Skip to main content
Edstem Technologies company logo
Back to Case Studies

Hardening 55 Microservices for Millions of Citizens - Without a Single Maintenance Window

How a structured AWS platform engineering programme stabilised a large-scale state e-governance platform, serving millions of citizens, without a single planned maintenance window

Case Studies
Case Study Overview

Hardening 55 Microservices for Millions of Citizens - Without a Single Maintenance Window

How a structured AWS platform engineering programme stabilised a large-scale state e-governance platform, serving millions of citizens, without a single planned maintenance window

Last updated: May 30, 2026

an abstract image related to tech in blue color
Outcomes

Outcomes at a Glance

Business Outcome

Platform upgrades completed without disrupting services for millions of citizens

Supporting Metric

4 consecutive Kubernetes versions upgraded (1.31 → 1.35), zero downtime

Business Outcome

Eliminated risk of platform-wide outages caused by database connection exhaustion

Supporting Metric

HRMS peak connections reduced from 1,782 to 283 (−84%)

Business Outcome

Full platform stabilised under live citizen load

Supporting Metric

55 microservices running reliably in production

Business Outcome

Platform consistently handles peak citizen demand with minimal errors

Supporting Metric

~1,000 requests/min per service at busy-hour, 0.4% error rate

Business Outcome

Removed single-points of failure that had previously caused a 22-minute platform-wide outage

Supporting Metric

Blast-radius controls and automation guardrails applied across all production databases

Client Bio

About the Client

Client
State Government
Industry
Government / Public Sector
Situation

The Situation

The platform had been scaled rapidly to meet statutory rollout deadlines across local government bodies, with multiple delivery partners contributing modules in parallel. Feature velocity for citizen-facing services was, rightly, the priority of the early phase. Day-2 operational hardening had been planned as a follow-on workstream, and by early 2025 the accumulated technical debt across platform, data, and delivery layers had begun to surface as reliability risk.


Several patterns were common across the estate. Most services had been deployed without resource requests or limits, leaving Kubernetes without a basis on which to schedule or autoscale them. Autoscaling was either absent or inconsistently configured. RDS instances were absorbing 1,800+ concurrent JDBC connections, a direct consequence of pod churn opening connection pools faster than they were released.


The CI/CD estate reflected the same rapid-growth pattern. Container images were occasionally built for the wrong architecture and deployed onto incompatible nodes, producing silent startup failures. Infrastructure-as-code state had drifted in places: a stale configuration change had quietly re-provisioned a duplicate PostgreSQL database for the professional tax module, and a queued upsize for the pension database was sitting in the state file undetected. Branch-to-environment conventions varied across repositories, leaving room for deploys to land in the wrong cluster.


Health checks were configured against Spring Boot's root /health endpoint, which aggregates all downstream dependency checks. Under load, this endpoint regularly exceeded the ALB's 5-second timeout, causing target health to flap and triggering cascading 503s across multiple services.


None of these were unusual for a platform of this scale and pace. They were the operational gaps the next phase of the programme was commissioned to close.

Impact

The Impact

The operational gaps translated directly into citizen-facing service failures.


An attempt to reduce compute costs by lowering CPU limits on the birth service caused a cold-start cascade during the morning login rush. Birth certificate services went offline. The services could not complete their startup sequence under the reduced CPU limit, and the load balancer drained the target group before any instance became healthy.


Separately, an authorised team member manually invoked a database operations Lambda to test its behaviour in isolation. The function, designed to apply configuration changes across RDS instances, had no dry-run mode and no scope restrictions. A single invocation triggered an immediate, simultaneous restart across all 10 production databases, producing a 22-minute platform-wide outage. A legitimate, well-intentioned action against a tool with no guardrails had the blast radius of a full-scale incident.


Every deployment carried similar risk. Without reliable health checks, pinned container platforms, or Terraform state discipline, each release was as likely to introduce a new failure mode as it was to ship the intended change.

Resolution

The Resolution

Edstem was engaged as the platform engineering partner to close these gaps. The team, comprising a Senior Solution Architect, a DevOps Engineer, and a Senior Backend Engineer, executed a structured AWS platform engineering programme, validating every change against March busy-hour baselines before promoting to production.


Kubernetes platform hardening:

  • All four clusters upgraded from EKS 1.31 to 1.35 using a blue-green node group swap strategy, with old nodes continuing to serve traffic throughout
  • A single managed node group swap per version: no maintenance windows, no downtime
  • Prod nodes migrated to r7g.4xlarge Graviton (AL2023), resolving disk eviction issues caused by the previous undersized root disk configuration

The Result: a platform capable of absorbing infrastructure upgrades without scheduling maintenance windows or exposing citizens to service interruptions.


Database connection stability:

  • Five RDS Proxy instances deployed across the core, property tax, file management, civil registration, finance and HRMS service groups, collapsing 1,800+ app-side JDBC connections into stable, backend-pooled connections
  • HRMS peak connections reduced from 1,782 to 283, a reduction of 84%; CPU on the HRMS instance dropped from 16% to 7%
  • Migration executed with documented guardrails to avoid known proxy configuration traps that can destabilise connection pools during cutover

Stable connection pools eliminated the risk of database-layer outages cascading into citizen-facing service failures.

Autoscaling and reliability floors:

  • Autoscaling configured on all 55 services with CPU-based scaling and per-service minimum floors set to cold-burst capacity
  • JVM services floored at 500m CPU to prevent cold-start probe failures
  • A SAFE_MIN_FLOORS safety mechanism added to the nightly scale-down job, preventing a failure mode that had previously taken services offline during the peak login period

These changes ensured the platform could absorb the morning citizen login rush without pod failures or cascading service degradation.

ALB and health check standardisation:

  • All load balancer target groups migrated to a dedicated liveness endpoint, eliminating the downstream-aggregation timeout problem
  • WAF IP allowlists corrected to the NAT gateway address, resolving a misconfiguration that had been silently blocking internal traffic
  • Legacy node security group patched onto all new node ENIs after a node-group swap had left new nodes missing the load balancer ingress path

These fixes removed a class of silent misconfigurations that had been intermittently dropping citizen traffic without triggering any visible alerts.

CI/CD discipline:

  • Deployment workflows standardised via shared reusable pipelines with enforced architecture and build flags, eliminating silent startup failures caused by architecture mismatches
  • Infrastructure state locking and a CI gate implemented to address configuration drift
  • Commit convention enforced across all service repos, requiring simultaneous updates to version, changelog, and deployment configuration files

Every deployment across all 55 services became a traceable, repeatable operation, eliminating the category of human error that had previously caused production incidents.


The platform now runs 55 services at ~1,000 rpm each, absorbing Kubernetes upgrades without planned maintenance, and recovering from pod churn without database connection exhaustion, all on a 12-node Graviton cluster with headroom to scale to 50 nodes on demand.

For Your Org

What This Means for Your Organisation

If you're accountable for platform reliability on AWS, this engagement's experience shows that the most damaging failure modes (connection exhaustion, silent misconfigurations, deployment drift) are also the most preventable. A structured engineering programme, validated against real peak-load data, can improve platform stability without disrupting live services.

Ready to Stabilise Your Platform?

If your team is managing microservices on AWS and facing reliability, scaling, or deployment challenges, we can help you address your highest-risk gaps. Request a cloud architecture review and we'll map your platform's exposure against the patterns that stabilised this platform for millions of citizens.

Contact Us

MORE CASE STUDIES

Related Case Studies

contact us

Get started now

Get a quote for your project.

We use cookies to improve your experience and analyze site traffic. Read our Privacy Policy.