Impacts testing of SSL encryption on the instance performance-ApsaraDB for MongoDB(MongoDB)-阿里云帮助中心

Test environment

Create an ECS instance and an ApsaraDB for MongoDB instance. For more information, see Create a replica set instance and Create and manage an ECS instance in the console (express version).

The following configurations are used in the test.

ApsaraDB for MongoDB instance
- Instance architecture: replica set instance
- Number of primary and secondary nodes: three nodes
- Number of read-only nodes: one node
- Instance specifications: 1 core and 2 GB of memory (general-purpose)
- Instance version: MongoDB 4.2
ECS Instance
- Instance type: ecs.e-c1m2.large (2 cores and 4 GB of memory)

Test method

Import test data

Yahoo! Cloud Serving Benchmark (YCSB) is used to import 1,000,000 entries into a collection named usertable in a database named ycsb. Run the following command to import the entries:

./bin/ycsb load mongodb -s -p workload=site.ycsb.workloads.CoreWorkload -p recordcount=1000000 -p mongodb.url="mongodb://root:******@dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717,dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717,dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717/admin?readPreference=secondary&replicaSet=mgset-82894753" -threads 8

The collection generated by YCSB has the following structure:

{
  "_id": "user1352498093671118016",
  "field1": "BinData(0,\"L1s/KS8+MlYhISUuIz8qNVx9PTRuNiooNlolPVMzJCE0ODNuP15zLjB6NSU4LV0pPC98LkovOFttOyQkL1chNV8tOlxrKlstPkp3IzkiLTcuLU93ITRqOzEwPScsIEx5L1o5JQ==\")",
  "field0": "BinData(0,\"I0I/NDAmNUkrLFA3PEA5IEI3KC4qKEJ1LCc6JV8rJlo7KUR3MDRqMk95KjhoIlUjLy1qMls9OFU7PTpuKTZsNlUpMVYvNSI4KDlwK1trIUpnMlInKSAmNDg8LSpmOl85PkozMA==\")",
  "field7": "BinData(0,\"NzxyPjUkNiYsOEp1MUIpIDA0M1U/JE1nMjMmODhkIko/LEh1NSRqKl1jKDBqJjMqMiw8PSc6KjgsNEwrLFkpKFh9OzQ+MS86LiB4P1oxLVxjIiQgMCdsM0AhO0QzNTFqI1dpMw==\")",
  "field6": "BinData(0,\"MVhpIj1uI0RlJ1AtP0t/LkAxMVp9MlU3KFJpK0Z3M0M/OE55IFBhPyA6Njp+L1tnJjh4Iic4K1F/Oi9gKz44PFFpPE5jNydqKUJrPyV4KDY2LDd0Nic6PC9wPDhgNykwOj10Iw==\")",
  "field9": "BinData(0,\"OEA/NDRwLilwLzVoMz5oIzVuLStoPlF9NVU5MVd3PDUkPV0nPl07OU05LkYnKDQ8L0VrIkwlJDg+NCRuIitoNjV4PkM9NCt0LyE4PCFkKUI/LVwxKjdsMkgnICsgKFQrJit8Lg==\")",
  "field8": "BinData(0,\"P0J/P0ozMCBwIjJwP0IpJUMlPkhhIkI3MU91OjUmMFM9NEBhJD8+OEdpJDh2OyxmMCQkKUgnJjYoKC0kKVMnKTQuODp6JjVwKSRwI1FhJy88PVAhPiE2OCMsKlYvJF1xOEUrJA==\")",
  "field3": "BinData(0,\"Mjc6KE4zJTEuJCJ4P18lNCZ4NkAtKTAwLFUvMDEsOzUkIEs3MVEzKT4mL1Q5IVF9N0N3O1snIUZ1L0k9IUY7IV8nNiQ+KTJ0I097Llg1MjE0PCQ4KDV2KzYsIDtwNzhuKkQrMA==\")",
  "field2": "BinData(0,\"Jit6L0olLTByJzpuPygyKSE8Li9iK00xIig4PVQhKTBqLkI/O0N9Izs+NVk/ISVmIy14Nko3NyxoI1Z1Pyo4JVt/MylsK1t9PS9yP1kzJFMjPF43P1l5P1xtPDAqLF57IiAsPQ==\")",
  "field5": "BinData(0,\"NSd2NiskPzcmITU4Oz58NzliP0ZpOz5wKiI0OVhlNDx0PlV1OllnNzJiOyMmOF45IEg7OD90KUZnP0g5OUJzK0M/OyN4O15lPzA6LTUgNUw9NDVoL0QrOTssISQ2KCw6KUJlKg==\")",
  "field4": "BinData(0,\"NDNkKjFuPyxsJzEmNzMqLVJzL0YpMTNwMjs8MTRiNEYtLE05P0I9NEU1LS4yNEFpNjUsOUs9JEs1IU5jOF5vIjpiNTMuKSY6K0s1LDp2JEp9KyFiIS1+J1U/LkoxMEp5OzJiIw==\")"
}

Run a test script

YCSB does not support stress testing with SSL encryption enabled. The following Python script is used instead.

import time
import pymongo
import datetime
import logging as log
from functools import wraps

log.basicConfig(
    level=log.INFO, format='%(asctime)s - [line %(lineno)d] : %(levelname)s - %(message)s')
console = log.StreamHandler()
console.setLevel(log.INFO)
formatter = log.Formatter(
    '%(asctime)s - [line %(lineno)d] : %(levelname)s - %(message)s')
console.setFormatter(formatter)


def time_recorder():
    def inner(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            start_time = time.time()
            result = func(*args, **kwargs)
            end_time = time.time()
            elapsed_time = (end_time - start_time) * 1000

            print_latency = kwargs.get("print_latency", False)
            return_latency = kwargs.get("return_latency", False)

            if print_latency:
                log.info(
                    f"Function {func.__name__} took {elapsed_time:.4f} millseconds to execute.")

            if return_latency:
                return result, elapsed_time
            return result
        return wrapper
    return inner


@time_recorder()
def build_client_without_ssl(**kwargs):
    client = pymongo.MongoClient(
        "mongodb://root:******@dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717,dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717,dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717/admin?readPreference=secondary&replicaSet=mgset-82894753")
    return client


@time_recorder()
def build_client_with_ssl(**kwargs):
    client = pymongo.MongoClient(
        "mongodb://root:******@dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717,dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717,dds-bp103175eafac****.mongodb.rds.aliyuncs.com:3717/admin?readPreference=secondary&replicaSet=mgset-82894753&tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=/root/ApsaraDB-CA-Chain.pem")
    return client


@time_recorder()
def find_one(client, **kwargs):
    client["ycsb"]["usertable"].find_one()


def test_connection():
    client = build_client_without_ssl(print_latency=True)
    find_one(client)

    client = build_client_with_ssl(print_latency=True)
    find_one(client)


test_connection()


@time_recorder()
def test(with_ssl=False, repeat=5000, **kwargs):
    log.info(f"test, with_ssl: {with_ssl}, repeat: {repeat}")
    ssl_suffix = "without-ssl"
    if with_ssl:
        ssl_suffix = "with-ssl"
    suffix = f"{repeat}-{ssl_suffix}.log"
    only_connection_file = f"only-connection-{suffix}"
    first_query_file = f"first-query-{suffix}"
    connection_and_first_query_file = f"connection-and-first-query-{suffix}"

    only_connection_f = open(only_connection_file, 'w')
    first_query_f = open(first_query_file, 'w')
    connection_and_first_query_f = open(connection_and_first_query_file, 'w')

    for _ in range(repeat):
        client = None
        connection_latency = 0

        if with_ssl:
            client, connection_latency = build_client_with_ssl(
                return_latency=True)
        else:
            client, connection_latency = build_client_without_ssl(
                return_latency=True)

        _, query_latency = find_one(client, return_latency=True)

        only_connection_f.write(f"{connection_latency}\n")
        first_query_f.write(f"{query_latency}\n")
        connection_and_first_query_f.write(f"{connection_latency + query_latency}\n")

    only_connection_f.close()
    first_query_f.close()
    connection_and_first_query_f.close()

    log.info(f"test end, write to {only_connection_file}, {first_query_file} and {connection_and_first_query_file}")


test(False, 5000, print_latency=True)
test(True, 5000, print_latency=True)


@time_recorder()
def run(client, log_file, repeat=5000, **kwargs):
    start = time.time()
    log.info(f"start to query, repeat: {repeat}")

    with open(log_file, 'w') as f:
        for _ in range(repeat):
            latency = find_one(client, return_latency=True)
            f.write(f"{latency}\n")

    end = time.time()
    total = (end - start) * 1000
    avg = total / repeat
    log.info(
        f"end query, repeat: {repeat}, total: {total} millseconds, avg: {avg} millseconds")


client = build_client_without_ssl()
run(client, "without-ssl.log")

client = build_client_with_ssl()
run(client, "with-ssl.log")

You can modify the following parameters as needed:

client: Replace the connection string, username, and password in pymongo.MongoClient() with the actual values of your ApsaraDB for MongoDB instance.
repeat: the number of test iterations. Default value: 5,000. You can change this value as needed.

The script outputs the following metrics:

only-connection: the time consumed to establish a connection.
first-query: the duration of the first query after a connection is established.
connection-and-first-query: the total duration from connection establishment to the completion of the first query. This value equals the sum of only-connection and first-query.
latency: the average duration of 5,000 queries when the client specified by pymongo.MongoClient() is reused.

Test results

The following table shows the average values across 5,000 iterations.

Item	Consumed time with SSL encryption disabled (ms)	Consumed time with SSL encryption enabled (ms)
Time consumed to establish a connection	3.7009	19.8515
Duration of the first query after a connection is established	20.7456	43.5884
Total duration from the connection establishment to the completion of the first query	24.4465	63.4399
Average query duration when the specified client is reused	0.7506	0.7643

The performance difference between SSL-enabled and SSL-disabled connections is primarily in connection establishment. When existing connections are reused, the average query durations are nearly identical. The main reasons are:

Transport Layer Security (TLS) adds extra round-trip time (RTT) during connection establishment.

With connection pooling, this RTT overhead is amortized across connections. Reusing an existing client after enabling SSL minimizes the TLS handshake overhead.
SSL encryption and decryption add overhead to each message transmitted over an established connection.

Modern CPUs handle encryption and decryption quickly. Other factors such as disk I/O and queue waiting consume more time during a query, so the performance impact of encryption is relatively small.