Code Room
System design | Hard | sd-g659
Subject: TLS ingress protocol router
Level: Senior–Staff
Time: ~45 min
Common in Networking & APIs interviews
Industries: Technology

Question

Design a TLS-terminating ingress that serves 500k custom customer domains (vanity hostnames) on shared infrastructure at 120k requests/sec, routing each connection to the right backend by SNI. It must present the correct per-domain certificate (issued/renewed automatically via ACME), terminate TLS with p99 handshake overhead under 10ms, support both HTTP/1.1 and HTTP/2, and route based on SNI before any application-layer data. A misissued or expired cert for one domain must not affect others. Walk through the ingress architecture, the cert/SNI model, and the central trade-off.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
