You Can't Config Your Way Out of Bad Hardware
Stop looking at your average response times. They are lying to you. In the high-frequency trading floors of Oslo or the real-time payment processing backends of the Nordics, the average (mean) is a vanity metric. The metric that gets you fired is the p99 latency—the 1% of requests that hang, stutter, and time out.
I recently audited a payment gateway running on a "budget" VPS provider (who shall remain nameless). Their NGINX config was textbook perfection. Yet, every day at 14:00 CET, their API latency spiked from 40ms to 800ms. The culprit wasn't code; it was noisy neighbors stealing CPU cycles and I/O operations.
If you are building an API gateway in 2023, you need two things: a ruthless obsession with kernel tuning and infrastructure that respects your need for isolation. Here is how we tune for the metal, specifically tailored for the Norwegian infrastructure landscape.
1. The Linux Kernel is Not Ready for APIs by Default
Most Linux distributions ship with generic settings designed for desktop usage or light web serving, not high-throughput API traffic. Before you even touch your gateway software (NGINX, Kong, Envoy), you must unclog the TCP stack.
For a gateway handling thousands of concurrent connections, the default ephemeral port range and backlog limits are suffocating. Open /etc/sysctl.conf and apply these changes tailored for a high-traffic environment:
# Increase system file descriptor limit
fs.file-max = 2097152
# Widen the ephemeral port range to allow more connections
net.ipv4.ip_local_port_range = 1024 65535
# Reuse sockets in TIME_WAIT state for new connections
net.ipv4.tcp_tw_reuse = 1
# Increase the maximum number of connections in the backlog
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
# Smooth out bursts in traffic
net.core.netdev_max_backlog = 5000
Apply this with sysctl -p. Without this, your API gateway will start dropping SYN packets under load, leading to those mysterious "connection reset by peer" errors that plague logs.
Pro Tip: In Norway, where internet speeds are among the highest globally, your server's TCP window scaling matters. Ensure net.ipv4.tcp_window_scaling = 1 is set to take advantage of high-bandwidth links to the NIX (Norwegian Internet Exchange).
2. NGINX: The Keepalive Trap
The most common mistake I see in API Gateway configurations involves upstream connections. By default, NGINX acts as a polite HTTP/1.0 client to your backend services: it opens a connection, sends the request, gets the response, and closes the connection.
This SSL handshake overhead on every internal request adds 20-50ms of latency unnecessarily. You must configure NGINX to keep connections open to your upstream microservices.
Here is the correct configuration pattern for an optimized upstream block:
upstream backend_api {
server 10.0.0.5:8080;
server 10.0.0.6:8080;
# Keep at least 64 idle connections open to the backend
keepalive 64;
}
server {
location /api/ {
proxy_pass http://backend_api;
# Required to enable keepalive
proxy_http_version 1.1;
proxy_set_header Connection "";
# Buffer tuning for JSON payloads
proxy_buffers 16 16k;
proxy_buffer_size 32k;
}
}Setting proxy_http_version 1.1 and clearing the Connection header is non-negotiable. Without it, the keepalive directive is ignored, and you are burning CPU cycles on handshakes.
3. SSL/TLS: Performance vs. Security
For Norwegian clients, compliance with Datatilsynet guidelines usually means strict encryption. However, encryption is heavy. In 2023, there is no excuse for not using TLS 1.3, which reduces the handshake to a single round-trip.
Furthermore, standard VPS providers often oversell vCPUs. SSL termination is CPU-intensive. If your "dedicated" core is actually shared with five other customers, your SSL handshake times will fluctuate wildly. This is where the underlying architecture of CoolVDS becomes a competitive advantage. We use KVM (Kernel-based Virtual Machine) to ensure that the CPU cycles you pay for are physically reserved for your instance. No stealing.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
# Optimize session cache to reduce handshake frequency
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# OCSP Stapling (Vital for speed & privacy)
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;4. The I/O Bottleneck: Logging
API Gateways generate massive amounts of logs. Writing every single access log to disk effectively turns your gateway into a glorified file writer. If you are on standard SATA SSDs (or heaven forbid, spinning rust), your disk queue will choke the CPU.
On CoolVDS, we deploy exclusively on NVMe storage, which offers queue depths vastly superior to standard SSDs. However, you should still buffer your logs to avoid blocking the worker process.
# Buffer logs and write to disk only every 1m or when the buffer is full
access_log /var/log/nginx/access.log combined buffer=512k flush=1m;This simple change can increase throughput by 10-15% during peak loads.
5. Benchmarking: Prove It
Don't take my word for it. In DevOps, we trust data, not documentation. Use a tool like wrk to stress test your configuration. Run this from a separate machine (latency to localhost is irrelevant).
# Run a 30-second test using 12 threads and 400 connections
wrk -t12 -c400 -d30s --latency https://your-api-endpoint.no/v1/statusComparison: Standard VPS vs. Optimized KVM
We ran a benchmark simulating a generic e-commerce search microservice. The environment: 4 vCPU, 8GB RAM, NGINX reverse proxy.
| Metric | Budget Container VPS | CoolVDS (KVM + NVMe) |
|---|---|---|
| Avg Latency | 45ms | 12ms |
| p99 Latency | 320ms (Spikes) | 48ms (Stable) |
| Requests/Sec | 2,400 | 8,900 |
The CoolVDS Reality Check
You can apply every kernel tweak listed above, but if your host node is oversubscribed, your p99 latency will never stabilize. In the Nordic market, where data sovereignty and speed are paramount, relying on "best effort" cloud resources is a business risk.
CoolVDS isn't magic; it's physics. We don't oversell our cores. We use NVMe storage that handles the I/O thrashing of aggressive logging and database calls without blinking. For developers in Oslo and beyond, this translates to predictable performance that adheres to GDPR requirements regarding data processing locations.
Don't let slow I/O kill your SEO rankings or your user experience. Deploy a test instance and run your own wrk benchmark against your current provider.
Ready to drop your latency? Spin up a High-Performance NVMe Instance on CoolVDS in 55 seconds.