Performance
N+1 at scale: pool exhaustion, plan changes, and denormalisation
A service with 50 queries per request and a connection pool of 25 starts returning 503s under load. The individual queries are fast. The database is healthy. The pool is saturated — each request holds a connection across 50 serial queries, and the pool cannot rotate fast enough to serve the traffic.
Connection pool exhaustion
An N+1-bound endpoint holds a database connection through many serialised queries. With a connection pool size of 25 and 50 queries per request at ~2 ms each, each request holds a connection for ~100 ms.
Throughput per connection: ~10 requests/s. Total pool throughput: 250 requests/s. Once load exceeds 250 requests/s, new requests queue waiting for a connection. The queue adds latency; latency tails spiral; eventual 503s.
Diagnostic signature: connection pool saturation metric high, individual query latency stable, request queue growing. The root cause is not the database — it is the application holding connections too long.
# pgbouncer metrics — a leading indicator
cl_waiting > 0 for more than a few seconds → N+1 likely
server_active / max_server_connections > 80% sustained → pool pressureThe fix is the N+1 fix: reduce queries per request from 50 to 2–3. Each request now holds the connection for ~10 ms instead of 100 ms. Pool throughput goes from 250 to 2 500 requests/s — a 10× relief with the same pool size.
The same shape applies to HTTP client pools, gRPC connection pools, Redis pools: any pooled resource where hold-time drives exhaustion.
Query plan changes after N+1 fixes
N+1 fixes change the shape of queries, which changes query plans. A query that was WHERE id = 1 is now WHERE id IN (1, 2, ..., 1000). Postgres may switch from index scan to bitmap scan to sequential scan depending on selectivity estimates and list size.
-- Before: fast index scan
EXPLAIN SELECT * FROM tasks WHERE project_id = 1;
-- Index Scan using tasks_project_id_idx (cost=0.43..8.45 rows=10 width=80)
-- After fix: large IN list, plan may change
EXPLAIN SELECT * FROM tasks WHERE project_id IN (1, 2, ..., 500);
-- Bitmap Heap Scan on tasks (cost=12.55..350.00 rows=5000 width=80)Senior production discipline: after fixing N+1, run EXPLAIN ANALYZE on the new query under representative production data sizes. Verify the plan does not degrade for edge cases (very small parent sets, very large parent sets, special parameter values). A fix that works at 50 rows may flip the plan at 5 000.
# Postgres tooling for plan monitoring
pg_stat_statements — track query execution counts and durations
auto_explain — log plans for queries exceeding a thresholdHibernate subselect loading strategy generates SELECT * FROM child WHERE parent_id IN (SELECT id FROM parent WHERE ...) — a correlated subquery that can produce very different plans from the parent’s main query. After applying Hibernate batch-size or subselect loading, verify plan stability.
Security: query amplification as DoS
An N+1 code path can be an attack vector. If a public endpoint allows the user to request N items and the handler fires N+1 queries per item, the attacker can saturate the database with one large request.
Real incidents: Strapi 2021 (CVE-2021-32820) — a deeply nested filter could amplify queries 1 000×. Various GraphQL providers — cyclic queries cause exponential resolver expansion. Early Hasura versions — permission filters not bounded.
Mitigations:
// GraphQL — depth and complexity limits
import depthLimit from 'graphql-depth-limit';
import { createComplexityRule } from 'graphql-query-complexity';
const server = new ApolloServer({
validationRules: [
depthLimit(5),
createComplexityRule({ maxComplexity: 200 }),
],
});Per-request query budget enforced at framework level: Rails strict_loading + max-queries middleware. Hasura automatic complexity analysis. Any user-controlled parameter that multiplies query count is a DoS vector. Senior code review for ORM-using code includes: “could this allow query amplification under hostile input?”
Prepared statements reduce overhead even when N+1 persists
When N+1 is unavoidable (legacy code, exploratory queries), prepared statements reduce the per-query overhead. Each parameterised query WHERE id = ? is parsed and planned once; subsequent executions skip parse and plan.
-- Postgres explicit:
PREPARE get_task AS SELECT * FROM tasks WHERE id = $1;
EXECUTE get_task(42);
-- ORMs use prepared statements by default for parameterised queries.
-- The ORM's ? or $1 parameter syntax IS the prepared statement protocol.Savings: ~30–50% per repeated query on Postgres. For a service running thousands of repeat queries per second, prepared statements alone can cut DB CPU 10–30%.
Tradeoff: connection-pool affinity. Prepared statements are connection-scoped in some setups. pgbouncer transaction mode disables server-side prepared statements (use PgBouncer statement-level pooling or the pgbouncer_params prepared statement passthrough if you need both).
| Metric | N+1 baseline | After fix |
|---|---|---|
| Queries per request | 51 | 2 |
| Connection hold time | ~100 ms | ~4 ms |
| Pool throughput (pool=25) | ~250 req/s | ~6 000 req/s |
| p99 latency (intra-DC) | ~800 ms | ~40 ms |
When denormalisation is the right answer
For paths with extreme latency SLOs — HFT, real-time bidding, sub-50 ms p99 on heavy joins — even 2–3 queries are too many.
Counter cache: stores derived data on the parent. Instead of count(*) per request, one SELECT of a field.
# Rails counter_cache
belongs_to :project, counter_cache: true
# project.tasks_count is maintained automatically on create/destroyMaterialised view (Postgres): precomputes a complex join + aggregation. The page fetches one query against a fully-ready view.
CREATE MATERIALIZED VIEW product_summary AS
SELECT p.id, p.name, c.name AS category,
COUNT(r.id) AS review_count,
AVG(r.score) AS avg_score
FROM products p
JOIN categories c ON p.category_id = c.id
LEFT JOIN reviews r ON r.product_id = p.id
GROUP BY p.id, p.name, c.name;
REFRESH MATERIALIZED VIEW CONCURRENTLY product_summary;CQRS read model: the write side updates a normalised schema; an event handler writes to a read-optimised table with pre-joined data. The read path fetches one query.
Tradeoffs: staleness (read view lags writes by milliseconds to seconds), storage duplication, maintenance cost (derivation logic must stay correct as schema evolves).
When to apply: read p99 SLO < 50 ms on heavy joins AND read load is 1 000× or more the write load. For balanced workloads, ORM eager loading is simpler and sufficient. Denormalisation is the right answer only when measurement shows eager loading cannot meet the SLO.
Why this works
Production failures linked to N+1: Shopify 2016 — checkout page regressed to N+1 on shipping calculations; outage. Slack 2018 — message search hit a deeply nested join that exploded under search-result fan-out. Discord 2020 — GraphQL N+1 caused per-channel resolvers to fan out to the permissions service; DataLoader retrofit cut DB load 40%. GitHub 2021 — repo settings page loaded 200+ queries per render after a refactor introduced lazy loading. LinkedIn 2023 — feed aggregator ran 8-way serial RPC fan-out; parallelised, p99 dropped 6×. Every large engineering org has an N+1 retrospective. The runbook entry exists in every mature team: “page slow → check query count first.”
A team applies .includes to fix N+1. Query count drops from 50 to 2, but p99 worsens by 30%. What is the most likely explanation?
A service is seeing connection pool saturation: active connections near 100%, request queue growing, but individual query latency is stable. What is the most likely root cause and fix?
- 01Describe how an N+1 problem cascades into a connection pool exhaustion incident, and what observability signals to alert on.
- 02Explain when denormalisation (counter cache, materialised view, CQRS read model) is the right fix for N+1, and when it is premature.
At production scale, N+1 has three second-order effects beyond slow page loads. First: connection pool exhaustion — each request holding a connection through 50 serial queries saturates the pool far faster than 2-query requests do. Fix the N+1, multiply pool throughput by 10×. Second: query plan instability — IN lists and batch queries can flip from index scan to bitmap scan to sequential scan; always EXPLAIN ANALYZE the new query after fixing. Third: DoS amplification — any user-controlled parameter that multiplies query count is an attack vector; add depth limits, complexity analysis, and per-request query budgets for public endpoints. Denormalisation (counter caches, materialised views, CQRS read models) is the right answer only when measurement confirms eager loading cannot meet an extreme latency SLO.
appears again in159
- The journey of a request: seven stops from socket to responsejunior
- Accept and parse: from kernel queue to a typed requestmiddle
- Routing and middleware: choosing what runs, and in what ordermiddle
- Handler and response: from business logic to bytes on the wiremiddle
- Streaming and backpressure: when the client reads slower than you writesenior
- Timeouts and tail latency: budgets, deadlines, and the fan-out trapsenior
- Middleware and DI: the two patterns that shape every backendjunior
- Writing middleware: signatures, next(), and the three framework modelsmiddle
- Inversion of control: how dependencies reach a classmiddle
- DI scopes and lifecycles: singleton, request, transientmiddle
- DI as a testing seam: fakes, mocks, and the boundary that matterssenior
- DI containers in production: resolution graphs, circular deps, and when not tosenior
- Blocking vs non-blocking I/O: two ways to waitjunior
- The event loop: one thread, ordered phasesmiddle
- What blocks the loop: CPU work and sync callsmiddle
- Offloading CPU work: worker threads and the libuv poolmiddle
- Backpressure and bounded concurrencysenior
- Throughput under load: tail latency and saturationsenior
- Why pool: the cost of creating a connectionjunior
- Pool sizing: why bigger is not fastermiddle
- Acquisition and timeouts: the wait queue is the real latency dialmiddle
- Retry strategies: backoff, jitter, and thundering herdmiddle
- Observability, production failures, and global-scale designsenior
- Tasks, microtasks, and scheduler.yield()middle
- Timer accuracy, throttling, and idle workmiddle
- Node.js event loop: phases, nextTick, and loop lagsenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- LCP: four phases, one dominant costmiddle
- INP: input delay, processing, presentationmiddle
- Lab vs field: why the two disagree and how to use eachmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What an index is and how it speeds up queriesjunior
- The leading-column rule and composite index designmiddle
- Partial, expression, and covering indexesmiddle
- Index types: GIN, GiST, BRIN, Hash, Bloom, and HOT updatesmiddle
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- Index design exercise: full-text search strategysenior
- EXPLAIN and execution plans: what the planner decides and whyjunior
- Scan types: Seq, Index, Bitmap, Index-Onlymiddle
- Join algorithms and the row-estimate cascademiddle
- pg_statistic, ANALYZE, and production observabilitymiddle
- Extended statistics: fixing correlated-column estimate failuressenior
- Plan cache, cost-constant tuning, and planner internalssenior
- Production failure modes and plan stabilitysenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Migration failure taxonomy and production disciplinesenior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Bits on the wirejunior
- Latency mathmiddle
- Bufferbloat and congestionsenior
- The physical frontiersenior
- Sequence numbers and connection statemiddle
- Flow control and congestion controlmiddle
- BBR, production observability, and beyond TCPsenior
- CDN: putting content next doorjunior
- Anycast and GeoDNS: routing to the nearest edgemiddle
- Tiered cache and Cache-Controlmiddle
- Vary header and cache keysmiddle
- Stale-while-revalidate and cache stampedesenior
- Edge workers and edge-side compositionsenior
- CDN operations and observabilitysenior
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket vs SSE vs long-polling: choosing the right transportmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Balancing algorithms: round-robin to power-of-two-choicesmiddle
- L4 vs L7 load balancing and client-IP preservationmiddle
- Health checks, connection draining, and slow startmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- QUIC streams and head-of-line blockingjunior
- Integrated handshake and 1-RTTmiddle
- Connection IDs and network migrationmiddle
- Loss detection and congestion controlmiddle
- 0-RTT resumption and packet encryptionsenior
- Deployment tradeoffs and CPU costsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- The twelve layers: one URL, seven actorsjunior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Critical render path and Core Web Vitalsmiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Metrics and cardinality: the cost model of a time-series databasemiddle
- Logs and volume: the cost model of structured loggingmiddle
- Traces and sampling: the cost model of distributed tracingmiddle
- Join keys and exemplars: making the three signals composemiddle
- Observability 2.0: wide events and the cost shiftsenior
- Failure modes and engineering practice: cardinality budgets, PII, and samplingsenior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- Log levels and alert routingmiddle
- Sampling strategies and log costmiddle
- PII redaction and log injectionsenior
- Trace context propagation in logssenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- OTel signals, Semantic Conventions, and the OTLP wire formatmiddle
- Auto-instrumentation and manual spans: the 80/20 of OTelmiddle
- The OTel Collector: receivers, processors, exporters, and deployment patternsmiddle
- Sampling strategies: head, tail, and parent-basedmiddle
- Vendor neutrality, eBPF instrumentation, the Operator, and browser/serverless OTelsenior
- Operating the OTel Collector: reliability, version skew, failure modes, and governancesenior
- RED and USE: two checklists, one triage disciplinejunior
- Instrumenting RED in Prometheus: counters, histograms, and cardinality disciplinemiddle
- USE on Linux: CPU, memory, disk, network, and PSImiddle
- Golden signals, dashboard layout, and service mesh auto-REDmiddle
- Cardinality as a cost driver: labels, PII, exemplars, and samplingmiddle
- Native histograms, SLO tie-in, and production failure patternsmiddle
- Choosing SLIs and SLO targets: ratios, not feelingsmiddle
- Multi-window multi-burn-rate alerting: why AND beats ORmiddle
- Error budget policy, latency SLOs, and composite journeysmiddle
- Iceberg SLIs, composite SLO math, and SLA vs SLOsenior
- Flame graphs: reading the picture that shows where time goesjunior
- Sampling vs instrumentation profiling: why 99 Hz wins in productionmiddle
- Profile types: CPU, memory, off-CPU, mutex — which one to reach formiddle
- Continuous profiling: always-on flame graphs with eBPF and trace-id correlationmiddle
- How flame graphs are built from samples, and the production workflows that use themmiddle
- Linux perf, eBPF internals, PGO, and the limits of samplingsenior
- Profiling in production: security, war stories, OTel profiles, and the infrastructure designsenior
- The debugging funnel: SLO → RED → trace → profilejunior
- OTel architecture: one SDK, four signals, one wire formatmiddle
- Cost discipline: keeping observability under 5% of infra spendmiddle
- Scale, security, and the ROI of observable systemssenior