The latest articles on Forem by InstaDevOps (@instadevops). https://forem.com/instadevops https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2952358%2F474aa7f4-09cf-409d-891e-cfc4f071d18a.png https://forem.com/instadevops en InstaDevOps Wed, 06 May 2026 13:48:03 +0000 https://forem.com/instadevops/aws-vpc-networking-transit-gateway-peering-privatelink-775 https://forem.com/instadevops/aws-vpc-networking-transit-gateway-peering-privatelink-775 <h2> AWS VPC Networking: Subnets, NAT Gateways, Transit Gateway, and PrivateLink </h2> <p>AWS networking is the foundation that everything else sits on, yet it is the area where most teams accumulate the most technical debt. A poorly designed VPC leads to security gaps, connectivity issues, and painful migrations later. Getting your network architecture right from the start - proper CIDR planning, subnet tiers, and connectivity patterns - saves enormous headaches as you scale.</p> <p>Every production VPC should have three subnet tiers across multiple availability zones: public subnets for load balancers and bastion hosts, private subnets for application workloads, and isolated subnets for databases with no internet access. NAT Gateways provide outbound internet access for private subnets - deploy one per AZ for high availability, but be aware they are one of the most expensive networking components. Use VPC endpoints (Gateway endpoints for S3/DynamoDB, Interface endpoints for other services) to keep traffic on the AWS backbone and reduce NAT Gateway costs.</p> <p>For multi-VPC architectures, Transit Gateway replaces the mesh of VPC peering connections that becomes unmanageable beyond 3-4 VPCs. Transit Gateway acts as a hub that all VPCs connect to, with route tables controlling which VPCs can communicate. PrivateLink exposes services across VPCs or to customers without traversing the public internet - essential for SaaS architectures and shared services platforms. Plan your CIDR ranges carefully to avoid overlaps, and use AWS RAM to share subnets across accounts in an AWS Organizations setup.</p> <p><strong>Need help designing your AWS network?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> architects production-grade VPC layouts for startups and scale-ups. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a>.</p> aws networking vpc devops InstaDevOps Tue, 05 May 2026 13:47:55 +0000 https://forem.com/instadevops/terraform-state-management-remote-backends-locking-recovery-3ofe https://forem.com/instadevops/terraform-state-management-remote-backends-locking-recovery-3ofe <h2> Terraform State Management: Remote Backends, Locking, and State Surgery </h2> <p>Terraform state is the single most critical file in your infrastructure-as-code workflow. It maps your Terraform configuration to real-world resources, and corrupting or losing it means Terraform loses track of everything it manages. Yet many teams start with local state files, no locking, and no backup strategy - a recipe for disaster the moment two people run terraform apply simultaneously.</p> <p>Remote backends solve the fundamentals: store state in S3 with DynamoDB locking, or use Terraform Cloud for managed state with built-in versioning. Every remote backend should have encryption at rest, versioning enabled for rollback, and a DynamoDB table for state locking to prevent concurrent modifications. Structure your state files by environment and component - a single monolithic state file for your entire infrastructure creates blast radius problems and slows down every plan and apply.</p> <p>State surgery is the skill you need when things go wrong. <code>terraform state mv</code> renames resources without destroying them. <code>terraform state rm</code> removes resources from state without deleting them from your cloud provider. <code>terraform import</code> brings existing infrastructure under Terraform management. These commands are dangerous - always back up your state file before running them. For large-scale refactoring, <code>terraform state pull</code> and <code>terraform state push</code> let you manipulate state as JSON, but treat this as a last resort.</p> <p><strong>Need help with your Terraform setup?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> specializes in production-grade infrastructure as code. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a> to discuss your IaC strategy.</p> terraform iac devops cloud InstaDevOps Mon, 04 May 2026 13:47:52 +0000 https://forem.com/instadevops/kubernetes-autoscaling-hpa-vpa-and-keda-deep-dive-32g7 https://forem.com/instadevops/kubernetes-autoscaling-hpa-vpa-and-keda-deep-dive-32g7 <h2> Kubernetes Autoscaling Deep Dive: HPA, VPA, KEDA, and Cluster Autoscaler </h2> <p>Kubernetes autoscaling is not a single feature - it is a layered system where four components work together to match your infrastructure to actual demand. Getting autoscaling wrong means either wasting money on idle resources or dropping traffic during load spikes. Understanding how HPA, VPA, KEDA, and the Cluster Autoscaler interact is essential for any production Kubernetes deployment.</p> <p>The Horizontal Pod Autoscaler (HPA) scales the number of pod replicas based on CPU, memory, or custom metrics. The Vertical Pod Autoscaler (VPA) adjusts resource requests and limits for individual containers based on observed usage - critical for right-sizing workloads you have not profiled yet. KEDA (Kubernetes Event-Driven Autoscaling) extends HPA with scalers for external event sources like SQS queue depth, Kafka consumer lag, or Prometheus queries, enabling scale-to-zero for workloads that do not need to run continuously. The Cluster Autoscaler adds or removes nodes when pods cannot be scheduled due to insufficient cluster capacity.</p> <p>The key to effective autoscaling is layering these components correctly. Run VPA in recommendation mode first to establish baseline resource requests. Configure HPA with appropriate metrics and thresholds - CPU utilization of 60-70% is a good starting point. Use KEDA for event-driven workloads like queue processors. And ensure Cluster Autoscaler is configured with appropriate node groups and scale-down policies to avoid unnecessary churn.</p> <p><strong>Struggling with Kubernetes scaling?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> helps teams implement autoscaling strategies that balance performance and cost. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a>.</p> kubernetes autoscaling keda devops InstaDevOps Sun, 03 May 2026 13:47:49 +0000 https://forem.com/instadevops/hashicorp-vault-production-secrets-management-guide-387p https://forem.com/instadevops/hashicorp-vault-production-secrets-management-guide-387p <h2> HashiCorp Vault for DevOps: Dynamic Secrets, PKI, and Zero-Trust Infrastructure </h2> <p>Static secrets are a ticking time bomb. Hardcoded API keys, long-lived database passwords stored in environment variables, and shared credentials passed around in Slack channels - these are the security gaps that attackers exploit every day. HashiCorp Vault solves this by providing a centralized secrets management platform that generates short-lived, dynamic credentials on demand.</p> <p>Vault's power lies in its secrets engines. The database secrets engine generates unique credentials for each application instance with automatic expiration. The PKI engine issues TLS certificates programmatically, eliminating manual certificate management. The AWS engine creates temporary IAM credentials scoped to exactly the permissions each service needs. Combined with Vault Agent for automatic secret injection and renewal, you can build infrastructure where no secret lives longer than it needs to.</p> <p>Implementing zero-trust with Vault means every service authenticates independently - whether through Kubernetes service accounts, AWS IAM roles, or AppRole for CI/CD pipelines. Vault's audit log tracks every secret access, giving you a complete trail for compliance. The transit engine handles encryption-as-a-service without exposing keys to applications. For teams running Kubernetes, the Vault CSI provider and sidecar injector make integration seamless.</p> <p><strong>Need help securing your infrastructure?</strong> At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we implement production-grade secrets management with HashiCorp Vault. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a> to discuss your security posture.</p> vault security secrets devops InstaDevOps Sat, 02 May 2026 13:47:45 +0000 https://forem.com/instadevops/microservices-communication-grpc-vs-rest-message-queues-and-sagas-337b https://forem.com/instadevops/microservices-communication-grpc-vs-rest-message-queues-and-sagas-337b <h2> Introduction </h2> <p>The moment you split a monolith into microservices, communication becomes your biggest challenge. In a monolith, a function call is nanoseconds, type-safe, and transactional. In microservices, every interaction is a network call that can fail, timeout, arrive out of order, or silently duplicate. The communication patterns you choose determine your system's reliability, latency, and operational complexity.</p> <p>This guide covers the practical decisions you face when designing microservice communication: synchronous vs asynchronous, gRPC vs REST, choosing the right message broker, implementing the saga pattern for distributed transactions, and building circuit breakers to prevent cascade failures.</p> <h2> Synchronous vs Asynchronous Communication </h2> <p>The first architectural decision is whether services communicate synchronously (request-response) or asynchronously (event-driven). Most systems need both.</p> <p><strong>Synchronous (request-response):</strong> Service A sends a request to Service B and waits for a response. Use for operations where the caller needs an immediate answer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User → API Gateway → Order Service → Inventory Service (check stock) ← stock confirmed ← order created ← 201 Created </code></pre> </div> <p><strong>Asynchronous (event-driven):</strong> Service A publishes an event and moves on. Other services consume the event whenever they are ready. Use for operations where the caller does not need an immediate answer, or when you want to decouple services.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Order Service → publishes "OrderCreated" event → Message Queue ├→ Payment Service (processes payment) ├→ Notification Service (sends email) └→ Analytics Service (records metric) </code></pre> </div> <p><strong>When to use synchronous:</strong></p> <ul> <li>User-facing requests that need an immediate response</li> <li>Data reads where you need the latest state</li> <li>Simple request-response queries between two services</li> </ul> <p><strong>When to use asynchronous:</strong></p> <ul> <li>Operations that can happen in the background (email, analytics, audit logs)</li> <li>When you need to fan out to multiple consumers</li> <li>When services have different availability requirements</li> <li>When you need to handle traffic spikes (the queue acts as a buffer)</li> </ul> <p>The biggest mistake teams make is going 100% synchronous. If your order service synchronously calls payment, inventory, notification, and analytics services in sequence, a slowdown in any one of them degrades the entire order flow. Move non-critical steps to async processing.</p> <h2> gRPC vs REST </h2> <p>For synchronous service-to-service communication, you are choosing between REST (HTTP/JSON) and gRPC (HTTP/2, Protocol Buffers).</p> <p><strong>REST</strong> is the default because it is simple, well-understood, and debuggable with curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Express.js REST endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/inventory/:productId</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stock</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT quantity FROM inventory WHERE product_id = $1</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">productId</span><span class="p">]</span> <span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">productId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">productId</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="nx">stock</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">quantity</span> <span class="o">||</span> <span class="mi">0</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Calling it from another service</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://inventory-service:3000/api/inventory/SKU-123</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> </code></pre> </div> <p><strong>gRPC</strong> uses Protocol Buffers for serialization and HTTP/2 for transport, giving you strong typing, smaller payloads, and bidirectional streaming:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="c1">// inventory.proto</span> <span class="na">syntax</span> <span class="o">=</span> <span class="s">"proto3"</span><span class="p">;</span> <span class="kn">package</span> <span class="nn">inventory</span><span class="p">;</span> <span class="kd">service</span> <span class="n">InventoryService</span> <span class="p">{</span> <span class="k">rpc</span> <span class="n">CheckStock</span> <span class="p">(</span><span class="n">StockRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">StockResponse</span><span class="p">);</span> <span class="k">rpc</span> <span class="n">WatchStock</span> <span class="p">(</span><span class="n">StockRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">stream</span> <span class="n">StockUpdate</span><span class="p">);</span> <span class="c1">// Server streaming</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">StockRequest</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">product_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">StockResponse</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">product_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kt">int32</span> <span class="na">quantity</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="kt">bool</span> <span class="na">in_stock</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">StockUpdate</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">product_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kt">int32</span> <span class="na">quantity</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="kt">string</span> <span class="na">timestamp</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// gRPC server (Node.js)</span> <span class="kd">const</span> <span class="nx">grpc</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@grpc/grpc-js</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">protoLoader</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@grpc/proto-loader</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">packageDef</span> <span class="o">=</span> <span class="nx">protoLoader</span><span class="p">.</span><span class="nf">loadSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">inventory.proto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">proto</span> <span class="o">=</span> <span class="nx">grpc</span><span class="p">.</span><span class="nf">loadPackageDefinition</span><span class="p">(</span><span class="nx">packageDef</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">grpc</span><span class="p">.</span><span class="nc">Server</span><span class="p">();</span> <span class="nx">server</span><span class="p">.</span><span class="nf">addService</span><span class="p">(</span><span class="nx">proto</span><span class="p">.</span><span class="nx">inventory</span><span class="p">.</span><span class="nx">InventoryService</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="p">{</span> <span class="na">checkStock</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">call</span><span class="p">,</span> <span class="nx">callback</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stock</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT quantity FROM inventory WHERE product_id = $1</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">call</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">product_id</span><span class="p">]</span> <span class="p">);</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="p">{</span> <span class="na">product_id</span><span class="p">:</span> <span class="nx">call</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">product_id</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="nx">stock</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">quantity</span> <span class="o">||</span> <span class="mi">0</span><span class="p">,</span> <span class="na">in_stock</span><span class="p">:</span> <span class="p">(</span><span class="nx">stock</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">quantity</span> <span class="o">||</span> <span class="mi">0</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">bindAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">0.0.0.0:50051</span><span class="dl">'</span><span class="p">,</span> <span class="nx">grpc</span><span class="p">.</span><span class="nx">ServerCredentials</span><span class="p">.</span><span class="nf">createInsecure</span><span class="p">(),</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">gRPC server running on port 50051</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>Choose REST when:</strong></p> <ul> <li>External-facing APIs (browsers, mobile apps, third parties)</li> <li>Simple CRUD operations</li> <li>You want maximum debuggability</li> <li>Team is not familiar with protobuf</li> </ul> <p><strong>Choose gRPC when:</strong></p> <ul> <li>Internal service-to-service communication with high call volume</li> <li>You need streaming (real-time feeds, file uploads)</li> <li>Latency-sensitive paths where the ~30% serialization speedup matters</li> <li>You want strict API contracts enforced at compile time</li> </ul> <p>In practice, many teams use REST for their public API and gRPC for internal service mesh communication.</p> <h2> Choosing a Message Broker </h2> <p>For asynchronous communication, you need a message broker. The three most common choices are SQS, RabbitMQ, and Kafka, and they serve different use cases.</p> <p><strong>Amazon SQS</strong> - Managed queue, simplest to operate, no infrastructure to manage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">SQSClient</span><span class="p">,</span> <span class="nx">SendMessageCommand</span><span class="p">,</span> <span class="nx">ReceiveMessageCommand</span><span class="p">,</span> <span class="nx">DeleteMessageCommand</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@aws-sdk/client-sqs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sqs</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SQSClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">QUEUE_URL</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://sqs.us-east-1.amazonaws.com/123456789/order-events</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Producer: publish event</span> <span class="k">await</span> <span class="nx">sqs</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">SendMessageCommand</span><span class="p">({</span> <span class="na">QueueUrl</span><span class="p">:</span> <span class="nx">QUEUE_URL</span><span class="p">,</span> <span class="na">MessageBody</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">eventType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OrderCreated</span><span class="dl">'</span><span class="p">,</span> <span class="na">orderId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ord_abc123</span><span class="dl">'</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usr_456</span><span class="dl">'</span><span class="p">,</span> <span class="na">total</span><span class="p">:</span> <span class="mf">99.99</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}),</span> <span class="na">MessageGroupId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ord_abc123</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// FIFO queue: ensures ordering per order</span> <span class="na">MessageDeduplicationId</span><span class="p">:</span> <span class="s2">`order-created-ord_abc123`</span><span class="p">,</span> <span class="c1">// Prevents duplicates</span> <span class="p">}));</span> <span class="c1">// Consumer: poll for events</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">pollMessages</span><span class="p">()</span> <span class="p">{</span> <span class="k">while </span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sqs</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">ReceiveMessageCommand</span><span class="p">({</span> <span class="na">QueueUrl</span><span class="p">:</span> <span class="nx">QUEUE_URL</span><span class="p">,</span> <span class="na">MaxNumberOfMessages</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">WaitTimeSeconds</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="c1">// Long polling</span> <span class="na">VisibilityTimeout</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="p">}));</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">message</span> <span class="k">of</span> <span class="nx">response</span><span class="p">.</span><span class="nx">Messages</span> <span class="o">||</span> <span class="p">[])</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">event</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nx">Body</span><span class="p">);</span> <span class="k">await</span> <span class="nf">processEvent</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="k">await</span> <span class="nx">sqs</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">DeleteMessageCommand</span><span class="p">({</span> <span class="na">QueueUrl</span><span class="p">:</span> <span class="nx">QUEUE_URL</span><span class="p">,</span> <span class="na">ReceiptHandle</span><span class="p">:</span> <span class="nx">message</span><span class="p">.</span><span class="nx">ReceiptHandle</span><span class="p">,</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>RabbitMQ</strong> - Feature-rich broker with flexible routing (exchanges, bindings, dead letter queues):</p> <p>Best when you need complex routing patterns (topic-based, headers-based), priority queues, or delayed messages. More operational overhead than SQS since you manage the broker yourself.</p> <p><strong>Apache Kafka</strong> - Distributed log for high-throughput event streaming:</p> <p>Best when you need event replay (consumers can re-read history), very high throughput (millions of events/second), or multiple consumer groups reading the same stream independently. Most complex to operate.</p> <p><strong>Decision matrix:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Requirement</th> <th>SQS</th> <th>RabbitMQ</th> <th>Kafka</th> </tr> </thead> <tbody> <tr> <td>Zero ops overhead</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>Message ordering</td> <td>FIFO queues</td> <td>Per queue</td> <td>Per partition</td> </tr> <tr> <td>Event replay</td> <td>No</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Complex routing</td> <td>No</td> <td>Yes</td> <td>No (use streams)</td> </tr> <tr> <td>Throughput</td> <td>High</td> <td>Medium</td> <td>Very high</td> </tr> <tr> <td>Latency</td> <td>~20ms</td> <td>~1ms</td> <td>~5ms</td> </tr> <tr> <td>Cost at low volume</td> <td>Cheapest</td> <td>Moderate</td> <td>Expensive</td> </tr> </tbody> </table></div> <p>For most startups: <strong>start with SQS</strong>. You can always migrate to Kafka later when you actually need event replay or million-message-per-second throughput.</p> <h2> The Saga Pattern for Distributed Transactions </h2> <p>In a monolith, creating an order means a single database transaction: deduct inventory, charge payment, create order - all or nothing. In microservices, each step is a different service with its own database. You cannot use a distributed transaction (2PC) because it does not scale and couples all services together.</p> <p>The saga pattern breaks a distributed transaction into a sequence of local transactions, each publishing an event that triggers the next step. If any step fails, compensating transactions undo the previous steps.</p> <p><strong>Choreography-based saga</strong> (each service reacts to events):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>OrderService PaymentService InventoryService │ │ │ ├─ Create order (PENDING) │ │ ├─ Publish "OrderCreated" ──►│ │ │ ├─ Charge payment │ │ ├─ Publish "PaymentCharged" ─►│ │ │ ├─ Reserve stock │ │ ├─ Publish "StockReserved" │◄───────────────────────────┼────────────────────────────┤ ├─ Update order → CONFIRMED │ │ │ │ │ │ --- If payment fails --- │ │ │ ├─ Publish "PaymentFailed" ──►│ │◄───────────────────────────┤ ├─ Release stock ├─ Update order → CANCELLED │ │ </code></pre> </div> <p><strong>Orchestration-based saga</strong> (a central coordinator manages the flow):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// saga-orchestrator.js</span> <span class="kd">class</span> <span class="nc">CreateOrderSaga</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">orderService</span><span class="p">,</span> <span class="nx">paymentService</span><span class="p">,</span> <span class="nx">inventoryService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">steps</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">execute</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">inventoryService</span><span class="p">.</span><span class="nf">reserveStock</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">items</span><span class="p">),</span> <span class="na">compensate</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">inventoryService</span><span class="p">.</span><span class="nf">releaseStock</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">items</span><span class="p">),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">execute</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">paymentService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">total</span><span class="p">),</span> <span class="na">compensate</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">paymentService</span><span class="p">.</span><span class="nf">refund</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">paymentId</span><span class="p">),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">execute</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">orderService</span><span class="p">.</span><span class="nf">confirmOrder</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">orderId</span><span class="p">),</span> <span class="na">compensate</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">orderService</span><span class="p">.</span><span class="nf">cancelOrder</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">orderId</span><span class="p">),</span> <span class="p">},</span> <span class="p">];</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">execute</span><span class="p">(</span><span class="nx">orderData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">completedSteps</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">step</span> <span class="k">of</span> <span class="k">this</span><span class="p">.</span><span class="nx">steps</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">step</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">orderData</span><span class="p">);</span> <span class="nx">orderData</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">orderData</span><span class="p">,</span> <span class="p">...</span><span class="nx">result</span> <span class="p">};</span> <span class="nx">completedSteps</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">step</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Saga step failed: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">. Compensating...`</span><span class="p">);</span> <span class="c1">// Compensate in reverse order</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">completed</span> <span class="k">of</span> <span class="nx">completedSteps</span><span class="p">.</span><span class="nf">reverse</span><span class="p">())</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">completed</span><span class="p">.</span><span class="nf">compensate</span><span class="p">(</span><span class="nx">orderData</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">compError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Compensation failed: </span><span class="p">${</span><span class="nx">compError</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Alert on-call - manual intervention needed</span> <span class="p">}</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Order saga failed: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">orderData</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Choreography vs orchestration:</strong> Use choreography when you have 2-3 services in the saga and the flow is simple. Use orchestration when you have 4+ services or complex branching logic. Orchestration is easier to understand, debug, and monitor.</p> <h2> Circuit Breakers </h2> <p>When a downstream service is failing, you do not want every request to wait for a timeout. A circuit breaker detects failures and short-circuits requests to the failing service, returning an error immediately or falling back to a cached response.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// circuit-breaker.js</span> <span class="kd">class</span> <span class="nc">CircuitBreaker</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">options</span> <span class="o">=</span> <span class="p">{})</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureThreshold</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">failureThreshold</span> <span class="o">||</span> <span class="mi">5</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">resetTimeout</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">resetTimeout</span> <span class="o">||</span> <span class="mi">30000</span><span class="p">;</span> <span class="c1">// 30 seconds</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastFailureTime</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">CLOSED</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// CLOSED = normal, OPEN = failing, HALF_OPEN = testing</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">execute</span><span class="p">(</span><span class="nx">fn</span><span class="p">,</span> <span class="nx">fallback</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPEN</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastFailureTime</span> <span class="o">&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nx">resetTimeout</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">HALF_OPEN</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">fallback</span><span class="p">)</span> <span class="k">return</span> <span class="nf">fallback</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Circuit breaker is OPEN</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fn</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">HALF_OPEN</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">CLOSED</span><span class="dl">'</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span><span class="o">++</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastFailureTime</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span> <span class="o">&gt;=</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureThreshold</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">OPEN</span><span class="dl">'</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Circuit breaker tripped to OPEN</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">fallback</span><span class="p">)</span> <span class="k">return</span> <span class="nf">fallback</span><span class="p">();</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="kd">const</span> <span class="nx">inventoryBreaker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CircuitBreaker</span><span class="p">({</span> <span class="na">failureThreshold</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">resetTimeout</span><span class="p">:</span> <span class="mi">15000</span><span class="p">,</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">checkStock</span><span class="p">(</span><span class="nx">productId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">inventoryBreaker</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="c1">// Primary: call inventory service</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`http://inventory-service:3000/api/stock/</span><span class="p">${</span><span class="nx">productId</span><span class="p">}</span><span class="s2">`</span><span class="p">).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">r</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Inventory service returned </span><span class="p">${</span><span class="nx">r</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}),</span> <span class="c1">// Fallback: return cached/default value</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="nx">productId</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">in_stock</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">source</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fallback</span><span class="dl">'</span> <span class="p">})</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>In production, use a library like <a href="https://github.com/nodeshift/opossum" rel="noopener noreferrer">opossum</a> for Node.js or rely on your service mesh (Istio, Linkerd) to handle circuit breaking at the infrastructure level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Istio DestinationRule with circuit breaking</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">inventory-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">inventory-service</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">100</span> <span class="na">http</span><span class="pi">:</span> <span class="na">h2UpgradePolicy</span><span class="pi">:</span> <span class="s">DEFAULT</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">50</span> <span class="na">http2MaxRequests</span><span class="pi">:</span> <span class="m">100</span> <span class="na">maxRequestsPerConnection</span><span class="pi">:</span> <span class="m">10</span> <span class="na">outlierDetection</span><span class="pi">:</span> <span class="na">consecutive5xxErrors</span><span class="pi">:</span> <span class="m">3</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">baseEjectionTime</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxEjectionPercent</span><span class="pi">:</span> <span class="m">50</span> </code></pre> </div> <h2> Observability for Distributed Communication </h2> <p>Debugging microservice communication without proper observability is like debugging a distributed system blindfolded. Implement these three pillars:</p> <p><strong>Distributed tracing</strong> - propagate trace IDs across service boundaries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Using OpenTelemetry</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">trace</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">propagation</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@opentelemetry/api</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// When making an outbound request, propagate context</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callService</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{};</span> <span class="nx">propagation</span><span class="p">.</span><span class="nf">inject</span><span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nf">active</span><span class="p">(),</span> <span class="nx">headers</span><span class="p">);</span> <span class="k">return</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">headers</span><span class="p">,</span> <span class="c1">// Includes traceparent header</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">),</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Structured logging</strong> - include correlation IDs in every log line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Every log entry includes the trace/request ID</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Processing order</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">traceId</span><span class="p">:</span> <span class="nx">span</span><span class="p">.</span><span class="nf">spanContext</span><span class="p">().</span><span class="nx">traceId</span><span class="p">,</span> <span class="na">orderId</span><span class="p">:</span> <span class="nx">order</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">order-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">create_order</span><span class="dl">'</span><span class="p">,</span> <span class="na">duration_ms</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">startTime</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p><strong>Metrics</strong> - track request rate, error rate, and latency (the RED method):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Prometheus metrics</span> <span class="kd">const</span> <span class="nx">httpRequestDuration</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">promClient</span><span class="p">.</span><span class="nc">Histogram</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http_request_duration_seconds</span><span class="dl">'</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Duration of HTTP requests</span><span class="dl">'</span><span class="p">,</span> <span class="na">labelNames</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">target_service</span><span class="dl">'</span><span class="p">],</span> <span class="na">buckets</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">5</span><span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Designing and implementing microservices communication patterns - from choosing the right broker to implementing sagas and circuit breakers - requires deep infrastructure expertise. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs build reliable, scalable microservice architectures - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your microservices architecture and communication challenges.</p> microservices architecture devops grpc InstaDevOps Fri, 01 May 2026 13:47:40 +0000 https://forem.com/instadevops/backup-and-disaster-recovery-rtorpo-planning-and-aws-backup-41hn https://forem.com/instadevops/backup-and-disaster-recovery-rtorpo-planning-and-aws-backup-41hn <h2> Introduction </h2> <p>Every startup says they have backups. Very few have actually tested restoring from them. Even fewer have a documented disaster recovery plan with defined recovery objectives. Then something goes wrong - a developer runs a destructive migration against production, a region goes down, ransomware encrypts your EBS volumes - and the team discovers their "backup strategy" was an untested assumption.</p> <p>Disaster recovery does not have to be complicated or expensive, especially on AWS. But it does have to be intentional. This guide walks through building a real DR strategy: defining your recovery objectives, implementing the 3-2-1 backup rule, configuring AWS Backup, setting up cross-region replication, and most importantly, testing that everything actually works.</p> <h2> Understanding RTO and RPO </h2> <p>Before you configure a single backup, you need two numbers:</p> <p><strong>Recovery Point Objective (RPO):</strong> How much data can you afford to lose? If your RPO is 1 hour, you need backups at least every hour. If your RPO is zero, you need synchronous replication.</p> <p><strong>Recovery Time Objective (RTO):</strong> How long can your service be down before the business impact becomes unacceptable? If your RTO is 4 hours, you need a recovery process that can restore full service within 4 hours.</p> <p>These numbers vary by system. Here is a realistic example for a SaaS startup:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>System</th> <th>RPO</th> <th>RTO</th> <th>Strategy</th> </tr> </thead> <tbody> <tr> <td>Primary database (PostgreSQL)</td> <td>5 minutes</td> <td>30 minutes</td> <td>Continuous WAL archiving + read replica</td> </tr> <tr> <td>User uploads (S3)</td> <td>0 (no loss)</td> <td>1 hour</td> <td>Cross-region replication</td> </tr> <tr> <td>Application servers</td> <td>N/A (stateless)</td> <td>15 minutes</td> <td>Auto-scaling group, multi-AZ</td> </tr> <tr> <td>Redis cache</td> <td>1 hour</td> <td>15 minutes</td> <td>Rebuild from DB if needed</td> </tr> <tr> <td>Elasticsearch</td> <td>24 hours</td> <td>4 hours</td> <td>Nightly snapshots to S3</td> </tr> <tr> <td>Configuration/secrets</td> <td>0 (no loss)</td> <td>30 minutes</td> <td>Versioned in AWS Secrets Manager</td> </tr> </tbody> </table></div> <p>The key insight: not everything needs the same level of protection. Your production database needs 5-minute RPO. Your Elasticsearch cluster (which can be rebuilt from the database) can tolerate 24-hour RPO. Treating everything equally means overspending on DR for low-criticality systems.</p> <h2> The 3-2-1 Backup Rule </h2> <p>The 3-2-1 rule is decades old and still the best framework for backup strategy:</p> <ul> <li> <strong>3</strong> copies of your data</li> <li> <strong>2</strong> different storage media/types</li> <li> <strong>1</strong> copy offsite (different region or provider)</li> </ul> <p>In AWS terms:</p> <ol> <li> <strong>Copy 1:</strong> Production data (RDS instance, EBS volumes, S3 buckets)</li> <li> <strong>Copy 2:</strong> AWS Backup vault in the same region (different storage from production)</li> <li> <strong>Copy 3:</strong> Cross-region backup copy (different region entirely)</li> </ol> <p>For truly critical data, consider a fourth copy outside AWS entirely (GCP bucket, Azure blob, or even Backblaze B2). This protects against the unlikely but possible scenario of an AWS account compromise.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example: backup RDS snapshot to an external provider using pg_dump</span> pg_dump <span class="nt">-h</span> your-rds-endpoint.region.rds.amazonaws.com <span class="se">\</span> <span class="nt">-U</span> dbadmin <span class="nt">-d</span> production <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span>custom <span class="se">\</span> <span class="nt">--file</span><span class="o">=</span>production-<span class="si">$(</span><span class="nb">date</span> +%Y%m%d<span class="si">)</span>.dump <span class="c"># Encrypt and upload to external storage</span> gpg <span class="nt">--symmetric</span> <span class="nt">--cipher-algo</span> AES256 production-<span class="si">$(</span><span class="nb">date</span> +%Y%m%d<span class="si">)</span>.dump aws s3 <span class="nb">cp </span>production-<span class="si">$(</span><span class="nb">date</span> +%Y%m%d<span class="si">)</span>.dump.gpg s3://offsite-backups/ <span class="nt">--storage-class</span> GLACIER_IR </code></pre> </div> <h2> Configuring AWS Backup </h2> <p>AWS Backup provides a centralized service to manage backups across RDS, EBS, EFS, DynamoDB, S3, and more. Here is a production-ready configuration using Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Backup vault</span> <span class="nx">resource</span> <span class="s2">"aws_backup_vault"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-vault"</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">backup</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Cross-region vault for DR</span> <span class="nx">resource</span> <span class="s2">"aws_backup_vault"</span> <span class="s2">"dr"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">dr_region</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-vault-dr"</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">backup_dr</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Backup plan</span> <span class="nx">resource</span> <span class="s2">"aws_backup_plan"</span> <span class="s2">"production"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-backup-plan"</span> <span class="c1"># Hourly backups retained for 24 hours</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">rule_name</span> <span class="p">=</span> <span class="s2">"hourly"</span> <span class="nx">target_vault_name</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">schedule</span> <span class="p">=</span> <span class="s2">"cron(0 * * * ? *)"</span> <span class="nx">start_window</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">completion_window</span> <span class="p">=</span> <span class="mi">120</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">1</span> <span class="c1"># days</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Daily backups retained for 30 days</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">rule_name</span> <span class="p">=</span> <span class="s2">"daily"</span> <span class="nx">target_vault_name</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">schedule</span> <span class="p">=</span> <span class="s2">"cron(0 3 * * ? *)"</span> <span class="nx">start_window</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">completion_window</span> <span class="p">=</span> <span class="mi">180</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">cold_storage_after</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="c1"># Copy to DR region</span> <span class="nx">copy_action</span> <span class="p">{</span> <span class="nx">destination_vault_arn</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">dr</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Weekly backups retained for 1 year</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">rule_name</span> <span class="p">=</span> <span class="s2">"weekly"</span> <span class="nx">target_vault_name</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">schedule</span> <span class="p">=</span> <span class="s2">"cron(0 4 ? * SUN *)"</span> <span class="nx">start_window</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">completion_window</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">cold_storage_after</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">365</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Assign resources to backup plan</span> <span class="nx">resource</span> <span class="s2">"aws_backup_selection"</span> <span class="s2">"production"</span> <span class="p">{</span> <span class="nx">iam_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">backup</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-resources"</span> <span class="nx">plan_id</span> <span class="p">=</span> <span class="nx">aws_backup_plan</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># Backup everything tagged with Backup=true</span> <span class="nx">selection_tag</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STRINGEQUALS"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"Backup"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Tag your resources to include them in the backup plan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"production"</span> <span class="p">{</span> <span class="c1"># ... other config</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Backup</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ebs_volume"</span> <span class="s2">"data"</span> <span class="p">{</span> <span class="c1"># ... other config</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Backup</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Cross-Region Replication </h2> <p>For services where you need faster recovery than restoring from backups, set up active replication:</p> <p><strong>RDS Cross-Region Read Replica:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Primary in us-east-1</span> <span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"production-primary"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"16.2"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.xlarge"</span> <span class="nx">multi_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">backup_retention_period</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">backup_window</span> <span class="p">=</span> <span class="s2">"03:00-04:00"</span> <span class="p">}</span> <span class="c1"># Cross-region replica in us-west-2</span> <span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"dr_replica"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">dr_region</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"production-dr-replica"</span> <span class="nx">replicate_source_db</span> <span class="p">=</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.large"</span> <span class="c1"># Can be smaller to save cost</span> <span class="c1"># Can be promoted to primary during DR</span> <span class="nx">auto_minor_version_upgrade</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><strong>S3 Cross-Region Replication:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-uploads-primary"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="c1"># Required for replication</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_replication_configuration"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">replication</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"replicate-all"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">destination</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">dr</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD_IA"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>DynamoDB Global Tables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"sessions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sessions"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"session_id"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"session_id"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="nx">replica</span> <span class="p">{</span> <span class="nx">region_name</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Your DR Plan </h2> <p>This is where most organizations fail. A backup strategy without tested recovery procedures is not a strategy - it is a hope.</p> <p><strong>Quarterly DR drill checklist:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## DR Drill - Q2 2026</span> <span class="gu">### Pre-drill</span> <span class="p">-</span> [ ] Schedule 4-hour maintenance window <span class="p">-</span> [ ] Notify stakeholders <span class="p">-</span> [ ] Document current production state (record counts, latest transactions) <span class="gu">### Database Recovery</span> <span class="p">-</span> [ ] Restore RDS from latest cross-region snapshot <span class="p">-</span> [ ] Verify restore completed without errors <span class="p">-</span> [ ] Compare row counts against production <span class="p">-</span> [ ] Run application smoke tests against restored DB <span class="p">-</span> [ ] Record actual restore time: _____ minutes (RTO target: 30 min) <span class="p">-</span> [ ] Record data loss window: _____ minutes (RPO target: 5 min) <span class="gu">### Application Recovery</span> <span class="p">-</span> [ ] Deploy application stack in DR region using Terraform <span class="p">-</span> [ ] Verify DNS failover configuration works <span class="p">-</span> [ ] Run full integration test suite <span class="p">-</span> [ ] Record actual application recovery time: _____ minutes <span class="gu">### S3 Data Verification</span> <span class="p">-</span> [ ] Compare object counts between primary and DR bucket <span class="p">-</span> [ ] Download and verify random sample of objects <span class="p">-</span> [ ] Verify replication lag: _____ seconds <span class="gu">### Post-drill</span> <span class="p">-</span> [ ] Document any issues encountered <span class="p">-</span> [ ] Update runbooks based on findings <span class="p">-</span> [ ] File tickets for gaps identified <span class="p">-</span> [ ] Update RTO/RPO estimates based on actual times </code></pre> </div> <p>Automate what you can. This script verifies your RDS backup is restorable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># dr-test-rds-restore.sh</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nv">SNAPSHOT_ID</span><span class="o">=</span><span class="si">$(</span>aws rds describe-db-snapshots <span class="se">\</span> <span class="nt">--db-instance-identifier</span> production-primary <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'reverse(sort_by(DBSnapshots, &amp;SnapshotCreateTime))[0].DBSnapshotIdentifier'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Restoring from snapshot: </span><span class="nv">$SNAPSHOT_ID</span><span class="s2">"</span> aws rds restore-db-instance-from-db-snapshot <span class="se">\</span> <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="se">\</span> <span class="nt">--db-snapshot-identifier</span> <span class="s2">"</span><span class="nv">$SNAPSHOT_ID</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--db-instance-class</span> db.t3.medium <span class="se">\</span> <span class="nt">--no-multi-az</span> <span class="nb">echo</span> <span class="s2">"Waiting for instance to be available..."</span> aws rds <span class="nb">wait </span>db-instance-available <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="nb">echo</span> <span class="s2">"Running verification queries..."</span> <span class="nv">ENDPOINT</span><span class="o">=</span><span class="si">$(</span>aws rds describe-db-instances <span class="se">\</span> <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'DBInstances[0].Endpoint.Address'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="nv">RESTORED_COUNT</span><span class="o">=</span><span class="si">$(</span>psql <span class="nt">-h</span> <span class="s2">"</span><span class="nv">$ENDPOINT</span><span class="s2">"</span> <span class="nt">-U</span> dbadmin <span class="nt">-d</span> production <span class="nt">-tAc</span> <span class="s2">"SELECT count(*) FROM users"</span><span class="si">)</span> <span class="nv">PROD_COUNT</span><span class="o">=</span><span class="si">$(</span>psql <span class="nt">-h</span> prod-endpoint <span class="nt">-U</span> dbadmin <span class="nt">-d</span> production <span class="nt">-tAc</span> <span class="s2">"SELECT count(*) FROM users"</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Production users: </span><span class="nv">$PROD_COUNT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Restored users: </span><span class="nv">$RESTORED_COUNT</span><span class="s2">"</span> <span class="c"># Cleanup</span> aws rds delete-db-instance <span class="se">\</span> <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="se">\</span> <span class="nt">--skip-final-snapshot</span> </code></pre> </div> <h2> Common DR Mistakes to Avoid </h2> <p><strong>1. Backing up data but not configuration.</strong> Your database backup is useless if you cannot recreate the VPC, security groups, IAM roles, and application configuration needed to run your service. Infrastructure as code (Terraform, CloudFormation) is a DR requirement, not a nice-to-have.</p> <p><strong>2. Not encrypting backups.</strong> Unencrypted backups in S3 are a security liability. Use KMS encryption on all backup vaults and S3 buckets.</p> <p><strong>3. Using the same KMS key for primary and DR.</strong> If your primary region's KMS key becomes unavailable, you cannot decrypt backups in the DR region. Use separate KMS keys in each region, or use multi-region KMS keys.</p> <p><strong>4. Ignoring DNS TTL.</strong> If you need to failover DNS to a DR region, a 24-hour TTL means clients will keep hitting the dead primary for up to 24 hours. Set TTLs to 60 seconds for any record that might need to change during DR.</p> <p><strong>5. No communication plan.</strong> When production goes down, people panic. Document who gets notified, how (Slack, PagerDuty, phone), and who has the authority to initiate DR procedures. Practice this too.</p> <h2> Need Help with Your DevOps? </h2> <p>Building a disaster recovery strategy that actually works when you need it requires planning, implementation, and regular testing. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs implement production-grade backup and DR infrastructure - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your backup and disaster recovery needs.</p> aws disasterrecovery devops backup InstaDevOps Thu, 30 Apr 2026 13:47:36 +0000 https://forem.com/instadevops/argocd-gitops-deployment-guide-app-of-apps-and-progressive-delivery-7c7 https://forem.com/instadevops/argocd-gitops-deployment-guide-app-of-apps-and-progressive-delivery-7c7 <h2> Introduction </h2> <p>GitOps is the practice of using Git as the single source of truth for your infrastructure and application configuration. ArgoCD is the most widely adopted GitOps operator for Kubernetes, and for good reason - it watches your Git repositories and automatically reconciles your cluster state to match what is defined in your manifests.</p> <p>But installing ArgoCD is the easy part. The hard part is structuring your repositories, managing multi-environment deployments, implementing progressive delivery, and setting up proper RBAC so your platform team does not become a bottleneck. This guide covers all of that with production-tested patterns.</p> <h2> Installing and Configuring ArgoCD </h2> <p>Start with a production-ready ArgoCD installation using the HA manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create namespace</span> kubectl create namespace argocd <span class="c"># Install ArgoCD HA (recommended for production)</span> kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/ha/install.yaml <span class="c"># Wait for all pods to be ready</span> kubectl <span class="nb">wait</span> <span class="nt">--for</span><span class="o">=</span><span class="nv">condition</span><span class="o">=</span>ready pod <span class="nt">-l</span> app.kubernetes.io/part-of<span class="o">=</span>argocd <span class="nt">-n</span> argocd <span class="nt">--timeout</span><span class="o">=</span>300s <span class="c"># Get initial admin password</span> kubectl <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.password}"</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>Expose ArgoCD via an Ingress (assuming you have an ingress controller and cert-manager):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-server</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/ssl-passthrough</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HTTPS"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.yourcompany.com</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">argocd-tls</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">argocd.yourcompany.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-server</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">443</span> </code></pre> </div> <p>Configure ArgoCD to connect to your Git repositories. For private repos, use SSH deploy keys:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd repo add git@github.com:yourorg/k8s-manifests.git <span class="se">\</span> <span class="nt">--ssh-private-key-path</span> ~/.ssh/argocd_deploy_key </code></pre> </div> <h2> The App-of-Apps Pattern </h2> <p>The app-of-apps pattern is the standard way to manage multiple ArgoCD applications declaratively. Instead of manually creating each Application resource through the UI or CLI, you define a single root Application that points to a directory of Application manifests.</p> <p>Repository structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s-manifests/ ├── apps/ # Root app-of-apps directory │ ├── api.yaml # Application manifest for API service │ ├── frontend.yaml # Application manifest for frontend │ ├── worker.yaml # Application manifest for worker │ ├── redis.yaml # Application manifest for Redis │ └── monitoring.yaml # Application manifest for monitoring stack ├── services/ │ ├── api/ │ │ ├── base/ │ │ │ ├── deployment.yaml │ │ │ ├── service.yaml │ │ │ └── kustomization.yaml │ │ └── overlays/ │ │ ├── staging/ │ │ │ └── kustomization.yaml │ │ └── production/ │ │ └── kustomization.yaml │ ├── frontend/ │ │ └── ... │ └── worker/ │ └── ... └── infrastructure/ ├── redis/ └── monitoring/ </code></pre> </div> <p>The root application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># root-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">root</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">git@github.com:yourorg/k8s-manifests.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>An individual app manifest within the <code>apps/</code> directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/api.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">finalizers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">resources-finalizer.argocd.argoproj.io</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">git@github.com:yourorg/k8s-manifests.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">services/api/overlays/production</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> </code></pre> </div> <p>When you add a new service, you just add a new YAML file to the <code>apps/</code> directory and push to Git. ArgoCD picks it up automatically.</p> <h2> Sync Waves and Resource Ordering </h2> <p>Sync waves control the order in which ArgoCD applies resources. This is critical when you have dependencies - you need namespaces before deployments, CRDs before custom resources, and databases before applications.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Wave -1: Namespaces and CRDs first</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">production</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="nn">---</span> <span class="c1"># Wave 0: Infrastructure (databases, caches)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># ... Redis application config</span> <span class="nn">---</span> <span class="c1"># Wave 1: Shared services (service mesh, secrets)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># ... External Secrets Operator config</span> <span class="nn">---</span> <span class="c1"># Wave 2: Application services</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># ... API application config</span> </code></pre> </div> <p>Combine sync waves with resource hooks for even finer control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Run database migration before deploying new version</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Job</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">db-migrate</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/hook</span><span class="pi">:</span> <span class="s">PreSync</span> <span class="na">argocd.argoproj.io/hook-delete-policy</span><span class="pi">:</span> <span class="s">BeforeHookCreation</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">migrate</span> <span class="na">image</span><span class="pi">:</span> <span class="s">yourorg/api:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">node"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">migrate.js"</span><span class="pi">]</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">backoffLimit</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <h2> Progressive Delivery with Argo Rollouts </h2> <p>ArgoCD handles syncing manifests to your cluster, but it does not manage how traffic shifts to new versions. That is where Argo Rollouts comes in. It replaces the standard Kubernetes Deployment with a Rollout resource that supports canary and blue-green deployment strategies.</p> <p>Install Argo Rollouts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace argo-rollouts kubectl apply <span class="nt">-n</span> argo-rollouts <span class="nt">-f</span> https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml </code></pre> </div> <p>A canary rollout with automated analysis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">yourorg/api:v2.1.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">250m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">canaryService</span><span class="pi">:</span> <span class="s">api-canary</span> <span class="na">stableService</span><span class="pi">:</span> <span class="s">api-stable</span> <span class="na">trafficRouting</span><span class="pi">:</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">stableIngress</span><span class="pi">:</span> <span class="s">api-ingress</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">analysis</span><span class="pi">:</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">30</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">analysis</span><span class="pi">:</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">60</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">100</span> </code></pre> </div> <p>The analysis template that gates each promotion step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AnalysisTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">60s</span> <span class="na">count</span><span class="pi">:</span> <span class="m">5</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.99</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">2</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus.monitoring:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(rate(http_requests_total{app="api",status=~"2.."}[5m]))</span> <span class="s">/</span> <span class="s">sum(rate(http_requests_total{app="api"}[5m]))</span> </code></pre> </div> <p>If the success rate drops below 99% during any analysis phase, Argo Rollouts automatically rolls back to the stable version. No human intervention required at 3 AM.</p> <h2> RBAC and Multi-Tenancy </h2> <p>For teams with multiple projects or environments, ArgoCD's RBAC system controls who can see and sync what. Define projects to create boundaries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">team-payments</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Payments</span><span class="nv"> </span><span class="s">team</span><span class="nv"> </span><span class="s">applications"</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">git@github.com:yourorg/payments-*'</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">payments-*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Payments</span><span class="nv"> </span><span class="s">team</span><span class="nv"> </span><span class="s">developers"</span> <span class="na">policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">p, proj:team-payments:developer, applications, get, team-payments/*, allow</span> <span class="pi">-</span> <span class="s">p, proj:team-payments:developer, applications, sync, team-payments/*, allow</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">payments-team</span> <span class="c1"># Maps to SSO group</span> </code></pre> </div> <p>Configure SSO integration (Dex with GitHub example):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd-cm ConfigMap</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">data</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://argocd.yourcompany.com</span> <span class="na">dex.config</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">connectors:</span> <span class="s">- type: github</span> <span class="s">id: github</span> <span class="s">name: GitHub</span> <span class="s">config:</span> <span class="s">clientID: $dex.github.clientID</span> <span class="s">clientSecret: $dex.github.clientSecret</span> <span class="s">orgs:</span> <span class="s">- name: yourorg</span> </code></pre> </div> <h2> Repository Structure Best Practices </h2> <p>After working with dozens of ArgoCD deployments, here are the patterns that hold up:</p> <p><strong>Separate app manifests from app source code.</strong> Keep your Kubernetes manifests in a dedicated repository, not alongside your application code. This gives you independent versioning, cleaner git history, and prevents application CI from triggering ArgoCD syncs.</p> <p><strong>Use Kustomize overlays for environments.</strong> Do not duplicate manifests for staging and production. Use a base with overlays:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># services/api/overlays/production/kustomization.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">patch</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">- op: replace</span> <span class="s">path: /spec/replicas</span> <span class="s">value: 5</span> <span class="na">target</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yourorg/api</span> <span class="na">newTag</span><span class="pi">:</span> <span class="s">v2.1.0</span> <span class="c1"># Updated by CI pipeline</span> </code></pre> </div> <p><strong>Automate image tag updates.</strong> Your application CI pipeline should update the image tag in the manifests repo after a successful build. Use <code>kustomize edit set image</code> or a tool like ArgoCD Image Updater:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In your application CI pipeline (GitHub Actions example)</span> - name: Update manifest repo run: | git clone git@github.com:yourorg/k8s-manifests.git <span class="nb">cd </span>k8s-manifests/services/api/overlays/production kustomize edit <span class="nb">set </span>image yourorg/api<span class="o">=</span>yourorg/api:<span class="k">${</span><span class="p">{ github.sha </span><span class="k">}</span><span class="o">}</span> git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Update api image to </span><span class="k">${</span><span class="p">{ github.sha </span><span class="k">}</span><span class="s2">}"</span> git push </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Implementing GitOps with ArgoCD properly - from repository structure to progressive delivery to RBAC - takes experience and planning. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs set up production-grade Kubernetes infrastructure and deployment pipelines - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your Kubernetes and deployment challenges.</p> argocd gitops kubernetes devops InstaDevOps Wed, 29 Apr 2026 13:47:33 +0000 https://forem.com/instadevops/elasticsearch-operations-guide-cluster-sizing-and-performance-tuning-361j https://forem.com/instadevops/elasticsearch-operations-guide-cluster-sizing-and-performance-tuning-361j <h2> Introduction </h2> <p>Elasticsearch is one of those tools that is easy to set up but notoriously difficult to operate at scale. A basic single-node cluster handles your first million documents fine, then things start breaking: slow queries, disk pressure alerts, unbalanced shards, and the dreaded cluster yellow or red status at 3 AM.</p> <p>This guide covers the operational side of Elasticsearch - the things you learn after running it in production for years. We will go through cluster sizing, index lifecycle management (ILM), shard allocation strategies, snapshot and restore procedures, and performance tuning techniques that actually matter.</p> <h2> Cluster Sizing and Hardware Planning </h2> <p>The most common mistake in Elasticsearch sizing is starting with too few nodes and too little memory. Here are the numbers that matter:</p> <p><strong>Memory:</strong> Elasticsearch lives and dies by its JVM heap and filesystem cache. The rule of thumb: give Elasticsearch 50% of available RAM as JVM heap (capped at 31GB to stay under compressed oops threshold), and leave the other 50% for the OS filesystem cache.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># jvm.options</span> <span class="s">-Xms16g</span> <span class="s">-Xmx16g</span> <span class="c1"># Never set heap above 31g - you lose compressed ordinary object pointers</span> </code></pre> </div> <p><strong>For a production logging cluster handling ~100GB/day of logs:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Role</th> <th>Nodes</th> <th>CPU</th> <th>RAM</th> <th>Storage</th> </tr> </thead> <tbody> <tr> <td>Master-eligible</td> <td>3</td> <td>2 vCPU</td> <td>8 GB</td> <td>50 GB SSD</td> </tr> <tr> <td>Data (hot)</td> <td>3</td> <td>8 vCPU</td> <td>64 GB</td> <td>2 TB NVMe SSD</td> </tr> <tr> <td>Data (warm)</td> <td>2</td> <td>4 vCPU</td> <td>32 GB</td> <td>8 TB HDD</td> </tr> <tr> <td>Coordinating</td> <td>2</td> <td>4 vCPU</td> <td>16 GB</td> <td>100 GB SSD</td> </tr> </tbody> </table></div> <p><strong>Dedicated master nodes are non-negotiable</strong> for any production cluster. Master nodes handle cluster state, shard allocation, and index creation. If your master nodes are also serving queries and indexing data, cluster instability follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># elasticsearch.yml - dedicated master node</span> <span class="na">node.roles</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">master</span><span class="pi">]</span> <span class="na">cluster.name</span><span class="pi">:</span> <span class="s">production-logs</span> <span class="na">node.name</span><span class="pi">:</span> <span class="s">master-1</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># elasticsearch.yml - hot data node</span> <span class="na">node.roles</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">data_hot</span><span class="pi">,</span> <span class="nv">data_content</span><span class="pi">,</span> <span class="nv">ingest</span><span class="pi">]</span> <span class="na">node.attr.data_tier</span><span class="pi">:</span> <span class="s">hot</span> <span class="na">cluster.name</span><span class="pi">:</span> <span class="s">production-logs</span> <span class="na">node.name</span><span class="pi">:</span> <span class="s">hot-data-1</span> </code></pre> </div> <p><strong>AWS-specific sizing:</strong> On EC2, use <code>r6g</code> instances for data nodes (memory-optimized, Graviton for cost savings) and <code>m6g</code> for master/coordinating nodes. Use gp3 EBS volumes - they offer 3000 baseline IOPS regardless of volume size, which is more cost-effective than gp2 for most Elasticsearch workloads.</p> <h2> Index Lifecycle Management (ILM) </h2> <p>ILM automates the progression of indices through hot, warm, cold, and delete phases. Without ILM, you end up with hundreds of indices eating resources forever, or someone writes a fragile cron job to delete old indices.</p> <p>Here is a production ILM policy for application logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_ilm/policy/logs-lifecycle</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"policy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"phases"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"hot"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0ms"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rollover"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"max_primary_shard_size"</span><span class="p">:</span><span class="w"> </span><span class="s2">"50gb"</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1d"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"set_priority"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"warm"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"shrink"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"number_of_shards"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"forcemerge"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"max_num_segments"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"allocate"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"require"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"warm"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"set_priority"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"cold"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"30d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allocate"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"require"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cold"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"set_priority"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"delete"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"90d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"delete"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Apply the policy to an index template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_index_template/logs-template</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index_patterns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"logs-*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"template"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"number_of_shards"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"number_of_replicas"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.lifecycle.name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"logs-lifecycle"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.lifecycle.rollover_alias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"logs-write"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.routing.allocation.require.data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hot"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Key ILM tuning tips:</strong></p> <ul> <li>Rollover on shard size (50GB max primary shard) rather than document count - shard size is what affects performance</li> <li>Force merge to 1 segment in the warm phase to reclaim disk and improve query performance on read-only indices</li> <li>Shrink indices in warm phase if you started with multiple shards for write throughput but no longer need them</li> </ul> <h2> Shard Allocation and Rebalancing </h2> <p>Sharding is where most Elasticsearch performance problems originate. The guidelines are straightforward but frequently violated:</p> <p><strong>Rule 1: Keep shards between 10GB and 50GB.</strong> Shards under 1GB waste resources on overhead. Shards over 50GB make recovery slow and rebalancing painful.</p> <p><strong>Rule 2: Aim for fewer than 20 shards per GB of heap.</strong> A node with 16GB heap should host no more than ~300 shards. Each shard consumes memory for metadata, field data, and segment info regardless of whether it is being queried.</p> <p>Check your current shard distribution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Shard count per node</span> curl <span class="nt">-s</span> localhost:9200/_cat/allocation?v <span class="c"># Shards sorted by size</span> curl <span class="nt">-s</span> localhost:9200/_cat/shards?v<span class="se">\&amp;</span><span class="nv">s</span><span class="o">=</span>store:desc <span class="c"># Identify hot spots - nodes with too many shards</span> curl <span class="nt">-s</span> localhost:9200/_cat/nodes?v<span class="se">\&amp;</span><span class="nv">h</span><span class="o">=</span>name,heap.percent,disk.used_percent,shards </code></pre> </div> <p>When shards are unevenly distributed, you can adjust allocation awareness:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_cluster/settings</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"persistent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cluster.routing.allocation.awareness.attributes"</span><span class="p">:</span><span class="w"> </span><span class="s2">"zone"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cluster.routing.allocation.awareness.force.zone.values"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1a,us-east-1b,us-east-1c"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This ensures that primary and replica shards land in different availability zones, giving you zone-failure resilience.</p> <h2> Snapshot and Restore </h2> <p>Snapshots are your safety net. Without them, a bad mapping change, accidental index deletion, or cluster corruption means data loss. Set up automated snapshots to S3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_snapshot/s</span><span class="mi">3</span><span class="err">-backup</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"bucket"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-es-snapshots"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"base_path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_snapshot_bytes_per_sec"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200mb"</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_restore_bytes_per_sec"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200mb"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Create a snapshot lifecycle management (SLM) policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_slm/policy/nightly-backup</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"schedule"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0 0 2 * * ?"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;nightly-snap-{now/d}&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"repository"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3-backup"</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"indices"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"logs-*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"metrics-*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"app-*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"ignore_unavailable"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"include_global_state"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"retention"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"expire_after"</span><span class="p">:</span><span class="w"> </span><span class="s2">"30d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"min_count"</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_count"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Test your restores regularly.</strong> A snapshot you have never restored is a backup you do not have. Schedule a quarterly restore drill:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Restore a specific index to verify backup integrity</span> curl <span class="nt">-X</span> POST <span class="s2">"localhost:9200/_snapshot/s3-backup/nightly-snap-2026.04.01/_restore"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/json'</span> <span class="nt">-d</span> <span class="s1">'{ "indices": "logs-2026.03.31", "rename_pattern": "(.+)", "rename_replacement": "restored-$1" }'</span> <span class="c"># Verify document count matches</span> curl <span class="nt">-s</span> <span class="s2">"localhost:9200/restored-logs-2026.03.31/_count"</span> curl <span class="nt">-s</span> <span class="s2">"localhost:9200/logs-2026.03.31/_count"</span> </code></pre> </div> <h2> Performance Tuning </h2> <p>Here are the performance levers that have the biggest real-world impact, ranked by effort-to-benefit ratio:</p> <p><strong>1. Use bulk indexing, always.</strong> Single-document indexing is orders of magnitude slower. Aim for bulk requests of 5-15MB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bad: indexing one document at a time</span> curl <span class="nt">-X</span> POST <span class="s2">"localhost:9200/logs/_doc"</span> <span class="nt">-d</span> <span class="s1">'{"message": "log entry"}'</span> <span class="c"># Good: bulk indexing</span> curl <span class="nt">-X</span> POST <span class="s2">"localhost:9200/_bulk"</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/x-ndjson'</span> <span class="nt">--data-binary</span> @bulk-data.ndjson </code></pre> </div> <p><strong>2. Tune refresh interval for write-heavy indices.</strong> The default 1-second refresh creates a new Lucene segment every second, which is expensive. For logging use cases where near-real-time search is not critical:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">logs-write/_settings</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"refresh_interval"</span><span class="p">:</span><span class="w"> </span><span class="s2">"30s"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>3. Use doc_values and avoid fielddata.</strong> For aggregations and sorting on text fields, use the <code>keyword</code> type or multi-field mapping. Never enable fielddata on analyzed text fields - it loads the entire inverted index into heap memory.</p> <p><strong>4. Profile slow queries.</strong> Enable slow log to catch queries that degrade cluster performance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">logs-*/_settings</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index.search.slowlog.threshold.query.warn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.search.slowlog.threshold.query.info"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.search.slowlog.threshold.fetch.warn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1s"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>5. Disable swapping entirely.</strong> Swapped JVM heap is a death sentence for Elasticsearch performance. Configure this at the OS level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/sysctl.conf</span> vm.swappiness <span class="o">=</span> 1 <span class="c"># elasticsearch.yml</span> bootstrap.memory_lock: <span class="nb">true</span> </code></pre> </div> <h2> Monitoring and Alerting </h2> <p>At minimum, monitor these metrics (Prometheus with elasticsearch_exporter, Datadog, or Elastic's own monitoring):</p> <ul> <li> <strong>Cluster health</strong> - yellow means missing replicas, red means missing primaries</li> <li> <strong>JVM heap pressure</strong> - alert at 75%, panic at 85%</li> <li> <strong>Disk watermark</strong> - ES stops allocating at 85% (low), marks read-only at 95% (flood)</li> <li> <strong>Thread pool rejections</strong> - search, write, and bulk thread pool rejections indicate saturation</li> <li> <strong>GC pause time</strong> - young GC pauses over 100ms or old GC pauses over 1s are problems </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Quick health check script</span> curl <span class="nt">-s</span> localhost:9200/_cluster/health | jq <span class="s1">'{ status, number_of_nodes, active_primary_shards, relocating_shards, unassigned_shards }'</span> <span class="c"># Thread pool rejections</span> curl <span class="nt">-s</span> localhost:9200/_cat/thread_pool/search,write?v<span class="se">\&amp;</span><span class="nv">h</span><span class="o">=</span>node_name,name,active,rejected,completed </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Running Elasticsearch in production requires ongoing attention to cluster health, capacity planning, and performance optimization. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs manage complex infrastructure like Elasticsearch clusters without the cost of a full-time hire - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your Elasticsearch challenges.</p> elasticsearch devops performance operations InstaDevOps Tue, 28 Apr 2026 13:47:28 +0000 https://forem.com/instadevops/git-branching-strategies-trunk-based-vs-gitflow-vs-github-flow-4ejb https://forem.com/instadevops/git-branching-strategies-trunk-based-vs-gitflow-vs-github-flow-4ejb <h2> Introduction </h2> <p>Your Git branching strategy directly impacts how fast you ship code, how often deployments break, and how much time your team wastes on merge conflicts. Yet most teams pick a branching model once and never revisit it, even as their team size, deployment frequency, and product complexity change.</p> <p>In this guide, we will compare the three most popular branching strategies - trunk-based development, GitFlow, and GitHub Flow - with honest assessments of when each works and when each falls apart. We will also cover feature flags, release management, and monorepo-specific considerations that most branching guides skip entirely.</p> <h2> Trunk-Based Development </h2> <p>Trunk-based development (TBD) means everyone commits to a single branch (main/trunk), either directly or through very short-lived feature branches that last no more than a day or two. Google, Meta, and Netflix all practice trunk-based development at massive scale.</p> <p>The core rules are simple:</p> <ul> <li>The main branch is always deployable</li> <li>Feature branches live less than 24-48 hours</li> <li>Broken code is hidden behind feature flags, not long-lived branches</li> <li>CI runs on every commit and blocks merges on failure</li> </ul> <p>Here is a typical workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start work</span> git checkout main git pull origin main git checkout <span class="nt">-b</span> feature/add-retry-logic <span class="c"># Work for a few hours, then push</span> git add <span class="nt">-A</span> git commit <span class="nt">-m</span> <span class="s2">"Add exponential backoff to API client"</span> git push origin feature/add-retry-logic <span class="c"># Open PR, get review, merge same day</span> <span class="c"># Delete branch immediately after merge</span> </code></pre> </div> <p><strong>When it works:</strong> Teams with strong CI/CD pipelines, good test coverage (70%+ meaningful coverage), and engineers comfortable with feature flags. Ideal for continuous deployment where you ship multiple times per day.</p> <p><strong>When it breaks down:</strong> Teams without automated testing, regulated industries requiring formal release sign-off, or junior-heavy teams where code review bottlenecks cause branches to pile up.</p> <p>The biggest misconception about trunk-based development is that it means no code review. You absolutely still review code - you just review smaller, more frequent changes rather than massive PRs that touch 50 files.</p> <h2> GitFlow </h2> <p>GitFlow uses long-lived branches to manage releases: <code>main</code> holds production code, <code>develop</code> holds the next release, <code>feature/*</code> branches come off develop, <code>release/*</code> branches stabilize a release, and <code>hotfix/*</code> branches patch production emergencies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>main ───────────────────────────────────────────── │ ▲ ▲ │ │ │ └──▶ develop ────────────────────────────────── │ ▲ │ ▲ │ │ │ │ └── feature/x ──┘ └── feature/y ──┘ </code></pre> </div> <p>A typical GitFlow release cycle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start a feature</span> git checkout develop git checkout <span class="nt">-b</span> feature/new-dashboard <span class="c"># ... work for days/weeks ...</span> <span class="c"># Merge back to develop</span> git checkout develop git merge <span class="nt">--no-ff</span> feature/new-dashboard <span class="c"># Cut a release</span> git checkout <span class="nt">-b</span> release/2.4.0 develop <span class="c"># Stabilize (bug fixes only)</span> git commit <span class="nt">-m</span> <span class="s2">"Fix date formatting in dashboard"</span> <span class="c"># Finalize release</span> git checkout main git merge <span class="nt">--no-ff</span> release/2.4.0 git tag <span class="nt">-a</span> v2.4.0 <span class="nt">-m</span> <span class="s2">"Release 2.4.0"</span> git checkout develop git merge <span class="nt">--no-ff</span> release/2.4.0 </code></pre> </div> <p><strong>When it works:</strong> Teams shipping versioned software (desktop apps, mobile apps, SDKs, on-prem installations), teams with scheduled release cycles (bi-weekly, monthly), and teams that need to maintain multiple release versions simultaneously.</p> <p><strong>When it breaks down:</strong> Web applications deploying continuously, small teams (under 5 engineers) where the overhead is not justified, and teams that end up with feature branches living for weeks, creating merge hell.</p> <p>The honest truth about GitFlow in 2026: it was designed for a world where shipping software meant burning a CD. If you deploy a web application, GitFlow is almost certainly more process than you need.</p> <h2> GitHub Flow </h2> <p>GitHub Flow is the middle ground. You have one long-lived branch (main), create feature branches off it, open pull requests, and merge back to main after review. Main is always deployable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create feature branch from main</span> git checkout main git pull origin main git checkout <span class="nt">-b</span> add-health-check-endpoint <span class="c"># Work, commit, push</span> git add src/health.ts git commit <span class="nt">-m</span> <span class="s2">"Add /health endpoint with dependency checks"</span> git push origin add-health-check-endpoint <span class="c"># Open PR on GitHub</span> gh <span class="nb">pr </span>create <span class="nt">--title</span> <span class="s2">"Add health check endpoint"</span> <span class="se">\</span> <span class="nt">--body</span> <span class="s2">"Adds /health endpoint that checks DB and Redis connectivity"</span> <span class="c"># After review and CI passes, merge via GitHub UI</span> <span class="c"># Deploy automatically from main</span> </code></pre> </div> <p><strong>When it works:</strong> Most web application teams. It is simple enough for small teams, scales well to medium teams (5-30 engineers), and pairs naturally with CI/CD pipelines that deploy on every merge to main.</p> <p><strong>When it breaks down:</strong> When feature branches live too long (the same problem as GitFlow but less structured), or when you need to maintain multiple production versions.</p> <h2> Feature Flags as a Branching Strategy </h2> <p>Feature flags are not a replacement for branching - they are a complement that makes trunk-based development and GitHub Flow viable for complex features that take weeks to build.</p> <p>Here is a practical implementation using environment variables for simple flags and a feature flag service for anything more complex:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Simple approach: environment-based flags</span> <span class="c1"># docker-compose.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FEATURE_NEW_BILLING=false</span> <span class="pi">-</span> <span class="s">FEATURE_V2_SEARCH=true</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Application code</span> <span class="kd">function</span> <span class="nf">getSearchResults</span><span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FEATURE_V2_SEARCH</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">searchV2</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="c1">// New implementation</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">searchV1</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="c1">// Existing implementation</span> <span class="p">}</span> </code></pre> </div> <p>For production systems, use a proper feature flag service (LaunchDarkly, Unleash, Flagsmith, or even a simple Redis-backed solution):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Using Unleash (open source)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">initialize</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">unleash-client</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">unleash</span> <span class="o">=</span> <span class="nf">initialize</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://unleash.yourcompany.com/api</span><span class="dl">'</span><span class="p">,</span> <span class="na">appName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">customHeaders</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">UNLEASH_TOKEN</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">unleash</span><span class="p">.</span><span class="nf">isEnabled</span><span class="p">(</span><span class="dl">'</span><span class="s1">new-dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">}))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="k">await</span> <span class="nf">getNewDashboard</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="k">await</span> <span class="nf">getLegacyDashboard</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>The critical rule with feature flags: <strong>clean them up</strong>. Every flag should have an expiration date. Dead flags are technical debt that makes code harder to reason about. Set a calendar reminder to remove each flag within 2 weeks of full rollout.</p> <h2> Release Management Patterns </h2> <p>Regardless of your branching strategy, you need a release management approach. Here are three patterns ranked by deployment frequency:</p> <p><strong>Pattern 1: Continuous Deployment (trunk-based or GitHub Flow)</strong></p> <p>Every merge to main deploys to production automatically. Requires:</p> <ul> <li>Full automated tests</li> <li>Feature flags for incomplete work</li> <li>Canary or blue-green deployments</li> <li>Fast rollback capability </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions - deploy on every merge to main</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci &amp;&amp; npm test</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to production</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs update-service \</span> <span class="s">--cluster production \</span> <span class="s">--service api \</span> <span class="s">--force-new-deployment</span> </code></pre> </div> <p><strong>Pattern 2: Release Trains (GitHub Flow with scheduled deploys)</strong></p> <p>Merge to main anytime, but deploy on a schedule (daily, twice a week). Good for teams building confidence in their pipeline.</p> <p><strong>Pattern 3: Versioned Releases (GitFlow)</strong></p> <p>Cut release branches, stabilize, tag, and deploy. Necessary for software with multiple live versions.</p> <h2> Monorepo Branching Considerations </h2> <p>Monorepos add complexity to any branching strategy because a single branch may contain changes to multiple services. Key considerations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>monorepo/ ├── services/ │ ├── api/ │ ├── worker/ │ └── frontend/ ├── packages/ │ ├── shared-types/ │ └── utils/ └── infrastructure/ ├── terraform/ └── k8s/ </code></pre> </div> <p>Use path-based CI triggers so changes to one service do not trigger builds for unrelated services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions with path filters</span> <span class="na">name</span><span class="pi">:</span> <span class="s">API CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/shared-types/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/utils/**'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd services/api &amp;&amp; npm ci &amp;&amp; npm test</span> </code></pre> </div> <p>For monorepos, trunk-based development or GitHub Flow works far better than GitFlow. Long-lived feature branches in a monorepo are a recipe for merge conflicts across service boundaries.</p> <h2> Choosing the Right Strategy for Your Team </h2> <p>Here is a decision framework:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>Trunk-Based</th> <th>GitHub Flow</th> <th>GitFlow</th> </tr> </thead> <tbody> <tr> <td>Team size</td> <td>Any</td> <td>2-30</td> <td>5-50+</td> </tr> <tr> <td>Deploy frequency</td> <td>Multiple/day</td> <td>Daily-weekly</td> <td>Weekly-monthly</td> </tr> <tr> <td>Test coverage</td> <td>High (required)</td> <td>Medium-high</td> <td>Any</td> </tr> <tr> <td>Feature flag maturity</td> <td>High</td> <td>Low-medium</td> <td>Not needed</td> </tr> <tr> <td>Multiple live versions</td> <td>No</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Regulatory requirements</td> <td>Works with flags</td> <td>Works fine</td> <td>Natural fit</td> </tr> </tbody> </table></div> <p><strong>For most startups and SMBs deploying web applications:</strong> Start with GitHub Flow. It has the lowest overhead and the fewest ways to shoot yourself in the foot. Move to trunk-based development when your CI/CD pipeline and test coverage are mature enough to support it.</p> <p><strong>Avoid GitFlow unless</strong> you are shipping versioned software (mobile apps, SDKs, on-prem products) or you have regulatory requirements that demand formal release branches.</p> <h2> Need Help with Your DevOps? </h2> <p>Setting up the right branching strategy, CI/CD pipeline, and deployment workflow is just the beginning. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs build production-grade DevOps infrastructure at a fraction of the cost of a full-time hire - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your team's workflow and deployment challenges.</p> git devops workflow cicd InstaDevOps Mon, 27 Apr 2026 13:47:26 +0000 https://forem.com/instadevops/dns-and-cdn-architecture-building-fast-resilient-global-infrastructure-55h4 https://forem.com/instadevops/dns-and-cdn-architecture-building-fast-resilient-global-infrastructure-55h4 <h2> Introduction </h2> <p>DNS is the most critical and least understood part of most infrastructure. When DNS is working, nobody thinks about it. When it breaks, everything breaks. Your application, your API, your email, your monitoring dashboards that would help you debug the DNS issue, all of them depend on DNS resolution.</p> <p>CDN configuration is similarly important but often treated as an afterthought. Teams deploy CloudFront or Cloudflare, accept the defaults, and never think about cache hit ratios, edge computing, or failover behavior until there is an incident.</p> <p>This guide covers the DNS and CDN architecture decisions that matter for production systems, from basic setup through multi-region failover, with specific configurations for Route 53, CloudFront, and Cloudflare.</p> <h2> DNS Fundamentals That Matter in Production </h2> <p>Before diving into architecture, let us establish the DNS concepts that directly affect your infrastructure decisions.</p> <p><strong>Record types you will use most:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Type</th> <th>Purpose</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td>A</td> <td>Maps domain to IPv4 address</td> <td><code>api.example.com → 203.0.113.50</code></td> </tr> <tr> <td>AAAA</td> <td>Maps domain to IPv6 address</td> <td><code>api.example.com → 2001:db8::1</code></td> </tr> <tr> <td>CNAME</td> <td>Alias to another domain</td> <td><code>www.example.com → example.com</code></td> </tr> <tr> <td>ALIAS/ANAME</td> <td>CNAME-like at zone apex</td> <td><code>example.com → d1234.cloudfront.net</code></td> </tr> <tr> <td>MX</td> <td>Mail server routing</td> <td><code>example.com → 10 mail.example.com</code></td> </tr> <tr> <td>TXT</td> <td>Verification and policy</td> <td>SPF, DKIM, DMARC records</td> </tr> <tr> <td>NS</td> <td>Nameserver delegation</td> <td><code>example.com → ns-1234.awsdns-12.org</code></td> </tr> </tbody> </table></div> <p><strong>TTL (Time To Live)</strong> controls how long resolvers cache your records. Lower TTL means faster propagation of changes but more DNS queries hitting your nameservers. Higher TTL means better performance but slower failover.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check current TTL and propagation</span> dig +noall +answer api.example.com A <span class="c"># Check from multiple locations</span> dig @8.8.8.8 api.example.com A <span class="c"># Google DNS</span> dig @1.1.1.1 api.example.com A <span class="c"># Cloudflare DNS</span> dig @208.67.222.222 api.example.com A <span class="c"># OpenDNS</span> </code></pre> </div> <p>Production TTL recommendations:</p> <ul> <li> <strong>Static content CDN domains</strong>: 86400 (24 hours)</li> <li> <strong>API endpoints (stable)</strong>: 300-600 (5-10 minutes)</li> <li> <strong>API endpoints (failover-ready)</strong>: 60 (1 minute)</li> <li> <strong>During migrations</strong>: 60 or lower, set 24-48 hours before the change</li> </ul> <h2> Route 53 Configuration for Production </h2> <p>Route 53 is AWS's DNS service and the most common choice for teams running on AWS. Its killer feature is routing policies that go beyond simple DNS records.</p> <p><strong>Basic hosted zone setup:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a hosted zone</span> aws route53 create-hosted-zone <span class="se">\</span> <span class="nt">--name</span> example.com <span class="se">\</span> <span class="nt">--caller-reference</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span><span class="s2">"</span> <span class="c"># The output includes nameservers - update these at your domain registrar</span> </code></pre> </div> <p><strong>Health checks and failover routing:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a health check for the primary endpoint</span> aws route53 create-health-check <span class="nt">--caller-reference</span> <span class="s2">"primary-api"</span> <span class="se">\</span> <span class="nt">--health-check-config</span> <span class="s1">'{ "IPAddress": "203.0.113.50", "Port": 443, "Type": "HTTPS", "ResourcePath": "/health", "RequestInterval": 10, "FailureThreshold": 3, "EnableSNI": true, "FullyQualifiedDomainName": "api.example.com" }'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Primary</span><span class="w"> </span><span class="err">record</span><span class="w"> </span><span class="err">(us-east</span><span class="mi">-1</span><span class="err">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api.example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SetIdentifier"</span><span class="p">:</span><span class="w"> </span><span class="s2">"primary"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Failover"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PRIMARY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TTL"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"ResourceRecords"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.50"</span><span class="p">}],</span><span class="w"> </span><span class="nl">"HealthCheckId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"abcd-1234-health-check-id"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Secondary</span><span class="w"> </span><span class="err">record</span><span class="w"> </span><span class="err">(eu-west</span><span class="mi">-1</span><span class="err">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api.example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SetIdentifier"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secondary"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Failover"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SECONDARY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TTL"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"ResourceRecords"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"198.51.100.25"</span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>When the primary health check fails (3 consecutive failures at 10-second intervals = 30 seconds), Route 53 automatically starts returning the secondary IP. With a 60-second TTL, most clients will failover within 90 seconds.</p> <p><strong>Latency-based routing</strong> sends users to the closest region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">US</span><span class="w"> </span><span class="err">East</span><span class="w"> </span><span class="err">record</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api.example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SetIdentifier"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TTL"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"AliasTarget"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"HostedZoneId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Z35SXDOTRQ7X7K"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DNSName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-alb-1234.us-east-1.elb.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"EvaluateTargetHealth"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">EU</span><span class="w"> </span><span class="err">West</span><span class="w"> </span><span class="err">record</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api.example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SetIdentifier"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TTL"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"AliasTarget"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"HostedZoneId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Z32O12XQLNTSW2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DNSName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-alb-5678.eu-west-1.elb.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"EvaluateTargetHealth"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Route 53 determines the user's region based on the location of the DNS resolver they are using. This works well for most cases but can route incorrectly when users use public DNS resolvers (like 8.8.8.8) that are anycast and may resolve from a different location than the user.</p> <h2> CloudFront CDN Configuration </h2> <p>CloudFront is AWS's CDN with 600+ edge locations globally. For static websites and API acceleration, proper CloudFront configuration can reduce latency by 50-80% for geographically distributed users.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a CloudFront distribution for a static website on S3</span> aws cloudfront create-distribution <span class="nt">--distribution-config</span> <span class="s1">'{ "CallerReference": "static-site-2026", "Origins": { "Quantity": 1, "Items": [{ "Id": "S3-static-site", "DomainName": "my-site-bucket.s3.amazonaws.com", "S3OriginConfig": { "OriginAccessIdentity": "" }, "OriginAccessControlId": "E2QWRUHEXAMPLE" }] }, "DefaultCacheBehavior": { "TargetOriginId": "S3-static-site", "ViewerProtocolPolicy": "redirect-to-https", "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "AllowedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"] } }, "Aliases": { "Quantity": 1, "Items": ["www.example.com"] }, "ViewerCertificate": { "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abc123", "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021" }, "HttpVersion": "http2and3", "DefaultRootObject": "index.html", "Enabled": true, "Comment": "Production static site" }'</span> </code></pre> </div> <p><strong>Cache policies</strong> control what CloudFront caches and for how long. The default policies work for most cases, but for APIs you need custom policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"CachePolicyConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"API-Cache-Policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DefaultTTL"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"MaxTTL"</span><span class="p">:</span><span class="w"> </span><span class="mi">86400</span><span class="p">,</span><span class="w"> </span><span class="nl">"MinTTL"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"ParametersInCacheKeyAndForwardedToOrigin"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"EnableAcceptEncodingGzip"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"EnableAcceptEncodingBrotli"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"HeadersConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"HeaderBehavior"</span><span class="p">:</span><span class="w"> </span><span class="s2">"whitelist"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Quantity"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"Items"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Authorization"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"QueryStringsConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"QueryStringBehavior"</span><span class="p">:</span><span class="w"> </span><span class="s2">"all"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"CookiesConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CookieBehavior"</span><span class="p">:</span><span class="w"> </span><span class="s2">"none"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Origin failover</strong> provides automatic failover between origin servers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"OriginGroups"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Quantity"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"Items"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api-origin-group"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FailoverCriteria"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StatusCodes"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Quantity"</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span><span class="w"> </span><span class="nl">"Items"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="mi">502</span><span class="p">,</span><span class="w"> </span><span class="mi">503</span><span class="p">,</span><span class="w"> </span><span class="mi">504</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Members"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Quantity"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"Items"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"OriginId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api-us-east-1"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"OriginId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api-eu-west-1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>When CloudFront gets a 5xx from the primary origin, it automatically retries the request against the secondary origin. This failover is per-request and happens at the edge, so it is much faster than DNS failover.</p> <h2> Cloudflare as an Alternative </h2> <p>Cloudflare offers a compelling alternative to CloudFront, especially for teams that are not all-in on AWS. Its free tier is generous, the dashboard is more intuitive, and features like Workers, automatic image optimization, and DDoS protection are included.</p> <p>Key Cloudflare configurations for production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Using Cloudflare API to configure DNS records</span> curl <span class="nt">-X</span> POST <span class="s2">"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$CF_API_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'{ "type": "A", "name": "api.example.com", "content": "203.0.113.50", "ttl": 1, "proxied": true }'</span> </code></pre> </div> <p>When <code>proxied: true</code>, traffic flows through Cloudflare's network, enabling caching, DDoS protection, and WAF rules. When <code>proxied: false</code> (DNS-only), Cloudflare just serves DNS.</p> <p><strong>Page Rules and Cache Rules</strong> control caching behavior:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Cache everything on the static assets subdomain</span> curl <span class="nt">-X</span> POST <span class="s2">"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$CF_API_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'{ "name": "Static Assets Cache", "kind": "zone", "phase": "http_request_cache_settings", "rules": [{ "expression": "(http.host eq \"static.example.com\")", "action": "set_cache_settings", "action_parameters": { "cache": true, "edge_ttl": { "mode": "override_origin", "default": 2592000 }, "browser_ttl": { "mode": "override_origin", "default": 86400 } } }] }'</span> </code></pre> </div> <p><strong>Cloudflare Workers</strong> run JavaScript at the edge, enabling powerful patterns like A/B testing, request routing, and API response transformation without touching your origin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// worker.js - Edge-side API response caching with stale-while-revalidate</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">env</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cacheKey</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Request</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="nx">request</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cache</span> <span class="o">=</span> <span class="nx">caches</span><span class="p">.</span><span class="k">default</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">cache</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Return cached response immediately</span> <span class="c1">// Revalidate in the background if older than 60 seconds</span> <span class="kd">const</span> <span class="nx">age</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-cache-time</span><span class="dl">'</span><span class="p">)).</span><span class="nf">getTime</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">age</span> <span class="o">&gt;</span> <span class="mi">60000</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ctx</span><span class="p">.</span><span class="nf">waitUntil</span><span class="p">(</span><span class="nf">revalidate</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">cacheKey</span><span class="p">,</span> <span class="nx">cache</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">revalidate</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">cacheKey</span><span class="p">,</span> <span class="nx">cache</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">revalidate</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">cacheKey</span><span class="p">,</span> <span class="nx">cache</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newResponse</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">response</span><span class="p">);</span> <span class="nx">newResponse</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-cache-time</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">());</span> <span class="nx">newResponse</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cache-Control</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public, max-age=120</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nx">cache</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">,</span> <span class="nx">newResponse</span><span class="p">.</span><span class="nf">clone</span><span class="p">());</span> <span class="k">return</span> <span class="nx">newResponse</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Caching Headers and Cache Control Strategy </h2> <p>Your CDN is only as effective as your caching headers. If your origin sends <code>Cache-Control: no-cache</code> on everything, your CDN is just an expensive reverse proxy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># Nginx configuration for optimal caching headers</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span> <span class="s">http2</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">api.example.com</span><span class="p">;</span> <span class="c1"># Static assets - cache aggressively (hashed filenames for cache busting)</span> <span class="kn">location</span> <span class="p">~</span><span class="sr">*</span> <span class="err">\</span><span class="s">.(js|css|png|jpg|jpeg|gif|svg|woff2|ico)</span>$ <span class="p">{</span> <span class="kn">expires</span> <span class="s">1y</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"public,</span> <span class="s">max-age=31536000,</span> <span class="s">immutable"</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Vary</span> <span class="s">"Accept-Encoding"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># HTML pages - short cache, revalidate</span> <span class="kn">location</span> <span class="p">~</span><span class="sr">*</span> <span class="err">\</span><span class="s">.html</span>$ <span class="p">{</span> <span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"public,</span> <span class="s">max-age=300,</span> <span class="s">must-revalidate"</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Vary</span> <span class="s">"Accept-Encoding"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># API responses - no CDN cache, allow browser cache</span> <span class="kn">location</span> <span class="n">/api/</span> <span class="p">{</span> <span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"private,</span> <span class="s">max-age=0,</span> <span class="s">must-revalidate"</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Vary</span> <span class="s">"Authorization,</span> <span class="s">Accept-Encoding"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># API responses that are cacheable (public, non-personalized)</span> <span class="kn">location</span> <span class="n">/api/products</span> <span class="p">{</span> <span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"public,</span> <span class="s">max-age=60,</span> <span class="s">s-maxage=300"</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Vary</span> <span class="s">"Accept-Encoding"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The distinction between <code>max-age</code> and <code>s-maxage</code> is important:</p> <ul> <li> <code>max-age</code> controls browser cache duration.</li> <li> <code>s-maxage</code> controls CDN/proxy cache duration (overrides <code>max-age</code> for shared caches).</li> </ul> <p>This lets you cache at the CDN for 5 minutes while telling browsers to cache for only 1 minute, giving you a balance between performance and freshness.</p> <p><strong>Cache invalidation</strong> when you deploy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># CloudFront invalidation</span> aws cloudfront create-invalidation <span class="se">\</span> <span class="nt">--distribution-id</span> E1234ABCDEF <span class="se">\</span> <span class="nt">--paths</span> <span class="s2">"/*"</span> <span class="c"># Targeted invalidation (faster and cheaper)</span> aws cloudfront create-invalidation <span class="se">\</span> <span class="nt">--distribution-id</span> E1234ABCDEF <span class="se">\</span> <span class="nt">--paths</span> <span class="s2">"/index.html"</span> <span class="s2">"/api/products*"</span> <span class="c"># Cloudflare cache purge</span> curl <span class="nt">-X</span> POST <span class="s2">"https://api.cloudflare.com/client/v4/zones/{zone_id}/purge_cache"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$CF_API_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'{"purge_everything": true}'</span> <span class="c"># Cloudflare targeted purge</span> curl <span class="nt">-X</span> POST <span class="s2">"https://api.cloudflare.com/client/v4/zones/{zone_id}/purge_cache"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$CF_API_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'{"files": ["https://example.com/styles.css", "https://example.com/app.js"]}'</span> </code></pre> </div> <h2> Multi-Region Failover Architecture </h2> <p>For services that require high availability across regions, combine DNS routing with CDN origin failover for defense in depth.</p> <p>A strong multi-region architecture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User Request │ ▼ Cloudflare/CloudFront (Global Edge) │ ├─ Cache HIT → Return immediately │ ├─ Cache MISS → Origin Request │ │ │ ▼ │ Route 53 Latency-Based Routing │ │ │ ├─ US users → us-east-1 ALB │ │ │ │ │ └─ Health check fails → eu-west-1 ALB (failover) │ │ │ └─ EU users → eu-west-1 ALB │ │ │ └─ Health check fails → us-east-1 ALB (failover) </code></pre> </div> <p>Implementation checklist for multi-region failover:</p> <ol> <li> <strong>DNS TTL at 60 seconds</strong> for all records involved in failover.</li> <li> <strong>Health checks every 10 seconds</strong> with a failure threshold of 3 (30-second detection).</li> <li> <strong>CDN origin failover</strong> for per-request resilience (faster than DNS failover).</li> <li> <strong>Database replication</strong> across regions (Aurora Global Database or DynamoDB Global Tables).</li> <li> <strong>Session management</strong> in a shared store (ElastiCache Global Datastore or DynamoDB).</li> <li> <strong>Monitoring from multiple regions</strong> to distinguish between regional and global outages. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Monitor DNS resolution from your CI/CD or monitoring system</span> <span class="c"># Check that failover is working by querying from multiple locations</span> <span class="k">for </span>resolver <span class="k">in </span>8.8.8.8 1.1.1.1 208.67.222.222<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"Resolver </span><span class="nv">$resolver</span><span class="s2">:"</span> dig +short @<span class="nv">$resolver</span> api.example.com A <span class="k">done</span> <span class="c"># Monitor CDN cache hit ratio</span> aws cloudwatch get-metric-statistics <span class="se">\</span> <span class="nt">--namespace</span> AWS/CloudFront <span class="se">\</span> <span class="nt">--metric-name</span> CacheHitRate <span class="se">\</span> <span class="nt">--dimensions</span> <span class="nv">Name</span><span class="o">=</span>DistributionId,Value<span class="o">=</span>E1234ABCDEF <span class="se">\</span> <span class="nt">--start-time</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> <span class="nt">-u</span> <span class="nt">-d</span> <span class="s1">'1 hour ago'</span> +%Y-%m-%dT%H:%M:%SZ<span class="si">)</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--end-time</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> <span class="nt">-u</span> +%Y-%m-%dT%H:%M:%SZ<span class="si">)</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--period</span> 300 <span class="se">\</span> <span class="nt">--statistics</span> Average </code></pre> </div> <p>A healthy CDN should have a cache hit ratio above 80% for static content. If it is lower, review your caching headers and cache key configuration. Every cache miss is a request to your origin, which means more load on your infrastructure and higher latency for your users.</p> <h2> Need Help with Your DevOps? </h2> <p>DNS and CDN architecture is foundational infrastructure that directly impacts your application's performance, reliability, and user experience. At InstaDevOps, we design and implement global infrastructure architectures with multi-region failover, CDN optimization, and DNS strategies that keep your applications fast and available.</p> <p>We offer fractional DevOps engineering starting at $2,999/month with no long-term contracts. Book a free 15-minute call to discuss your infrastructure needs: <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">https://calendly.com/instadevops/15min</a></p> dns cdn infrastructure devops InstaDevOps Sun, 26 Apr 2026 13:47:22 +0000 https://forem.com/instadevops/load-testing-with-k6-from-first-script-to-ci-pipeline-integration-58e3 https://forem.com/instadevops/load-testing-with-k6-from-first-script-to-ci-pipeline-integration-58e3 <h2> Introduction </h2> <p>Most teams do not load test their applications until something breaks in production. A marketing campaign drives 10x traffic, the API starts returning 503s, and suddenly everyone is scrambling to figure out how many requests the system can actually handle.</p> <p>k6 by Grafana Labs has become the go-to load testing tool for DevOps teams, and for good reason. It uses JavaScript for test scripts, runs efficiently on minimal hardware, has built-in support for protocols beyond HTTP (gRPC, WebSocket, browser), and integrates cleanly into CI/CD pipelines.</p> <p>This guide takes you from writing your first k6 script to running automated performance tests in your CI pipeline with threshold-based pass/fail gates.</p> <h2> Writing Your First k6 Script </h2> <p>k6 scripts are JavaScript (ES6 modules) that define virtual user behavior. Each virtual user (VU) runs the default function repeatedly for the duration of the test.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// load-test.js</span> <span class="k">import</span> <span class="nx">http</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6/http</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">check</span><span class="p">,</span> <span class="nx">sleep</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Test configuration</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">vus</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="c1">// 50 virtual users</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Run for 2 minutes</span> <span class="p">};</span> <span class="c1">// Default function - each VU runs this in a loop</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="c1">// GET request</span> <span class="kd">const</span> <span class="nx">listRes</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/products</span><span class="dl">'</span><span class="p">);</span> <span class="nf">check</span><span class="p">(</span><span class="nx">listRes</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">list status is 200</span><span class="dl">'</span><span class="p">:</span> <span class="p">(</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">200</span><span class="p">,</span> <span class="dl">'</span><span class="s1">list response time &lt; 500ms</span><span class="dl">'</span><span class="p">:</span> <span class="p">(</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">timings</span><span class="p">.</span><span class="nx">duration</span> <span class="o">&lt;</span> <span class="mi">500</span><span class="p">,</span> <span class="dl">'</span><span class="s1">list returns products</span><span class="dl">'</span><span class="p">:</span> <span class="p">(</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">body</span><span class="p">).</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// POST request with JSON body</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Test Product</span><span class="dl">'</span><span class="p">,</span> <span class="na">price</span><span class="p">:</span> <span class="mf">29.99</span><span class="p">,</span> <span class="na">category</span><span class="p">:</span> <span class="dl">'</span><span class="s1">electronics</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">createRes</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/products</span><span class="dl">'</span><span class="p">,</span> <span class="nx">payload</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">__ENV</span><span class="p">.</span><span class="nx">API_TOKEN</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="nf">check</span><span class="p">(</span><span class="nx">createRes</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">create status is 201</span><span class="dl">'</span><span class="p">:</span> <span class="p">(</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">201</span><span class="p">,</span> <span class="dl">'</span><span class="s1">create response time &lt; 1000ms</span><span class="dl">'</span><span class="p">:</span> <span class="p">(</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">timings</span><span class="p">.</span><span class="nx">duration</span> <span class="o">&lt;</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">});</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// Think time between iterations</span> <span class="p">}</span> </code></pre> </div> <p>Run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic run</span> k6 run load-test.js <span class="c"># Pass environment variables</span> k6 run <span class="nt">-e</span> <span class="nv">API_TOKEN</span><span class="o">=</span>your-token load-test.js <span class="c"># Override options from CLI</span> k6 run <span class="nt">--vus</span> 100 <span class="nt">--duration</span> 5m load-test.js </code></pre> </div> <p>The <code>sleep(1)</code> at the end simulates real user think time. Without it, each VU fires requests as fast as possible, which does not represent realistic traffic patterns and will skew your results.</p> <h2> Ramping Strategies for Realistic Load Profiles </h2> <p>Constant VU count is fine for quick smoke tests, but production load testing requires more sophisticated patterns. k6 supports multiple execution scenarios with different ramping strategies.</p> <p><strong>Ramp-up/ramp-down</strong> (most common for load tests):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">stages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">50</span> <span class="p">},</span> <span class="c1">// Ramp up to 50 VUs over 2 minutes</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">50</span> <span class="p">},</span> <span class="c1">// Stay at 50 VUs for 5 minutes</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">100</span> <span class="p">},</span> <span class="c1">// Ramp up to 100 VUs</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">100</span> <span class="p">},</span> <span class="c1">// Stay at 100 VUs for 5 minutes</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">0</span> <span class="p">},</span> <span class="c1">// Ramp down to 0</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p><strong>Spike test</strong> (sudden traffic surge):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">stages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="c1">// Normal load</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">30s</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">500</span> <span class="p">},</span> <span class="c1">// Spike to 500 VUs</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">500</span> <span class="p">},</span> <span class="c1">// Sustain spike</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">30s</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="c1">// Return to normal</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="c1">// Recovery period</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p><strong>Soak test</strong> (find memory leaks and degradation over time):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">stages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">50</span> <span class="p">},</span> <span class="c1">// Ramp up</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">4h</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">50</span> <span class="p">},</span> <span class="c1">// Sustained load for 4 hours</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">0</span> <span class="p">},</span> <span class="c1">// Ramp down</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p><strong>Multiple scenarios</strong> (simulate different user types simultaneously):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">scenarios</span><span class="p">:</span> <span class="p">{</span> <span class="na">browse</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ramping-vus</span><span class="dl">'</span><span class="p">,</span> <span class="na">startVUs</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">stages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">100</span> <span class="p">},</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">100</span> <span class="p">},</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">0</span> <span class="p">},</span> <span class="p">],</span> <span class="na">exec</span><span class="p">:</span> <span class="dl">'</span><span class="s1">browseProducts</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">purchase</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">constant-arrival-rate</span><span class="dl">'</span><span class="p">,</span> <span class="na">rate</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// 10 iterations per timeUnit</span> <span class="na">timeUnit</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1s</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// = 10 requests per second</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">9m</span><span class="dl">'</span><span class="p">,</span> <span class="na">preAllocatedVUs</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">maxVUs</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">exec</span><span class="p">:</span> <span class="dl">'</span><span class="s1">purchaseFlow</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">browseProducts</span><span class="p">()</span> <span class="p">{</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/products</span><span class="dl">'</span><span class="p">);</span> <span class="nf">sleep</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">3</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// 1-4 second think time</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">purchaseFlow</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">products</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/products</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">productId</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">products</span><span class="p">.</span><span class="nx">body</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span><span class="p">;</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/cart</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">productId</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/checkout</span><span class="dl">'</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The <code>constant-arrival-rate</code> executor is important. Instead of controlling the number of VUs, it controls the request rate. This gives you a consistent load regardless of how fast or slow the server responds, which is better for finding the breaking point.</p> <h2> Threshold-Based SLOs </h2> <p>Thresholds are k6's most powerful feature for CI integration. They define pass/fail criteria for your test. If any threshold is violated, k6 exits with a non-zero code, which fails your CI pipeline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">stages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">50</span> <span class="p">},</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">50</span> <span class="p">},</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">0</span> <span class="p">},</span> <span class="p">],</span> <span class="na">thresholds</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// 95th percentile response time must be under 500ms</span> <span class="dl">'</span><span class="s1">http_req_duration</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">p(95)&lt;500</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">p(99)&lt;1000</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// Error rate must be under 1%</span> <span class="dl">'</span><span class="s1">http_req_failed</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">rate&lt;0.01</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// Custom metrics per endpoint</span> <span class="dl">'</span><span class="s1">http_req_duration{name:list_products}</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">p(95)&lt;300</span><span class="dl">'</span><span class="p">],</span> <span class="dl">'</span><span class="s1">http_req_duration{name:create_order}</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">p(95)&lt;800</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// Check pass rate must be above 98%</span> <span class="dl">'</span><span class="s1">checks</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">rate&gt;0.98</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// Custom counter threshold</span> <span class="dl">'</span><span class="s1">payment_errors</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">count&lt;5</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>Use tags to set different thresholds for different endpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Counter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6/metrics</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">paymentErrors</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Counter</span><span class="p">(</span><span class="dl">'</span><span class="s1">payment_errors</span><span class="dl">'</span><span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Tag requests for per-endpoint thresholds</span> <span class="kd">const</span> <span class="nx">listRes</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/products</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">list_products</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">orderRes</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/orders</span><span class="dl">'</span><span class="p">,</span> <span class="nx">payload</span><span class="p">,</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">create_order</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">orderRes</span><span class="p">.</span><span class="nx">status</span> <span class="o">!==</span> <span class="mi">201</span><span class="p">)</span> <span class="p">{</span> <span class="nx">paymentErrors</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Map your thresholds directly to your SLOs. If your SLO states that 99.9% of API requests must complete within 500ms, your k6 threshold should reflect that. This turns load testing from a manual exercise into an automated contract verification.</p> <h2> Integrating k6 into CI/CD Pipelines </h2> <p>The real value of k6 emerges when you run it on every deployment. Here is a complete GitHub Actions workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/load-test.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Load Test</span> <span class="na">on</span><span class="pi">:</span> <span class="na">deployment_status</span><span class="pi">:</span> <span class="c1"># Run after successful deployment to staging</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">target_url</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Target</span><span class="nv"> </span><span class="s">URL</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">load</span><span class="nv"> </span><span class="s">test'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">load-test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event.deployment_status.state == 'success' || github.event_name == 'workflow_dispatch'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install k6</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sudo gpg -k</span> <span class="s">sudo gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69</span> <span class="s">echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list</span> <span class="s">sudo apt-get update</span> <span class="s">sudo apt-get install k6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run load test</span> <span class="na">env</span><span class="pi">:</span> <span class="na">API_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.STAGING_API_TOKEN }}</span> <span class="na">TARGET_URL</span><span class="pi">:</span> <span class="s">${{ github.event.inputs.target_url || 'https://staging-api.example.com' }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">k6 run \</span> <span class="s">--out json=results.json \</span> <span class="s">--env TARGET_URL=$TARGET_URL \</span> <span class="s">--env API_TOKEN=$API_TOKEN \</span> <span class="s">tests/load/api-load-test.js</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload results</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k6-results</span> <span class="na">path</span><span class="pi">:</span> <span class="s">results.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Post results to PR</span> <span class="na">if</span><span class="pi">:</span> <span class="s">failure() &amp;&amp; github.event.pull_request</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/github-script@v7</span> <span class="na">with</span><span class="pi">:</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">github.rest.issues.createComment({</span> <span class="s">issue_number: context.issue.number,</span> <span class="s">owner: context.repo.owner,</span> <span class="s">repo: context.repo.repo,</span> <span class="s">body: '## Load Test Failed\n\nPerformance thresholds were violated. Check the [workflow run](' + context.serverUrl + '/' + context.repo.owner + '/' + context.repo.repo + '/actions/runs/' + context.runId + ') for details.'</span> <span class="s">});</span> </code></pre> </div> <p>For GitLab CI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">load_test</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/k6:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">k6 run --out json=results.json tests/load/api-load-test.js</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">when</span><span class="pi">:</span> <span class="s">always</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">results.json</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_PIPELINE_SOURCE == "merge_request_event"</span> </code></pre> </div> <h2> Interpreting Results and Finding Bottlenecks </h2> <p>k6 outputs a summary at the end of each run. Here is how to read it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http_req_duration..............: avg=245.3ms min=12ms med=198ms max=4521ms p(90)=412ms p(95)=523ms http_req_failed................: 0.34% 345 out of 100234 http_req_waiting...............: avg=240.1ms min=10ms med=193ms max=4518ms p(90)=407ms p(95)=518ms http_reqs......................: 100234 557.96/s iteration_duration.............: avg=1.25s min=1.01s med=1.2s max=5.52s p(90)=1.41s p(95)=1.53s vus............................: 50 min=1 max=50 </code></pre> </div> <p>Key metrics to focus on:</p> <ul> <li> <strong>p(95) and p(99) duration</strong>: These matter more than average. A 200ms average with a 5-second p99 means 1% of your users are having a terrible experience.</li> <li> <strong>http_req_failed rate</strong>: Any non-zero failure rate under load deserves investigation.</li> <li> <strong>http_req_waiting vs http_req_duration</strong>: The difference is the time spent receiving the response body. A large gap suggests large response payloads.</li> <li> <strong>iteration_duration</strong>: If this is much higher than your request durations, check your think times and test logic.</li> </ul> <p>When performance degrades under load, correlate k6 results with server-side metrics:</p> <ul> <li> <strong>CPU saturation</strong>: If CPU hits 100%, you need horizontal scaling or code optimization.</li> <li> <strong>Memory pressure</strong>: Climbing memory with eventual OOM kills points to memory leaks.</li> <li> <strong>Database connections</strong>: Connection pool exhaustion causes sudden latency spikes.</li> <li> <strong>Network I/O</strong>: Check for bandwidth limits between your services and dependencies.</li> </ul> <p>Export results to Grafana for visualization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stream results to Prometheus via remote write</span> k6 run <span class="nt">--out</span> experimental-prometheus-rw <span class="se">\</span> <span class="nt">--env</span> <span class="nv">K6_PROMETHEUS_RW_SERVER_URL</span><span class="o">=</span>http://prometheus:9090/api/v1/write <span class="se">\</span> load-test.js <span class="c"># Or output to InfluxDB</span> k6 run <span class="nt">--out</span> <span class="nv">influxdb</span><span class="o">=</span>http://influxdb:8086/k6 load-test.js </code></pre> </div> <h2> Advanced Patterns and Tips </h2> <p><strong>Parameterize with CSV data</strong> for realistic test data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">papaparse</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">https://jslib.k6.io/papaparse/5.1.1/index.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SharedArray</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6/data</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SharedArray</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">papaparse</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">./test-users.csv</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">header</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nx">data</span><span class="p">;</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">users</span><span class="p">[</span><span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="nx">users</span><span class="p">.</span><span class="nx">length</span><span class="p">)];</span> <span class="kd">const</span> <span class="nx">loginRes</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">loginRes</span><span class="p">.</span><span class="nx">body</span><span class="p">).</span><span class="nx">token</span><span class="p">;</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">token</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Group related requests</strong> for logical organization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nf">group</span><span class="p">(</span><span class="dl">'</span><span class="s1">User Login Flow</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://app.example.com/login</span><span class="dl">'</span><span class="p">);</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/auth/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">credentials</span><span class="p">);</span> <span class="p">});</span> <span class="nf">group</span><span class="p">(</span><span class="dl">'</span><span class="s1">Dashboard Load</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/dashboard/summary</span><span class="dl">'</span><span class="p">);</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/dashboard/notifications</span><span class="dl">'</span><span class="p">);</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/dashboard/recent-activity</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Test WebSocket connections</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">ws</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6/ws</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">wss://api.example.com/ws</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{},</span> <span class="nf">function </span><span class="p">(</span><span class="nx">socket</span><span class="p">)</span> <span class="p">{</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">open</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">subscribe</span><span class="dl">'</span><span class="p">,</span> <span class="na">channel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">updates</span><span class="dl">'</span> <span class="p">}));</span> <span class="p">});</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="nf">check</span><span class="p">(</span><span class="nx">msg</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">received update</span><span class="dl">'</span><span class="p">:</span> <span class="p">(</span><span class="nx">m</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">m</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">update</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">setTimeout</span><span class="p">(</span><span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">},</span> <span class="mi">30000</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Performance testing is most valuable when it is part of your development workflow, not an afterthought before a launch. At InstaDevOps, we help teams build performance testing pipelines that catch regressions before they reach production, including k6 setup, realistic test scenarios, and CI integration.</p> <p>We offer fractional DevOps engineering starting at $2,999/month with no long-term contracts. Book a free 15-minute call to discuss your performance testing needs: <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">https://calendly.com/instadevops/15min</a></p> testing k6 performance devops InstaDevOps Sat, 25 Apr 2026 13:47:17 +0000 https://forem.com/instadevops/aws-lambda-best-practices-cold-starts-memory-tuning-and-cost-optimization-351l https://forem.com/instadevops/aws-lambda-best-practices-cold-starts-memory-tuning-and-cost-optimization-351l <h2> Introduction </h2> <p>AWS Lambda changed how we think about infrastructure. No servers to manage, automatic scaling, pay-per-invocation pricing. But Lambda is not magic, and teams that treat it as a black box end up with slow, expensive, and hard-to-debug serverless applications.</p> <p>After managing Lambda functions processing millions of invocations per day across multiple production environments, I have learned that the difference between a well-optimized Lambda and a naive one can be a 10x difference in both latency and cost. Cold starts that take 5 seconds can be reduced to 200ms. Monthly bills of $500 can drop to $50 with the same throughput.</p> <p>This guide covers the practices that make the biggest difference in real-world Lambda deployments.</p> <h2> Understanding and Reducing Cold Starts </h2> <p>A cold start happens when Lambda needs to create a new execution environment for your function. This involves downloading your deployment package, starting the runtime, and running your initialization code. For Python and Node.js, cold starts typically add 200-500ms. For Java and .NET, they can exceed 5 seconds.</p> <p>The factors that affect cold start duration, in order of impact:</p> <ol> <li> <strong>Runtime choice</strong>: Node.js and Python cold-start fastest. Java and .NET are slowest.</li> <li> <strong>Package size</strong>: Larger deployment packages take longer to download and extract.</li> <li> <strong>Initialization code</strong>: Database connections, SDK clients, and config loading during init.</li> <li> <strong>VPC configuration</strong>: Functions in a VPC used to add 8-10 seconds. Since AWS added Hyperplane ENIs, this is down to ~1 second on first invocation.</li> <li> <strong>Memory allocation</strong>: More memory means more CPU, which speeds up initialization.</li> </ol> <p>Practical steps to reduce cold starts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// GOOD: Initialize SDK clients outside the handler (runs once per cold start)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">DynamoDBClient</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-sdk/client-dynamodb</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">DynamoDBDocumentClient</span><span class="p">,</span> <span class="nx">GetCommand</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-sdk/lib-dynamodb</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DynamoDBClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-east-1</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">docClient</span> <span class="o">=</span> <span class="nx">DynamoDBDocumentClient</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">client</span><span class="p">);</span> <span class="c1">// GOOD: Reuse database connections across invocations</span> <span class="kd">let</span> <span class="nx">dbConnection</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getDbConnection</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">dbConnection</span><span class="p">)</span> <span class="p">{</span> <span class="nx">dbConnection</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createConnection</span><span class="p">({</span> <span class="na">host</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_HOST</span><span class="p">,</span> <span class="c1">// ... connection config</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">dbConnection</span><span class="p">;</span> <span class="p">}</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Handler code uses the pre-initialized clients</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">docClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">GetCommand</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">pathParameters</span><span class="p">.</span><span class="nx">userId</span> <span class="p">}</span> <span class="p">}));</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">Item</span><span class="p">)</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>For latency-sensitive functions, use Provisioned Concurrency. This keeps a specified number of execution environments warm and ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set provisioned concurrency on a Lambda alias</span> aws lambda put-provisioned-concurrency-config <span class="se">\</span> <span class="nt">--function-name</span> my-api-handler <span class="se">\</span> <span class="nt">--qualifier</span> prod <span class="se">\</span> <span class="nt">--provisioned-concurrent-executions</span> 10 <span class="c"># Use Application Auto Scaling to adjust based on utilization</span> aws application-autoscaling register-scalable-target <span class="se">\</span> <span class="nt">--service-namespace</span> lambda <span class="se">\</span> <span class="nt">--resource-id</span> <span class="s2">"function:my-api-handler:prod"</span> <span class="se">\</span> <span class="nt">--scalable-dimension</span> lambda:function:ProvisionedConcurrency <span class="se">\</span> <span class="nt">--min-capacity</span> 5 <span class="se">\</span> <span class="nt">--max-capacity</span> 50 </code></pre> </div> <p>Provisioned Concurrency costs money even when idle, so only use it for functions that are user-facing and latency-sensitive. For background processing, async invocations, and SQS consumers, cold starts do not matter.</p> <h2> Memory and CPU Tuning </h2> <p>Lambda allocates CPU proportional to memory. At 1,769 MB, you get one full vCPU. At 10,240 MB, you get six vCPUs. This means increasing memory does not just give you more RAM; it gives you more compute power, which can make CPU-bound functions faster and cheaper.</p> <p>The AWS Lambda Power Tuning tool automates finding the optimal memory setting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy the power tuning state machine</span> aws serverlessrepo create-cloud-formation-change-set <span class="se">\</span> <span class="nt">--application-id</span> arn:aws:serverlessrepo:us-east-1:451282441545:applications/aws-lambda-power-tuning <span class="se">\</span> <span class="nt">--stack-name</span> lambda-power-tuning <span class="se">\</span> <span class="nt">--capabilities</span> CAPABILITY_IAM <span class="c"># Run the tuning (tests your function at different memory levels)</span> aws stepfunctions start-execution <span class="se">\</span> <span class="nt">--state-machine-arn</span> arn:aws:states:us-east-1:123456789012:stateMachine:powerTuningStateMachine <span class="se">\</span> <span class="nt">--input</span> <span class="s1">'{ "lambdaARN": "arn:aws:lambda:us-east-1:123456789012:function:my-function", "powerValues": [128, 256, 512, 1024, 1769, 3008], "num": 50, "payload": "{}", "parallelInvocation": true, "strategy": "cost" }'</span> </code></pre> </div> <p>I have seen cases where increasing memory from 128 MB to 512 MB made a function 4x faster and actually cheaper because the per-millisecond cost increase was offset by the dramatic reduction in execution time. Always benchmark before assuming less memory means lower cost.</p> <h2> Lambda Powertools for Production Observability </h2> <p>AWS Lambda Powertools is a toolkit that should be in every Lambda function you deploy to production. It provides structured logging, distributed tracing, custom metrics, and parameter management with minimal boilerplate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">Logger</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-lambda-powertools/logger</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">Tracer</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-lambda-powertools/tracer</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">Metrics</span><span class="p">,</span> <span class="nx">MetricUnit</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-lambda-powertools/metrics</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">injectLambdaContext</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-lambda-powertools/logger/middleware</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">captureLambdaHandler</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-lambda-powertools/tracer/middleware</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">logMetrics</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@aws-lambda-powertools/metrics/middleware</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">middy</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@middy/core</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">logger</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Logger</span><span class="p">({</span> <span class="na">serviceName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">payment-api</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">tracer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Tracer</span><span class="p">({</span> <span class="na">serviceName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">payment-api</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">metrics</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Metrics</span><span class="p">({</span> <span class="na">namespace</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PaymentService</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">lambdaHandler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Structured logging with automatic Lambda context</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">Processing payment</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">orderId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">orderId</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">amount</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">currency</span> <span class="p">});</span> <span class="c1">// Custom business metrics</span> <span class="nx">metrics</span><span class="p">.</span><span class="nf">addMetric</span><span class="p">(</span><span class="dl">"</span><span class="s2">PaymentProcessed</span><span class="dl">"</span><span class="p">,</span> <span class="nx">MetricUnit</span><span class="p">.</span><span class="nx">Count</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="nx">metrics</span><span class="p">.</span><span class="nf">addMetric</span><span class="p">(</span><span class="dl">"</span><span class="s2">PaymentAmount</span><span class="dl">"</span><span class="p">,</span> <span class="nx">MetricUnit</span><span class="p">.</span><span class="nx">None</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">amount</span><span class="p">);</span> <span class="c1">// Annotate traces for filtering in X-Ray</span> <span class="nx">tracer</span><span class="p">.</span><span class="nf">putAnnotation</span><span class="p">(</span><span class="dl">"</span><span class="s2">orderId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">orderId</span><span class="p">);</span> <span class="nx">tracer</span><span class="p">.</span><span class="nf">putMetadata</span><span class="p">(</span><span class="dl">"</span><span class="s2">orderDetails</span><span class="dl">"</span><span class="p">,</span> <span class="nx">event</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">processPayment</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="nx">metrics</span><span class="p">.</span><span class="nf">addMetric</span><span class="p">(</span><span class="dl">"</span><span class="s2">PaymentSucceeded</span><span class="dl">"</span><span class="p">,</span> <span class="nx">MetricUnit</span><span class="p">.</span><span class="nx">Count</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">metrics</span><span class="p">.</span><span class="nf">addMetric</span><span class="p">(</span><span class="dl">"</span><span class="s2">PaymentFailed</span><span class="dl">"</span><span class="p">,</span> <span class="nx">MetricUnit</span><span class="p">.</span><span class="nx">Count</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Payment failed</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">orderId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">orderId</span> <span class="p">});</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// Middy middleware chain adds context to every invocation</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="nf">middy</span><span class="p">(</span><span class="nx">lambdaHandler</span><span class="p">)</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">injectLambdaContext</span><span class="p">(</span><span class="nx">logger</span><span class="p">))</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">captureLambdaHandler</span><span class="p">(</span><span class="nx">tracer</span><span class="p">))</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logMetrics</span><span class="p">(</span><span class="nx">metrics</span><span class="p">));</span> </code></pre> </div> <p>This gives you structured JSON logs that you can query in CloudWatch Logs Insights, X-Ray traces for distributed tracing, and CloudWatch custom metrics for business dashboards and alarms, all without writing any plumbing code.</p> <h2> Lambda Layers for Dependency Management </h2> <p>Lambda Layers let you package shared dependencies separately from your function code. This reduces deployment package size, speeds up deployments, and ensures consistent dependency versions across functions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a layer with shared Node.js dependencies</span> <span class="nb">mkdir</span> <span class="nt">-p</span> layer/nodejs <span class="nb">cd </span>layer/nodejs npm init <span class="nt">-y</span> npm <span class="nb">install</span> @aws-sdk/client-dynamodb @aws-sdk/lib-dynamodb @aws-lambda-powertools/logger @aws-lambda-powertools/tracer <span class="nb">cd</span> .. zip <span class="nt">-r</span> shared-deps-layer.zip nodejs/ aws lambda publish-layer-version <span class="se">\</span> <span class="nt">--layer-name</span> shared-deps <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Shared dependencies for backend Lambda functions"</span> <span class="se">\</span> <span class="nt">--zip-file</span> fileb://shared-deps-layer.zip <span class="se">\</span> <span class="nt">--compatible-runtimes</span> nodejs20.x nodejs22.x <span class="c"># Attach the layer to a function</span> aws lambda update-function-configuration <span class="se">\</span> <span class="nt">--function-name</span> my-function <span class="se">\</span> <span class="nt">--layers</span> arn:aws:lambda:us-east-1:123456789012:layer:shared-deps:3 </code></pre> </div> <p>A few rules for effective Layer usage:</p> <ul> <li>Keep layers under 50 MB unzipped for fast cold starts.</li> <li>Version your layers and pin functions to specific layer versions in production.</li> <li>Use one layer for AWS SDK dependencies, another for your own shared utilities.</li> <li>Do not put business logic in layers. Layers are for dependencies and utilities.</li> </ul> <h2> Event-Driven Architecture Patterns </h2> <p>Lambda functions are most effective as part of event-driven architectures. Instead of building monolithic Lambda functions that try to do everything, decompose your system into small, focused functions triggered by events.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># SAM template for an event-driven order processing pipeline</span> <span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Transform</span><span class="pi">:</span> <span class="s">AWS::Serverless-2016-10-31</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># API receives order, puts it on SQS queue</span> <span class="na">OrderQueue</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SQS::Queue</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VisibilityTimeout</span><span class="pi">:</span> <span class="m">300</span> <span class="na">RedrivePolicy</span><span class="pi">:</span> <span class="na">deadLetterTargetArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">OrderDLQ.Arn</span> <span class="na">maxReceiveCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">OrderDLQ</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SQS::Queue</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">MessageRetentionPeriod</span><span class="pi">:</span> <span class="m">1209600</span> <span class="c1"># 14 days</span> <span class="c1"># Process orders from queue (batch processing, auto-scaling)</span> <span class="na">ProcessOrderFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">handlers/process-order.handler</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">nodejs20.x</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">512</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">60</span> <span class="na">Events</span><span class="pi">:</span> <span class="na">SQSEvent</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">SQS</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Queue</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">OrderQueue.Arn</span> <span class="na">BatchSize</span><span class="pi">:</span> <span class="m">10</span> <span class="na">MaximumBatchingWindowInSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">FunctionResponseTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReportBatchItemFailures</span> <span class="c1"># Partial batch failure handling</span> <span class="c1"># On successful processing, emit event to EventBridge</span> <span class="na">OrderEventBus</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Events::EventBus</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">orders</span> <span class="c1"># Send confirmation email on order.completed event</span> <span class="na">SendConfirmationFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">handlers/send-confirmation.handler</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">nodejs20.x</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">256</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">Events</span><span class="pi">:</span> <span class="na">OrderCompleted</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">EventBridgeRule</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">EventBusName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">OrderEventBus</span> <span class="na">Pattern</span><span class="pi">:</span> <span class="na">detail-type</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">order.completed"</span> </code></pre> </div> <p>This pattern gives you several advantages: each function scales independently, failures in one step do not block others, and the DLQ catches any messages that fail processing three times for manual review.</p> <h2> Cost Optimization Strategies </h2> <p>Lambda pricing is based on three factors: number of invocations ($0.20 per million), duration (GB-seconds at $0.0000166667), and any provisioned concurrency. Most teams overpay because they have not optimized duration.</p> <p>Quick wins for reducing Lambda costs:</p> <p><strong>Right-size memory</strong>: Use Power Tuning as described above. The optimal memory setting minimizes cost, not memory usage.</p> <p><strong>Reduce execution time</strong>: Every millisecond counts. Cache expensive lookups, use connection pooling, and avoid synchronous waits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// BAD: Sequential external calls</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUser</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="c1">// 50ms</span> <span class="kd">const</span> <span class="nx">orders</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrders</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="c1">// 80ms</span> <span class="kd">const</span> <span class="nx">prefs</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPreferences</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="c1">// 30ms</span> <span class="c1">// Total: 160ms</span> <span class="c1">// GOOD: Parallel external calls</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">orders</span><span class="p">,</span> <span class="nx">prefs</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nf">getUser</span><span class="p">(</span><span class="nx">userId</span><span class="p">),</span> <span class="c1">// 50ms</span> <span class="nf">getOrders</span><span class="p">(</span><span class="nx">userId</span><span class="p">),</span> <span class="c1">// 80ms (runs in parallel)</span> <span class="nf">getPreferences</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="c1">// 30ms (runs in parallel)</span> <span class="p">]);</span> <span class="c1">// Total: 80ms (limited by slowest call)</span> </code></pre> </div> <p><strong>Use ARM64 (Graviton2)</strong>: Lambda functions on ARM64 are 20% cheaper and typically 10-20% faster. Switching is a one-line change in most cases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws lambda update-function-configuration <span class="se">\</span> <span class="nt">--function-name</span> my-function <span class="se">\</span> <span class="nt">--architectures</span> arm64 </code></pre> </div> <p><strong>Batch SQS processing</strong>: Instead of invoking one Lambda per message, process batches. With <code>ReportBatchItemFailures</code>, failed messages get retried individually while successful ones are removed.</p> <p><strong>Review CloudWatch Logs costs</strong>: Lambda logging to CloudWatch can cost more than the Lambda invocations themselves at scale. Set log retention policies and filter what you log:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set log retention to 14 days (default is never expire)</span> aws logs put-retention-policy <span class="se">\</span> <span class="nt">--log-group-name</span> /aws/lambda/my-function <span class="se">\</span> <span class="nt">--retention-in-days</span> 14 </code></pre> </div> <h2> Monitoring and Alerting Essentials </h2> <p>Every production Lambda function needs these CloudWatch alarms:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># CloudFormation for essential Lambda alarms</span> <span class="na">ErrorRateAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${FunctionName}-error-rate"</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">Errors</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/Lambda</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Sum</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">300</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="m">2</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="m">5</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GreaterThanThreshold</span> <span class="na">Dimensions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">FunctionName</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ProcessOrderFunction</span> <span class="na">ThrottleAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${FunctionName}-throttles"</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">Throttles</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/Lambda</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Sum</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">60</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="m">1</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="m">0</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GreaterThanThreshold</span> <span class="na">DurationAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${FunctionName}-duration-p99"</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">Duration</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/Lambda</span> <span class="na">ExtendedStatistic</span><span class="pi">:</span> <span class="s">p99</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">300</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="m">3</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="m">5000</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GreaterThanThreshold</span> <span class="na">IteratorAgeAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${FunctionName}-iterator-age"</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">IteratorAge</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/Lambda</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Maximum</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">60</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="m">5</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="m">60000</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GreaterThanThreshold</span> </code></pre> </div> <p>The Iterator Age alarm is critical for functions consuming from Kinesis or DynamoDB Streams. A rising iterator age means your function is falling behind the event stream, which eventually leads to data loss.</p> <h2> Need Help with Your DevOps? </h2> <p>Lambda is deceptively simple to start with but requires real expertise to run efficiently at scale. At InstaDevOps, we help teams design and optimize serverless architectures that are fast, reliable, and cost-effective. From cold start optimization to event-driven architecture design, we have seen it all.</p> <p>We offer fractional DevOps engineering starting at $2,999/month with no long-term contracts. Book a free 15-minute call to discuss your serverless infrastructure: <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">https://calendly.com/instadevops/15min</a></p> aws lambda serverless devops