Covers why load balancers are used and how traffic is distributed across backend servers to avoid single server bottlenecks, enable horizontal scaling, and provide fault tolerance. Candidates should know common distribution algorithms such as round robin, least connections, weighted balancing, and consistent hashing, and understand trade offs among them. Explain the difference between layer four and layer seven load balancing and the implications for routing, request inspection, and protocol awareness. Discuss stateless design versus stateful services, the impact of session affinity and sticky sessions, and alternatives such as external session stores or token based sessions to preserve scalability. Describe high availability and resilience patterns to mitigate a single point of failure, including active active and active passive configurations, health checks, connection draining, and global routing options such as DNS based and geo aware routing. At senior and staff levels, cover advanced capabilities like request routing based on metadata or headers, weighted traffic shifting for canary and blue green deployments, traffic mirroring, rate limiting and throttling, integration with autoscaling, and strategies for graceful degradation and backpressure. Also include operational concerns such as secure termination of transport layer security, connection pooling, caching and consistent hashing for caches, monitoring and observability, capacity planning, and common debugging and failure modes.
MediumTechnical
42 practiced
Design tracing and telemetry around load balancers to capture request paths across tiers: include sampling strategy, trace propagation headers, span granularity, impact on performance and storage, and retention considerations for high-volume traffic.
Sample Answer
Requirements & constraints:- Capture end-to-end request paths across LB → services → downstream tiers for troubleshooting/SLA without overwhelming storage or adding latency.- Support heterogeneous stacks (HTTP/2, gRPC, TCP), multi-region, high QPS.Design summary:1) Trace propagation headers- Use W3C Trace Context (traceparent + tracestate) as primary for HTTP/gRPC. For legacy systems include B3 compat shim.- For TCP or non-HTTP, attach the trace id at connection establishment metadata or sidecar/x-envoy via metadata.2) Sampling strategy- Two-tier sampling: - Head-based probabilistic sampling at entry LB: default low-rate uniform sampling (e.g., 0.1–1% by trace) to bound volume. - Reservoir/event-based sampling: always-sample errors/latency anomalies (status >=500, slow > p95) and traces matching important endpoints (payments, auth). - Adaptive sampling: increase sample rate during incidents or per-service hotspots via control plane.- Keep sampled decision carried in traceparent to avoid downstream divergence.3) Span granularity- Instrument at meaningful boundaries: LB (listener + routing), ingress service, critical downstream RPCs, DB calls and external API calls.- Prefer coarse spans for high-volume internal calls (group multiple small hops) and fine-grained spans for business-critical operations.- Use span attributes/tags to avoid extra spans: add route, backend id, LB decision, latency buckets.4) Performance & storage trade-offs- Use asynchronous, batched export via sidecars (Envoy, OpenTelemetry collector) to avoid request-path latency.- Compress exported traces (protobuf, gzip) and apply server-side dedup / aggregation for repetitive spans.- Estimate size: average sampled trace ~2–10KB. With 1% sampling at 1M QPS -> 10k traces/s (~20–80MB/s). Adjust sampling accordingly.5) Retention & lifecycle- Hot storage (7–30 days) for full traces for debugging and SLAs.- Long-term storage: store aggregated metrics, traces for sampled errors, or indexed trace heads for 90+ days in cheaper blob/object storage; purge raw trace payload after hot window.- Provide on-demand deep-dive: keep a short-lived higher-sample buffer for 24–72 hours to investigate incidents.Operational considerations & recommendations:- Expose sampling controls to SREs and customers (dynamic config).- Instrument cost alerts and dashboards (ingest rate, storage).- Validate header propagation with automated tests and tracing smoke tests.- Prefer OpenTelemetry ecosystem to standardize collectors, processors (sampling, tail-sampling), and exporters.This approach balances observability, low latency, and cost while ensuring critical failures and business flows are always traceable.
MediumTechnical
41 practiced
You must remove sticky sessions from an e-commerce platform to improve scalability. Propose a migration plan using stateless tokens (JWT), an external session store (Redis) or sticky cookies with fallback. Include rollout steps (canary, toggle), performance validation, and rollback criteria.
Sample Answer
Goal: Remove sticky sessions while maintaining user experience and scale. I'll propose a phased migration that supports three alternatives (stateless JWT, Redis-backed session store, sticky-cookie fallback), with canary rollout, feature toggles, performance validation and clear rollback criteria.1) Strategy choice- Primary: Stateless JWTs for auth/short-lived session state (scales horizontally, no affinity).- Secondary: Redis session store for large mutable session data or server-side-only data.- Fallback: Sticky cookies (same-site affinity) for quick rollback during rollout.2) Preparation- Audit current session data shape: size, read/write rate, security-sensitive fields.- Define token format: JWT with minimal claims (user_id, exp, nonce), sign with rotating keys (KID).- Design server logic: prefer JWT; if payload too large or needs server-side mutation, store pointer to Redis (session_id) and keep session in Redis.- Implement encryption for sensitive claims; TTLs for both JWTs and Redis keys.- Add feature toggle (config/flag) per service to enable new session flow; support header to force mode for canary users.3) Rollout plan- Dev & QA: unit/integration tests, load-test both modes; create synthetic traffic mirroring checkout flows.- Canary (1–5% users): enable JWT path for small subset via feature toggle + routing header; monitor errors, latency, checkout conversion.- Gradual ramp: 5% → 25% → 50% → 100% over days with automated health gates.- Mixed-mode coexistence: Accept both legacy sticky sessions and new modes during transition. For users with legacy cookie, continue existing flow; for new or re-authenticated users, issue JWT or Redis pointer.- Migrate long-lived sessions: on next user activity, exchange legacy session for JWT/Redis session.4) Performance validation & metrics- Latency: p99 and p95 for auth, product browse, add-to-cart, checkout should remain within baseline + 5–10%.- Error rate: auth/session-related 5xx < baseline threshold (e.g., +1% absolute).- Throughput & resource: CPU/memory per app node, Redis ops/sec, network egress.- Business KPIs: cart abandonment, checkout conversion, session resume success.- Load tests: simulate peak traffic with and without JWT/Redis to measure tail latency and cache hit ratios.5) Observability- Add tracing for session path (legacy vs JWT vs Redis).- Expose metrics: JWT issuance rate, Redis hit/miss, average session size, TTL expirations.- Alerting: error spikes, latency regressions, Redis saturation.6) Rollback criteria & plan- Immediate rollback triggers: - Authentication failures >1% absolute or critical business flow breaks - p99 latency > baseline + 50% for >15 minutes - Redis CPU or memory >75% sustained (if using Redis) causing OOM/evictions- Rollback actions: - Flip feature toggle to route all users back to sticky sessions - If JWT key rotation caused failures, revert to previous signing key - Scale up nodes / Redis as emergency mitigation if resource-bound while investigating- Validate rollback by monitoring same KPIs until stable.7) Security & operational considerations- Short JWT lifetime + refresh token or re-auth on sensitive ops.- Key rotation with KID support to avoid invalidating active tokens.- Redis: enable persistence and eviction policy tuned to session TTL; TLS + auth.- Data privacy: don't embed PII in JWTs; encrypt if needed.8) Post-migration cleanup- Sunsetting sticky-cookie logic after 2–4 weeks of 100% stable operation.- Remove legacy session stores or repurpose Redis capacity.- Document architecture, runbook for incidents, and cost analysis.This plan balances scalability (JWT), practicality for large mutable state (Redis), and safe rollback (sticky cookies + toggles), with measurable gates and observability to protect business continuity.
HardSystem Design
38 practiced
Design a secure architecture where TLS is terminated at the edge and internal service-to-service communication uses mutual TLS (mTLS). Explain how load balancers handle edge termination and re-encryption to backends, certificate issuance and rotation (automation), trust chains, and integrating with a service mesh for internal mTLS enforcement.
Sample Answer
Requirements & constraints:- Terminate customer TLS at the edge (DDoS/HTTP inspection/WAF) while preserving end-to-end authenticity to backends.- Internal service-to-service must use mutual TLS (mTLS) with automated cert issuance/rotation.- Automated PKI, short-lived certs, and minimal manual ops.- Support multi-region, autoscaling, and zero-downtime rotation.High-level architecture:Client → Global Edge LB / WAF (eg. AWS ALB + WAF or GCP Cloud Load Balancer + Cloud Armor) → Regional Ingress (Envoy/NLB) → Service Mesh (Envoy sidecars + control plane e.g., Istio/Linkerd) → ServicesEdge termination & re-encryption:- Edge LB terminates client TLS (SNI-aware) to perform WAF, rate-limiting, CDN caching. For backends that require end-to-end TLS, edge re-encrypts: it establishes a new TLS connection to the regional ingress/or directly to Envoy ingress using server certs trusted by the edge.- Use TLS passthrough only for sensitive flows that must keep client certificate intact (rare). Prefer terminate+re-encrypt because mTLS inside preserves service identity.Certificate issuance & rotation (automation):- Use a central automated CA/PKI: options include HashiCorp Vault PKI, Step CA, or cloud-managed Certificate Authority (AWS Private CA).- For edge public certs, use ACME automation (Let's Encrypt or cloud CA) integrated into CI/CD or managed LB certs.- For internal certs, issue short-lived X.509 certs (1–24 hour TTL) via service identity system such as SPIFFE/SPIRE or Vault with Kubernetes cert-manager + cert-manager issuer backed by Vault/Step.- Use SDS (Secret Discovery Service) or the mesh’s Certificate Management to push new certs to Envoy sidecars and ingress gateways automatically. Rotate via graceful reload: sidecars fetch new certs before old expire; control plane propagates trust bundle updates.Trust chains & validation:- Internal services trust the internal CA root (or intermediate). Distribute trust bundles via mesh control plane or cluster bootstrap (kube secrets encrypted at rest).- Use separate roots: external public CA chain for client certs; internal private CA for service identities. Cross-validation avoided to limit blast radius.- Use SPIFFE IDs in cert SANs for identity-based authorization; map SPIFFE -> RBAC policies in the mesh.Service mesh integration for mTLS:- Deploy a service mesh control plane (Istio/Linkerd) that enforces mTLS at sidecar layer. Sidecars terminate client TLS from callers and initiate TLS to callee using short-lived certs.- Configure the mesh to be “strict mTLS” in production namespaces; use authentication policies and AuthorizationPolicies for RBAC.- Use egress/ingress gateways to translate edge re-encrypted TLS into mesh-native mTLS identities. The ingress gateway holds server certs issued by internal CA when backends require internal identity.Operational practices & hardening:- Use HSMs or cloud KMS (AWS KMS/CloudHSM) for root key material.- Rotate CA intermediates with overlap windows; issue new intermediates and re-sign before retiring old.- Monitor certificate expiry, rotation success, and mTLS handshake metrics; alert on rotate failures.- Zero-trust posture: enforce least privilege via mesh policies, use audit logging for TLS handshakes and cert issuance.Trade-offs:- Terminate+re-encrypt increases CPU/latency but enables WAF/CDN benefits. Passthrough reduces observability and prevents WAF.- Short-lived certs reduce compromise risk but increase CA load—automate aggressively.- Splitting public vs internal CA limits exposure but adds management complexity.This design provides edge-level protections while ensuring strong, automated internal mTLS with identity-driven access control and safe automated certificate lifecycle.
EasyTechnical
46 practiced
Explain the technical differences between Layer-4 (transport) and Layer-7 (application) load balancing. For each type describe what packet or request metadata is inspected, typical capabilities (e.g., TCP passthrough vs. header-based routing), performance and latency implications, and example use cases where one approach should be chosen over the other.
Sample Answer
Layer-4 (transport) vs Layer-7 (application) load balancing — key differences and when to use each.Layer-4 (Transport)- Metadata inspected: IP addresses, TCP/UDP ports, protocol fields, maybe source/dest tuples and connection state (no payload inspection).- Capabilities: TCP/UDP passthrough, NAT or proxying at connection level, simple session affinity via 5-tuple or source IP, fast health checks (TCP), connection forwarding without touching application headers.- Performance/latency: Very high throughput and low latency because it operates in kernel/transport layer and avoids parsing application payloads; scales well for raw TCP/UDP workloads.- Use cases: Database proxies, SMTP, generic TCP services, TLS passthrough where the LB must not terminate TLS (preserve end-to-end encryption), low-latency/high-throughput requirements.Layer-7 (Application)- Metadata inspected: Full HTTP(S) headers, URL path, cookies, host header, query params, JSON/XML bodies (if configured), and other application-layer semantics.- Capabilities: Host/path-based routing, header/cookie-based session affinity, content rewrites, request transformation, A/B testing, WAF rules, advanced health checks, per-request auth, TLS termination/inspection, rate-limiting.- Performance/latency: Higher CPU cost and slightly higher latency due to parsing/inspection and possible TLS termination; modern proxies and hardware offload mitigate cost but still heavier than L4.- Use cases: Microservice ingress, API gateways, CDN edge routing, canary releases, routing by URL/headers, web application firewalling, when you need visibility into HTTP semantics.Decision guidance:- Choose L4 when you need maximum throughput, preserve end-to-end encryption, or simply forward TCP/UDP connections.- Choose L7 when routing decisions require application context (host/path/headers), you need header-level policies, request transformation, or security inspection.- Hybrid approach: terminate TLS at L7 for web apps but use L4 for backend service meshes; many deployments use a mix to balance performance and functionality.
MediumTechnical
46 practiced
Design rate limiting at the edge to enforce per-user and global quotas while allowing bursts. Compare token-bucket and leaky-bucket algorithms and explain how you would implement consistent rate limiting across multiple LB instances (centralized counters, client-side leases, or approximate sketches). Discuss accuracy, latency and operational trade-offs.
Sample Answer
Start by clarifying requirements: per-user (or per-API key) and global quotas, allow short bursts, enforce at edge across many load‑balancer (LB) instances, and acceptable error bounds/latency. Given that, I’d pick a token‑bucket model for each quota because it naturally supports bursts (tokens accumulate up to a capacity) and maps well to permissive burst policies; leaky‑bucket enforces smoothing and constant drain which is better when you must strictly smooth traffic.Design options for multi‑instance consistency:1) Centralized counters (strong accuracy)- How: single rate service (or strongly-consistent datastore like Redis with INCR and TTL or Redis token-bucket via Lua) per edge region.- Pros: exact enforcement, easy auditing and dynamic config.- Cons: added round‑trip per request → higher latency and a single/region failure point; needs sharding and HA for scale.2) Client-side leases / local token caches (hybrid, low latency)- How: each LB maintains a local token bucket populated by periodic lease requests from a central allocator (e.g., “give me N tokens for user X”), or tokens are pre-allocated per second.- Pros: low latency on hot path, tolerates central outages for short time, supports bursts well.- Cons: complexity: need careful lease sizing to avoid overshoot; slightly relaxed accuracy.3) Approximate sketches (high scale, low coordination)- How: use distributed approximate counters (count‑min sketch, HyperLogLog variants) or probabilistic data structures combined with local buckets to detect heavy hitters and throttle.- Pros: extremely scalable and low coordination.- Cons: probabilistic errors (false positives/negatives) and harder to reason about per-user fairness.Trade-offs:- Accuracy vs latency: centralized gives strongest accuracy but worst latency; leases give best latency with bounded over‑issuance; sketches give best scale but weakest per-user guarantees.- Operational: centralized needs HA, autoscaling, and careful hot‑key handling; leases require allocator logic, lease expiry/reconciliation, and telemetry; sketches need calibration and explainability to customers.- Failure modes: use token expiry, negative tokens, and backoff to recover from clock skew and allocator failures. For global quotas, use hierarchical enforcement: local (fast) enforcement with periodic global reconciliation and hard caps at central service for long‑term compliance.Implementation recommendations:- Use token‑bucket semantics. Implement per-user local buckets on LB with periodic lease top‑ups from a regionally replicated Redis using Lua to atomically allocate tokens. For global quota, maintain a separate global allocator with larger time windows and tighter reconciliation.- Monitor error rates, rejected requests, and token allocation drift. Provide configurable strictness: “strict” (centralized) vs “best‑effort” (lease) modes per customer.This balanced approach gives low latency at the edge, supports bursts, and keeps global accuracy bounded while remaining operationally manageable.
Unlock Full Question Bank
Get access to hundreds of Load Balancing and Traffic Distribution interview questions and detailed answers.