Failure Modes and Edge Cases in L4/L7 Load Balancing

L4 load balancers face state exhaustion under high connection churn or Distributed Denial of Service (DDoS) attacks. Connection tracking (conntrack) or Network Address Translation (NAT) tables typically budget 200 to 500 bytes per active Transmission Control Protocol (TCP) flow; a proxy with 2 Gigabytes (GB) reserved can hold millions of flows but will drop new connections when full. HyperText Transfer Protocol (HTTP)/1.1 without keepalive or synchronize (SYN) floods cause rapid table turnover. Mitigations include SYN cookies (stateless handshake validation), aggressive timeout tuning, and horizontal scaling with consistent hashing to distribute state. Asymmetric routing in Equal Cost Multipath (ECMP) or anycast deployments can send return packets via different paths, causing stateful devices to drop mismatched flows; Direct Server Return (DSR) or symmetric routing policies are required. Hash imbalance from 5 tuple or Internet Protocol (IP) hashing can concentrate load behind large Carrier Grade Network Address Translation (CGNATs); weighted hashing and power of two choices algorithms help rebalance. L7 load balancers introduce application layer failure amplification. Naive retry logic across a fleet can create retry storms: if backends slow under load, clients timeout and retry, magnifying the original problem exponentially. Implement retry budgets (limit total retries fleet wide), jittered exponential backoff, and per route circuit breakers that open after threshold failures (for example, 5 consecutive errors) and enter half open state after cooldown. Head of line blocking occurs when HTTP/2 multiplexing serializes streams behind a slow request; large request or response bodies cause proxy buffering and memory spikes that can trigger Out Of Memory (OOM) kills. Transport Layer Security (TLS) termination at L7 introduces single points of failure: certificate expiration, rotation failures, or Online Certificate Status Protocol (OCSP) stapling issues can trigger global outages. Mutual TLS (mTLS) to backends adds Certificate Authority (CA) and Server Name Indication (SNI) management complexity. Sticky sessions via cookie based affinity can create hot backends; when a node fails, lost affinity impacts stateful applications if server side session state is not externalized to a cache. Protocol upgrades like WebSockets or gRPC streaming pin connections to specific upstreams; L7 proxies cannot reroute mid stream, degrading load balancing and complicating capacity planning. Header normalization differences (casing, duplicate headers, malformed requests) can cause security bypasses or routing errors; strict normalization may break legacy clients. Cross cutting issues affect both layers. Health check truthiness is a persistent problem: L4 port open checks pass while applications are unhealthy, and L7 synthetic checks can succeed while critical dependencies like databases or queues are degraded. Use multi signal checks with dependency aware gating. Zonal or Availability Zone (AZ) failover can incur unexpected cross zone data transfer costs and saturation; implement zone aware routing with surge protection and 20 to 30 percent capacity buffers. Metrics blind spots are common: L4 lacks request context, and L7 may undersample at high Queries Per Second (QPS), hiding tail latency regressions and leading to misleading Service Level Objectives (SLOs).

L4 NAT table exhaustion: HTTP/1.1 without keepalive at 100,000 requests per second creates 100,000 new flows per second; with 30 second timeout, table needs 3 million slots (1.5 GB at 500 bytes per flow)

L7 retry storm scenario: Backend latency increases from 100 ms to 2 seconds; clients with 1 second timeout retry; 10,000 QPS becomes 20,000 QPS, overwhelming backends further

Sticky session failure: 10 backends with cookie affinity; 1 backend fails losing 10 percent of sessions; stateful shopping carts lost unless externalized to Redis or Memcached