What Is a Single Point of Failure?
A single point of failure (SPOF) is any component whose failure alone brings down your service. The tricky part: SPOFs aren't always obvious. A redundant app cluster can still have a SPOF if all nodes share one database primary, one DNS provider, or one network switch.
The goal isn't zero risk — it's ensuring no single thing can cause a full outage.
Where SPOFs Commonly Hide
DNS
DNS is the first thing a user's browser touches, and it's frequently overlooked. If you're using a single DNS provider and they have an outage (it happens — even large providers go down), your site becomes unreachable regardless of how healthy your infrastructure is.
What to do:
- Use at least two authoritative DNS providers with the same zone data.
- Tools like NS1, Cloudflare, and Route 53 can be combined using secondary DNS delegation or a DNS load-balancing service.
- Keep TTLs reasonably low (300–900 seconds) on records you may need to failover quickly.
Load Balancers
A single load balancer is itself a SPOF. Most cloud providers offer managed, highly-available load balancer services (AWS ALB, GCP Cloud Load Balancing, etc.) that run redundantly across zones under the hood. If you're running your own HAProxy or NGINX instance on a single VM, add a standby with a shared virtual IP using something like Keepalived.
Database Layer
A standalone database primary is one of the most common SPOFs. The typical progression:
- Add a replica. A read replica doesn't help with primary failure unless you promote it. Configure automated failover from the start.
- Use managed failover. AWS RDS Multi-AZ, Cloud SQL with HA, or Patroni for self-managed Postgres all handle automatic promotion.
- Understand your RPO and RTO. Automated failover usually means a brief outage (30–60 seconds is common with Patroni or RDS Multi-AZ). Decide whether that's acceptable, or whether you need something like CockroachDB or Vitess for near-zero failover.
Application Servers
Running a single app server is an obvious SPOF, but scaling horizontally also means ensuring your app is stateless. Session state stored locally on one instance will be lost if that instance fails. Move sessions to Redis or a database, and make sure file uploads go to object storage (S3, GCS) rather than local disk.
Caches
If your app falls over when Redis is unavailable, Redis is a SPOF. Either:
- Run Redis Sentinel or Redis Cluster for HA, or
- Code defensively so cache misses degrade gracefully to the database.
The second option is often underestimated — resilient cache design means an outage becomes a slowdown, not a crash.
External Dependencies
Third-party APIs, payment gateways, CDNs, and SaaS services can all be SPOFs in disguise. For each external call, ask: what happens if this returns a 500 or times out?
- Add timeouts and circuit breakers (libraries like
resilience4jfor JVM,pybreakerfor Python, or built-in support in service meshes like Istio). - Where feasible, have a fallback path — cached data, a degraded UI, or a secondary provider.
Multi-Region vs. Multi-AZ
Multi-AZ (placing resources across availability zones in one region) protects against datacenter-level failures. Multi-region protects against regional outages, which are rarer but do happen.
For most production services, multi-AZ is the minimum bar. Multi-region adds significant complexity — data replication lag, conflict resolution, and higher cost — but is worth it for services where even a 10-minute regional outage is unacceptable.
Monitoring Across Regions
Once you've built redundancy in, you need to verify it's actually working. A monitoring check from a single location can miss issues that only affect users in specific geographies — a BGP routing problem or a CDN PoP failure, for example.
Running uptime checks from multiple regions (which is what Pingy does) means you can distinguish "our site is down everywhere" from "our site is unreachable from eu-west" — which points to very different root causes and remediation steps.
Pre-Launch SPOF Checklist
- DNS: two or more authoritative providers
- Load balancer: managed HA or active/passive with VIP failover
- Database: automated failover configured and tested
- App servers: stateless, horizontally scalable
- Cache: graceful degradation on failure
- External APIs: timeouts, retries, and circuit breakers in place
- Monitoring: checks running from multiple geographic regions
- Runbooks: documented failover steps for each component
Key Takeaways
- A system is only as available as its weakest single component.
- Redundancy at the app tier means nothing if DNS or the database is a SPOF.
- Automated failover is not the same as tested failover — run drills.
- Graceful degradation (returning stale data, disabling features) is often more practical than full redundancy for external dependencies.
- Multi-region monitoring gives you signal that single-location checks will miss.