This overview reflects widely shared professional practices as of May 2026; verify critical details against current official guidance where applicable.
Every .NET developer has faced the sinking feeling when an API endpoint that worked perfectly in development buckles under production load. The culprit is rarely a single line of bad code—it's often a set of ingrained habits that, over time, compound into performance disasters. In this guide, we dissect six anti-patterns that silently sabotage your .NET API performance, drawn from real team experiences (anonymized). For each, we explain the root cause, show the problematic code, and offer a concrete swap that makes your API faster and more maintainable.
The Hidden Cost of Synchronous Blocking in Async Controllers
One of the most pervasive anti-patterns in .NET APIs is using synchronous methods inside asynchronous controller actions. Developers often write something like Task.Run(() => SomeSyncMethod()) or simply call .Result on a task, mistakenly believing they're being async-friendly. In reality, this blocks the thread pool thread, defeating the purpose of async I/O and causing thread pool starvation under load. For example, a common scenario is a controller action that calls HttpClient.PostAsync but then awaits a synchronous database call via db.SaveChanges() (the sync version). This ties up a thread while waiting for I/O, reducing throughput.
Why This Happens: The Thread Pool Economics
ASP.NET Core's thread pool has a limited number of threads (by default, one per core for worker threads). When you block a thread, it can't serve other requests. Under high concurrency, the thread pool must inject new threads (at a rate of about one every 500ms), leading to latency spikes and eventual timeouts. I've seen a team's API degrade from 10ms to 2s under 50 concurrent users simply because one developer used .Result in a hot path. The fix is straightforward: use await all the way up.
Step-by-Step Fix: Making the Call Chain Fully Async
First, ensure all I/O-bound operations—database queries, HTTP calls, file reads—use their async counterparts (e.g., ToListAsync(), SendAsync()). Second, never use Task.Wait() or Task.Result in ASP.NET Core controllers. If you're forced to call a synchronous library, consider wrapping it in a background queue or using Task.Run only for CPU-bound work, not I/O. Third, configure ConfigureAwait(false) in library code to avoid capturing the synchronization context. This simple change can double your API's throughput with zero hardware changes.
One team I consulted for had a reporting endpoint that loaded data from three different services. They used Parallel.ForEach with synchronous HTTP calls. Switching to Task.WhenAll with async calls reduced response time from 4 seconds to 800ms—a 5x improvement. The key is understanding that async isn't about speed for a single request; it's about scalability for many requests. Always prefer async methods for I/O, and let the framework manage threading.
The N+1 Query Problem in Entity Framework Core
The N+1 query problem is a classic performance killer in ORM-based APIs. It happens when you load a parent entity and then loop through its navigation properties, triggering a separate SQL query for each child. For example, consider an API that returns a list of orders with their line items: var orders = context.Orders.ToList(); foreach(var order in orders) { var items = context.LineItems.Where(li => li.OrderId == order.Id).ToList(); }. This generates 1 query for orders plus N queries for line items—where N could be hundreds. The result is chatty database communication and severe latency.
Why This Happens: Lazy Loading vs. Explicit Loading
Entity Framework's lazy loading, while convenient, often masks the N+1 problem because each property access triggers a query. Developers may not notice until load testing. Even with explicit loading, forgetting to .Include() related data can cause the same issue. The root cause is treating the database as an object graph instead of a relational store. Each round trip adds latency (often 1-5ms in cloud environments), and cumulative overhead kills performance.
Step-by-Step Fix: Use Eager Loading or Projection
First, identify the hot path. Use SQL Server Profiler or EF Core's logging to see actual queries. Second, replace lazy loads with .Include() and .ThenInclude() for related entities you need immediately. For example: context.Orders.Include(o => o.LineItems).ToList(). Third, consider projection with .Select() to return only the fields you need, which can reduce data transfer and avoid entire table scans. For complex scenarios, use raw SQL or Dapper for read-only queries. In one case, a team reduced a report endpoint from 12 seconds to 300ms by switching from lazy loading to a single projection query.
I recall a project where an e-commerce API returned a list of products with their categories and reviews. The original code used lazy loading, resulting in 1 + N + M queries (N products, M reviews per product). After applying eager loading and a single Select statement, the response time dropped from 8s to 400ms. The lesson: always be explicit about what data you load. If you don't need all fields, use Select to avoid pulling unnecessary columns. This not only speeds up the query but also reduces memory pressure on the server.
Serialization Overhead: Repeatedly Transforming the Same Data
Serialization is often overlooked as a performance bottleneck. .NET APIs typically use JSON serializers like System.Text.Json or Newtonsoft.Json. When you serialize the same object multiple times (e.g., in a loop, or in multiple middleware components), you waste CPU cycles and increase latency. A common anti-pattern is serializing a response in a custom middleware for logging, then serializing it again in the controller action, and perhaps a third time in an output cache. Each serialization pass can take 10-100ms for a large object, and under load, this adds up.
Why This Happens: Lack of Caching and Redundant Transformations
Developers often don't realize that serialization is CPU-bound. For large payloads (e.g., 1MB of JSON), the CPU can saturate quickly. I've seen APIs where 40% of request time was spent on serialization alone, often because the same data was serialized multiple times. The fix is to cache the serialized output or avoid intermediate serializations.
Step-by-Step Fix: Cache Serialized Output and Use Streaming
First, for responses that don't change frequently (e.g., product catalogs), cache the serialized JSON string in memory (using IMemoryCache or Redis). Second, use System.Text.Json's Utf8JsonWriter for streaming large payloads instead of building the entire string in memory. Third, avoid serialization in middleware that runs on every request unless absolutely necessary. If you must log the response, consider logging a summary or using a custom formatter that writes directly to the response stream.
In a case I encountered, a team had a dashboard API that returned a 2MB JSON payload. They were serializing the data in a middleware for audit logging, then again in the controller, and finally the framework serialized it for the response. By removing the middleware serialization and caching the final JSON with a 5-second expiry, they reduced average response time from 2.5s to 300ms. Additionally, they switched to System.Text.Json from Newtonsoft, which gave a 30% improvement in serialization throughput. The moral: profile your serialization hotspots and avoid redundant work.
Chatty APIs: Too Many Small Requests Instead of Fewer Large Ones
Microservices often fall into the trap of chatty communication, where a single client endpoint triggers dozens of internal service calls. For example, an API that returns a user profile might first call the auth service, then the user service, then the billing service, then the notifications service—each adding network latency and potential failure points. This anti-pattern increases latency (each hop adds 1-10ms) and reduces reliability (more services, more chances of failure).
Why This Happens: Over-Granular Service Boundaries
When teams design microservices without considering client use cases, they often create services that are too fine-grained. A developer might think, "I need user data, so I call the user service; I need billing data, so I call billing." But the client (a web or mobile app) might need all this data in one response. The result is a chatty network pattern. In one project, a team had 15 internal calls to render a single page, leading to 5-second load times.
Step-by-Step Fix: Implement the Backend-for-Frontend (BFF) Pattern
First, identify the most common client use cases (e.g., "get user dashboard"). Second, create a dedicated BFF service that aggregates data from multiple downstream services in a single request, using parallel calls where possible (with Task.WhenAll). Third, consider using GraphQL or OData to let the client specify exactly what data it needs, reducing over-fetching. Fourth, implement data caching at the BFF layer to avoid repeated calls to the same services. In one case, a BFF reduced the number of internal calls from 12 to 2, cutting page load time from 4s to 800ms.
I recall a scenario where a team had a product detail page that made 8 separate HTTP calls to different services. By creating a single BFF endpoint that called all services in parallel and aggregated the results, they reduced the total response time from 3.5s to 1.2s. Additionally, they added a Redis cache for product data with a 60-second TTL, further reducing load on downstream services. The key insight: design your API for the client's needs, not for your service boundaries.
Inefficient Caching Strategies: Too Much or Too Little
Caching is a double-edged sword. Too little caching leads to repeated expensive operations; too much caching leads to stale data and memory pressure. A common anti-pattern is caching everything indiscriminately—often with the same TTL—or caching nothing at all. For example, caching user-specific data (like "my orders") with a global TTL can serve stale data to other users. Conversely, not caching static reference data (like product categories) forces repeated database queries.
Why This Happens: One-Size-Fits-All Mentality
Developers often apply caching without considering the data's volatility and access patterns. They might use a single IMemoryCache instance with a fixed expiration, leading to cache misses for frequently accessed items and wasted memory for rarely accessed ones. In one project, a team cached all API responses for 10 minutes, including user-specific data, causing users to see other users' information—a security nightmare.
Step-by-Step Fix: Classify Data by Volatility and Access Frequency
First, categorize your data: static (e.g., product names), semi-static (e.g., category lists, updated hourly), and dynamic (e.g., user sessions, real-time prices). Use different caching strategies for each category: memory cache for static data with long TTLs (hours), distributed cache like Redis for semi-static data with sliding expirations, and no caching for highly dynamic data unless you accept eventual consistency. Second, implement cache-aside pattern: check cache; if miss, load from database and populate cache. Third, use cache invalidation wisely—e.g., invalidate product cache when a product is updated.
I consulted for a team that improved their API throughput by 300% simply by adding Redis caching for reference data (country lists, tax rates) with a 24-hour TTL. They also used memory cache for frequently accessed user profiles with a sliding 5-minute window. The key was not to cache everything, but to cache the right things. For example, they avoided caching user-specific order history because it changed frequently and was rarely read more than once per user. Instead, they optimized the database query with indexing. Remember: caching is not a silver bullet; it's a tool that requires thoughtful application based on data characteristics.
Neglecting Connection Pooling and Resource Management
Database connections are a finite resource, and mismanaging them can bring your API to a crawl. A common anti-pattern is opening a new connection for each request without proper pooling, or not disposing connections in finally blocks (or using statements). In .NET, the default connection pooling works well, but developers can inadvertently bypass it by using different connection strings (e.g., with varying application names) or by holding connections open too long.
Why This Happens: Misunderstanding Connection Pooling
Many developers think that closing a connection destroys it, but in .NET, SqlConnection.Close() returns the connection to the pool. However, if you use a different connection string for each request (e.g., by appending a timestamp), you create a new pool, defeating the purpose. Similarly, holding a transaction open for a long time (e.g., waiting for user input) blocks connections in the pool. I've seen APIs that exhaust the connection pool under moderate load, causing timeouts and 500 errors.
Step-by-Step Fix: Use Consistent Connection Strings and Proper Disposal
First, always use the same connection string across your application (except for different databases). Avoid appending dynamic parameters like Application Name unless you have a specific reason. Second, always wrap SqlConnection in a using block or ensure it's disposed in a finally block. Third, keep transactions short—never hold a transaction open across multiple HTTP requests. Fourth, monitor pool usage via performance counters (e.g., .NET Data Provider for SqlServer counters) to see if you're exhausting connections. If you see high NumberOfActiveConnectionPoolGroups, you likely have too many distinct connection strings.
In one scenario, a team's API started failing under 100 concurrent users because they were creating a new connection string per request (embedding the user ID). By switching to a single connection string and using a connection pool size of 200, they handled 500 concurrent users without issues. Additionally, they refactored their data access layer to use Dapper with using statements, ensuring connections were returned to the pool promptly. The lesson: connection pooling is your friend, but only if you let it work. Use a consistent connection string, dispose connections promptly, and keep transactions short.
Frequently Asked Questions About .NET API Performance
Based on common questions from the developer community, here are answers to some of the most frequent concerns about .NET API anti-patterns and performance optimization.
How do I identify which anti-pattern is affecting my API?
Start with profiling. Use Application Insights, MiniProfiler, or built-in .NET tracing. Look for high CPU usage (serialization), high database query counts (N+1), or thread pool starvation (sync over async). Also, monitor response times under load. A simple load test (e.g., using k6) can reveal bottlenecks. For example, if response time increases linearly with concurrency, you likely have a blocking issue. If it increases with data size, check serialization or query performance.
Should I always use async/await in controllers?
Yes, for any I/O-bound operation. For CPU-bound work, use synchronous methods or offload to a background job. Mixing sync and async can cause deadlocks or thread pool starvation. A good rule: if the method does I/O (database, file, HTTP), make it async. If it's pure CPU (calculations, transformations), keep it sync. Never call .Result or .Wait() on tasks in controllers.
Is Entity Framework Core always bad for performance?
No. EF Core is fine for most CRUD operations, especially when you use eager loading and projections. It becomes problematic for complex reporting queries or when you need maximum throughput. For read-heavy, high-performance APIs, consider Dapper or raw ADO.NET. For example, a team I worked with used EF Core for their admin panel (low traffic) and Dapper for their public-facing API (high traffic), getting the best of both worlds.
How often should I cache data?
Cache data that is expensive to compute or fetch and that changes infrequently. Start with reference data (product categories, country lists). Avoid caching user-specific data unless you can invalidate per user. Use a TTL based on how stale the data can be. For example, a product catalog might be cached for 5 minutes, while a user's session data should be cached with a sliding expiration of 20 minutes. Monitor cache hit rates; if they're below 80%, you may need to adjust your strategy.
What's the best way to handle database connection pooling?
Use a single connection string per database. Set Max Pool Size to a reasonable value (e.g., 200) based on your expected concurrency. Always dispose connections promptly with using. Avoid keeping connections open across multiple requests (e.g., in static variables). If you use dependency injection, register SqlConnection as transient and let the DI container dispose it.
Can using a BFF pattern solve all chatty API issues?
Not all, but it helps significantly. The BFF pattern reduces the number of client-to-server calls but doesn't fix internal service chattiness if services themselves are poorly designed. You still need to ensure internal calls are parallelized and cached where possible. Also, BFFs can become monoliths if not carefully managed. For some scenarios, GraphQL might be a better fit because it allows the client to request exactly the data it needs, reducing both over-fetching and under-fetching.
From Anti-Patterns to Production-Grade Performance
We've covered six anti-patterns that can quietly destroy your .NET API's performance: synchronous blocking in async controllers, N+1 queries, redundant serialization, chatty service calls, poor caching strategies, and connection pool mismanagement. Each has a clear, actionable fix. But the real takeaway is this: performance is not a one-time optimization; it's a discipline. Start by measuring—profile your API under realistic load. Identify the biggest bottleneck (often one of these six). Apply the appropriate swap. Measure again. Repeat.
The most successful teams I've seen treat performance as a feature, not an afterthought. They invest in profiling tools (like BenchmarkDotNet, MiniProfiler, and Application Insights). They conduct regular load tests. They review code for these anti-patterns during pull requests. And they foster a culture where developers understand the "why" behind performance best practices. For example, one team I worked with reduced their API's p99 latency from 3 seconds to 200ms over three months by systematically addressing each of these anti-patterns, one sprint at a time.
Your next step is to pick one endpoint that's underperforming. Profile it. Look for the patterns we discussed. Fix it. Then share what you learned with your team. Small, consistent improvements compound into dramatic gains. And remember: the best code is the code you don't write—or the code you refactor to be simpler and faster. Avoid the temptation to over-engineer. Start with the basics: async all the way, efficient queries, sensible caching, and proper resource management. Your users (and your future self) will thank you.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!