Capstone — Diagnosing a Real Multi-Service Outage

Cloud Troubleshooting & Support

Chapter 10 · Capstone — Diagnosing a Real Multi-Service Outage

One full incident, worked end to end, combining every technique from this course's nine prior chapters — and, throughout, the Course 1 material each of those techniques was originally built on.

The Scenario

TechShop, a mid-size e-commerce company, launches a major flash sale. Twenty minutes in, checkout starts failing intermittently for a growing share of customers.

Step 1 — Detect & Triage

An error-rate alarm fires on the checkout service (cloud1-8's alerting). Severity triage (Chapter 6) is immediate: checkout is directly revenue-generating, a large and growing share of customers are affected, there's no workaround, and it's happening during a promotional event — this is a Sev1 without hesitation. An incident commander is declared.

Step 2 — Scope Before Diving Into Logs

Following Chapter 4's first-five-minutes discipline: what changed, when did it start, how widespread is it. The picture that emerges — errors are intermittent, not total, and started almost exactly when flash-sale traffic began climbing. This intermittent pattern is the same diagnostic signal cloud2-1's own exercise walked through: a symptom pointing at something failing under load, not a total, clean outage.

Step 3 — Diagnosing Connectivity? Ruled Out Quickly

Applying Chapter 2's flowchart briefly: security groups, NACLs, and route tables are all checked and confirmed unchanged recently — no networking deployment in the relevant window. This step returns clean fast, which is itself useful information: it's genuinely fine, and expected, for a flowchart step to rule something out quickly rather than assuming every incident must be a networking problem.

Step 4 — Correlating Logs Across Services

Using Chapter 4's correlation-ID technique: request IDs are traced from the load balancer, through the application servers, to the database layer. The pattern that emerges — every failing request shows a connection timeout from the application server to the database, specifically.

Step 5 — Recognizing the Failure Pattern

This matches Chapter 5's catalog directly: database connection exhaustion. Confirmed by checking the database's current connection count against its configured maximum — sitting at 100%. Applying "what changed": a deployment two days earlier changed the application's connection pooling library. Normal, pre-sale traffic never came close to the new pool's limit, so the change went unnoticed until flash-sale traffic pushed it over.

Step 6 — Applying the 5 Whys

"Checkout is failing." Why? -- Requests are timing out connecting to the database. Why? -- The database connection pool is exhausted. Why? -- The pool size was left at the new library's small default value. Why? -- Nobody noticed, because normal traffic never approached that limit. Why? -- The deployment two days ago was never load-tested at flash-sale-level traffic before release.

The genuine root cause: a missing load-testing step in the deployment process — not simply "the pool was too small," which is only a symptom of that deeper gap.

Step 7 — Immediate Mitigation vs. Long-Term Fix

Per Chapter 5's own distinction: the immediate mitigation is increasing the connection pool size and restarting affected instances to clear stuck connections, restoring service quickly. The long-term fix — adding load-testing to the deployment process — is the actual root cause from Step 6. Both matter; stopping at the mitigation alone, per Chapter 5's warn-box, leaves the underlying gap ready to cause the same failure again.

Step 8 — Communicating Throughout

Per Chapter 6: an early "we're investigating" update goes out within minutes of the Sev1 declaration. Regular updates follow on a set cadence. No public speculation about cause happens until Step 5-6 actually confirm it. A clear resolution update follows once the mitigation is applied.

Step 9 — A Related Cost Question Surfaces

During the investigation, someone notices the auto-scaling group scaled out significantly. Is this legitimate cost from genuine load, or cloud1-3's own auto-scaling-masking-a-root-cause gotcha? Here, it's honestly both — the scaling was a reasonable reaction to real load, but it was also masking the connection pool issue underneath the whole time, exactly the pattern cloud1-3 warned about. Per cloud1-9's idle-compute material, the extra instances should be scaled back down once the real fix is in place, not left running unnecessarily.

Step 10 — Was This Us, or the Provider?

Applying Chapter 1's shared responsibility model, checked early per Chapter 8: the provider's account-specific health dashboard showed nothing. This was entirely a customer-side application and configuration issue — not a provider outage — closing off the provider-support escalation path from Chapter 8 as unnecessary here.

The Postmortem

A blameless postmortem (Chapter 6) is written: timeline, the 5 Whys root cause chain from Step 6, and an honest note on contributing factors (Chapter 5) — both the small default pool size and the missing load-testing process contributed, not one clean single cause. Action items with owners:

  1. Immediately fix the connection pool size — done, during the incident.
  2. Add load-testing to the deployment pipeline — owned by the platform team, with a due date.
  3. Add a dedicated connection-count alert (cloud1-8), so this shows up as its own early signal next time, rather than only manifesting as checkout errors after the fact.

What This Capstone Demonstrated

StepChapter applied
1, 8Chapter 6 — severity triage, communication, postmortem
2Chapter 4 — scope before logs
3Chapter 2 — connectivity flowchart
4Chapter 4 — correlation IDs
5, 6, 7Chapter 5 — failure catalog, 5 Whys, mitigation vs. fix
9Chapter 7 — cost investigation
10Chapter 8 — provider vs. customer triage

And underneath every one of those: Course 1's own material — cloud1-1's shared responsibility, cloud1-3's auto-scaling and connection concepts, cloud1-7's connection management, cloud1-8's monitoring, cloud1-9's cost management — the foundation this entire course was built to turn into practiced, applied skill.

Why a full worked scenario, not just isolated exercises
Real incidents rarely respect chapter boundaries — this capstone deliberately shows every technique from this course being reached for in sequence, in the order a genuine investigation would actually use them, rather than practiced in isolation.

Hands-On Exercises

Exercise 1

Identify which specific chapter of this course each of the following investigation actions came from: (a) checking metrics before opening logs, (b) using a request ID to trace across services, (c) confirming this wasn't a provider-side issue via the health dashboard.

📄 View solution
Exercise 2

In this capstone's own root cause chain, identify the difference between the immediate mitigation and the long-term fix, and explain why a postmortem needs to include both rather than being satisfied with just the mitigation.

📄 View solution
Exercise 3

A colleague suggests: "since the auto-scaling actually kept the site technically online during the incident, maybe we don't need to change anything." Using this chapter's and cloud1-3's material, explain what's wrong with this reasoning.

📄 View solution

Chapter 10 Quick Reference — Course Complete

  • Full incident lifecycle applied end to end: detect → triage → scope → investigate (connectivity, logs, failure patterns) → 5 Whys → mitigate + fix → communicate → cost check → provider-vs-customer triage → postmortem
  • A mitigation restores service; a fix addresses the actual root cause — postmortems need both named separately
  • Auto-scaling "keeping the site online" can still be masking an unaddressed root cause underneath (cloud1-3)
  • Course complete — Cloud Troubleshooting & Support, 10 chapters, completing the full Cloud Platforms track (Course 1 + Course 2, 22 chapters)