ReviseAlgo Logo

Observability & Performance Tuning

Spring Boot Actuator — Health, Metrics, and Management Endpoints

Exposing /health, /info, /prometheus, and securing them in production.

Interview: Production monitoring. Expect questions on custom HealthIndicators, securing metrics endpoints, heapdump exposure hazards, and separate port mappings.

Last Updated: June 14, 2026 15 min read

Introduction

When running a Spring Boot application in production, you must monitor its internal health state without logging in or inspecting memory manually. Exposing custom API queries for thread status, database connection states, or memory allocations introduces security risks and requires boilerplate code.

**Spring Boot Actuator** simplifies this by exposing production-ready management endpoints. Out of the box, Actuator provides APIs for thread status (/actuator/threaddump), system health (/actuator/health), heap dumps (/actuator/heapdump), and metrics collection endpoints.

Why It Matters

Actuator endpoints integrate with Kubernetes health probes, enable real-time configuration tuning (like updating logging levels dynamically), and provide monitoring insights without application restarts.

Securing Actuator Endpoints

By default, sensitive endpoints are hidden to protect application configuration data. Exposing them requires explicit configuration in application.properties:

In production, secure these endpoints using Spring Security, limiting access to users with the role ROLE_ADMIN:

Quick Quiz

Q1: Which configuration setup is considered a production best practice for exposing sensitive Actuator endpoints?

A) Enable all endpoints using management.endpoints.web.exposure.include=* without security dependencies.

B) Restrict exposed endpoints, run Actuator on a separate internal port, and require authentication (e.g. ROLE_ADMIN) for access.

C) Disable the health endpoint entirely.

D) Only expose actuator endpoints via UDP.

Answer: B — Exposing all endpoints exposes database passwords (via /env) or JVM memory dumps (via /heapdump) to attackers. Securing endpoints and isolating their port mappings protects internal assets.

Scenario-Based Challenge

Production Scenario:

Your application connects to an external database. During network drops, your application continues running but the database is unreachable. You want Kubernetes to stop routing API traffic to the pod immediately during these drops. How do you implement this check using Actuator?

View Solution

To dynamically monitor database state and control traffic:

1. **Implement HealthIndicator:** Spring Boot Actuator automatically registers database health indicators (e.g. DataSourceHealthIndicator) if a DataSource bean is declared.
2. **Define readinessState Probes:** Ensure readiness probe checking is enabled in properties:
management.endpoint.health.probes.enabled=true
3. **Configure Kubernetes Readiness Probe:** Point the Kubernetes readiness probe to /actuator/health/readiness. During database outages, Actuator marks the readiness state as DOWN (HTTP 503), causing Kubernetes to remove the pod from service endpoints until the database recovers.

Interview Questions

1. How do you create a custom HealthIndicator in Spring Boot?

Implement the HealthIndicator interface and override the health() method. Inspect your custom resource dependencies (like an external API endpoint connection) and return a status: Health.up().withDetail("api_latency", latency).build() or Health.down(exception).build().

Production Considerations

Configure Actuator to run on a separate internal management port using management.server.port=8081. This allows you to restrict external internet traffic to port 8080 while keeping management access open on your internal virtual private network.