Back to blog

Why Our Connection Governance Does Not Rely on Global Scans: How the Edge Kernel Turns Connection Reclamation into a Local Cost

Why recognizing and evicting invalid sessions is only half the problem, and how we designed localized connection governance so that reclaiming a small target set does not become a machine-wide scan cost.

Blog

When many systems talk about connection governance, most of the attention goes to the first half of the sentence.

  • Can the system recognize abnormal connections?
  • Can it react immediately after a policy change?
  • Can it kick sessions that should no longer exist?

All of that matters.

But what usually determines whether a system can remain stable under high concurrency for the long run is the second half of the question:

When you actually need to reclaim a batch of connections, is the cost local or global?

That is more important than many people realize.

Because the hardest moments in production are usually not simply that invalid connections exist. The hardest moments look more like this:

  • A source under one service has just been judged no longer valid.
  • A policy has just changed and a batch of established sessions now needs to be reclaimed immediately.
  • One local object needs to be cleaned quickly while the machine is already carrying a large number of live concurrent connections.

If the kernel can respond only by scanning the entire connection table to find those targets, then one thing becomes obvious very quickly:

A local problem has been wrongly escalated into a global cost.

That is one of the reasons many systems begin to jitter more and more under peak load. It is not that they lack governance capability. It is that the governance action itself is too heavy.

Our design takes the opposite view:

If the problem usually exists inside one service, one source, or one small target set, then the governance cost should stay in that same local scope instead of dragging the whole machine into a scan path.

That is what this article is about.

1. The problem in many systems is not that they cannot kick connections. It is that every kick looks like a global inspection

"Kick the connection" sounds simple enough.

Close the target connection and the problem is over, right?

The moment you move into a real implementation, the difficulties show up.

1. Connections are usually not organized by the way governance actions need to find them

In many runtime systems, the connection table is built primarily so that the system can remember connections, not so that it can govern them quickly.

Typical examples include structures organized like these:

  • Bucketed by user,
  • registered by shard,
  • linked by protocol object,
  • or designed only to ensure connection registration and release succeed.

Those structures work well enough in normal operation. But once the governance target becomes something like:

  • One IP under one service,
  • a small batch of TCP or packet connections under one source,
  • or one group of sessions attached to one local object,

you discover that the original runtime structure is not aligned with the governance target at all.

At that point, the system falls back to a very expensive answer:

Scan.

2. Scan-based governance turns a local problem into global interference

The moment a system needs to reclaim one local object by doing all of the following:

  • Iterate across every shard,
  • iterate across every bucket,
  • iterate across every connection,
  • and only then filter out the target connections,

the real cost of the action is no longer tied to how small the target set is. It becomes tied to how large the total connection population of the machine has grown.

That is the worst part of the whole pattern.

The system is trying to solve a local problem, but paying for it globally.

That leads to familiar symptoms.

  • A cleanup that should affect only a few dozen connections ends up walking tens of thousands or more.
  • Every local governance action during peak periods adds extra lock contention and cache pollution.
  • Corrective cleanup becomes a new source of latency by itself.
  • The larger the system grows, the clumsier governance becomes.

The most deceptive part is that this often does not show up in quiet periods. Once online connection scale rises and governance actions become more frequent, it begins to consume system stability continuously.

2. A mature governance design has to answer one question first: what is the most common key by which real cleanup actions are located?

If the goal is to push governance cost back into the local scope, the first step is not to optimize scanning. It is to redefine the governance entry point.

The first practical question we asked in this part of the design was this:

What key is most often used in production when the system actually needs to reclaim connections?

The answer is not "the whole machine," and it is not "all connections."

The more common real production target usually looks like this:

  • One service,
  • one source IP,
  • and the connection set for that source under that service.

In other words, the governance target is naturally local.

So the runtime structure should be allowed to get close to that local target instead of forcing the system to rediscover the answer from a global structure every time.

That is why our core question was never:

"How can we make global scanning a bit faster?"

It was this instead:

How can the most common local governance action avoid requiring a global scan from the start?

3. Our approach: keep the normal sharded connection registry, but add one more local index aligned with governance actions

The most important decision here was not to force all responsibility into one connection table.

We kept the ordinary sharded connection registry because it is the right structure for the base lifecycle management of large-scale concurrent connections.

At the same time, we added another layer of local indexing aligned much more closely with governance actions:

`service + IP -> connection set`

That index may sound straightforward, but it solves a very concrete problem.

Once the system already knows which service and which source it needs to govern, it should not have to search the entire machine again to find the relevant connections.

Once that index exists, the shape of a governance action changes completely.

The old path looked like this:

  1. Scan the whole connection structure.
  2. Find the objects whose service matches.
  3. Filter again for the matching IP.
  4. Close them one by one.

The new path looks like this instead:

  1. Hit the local index directly by `service + IP`.
  2. Obtain the relevant TCP or packet connection set immediately.
  3. Close only the objects that actually belong to the target.

On the surface, that may look like only a few fewer steps. In practice, the complexity profile, lock behavior, and cache behavior become completely different.

4. Why this is not a small optimization, but a change in the governance model itself

The first time many people see an index like this, they treat it as a simple acceleration trick.

What it really changes is not that one function got slightly faster. What it really changes is this:

It changes how the system defines the cost model of governance actions.

Without that extra index, governance actions naturally pay by global scale. The more connections the system holds, the more connections it has to examine, even when the actual target is only a few dozen objects.

With the index in place, governance actions move much closer to paying by target size.

That means:

  • If the target is small, the cost should also be small.
  • If the target lives inside one service and one source, the cost should stay there as much as possible.
  • Connections unrelated to the target should not be charged a scan tax for this governance event.

That is the mindset an edge runtime actually needs, because edge nodes do not mainly fear the existence of governance actions. They fear governance actions becoming the next hotspot during peak periods.

5. Why we still keep the sharded base structure instead of replacing everything with one `service + IP` table

If the local index is so useful for governance, many people naturally jump to another extreme:

"Why not just put every connection into one big table organized by `service + IP` and be done with it?"

The answer is that runtime connection management is serving two very different kinds of pressure at once.

  1. Registration, release, counting, and lifecycle maintenance for large-scale concurrent connections
  2. Fast localized lookup for specific governance actions

Those goals are not identical. If one structure is forced to serve them both perfectly, one side usually gets worse.

That is why we did not discard the sharded base structure. We used a more restrained design:

  • The sharded structure continues to carry the base connection-management workload.
  • The extra local index provides fast localization for governance actions.

That means the system does not cram all concurrent connections into one new global hotspot merely to simplify governance. At the same time, it also does not force every governance action to rescan the entire landscape just because the base structure is optimized for registration.

This kind of two-layer organization is very typical of high-concurrency kernel thinking:

The foundational runtime structure serves everyday throughput. The local index serves specific governance actions.

Not everything belongs in one universal table.

6. The most important value of this design: corrective governance no longer reattacks the hot path

A lot of platforms have already optimized the front half of the question, which is whether a connection can be admitted quickly.

  • Keep the first packet from blocking unnecessarily.
  • Make external checks asynchronous whenever possible.
  • Shorten the decision chain during session establishment.

But if later correction and reclamation still rely on global scans, then the problem has not really been solved. The cost has simply been moved from the front half to the back half.

Once an asynchronous judgment returns that some local object should be cleaned up, the system would still need to:

  • Scan all connections,
  • touch all shards,
  • and filter a large number of irrelevant objects.

That creates an awkward result:

The first-packet path looks faster, but the recovery path drags the system back into a heavy operation again.

What we care about more is something stricter:

Admission should not be too heavy, and correction afterward should not be too heavy either.

Only then can governance stay truly local instead of turning every local problem into a whole-machine expense.

7. Why this is worth writing about more than simply saying "we support kicking connections"

"Supports kicking connections" is not impressive by itself.

The more meaningful questions are deeper.

1. How do you find the connections that should be removed?

If the answer is "scan everything," then the system is functionally usable but its runtime design is not yet mature.

2. Is the governance cost organized by target granularity?

If the target is one source under one service, the governance cost should not spill outward into the entire connection space.

3. Does the governance structure align with the real strategy granularity used in production?

In real systems, reclaim actions often land naturally on dimensions such as `service + IP`. If the runtime structure does not align with that dimension at all, then scanning becomes the only available remedy.

4. Did you decouple high-concurrency connection management from localized governance?

A mature system does not expect one structure to solve every cost model elegantly. Good design usually means different structures serving different pressure profiles.

That is why we believe this topic is more worth discussing than many surface-level performance tweaks. It reflects not parameter tuning, but a runtime-governance philosophy:

A local problem should be solved locally.

8. What this optimization really improves in real production environments

Many people summarize designs like this with the word "faster."

What it really improves is more concrete than that.

1. Stability under frequent governance actions

As localized cleanup actions become more frequent, the system no longer keeps amplifying jitter through repeated scans.

2. Predictability when large numbers of connections are online

Governance cost stays closer to target size rather than total connection count, so the system is less likely to degrade as online scale rises.

3. Gentler corrective cleanup behavior

The machine does not need to revisit the entire runtime connection map just to shut down a small number of objects.

4. Clearer boundaries between the hot path and the governance path

The fast path is responsible for carrying traffic. The governance path is responsible for local violations and local reclamation. Poor structural design should not force the two to recouple.

That sense of boundary matters enormously in edge systems, because at real scale the final competition is rarely just about peak throughput. It is about whether the system remains stable while policy changes, local anomalies, and post-hoc corrections keep happening at the same time.

9. Why we consider this a kernel-level optimization rather than ordinary business logic

Because this design is not mainly about whether the management layer feels convenient. It is about how cost is distributed at the lowest runtime layer.

Ordinary business logic tends to care more about questions like these:

  • Does the capability exist?
  • Can an operator click the right button?
  • Does the outcome become correct after the policy changes?

Kernel-style optimization cares about something else:

While the result is correct, where does the cost actually land?

If the cost of every local governance action always spills across the whole machine, then even perfectly correct behavior becomes heavy under high concurrency.

A system only really enters runtime engineering territory once it starts treating questions like these seriously:

  • Which structures are for high-concurrency registration?
  • Which structures are for localized reclamation?
  • Which actions should pay by target size?
  • Which actions must never degrade into global scans?

That is the point we want to emphasize.

This is not merely:

"We know how to close connections."

It is this instead:

We turned connection governance from a global inspection-style operation into a localized, point-targeted operation.

10. If we had to summarize this optimization in one sentence

The right summary is not "we can kick invalid connections."

It is this:

We designed connection governance as a runtime mechanism that pays by target granularity, so that reclaiming one source under one service no longer turns into a scan across the entire connection space.

That is what we believe deserves to be called performance engineering.

Enjoyed this article?

Next →
Why Real ACL Hot Reload Should Not Make Every Connection Pay for It
Request a network assessment

Request a network assessment

Show us your current setup. We will point out likely issues and whether this service fits.

Request assessment