In multi-region (or multi-DC) architectures, the real problem isn’t “we have the service in two places”; the problem is this: which user goes to which region, when do they change direction, and when do they come back? If you leave those decisions to “DNS will figure it out,” at incident time you’ll meet three flavors of surprise:
- The health check looks “green” while users are getting errors (the check point is in the wrong place).
- Failover happens, but failback triggers at the wrong moment and creates a second incident wave.
- Because of DNS TTL / cache behavior, the change rolls out “slowly and unevenly”; triage gets messier.
In this article I describe the signal, hold-down, and runbook approach that takes a product-agnostic GSLB design (whether it’s a Cloud LB, an on-prem GTM, or an open-source solution) and makes it work in production.
1) Pin down the goal first: active-active or active-passive?
Before picking a GSLB, settle this decision:
- Active-active: Traffic is normally distributed across two (or more) regions. Goal: capacity + low latency + regional fault tolerance.
- Active-passive: Traffic normally lives in one region; the second region kicks in only during failure. Goal: simpler operations, less “cross-region” risk.
Both models share one truth: the moment of failback is just as risky as the moment of failover.
2) The most common mistake in health-checks: measuring from the wrong layer
Treat GSLB health-checks at three levels:
- L3/L4 reachability: does TCP/443 open? (the fastest, shallowest signal)
- L7 readiness: does
/healthzreturn 200? (still potentially superficial) - Critical path: a synthetic request close to “real user” behavior (covers dependencies like auth + cache + DB)
The problem I most often see in production: /healthz is green, but the application can’t actually do work because of its dependencies (DB, queue, upstream). If the GSLB doesn’t get the right signal, it pushes traffic “to the wrong place.”
2.1 A multi-signal approach instead of a single signal
Instead of tying the GSLB decision to a single check, think of it as a gate:
- If L7 readiness fails, mark the region as down.
- If readiness passes but error rate / latency is degraded, put the region into “degrade” mode (lower the weight).
- If only capacity pressure exists (CPU/mem), do “traffic shaping” (lower the weight, don’t fully turn off).
This approach takes the GSLB out of a “binary” mode and gives you more controlled maneuvering room during an incident.
3) The DNS reality: TTL alone is not control
Lowering TTL doesn’t “guarantee” cache behavior. Because:
- Some resolvers round TTLs up to a “minimum.”
- Mobile/enterprise caching layers delay decisions.
- Client applications can cache DNS in ways you didn’t expect.
So in your GSLB design, make propagation time measurable:
- After you change a record, “which IP” comes back from different ASNs/ISPs/regions?
- When you raise/lower the TTL, does the “shock wave” (instant cache miss) overload the upstream?
4) Hold-down and hysteresis: the key to preventing flap
The most expensive state in GSLB is the loop “down → up → down.” The cure:
- Hold-down: Once a region is marked down, it stays down for a fixed period (it doesn’t come back up immediately).
- Hysteresis: The threshold for marking down differs from the threshold for marking up (it’s harder to flip back to “up”).
Example (product-agnostic logic):
- Down criterion: 3 consecutive failed checks
- Up criterion: 10 consecutive successful checks + p95 latency under threshold
- Hold-down: 10 minutes
This stops a “small wobble” from becoming an incident.
5) Failback strategy: the return is a rhythm, not a single move
Design failback in stages:
- Cold validation: send synthetic (internal) traffic to the region; is the critical path passing?
- Canary: bring 1–5% of traffic back; are errors/latency holding?
- Gradual ramp: 10% → 25% → 50% → normal
- Rollback gate: at every stage, the “roll back” decision should be easy to take
This process turns “the region is back” from a sentence into operational reality.
6) Minimum viable runbook: what do I do during a GSLB incident?
You can use the following checklist as a practical starting point:
6.1 The first 5 minutes (triage)
- Is the problem global, or regional? (error/latency map)
- Which layer is the health-check looking at? (L4, L7, or critical path?)
- Are DNS answers actually changing? (measure from different resolvers/regions)
- Is there a per-region dependency outage? (DB, queue, auth, storage)
6.2 Failover decision
- What is the failover’s goal? Is it “bring the service back up” or “lower the error rate”?
- Does the second region have capacity headroom?
- Does the second region have a warm cache / warm pool? If not, expect an amplification effect.
6.3 Stabilization
- Is hold-down active? Is flap being prevented?
- Is rate-limit / load shedding required at the application layer?
- Communication: is the message about “which region is primary” clear?
6.4 Failback (controlled)
- Has the “up criterion” for failback been satisfied?
- Has a canary return been tried?
- After the return, are alarm thresholds tight enough against the “second wave” risk?
7) Closing: think of GSLB as an “operations system,” not as DNS
In multi-region architectures, GSLB isn’t a “DNS record management” job. Success comes from the right health signal, hold-down/hysteresis that prevents flap, and a controlled failback rhythm. Without those, GSLB just produces the feeling at incident time that “something is changing, but why?”
If you have to pick a single-sentence goal, choose this: make failover fast, make failback controlled, and make decisions measurable.