Shopify Load Testing: How to identify "minefields" in custom endpoints
Hi! I’m Kyosuke, a Project Manager at Flagship. Today, I’ll be introducing the common pitfalls of load testing for high-traffic stores and practical solutions using the modern tool "k6."
Many businesses using Shopify Plus think that "since Shopify is a cloud (SaaS) service, there's no need for load management."
However, this is only half true and half a very dangerous misunderstanding.
In this article, based on materials from an in-house load testing study group, we thoroughly explain the points that enterprise companies facing large-scale access and data processing on a scale of millions of items should test.
1. Why does Shopify need load testing?
Shopify's servers (for displaying products and making payments) have the world's highest level of scalability, so users generally don't need to worry about expanding their infrastructure. However, in an enterprise environment, it's rare to be able to get by with just the standard features.
The real target we need to test is the user-implemented part of the Shared Responsibility Model: custom elements.
- App Proxy: A system that seamlessly displays proprietary functions on the front end.
- External API Integration: A point of contact that exchanges inventory, customer, and order data with external systems such as ERP and CRM in real time.
- Proprietary database: An external database prepared for specific business logic or advanced personalization.
If even one of these processes gets stuck, it could completely halt the customer's purchasing experience, even if Shopify itself is functioning normally. One of the main purposes of load testing is to identify in advance where and at what level of load a SPOF (Single Point of Failure) will occur.
2. Practical tool "k6" and key points of scenario design
Flagship uses k6, a modern load testing tool. Its engine is written in Go, but test scenarios can be written in JavaScript, allowing development teams to build tests intuitively and flexibly.
When conducting testing, rather than simply sending a large number of hits to the top page, we extract custom functions from the following Critical User Journey (CUJ) and create scripts for the relevant sections.
- Login/Authentication: During large-scale sales, the load on the authentication database increases when existing customers try to log in all at once.
- Product search and filtering: Will complex search queries overwhelm external APIs or databases?
- Add to Cart and Add Custom Attributes: Check for write latency via App Proxy.
- Transition to checkout: System integration just before handing over to Shopify's standard functions.
By gradually increasing the load, we quantitatively measure where responses are delayed (latency) and where the error rate jumps (error rate).
3. Blind spots of custom app deployment: Summary of Shopify API Limits and Solutions
Before an event where you expect a large number of orders, be sure to check the Shopify API Limits for any custom features you have implemented on your site. The Shopify API has a limit on the number of requests that can be made per second. The tricky thing is that this limit varies depending on the type of API you use (REST/GraphQL) and the Shopify plan you have subscribed to. To avoid a situation where your custom features stop working due to heavy traffic just as the sale begins, we strongly recommend that you check in advance whether your current implementation will reach its limit.
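One way to run that advance check, as an added example that is not code from the original article: a leaky-bucket simulation that shows when a custom app's call rate starts being throttled. The bucket size, drain rate, and call rates are constructed values; substitute the documented limits for your API type and plan.

```javascript
// Leaky-bucket model of an API rate limit: every request adds one unit to the
// bucket, the bucket drains at a fixed rate, and a request that would overflow
// it is rejected (throttled). All parameter values below are constructed.
function simulateBucket({ capacity, leakPerSec, requestsPerSec, durationSec }) {
  const SCALE = 1000; // track the level in 1/1000 request units (integer math)
  const cap = capacity * SCALE;
  const leakPerStep = Math.round((leakPerSec * SCALE) / requestsPerSec);
  const total = Math.floor(durationSec * requestsPerSec);
  let level = 0;
  let accepted = 0;
  let throttled = 0;
  let firstThrottleSec = null;
  for (let i = 0; i < total; i++) {
    if (i > 0) level = Math.max(0, level - leakPerStep); // drain since last call
    if (level + SCALE <= cap) {
      level += SCALE;
      accepted++;
    } else {
      throttled++;
      if (firstThrottleSec === null) firstThrottleSec = i / requestsPerSec;
    }
  }
  return { accepted, throttled, firstThrottleSec };
}

// Hypothetical custom app: bucket of 40, drain of 2 requests/second.
const ASSUMED_LIMIT = { capacity: 40, leakPerSec: 2 };
// Sale peak: the app calls the API 10 times per second for one minute.
const peak = simulateBucket({ ...ASSUMED_LIMIT, requestsPerSec: 10, durationSec: 60 });
// Normal day: 2 calls per second, which matches the drain rate.
const normal = simulateBucket({ ...ASSUMED_LIMIT, requestsPerSec: 2, durationSec: 60 });
console.log('peak:', peak);
console.log('normal:', normal);
```

Once the bucket fills, accepted throughput falls to the drain rate regardless of how fast the app calls, so the burst headroom only buys a few seconds at peak.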
4. Bypassing Shopify WAF (Security Wall)
Shopify has a powerful WAF (Web Application Firewall) to protect your store from DDoS attacks and bots. While this is usually a great help, it can be a major hurdle when it comes to load testing.
If you apply load to a proxy URL such as /a/proxy/... in the same way as normal user access, Shopify will automatically determine this as a "malicious attack by a bot" and immediately block the IP address of the server you are running the test from. This makes it impossible to perform a proper load test.
Technical Workaround:
When performing load testing, we target the "raw server endpoints" of our backend servers directly, bypassing Shopify's proxy.
This allows us to safely measure the "pure limits" of the APIs and DBs we have developed without being blocked by the WAF. This workaround is essential know-how when planning infrastructure capacity.
5. Capacity Planning and Reporting
The results of a load test are not simply a "pass or fail" decision. The goal is to use the data obtained to define:
- Maximum RPS (Requests Per Second): How many requests per second can the current configuration withstand?
- Identifying the bottleneck: Is it a lack of CPU, a DB connection limit (Connection Pool), or inefficient loop processing in the source code?
- Autoscaling threshold: When should server resources be automatically increased?
By visualizing these, we can assert with technical evidence that promotions that require advertising investments of tens of millions of yen and migrations of large-scale sites with millions of members are "safe."
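The stepped-load measurement from section 2 and the maximum-RPS figure above can be derived from the same data. The following is an added example, not code from the original article: it computes p95 latency and error rate per load stage and reports the last stage that stayed within limits. The sample data and the pass criteria (p95 under 500 ms, at most 1% errors) are constructed assumptions.

```javascript
// Nearest-rank percentile over an array of latencies in milliseconds.
function percentile(values, p) {
  const sorted = [...values].sort((a, b) => a - b);
  const rank = Math.max(1, Math.ceil((p * sorted.length) / 100));
  return sorted[rank - 1];
}

// stages: [{ rps, samples: [{ ms, ok }] }], ordered by increasing load.
// Returns the highest RPS that met both limits before the first breach.
function findCapacity(stages, { p95LimitMs, maxErrorRate }) {
  const report = [];
  let maxSafeRps = 0;
  let breach = null;
  for (const { rps, samples } of stages) {
    const p95 = percentile(samples.map((s) => s.ms), 95);
    const errorRate = samples.filter((s) => !s.ok).length / samples.length;
    const reasons = [];
    if (p95 > p95LimitMs) reasons.push('latency');
    if (errorRate > maxErrorRate) reasons.push('errors');
    report.push({ rps, p95, errorRate, reasons });
    if (breach === null) {
      if (reasons.length === 0) maxSafeRps = rps;
      else breach = { rps, reasons };
    }
  }
  return { maxSafeRps, breach, report };
}

// Constructed sample data: n identical samples per group, 20 samples per stage.
const fill = (n, ms, ok = true) => Array.from({ length: n }, () => ({ ms, ok }));
const SAMPLE_STAGES = [
  { rps: 50, samples: [...fill(18, 120), ...fill(2, 180)] },
  { rps: 100, samples: [...fill(18, 150), ...fill(2, 400)] },
  { rps: 200, samples: [...fill(16, 300), ...fill(4, 900)] },
  { rps: 400, samples: [...fill(10, 800), ...fill(5, 2000), ...fill(5, 3000, false)] },
];
// Assumed pass criteria: p95 under 500 ms and at most 1% failed requests.
const LIMITS = { p95LimitMs: 500, maxErrorRate: 0.01 };
const result = findCapacity(SAMPLE_STAGES, LIMITS);
console.log(result.maxSafeRps, result.breach, result.report);
```

In this sample the latency limit is breached at 200 RPS while errors only appear at 400 RPS, so an autoscaling threshold would need to sit below the latency breach rather than wait for failures.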
Summary: Optimize "data flow" instead of physical servers
The essence of load management on Shopify Plus is that, freed from physical server management, you improve the design precision of the "connections between systems (data flow)."
API rate limits, DB query efficiency, and SPOFs in custom implementations: scientifically verifying and continually optimizing these with tools like k6 is the way to build true reliability in an enterprise. If you're planning a large-scale business event, start by performing a health check on your company's custom endpoints.
In addition to k6, we have a track record of conducting load tests using the optimal method for each function's characteristics. If you have any concerns about load test countermeasures, please feel free to contact us.