding (hash-mod-N, or consistent hashing onto a fixed ring) guarantees that every tenant assigned to shard k shares the exact same fault domain as every other tenant on k. If shard k degrades due to a hot key, a poison-pill request, or a hardware fault, 100% of tenants on that shard are affected. Shuffle sharding breaks this coupling by drawing, per-tenant, a combinatorial subset of size m from a pool of N physical workers (e.g., pick 8 of 512 available hosts using a hash of the tenant ID as a seed for a deterministic PRNG). Because the number of distinct m-of-N combinations grows combinatorially, the probability that two arbitrary tenants share all m shards approaches zero as N grows, even though pairwise overlap on individual shards is still common.

The critical architectural consequence is in how the client or router treats a shuffle-sharded assignment: a single degraded worker no longer implies a tenant outage. Instead, the client issues requests only to its full shard-set, and applies per-shard health tracking plus request routing that avoids known-bad shards within the set (often paired with a Circuit Breaker per shard-endpoint). A tenant is only fully unavailable if all members of its specific combination are simultaneously unhealthy — a much rarer event than any single shard being unhealthy. This is the mechanism AWS Route 53 and other multi-tenant control planes use to bound the ‘blast radius’ of a bad actor or correlated failure to a small, statistically-bounded fraction of the tenant population rather than an entire fleet.

Key design parameters and trade-offs:

  • Shard count per tenant (m): Larger m improves availability (more redundancy) but increases the probability of overlap with other tenants and increases per-request fan-out cost if the endpoint requires multi-shard coordination.
  • Pool size (N): Larger N reduces overlap probability but requires enough physical capacity and a stable, low-churn membership list — shard reassignment on scale-events must be deterministic and minimal (see rendezvous hashing) to avoid mass reshuffling.
  • Assignment determinism: The tenant-to-shard-set mapping must be a pure function of a stable tenant identifier (not sequence-dependent), so that reconnecting clients, retries, or failover paths recompute the identical shard set without needing a lookup service — this is what distinguishes it from arbitrary rebalancing schemes and keeps it stateless at the edge.
  • Correlated failure modeling: Shuffle sharding defends against independent shard failures (noisy neighbor, single-host degradation) but does not protect against correlated failures across the whole pool (e.g., a control-plane bug deployed fleet-wide, or an AZ-level outage) — it must be combined with AZ-aware placement constraints to avoid degenerate combinations that land entirely within one failure domain.

In practice, shuffle sharding is layered on top of existing primitives rather than replacing them: DNS resolvers, NAT gateway pools, and rate-limiter backends commonly use it to isolate tenants at the routing layer, while the underlying storage or compute nodes still rely on standard replication and consensus mechanisms. The technique is purely about failure-domain isolation via combinatorial diversity, not about consistency, ordering, or durability — it is a probability-shaping tool layered onto the routing/admission tier of a multi-tenant system.