Observability & Performance Tuning
Spring Boot Actuator — Health, Metrics, and Management Endpoints
Exposing /health, /info, /prometheus, and securing them in production.
Interview: Production monitoring. Expect questions on custom HealthIndicators, securing metrics endpoints, heapdump exposure hazards, and separate port mappings.
Introduction
When running a Spring Boot application in production, you must monitor its internal health state without logging in or inspecting memory manually. Exposing custom API queries for thread status, database connection states, or memory allocations introduces security risks and requires boilerplate code.
**Spring Boot Actuator** simplifies this by exposing production-ready management endpoints. Out of the box, Actuator provides APIs for thread status (/actuator/threaddump), system health (/actuator/health), heap dumps (/actuator/heapdump), and metrics collection endpoints.
Why It Matters
Actuator endpoints integrate with Kubernetes health probes, enable real-time configuration tuning (like updating logging levels dynamically), and provide monitoring insights without application restarts.
Securing Actuator Endpoints
By default, sensitive endpoints are hidden to protect application configuration data. Exposing them requires explicit configuration in application.properties:
In production, secure these endpoints using Spring Security, limiting access to users with the role ROLE_ADMIN:
Quick Quiz
Q1: Which configuration setup is considered a production best practice for exposing sensitive Actuator endpoints?
A) Enable all endpoints using management.endpoints.web.exposure.include=* without security dependencies.
B) Restrict exposed endpoints, run Actuator on a separate internal port, and require authentication (e.g. ROLE_ADMIN) for access.
C) Disable the health endpoint entirely.
D) Only expose actuator endpoints via UDP.
Answer: B — Exposing all endpoints exposes database passwords (via /env) or JVM memory dumps (via /heapdump) to attackers. Securing endpoints and isolating their port mappings protects internal assets.
Scenario-Based Challenge
Production Scenario:
Your application connects to an external database. During network drops, your application continues running but the database is unreachable. You want Kubernetes to stop routing API traffic to the pod immediately during these drops. How do you implement this check using Actuator?
View Solution
To dynamically monitor database state and control traffic:
1. **Implement HealthIndicator:** Spring Boot Actuator automatically registers database health indicators (e.g. DataSourceHealthIndicator) if a DataSource bean is declared.
2. **Define readinessState Probes:** Ensure readiness probe checking is enabled in properties:
management.endpoint.health.probes.enabled=true
3. **Configure Kubernetes Readiness Probe:** Point the Kubernetes readiness probe to /actuator/health/readiness. During database outages, Actuator marks the readiness state as DOWN (HTTP 503), causing Kubernetes to remove the pod from service endpoints until the database recovers.
Interview Questions
1. How do you create a custom HealthIndicator in Spring Boot?
Implement the HealthIndicator interface and override the health() method. Inspect your custom resource dependencies (like an external API endpoint connection) and return a status: Health.up().withDetail("api_latency", latency).build() or Health.down(exception).build().
Production Considerations
Configure Actuator to run on a separate internal management port using management.server.port=8081. This allows you to restrict external internet traffic to port 8080 while keeping management access open on your internal virtual private network.