API Health Check Best Practices

Designing Robust Health Check Endpoints

by

API Health Check Best Practices function as the primary telemetry signal for automated service recovery and traffic steering within high availability architectures. These endpoints provide the required logic for load balancers, service meshes, and orchestrators to determine whether a target instance should receive ingress traffic or undergo lifecycle remediation. Without a structured health check implementation, infrastructure controllers risk routing requests to black hole processes that have survived as zombie entries in a routing table despite losing connectivity to backing data stores. These endpoints act as the interface between application state and network ingress controllers: bridgeing the gap between a process existing in the kernel process table and a process being functionally capable of executing its logic. Operational failure in this domain results in cascading outages where a single upstream dependency failure triggers a recursive health check failure across the entire service graph. High performance health check design requires balancing the granularity of dependency verification against the resource overhead of frequent execution: particularly regarding socket exhaustion, thread pool saturation, and database connection limits within the local runtime environment.

| Parameter | Value |
| :— | :— |
| Primary Protocol | HTTP/1.1 or HTTP/2 over TLS |
| Target Response Code | 200 OK (Healthy) / 503 Service Unavailable (Unhealthy) |
| Response Payload Format | JSON (RFC 8259) |
| Standard Timeout Window | 2.0 to 5.0 Seconds |
| Success Threshold | 2 Consecutive Passes |
| Failure Threshold | 3 Consecutive Failures |
| Resource Overhead | < 1 percent CPU / < 10MB RAM per probe cycle | | Default Management Port | 8081, 9000, or 9090 (Isolate from public traffic) | | Security Exposure | Internal VPC / mTLS restricted | | Minimum Probe Frequency | 5 Seconds to 30 Seconds | | Log Retention | 7 Days (Structured JSON logs) |

Environment Prerequisites

Effective implementation requires the environment to support granular process isolation and network segmentation. The host must run a kernel version supporting non blocking I/O for health check threads to ensure that a blocked application thread does not prevent the health check responder from firing. High availability controllers such as Kubernetes (v1.18+), HAProxy (v2.0+), or AWS Application Load Balancers must be configured with specific IAM permissions or RBAC roles to permit probe traffic. Network Security Groups must allow ingress on the designated management port from the load balancer CIDR range while blocking public internet access. The application runtime requires a dedicated connection pool for health check database queries to prevent the probe from failing due to application level connection exhaustion.

Implementation Logic

The engineering rationale behind a dual probe architecture (Liveness vs Readiness) centers on the failure domain separation. A Liveness probe determines if the process is in a non recoverable state: such as a deadlocked thread or a corrupted heap: necessitating a SIGTERM or SIGKILL. A Readiness probe determines if the process is temporarily unable to handle traffic: often due to cache warming, database migration, or upstream rate limiting.

Implementing these as separate logic paths prevents unnecessary container restarts during transient network partitions. The communication flow utilizes an idempotent GET request. Internally, the service executes a shallow check of local resources (memory, disk, thread count) and a scoped deep check of critical dependencies. To mitigate the thundering herd problem where 50 nodes simultaneously query a database for their health check, memoization is applied to the status results with a TTL (Time to Live) shorter than the probe interval. This ensures the health signal remains accurate without saturating backend resources.

Define the Liveness Endpoint

The liveness endpoint must be the simplest possible path to verify the process is alive. It should not check external dependencies but rather focus on internal runtime health.

“`bash

Example of a manual liveness check using curl

curl -I -X GET http://localhost:8081/live
“`
Implementation in the application code should return a 200 OK immediately upon the web server being able to accept a socket connection. This confirms the event loop is not blocked and the kernel is successfully scheduling the process.

System Note
Use netstat -an | grep :8081 to verify that the management port is listening independently of the main application port. If the application uses a global thread pool, ensure the health check listener runs on a dedicated thread to avoid false negatives during high CPU utilization.

Configure the Readiness Logic

The readiness check must validate that the service can fulfill requests. This includes checking database connectivity, message broker status, and presence of required local configuration files.

“`json
// Recommended JSON response for /ready
{
“status”: “UP”,
“components”: {
“database”: {
“status”: “UP”,
“latency_ms”: 12
},
“redis”: {
“status”: “UP”
}
}
}
“`

System Note
Use the nc -zv [db_host] [db_port] command or a simple SELECT 1 query to verify the path to the data store. Do not execute heavy analytical queries within the health check logic.

Establish Probe Geometry in the Orchestrator

Define the probe parameters in the infrastructure configuration. In a Kubernetes environment, this is defined within the container specification.

“`yaml
livenessProbe:
httpGet:
path: /live
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8081
initialDelaySeconds: 15
periodSeconds: 5
timeoutSeconds: 3
“`

System Note
The initialDelaySeconds for the readiness probe should exceed the average startup time of the application. Observe startup durations via journalctl -u [service_name] to calibrate this value.

Implement Circuit Breaker Integration

For microservices with deep dependency chains, the health check should reflect the state of the circuit breaker. If an upstream service is down and the local circuit is open, the readiness probe should return a 503.

“`bash

Check the state of local circuit breakers via management CLI

./app-cli status circuits
“`

System Note
Avoid circular dependencies where Service A waits for Service B, and Service B waits for Service A. Use a “Degraded” status if a non critical dependency is missing but the service can still function.

Dependency Fault Lines

Cascading Failure via Deep Health Checks
The root cause is a health check that fails if any downstream dependency is unreachable. If a shared database goes down, every service instance reports as unhealthy. The load balancer then removes all instances from the rotation, causing a total outage and potentially crashing the load balancer or preventing the services from recovering.

  • Symptoms: All instances return 503 simultaneously; 100 percent packet loss at the ingress.
  • Verification: Check nginx or haproxy logs for “no live upstreams”.
  • Remediation: Implement a “soft fail” or “partial health” state where the service remains ready if it can serve traffic from cache or if the dependency is non critical.

Connection Pool Exhaustion
This occurs when the health check logic opens a new database connection for every probe but fails to close it correctly, or when the connection pool is full and the probe hangs.

  • Symptoms: Probe timeouts in the orchestrator logs (e.g., “context deadline exceeded”).
  • Verification: Run lsof -i | grep :5432 to count open database sockets.
  • Remediation: Use a dedicated, single connection for health checks or check the pool status via the library’s metadata instead of initiating a full handshake.

Zombie Process Retention
A process enters a zombie state or a deadlock where the PID exists but the network stack is unresponsive.

  • Symptoms: Log output ceases, but the process is visible in ps aux.
  • Verification: Use strace -p [pid] to see if the process is making system calls.
  • Remediation: Ensure the liveness probe uses a strict timeout and that the orchestrator is configured to use a SIGKILL if SIGTERM fails.

Troubleshooting Matrix

| Symptom | Fault Code | Diagnostic Action | Tool |
| :— | :— | :— | :— |
| Probe Timeout | N/A | Check network path from LB to Node | traceroute |
| Periodic 503 | SERVICE_UNAVAILABLE | Inspect application logs for DB latency | journalctl |
| 404 on /healthz | NOT_FOUND | Verify endpoint registration in router | curl |
| Flapping Health | FLAP_DETECTION | Check for resource jitter/CPU spikes | top |
| 403 Forbidden | ACCESS_DENIED | Check WAF/Security Group rules | iptables |

Example Log Analysis
If journalctl -u kubelet shows:
`Liveness probe failed: Get “http://10.2.3.4:8081/live”: dial tcp 10.2.3.4:8081: connect: connection refused`
This indicates the process has crashed or the port is not bound.

If syslog shows:
`Out of memory: Kill process 1234 (java) score 950`
The service was terminated by the OOM killer, and the health check failed to trigger a restart before the host became unstable.

Optimization and Hardening

Performance Optimization
Reduce health check latency by using a shared memory segment or a volatile internal flag to store the health status. Instead of calculating the state upon every HTTP request, run a background thread that updates the internal flag every 10 seconds. This allows the /healthz endpoint to serve responses in microseconds, minimizing the impact of high frequency probes on the application’s overall throughput.

Security Hardening
Isolate health check endpoints to a secondary port. Configure the application to bind this port to a private network interface only. Implement IP whitelisting via iptables to ensure only the load balancer or the cluster’s internal network (e.g., 10.0.0.0/8) can reach the management port. Do not return detailed stack traces or internal IP addresses in the JSON response payload, as this facilitates reconnaissance during an internal breach.

Scaling Strategy
Design health checks to be aware of the “Warm up” period. During horizontal scaling events, new instances may be CPU bound while JIT compilers or caches initialize. The readiness probe should stay in a failed state until the instance’s internal latency metrics stabilize. This prevents the load balancer from overwhelming a new instance before it is capable of handling production traffic levels.

Admin Desk

How do I test a health check manually?
Use curl -v -X GET http://[IP]:[PORT]/healthz. Look for the HTTP 200 status. If the response is slow, use time curl to measure the latency and ensure it falls within the orchestrator’s timeout limits.

What is the best frequency for health probes?
Standard production deployments utilize a 10 second interval. For mission critical services where failover speed is paramount, 2 or 5 seconds is acceptable. Avoid sub second intervals to prevent self inflicted Denial of Service on the management port.

Should I check global dependencies like DNS?
No. Health checks should only validate the service instance’s capability. If a global dependency like DNS is down, all health checks would fail, causing the orchestrator to kill all instances, which does not solve the underlying DNS issue.

How do health checks affect autoscaling?
Orchestrators use readiness state to include or exclude pods from load balancer pools. If pods are unhealthy, the autoscaler may trigger the creation of more pods, thinking the load is too high for the remaining healthy instances.

Why is my service restarting repeatedly?
Check the liveness probe. If the application takes 30 seconds to start but the liveness probe starts checking after 5 seconds and fails twice, the orchestrator will kill the process before it ever becomes ready. Increase initialDelaySeconds.

Deep Dive & Technical References:

Leave a Comment