System Design Concepts

No fluff — visual, concise, interview-ready

📨 8 · MESSAGING

Message Queues (RabbitMQ / SQS)

Messages wait in a queue for consumers to process — task distribution & load balancing with retry + DLQ

Guarantees: At-least-once delivery (consumer must be idempotent). Ordering per queue (FIFO). Dead Letter Queue — after N retries, message moved to DLQ. Visibility timeout — message invisible to others while being processed.
Limitations: No message replay. Limited throughput for high-volume streaming. Fan-out harder than Kafka. No long-term retention.
RabbitMQ exchanges: Direct (exact key) · Fanout (broadcast) · Topic (pattern: order.*.created) · Headers. SQS: Standard (at-least-once, best-effort order) vs FIFO (exactly-once, strict order, 3K msg/sec).

Message Streams - Apache Kafka

Messages continuously appended to a durable ordered log1M+ events/sec, replayable history, multiple independent readers.

How Kafka Works
Producer 1 Producer 2 Producer 3 Kafka Cluster Partition 0 Partition 1 Partition 2 offsets → Group A C1 C2 Group B C3 C4 Each group reads ALL independently Partitions replicated (ISR) acks=all → no data loss
Top Kafka Use Cases

Event Streaming

📱🌐🖥️ Kafka Spark Stream 📊 Real-time analytics, ML pipelines

Log Aggregation

Srv1 Srv2 Connect Kafka ELK Stack Centralize logs from all services

Message Queuing

Prod 1 Prod 2 Kafka Cons 1 Cons 2 Decouple services, async processing

Web Activity Tracking

📱🖥️ Connect Kafka Spark 📊 Clicks, views → real-time dashboards

Data Replication (CDC)

DB1 DB2 Connect Kafka DB3 DB4 Debezium CDC → replicate across DCs
ConceptDetailGuarantee
PartitionUnit of parallelism. Append-only log.Ordered within partition, not across.
OffsetSequential ID per message.Consumer can rewind/replay from any offset.
ISRIn-Sync Replicas caught up with leader.acks=all + min.insync.replicas=2 = no data loss.
Consumer GroupEach partition → exactly 1 consumer per group.Multiple groups = independent reads.
Compacted TopicKeep latest value per key.State snapshots, changelogs.
KRaftReplaces ZooKeeper (Kafka 3.3+).Simpler operations.
Delivery Guarantees: At-most-once (acks=0, lossy). At-least-once (acks=all, may duplicate). Exactly-once (idempotent producer + transactions).
Limitations: Operational complexity. Ordering per partition only. No per-message acking. Overkill for low volume.
Real-world: LinkedIn 4T+ events/day. Uber — trip events, surge pricing. Netflix — recommendations pipeline.
Real-World: Uber Ride Events in Kafka — Complete Flow
Uber Ride Lifecycle — Events Produced to Kafka E1 RIDE_REQUESTED E2 DRIVER_MATCHED E3 DRIVER_EN_ROUTE E4 RIDER_PICKED_UP E5 TRIP_IN_PROGRESS E6 GPS_UPDATE ×N E7 TRIP_COMPLETED E8 FARE_CALCULATED E9 PAYMENT_CHARGED E10 RATING_SUBMITTED Producers Rider App Driver App Trip Service Payment Service key = trip_id hash(trip_id) % 3 Kafka Cluster — Topic: "uber.ride-events" 3 Partitions × RF=3 | acks=all | min.insync.replicas=2 | retention=7d Partition 0 (Leader: Broker 1) key: trip_101 → hash % 3 = 0 RIDE_REQ offset 0 DRV_MATCH offset 1 EN_ROUTE offset 2 PICKED_UP offset 3 IN_PROG offset 4 COMPLETE offset 5 FARE_CALC offset 6 ← ORDERED: all trip_101 events in sequence (same partition) → Partition 1 (Leader: Broker 2) key: trip_202 → hash % 3 = 1 RIDE_REQ offset 0 DRV_MATCH offset 1 GPS ×3 offset 2-4 COMPLETE offset 5 PAYMENT offset 6 RATING offset 7 HW=8 ← ORDERED: all trip_202 events in sequence → Partition 2 (Leader: Broker 3) key: trip_303 → hash % 3 = 2 RIDE_REQ offset 0 DRV_MATCH offset 1 GPS ×5 offset 2-6 IN_PROG offset 7 LEO=8 ← trip_303 still in progress... more events coming → RF=3: Each partition replicated to ALL 3 brokers (1 Leader ★ + 2 ISR followers) ISR = In-Sync Replicas | HW = High Watermark (committed) | LEO = Log End Offset (latest written) KRaft Controller Quorum — leader election, partition assignment (no ZooKeeper) Consumer Group: surge-pricing Flink — count rides/zone/5min → dynamic pricing C1 → P0 committed: 5 C2 → P1 committed: 7 C3 → P2 committed: 6 lag: P0=1 | P1=1 | P2=2 (events behind) __consumer_offsets topic stores committed positions Consumer Group: analytics Spark batch — daily trip reports → BigQuery C4 → P0 committed: 3 C5 → P1,P2 committed: 4, 5 lag: P0=3 | P1=4 | P2=3 (batch behind real-time) auto.offset.reset=earliest → replay from beginning on new deploy Consumer Group: eta-service Real-time ETA → push notification to rider C6 → P0 committed: 6 C7 → P1 committed: 8 C8 → P2 committed: 8 lag: P0=0 | P1=0 | P2=0 (fully caught up!) max.poll.interval.ms=300000 | session.timeout.ms=10000 Offset Mechanics — How Consumers Track Position Partition 0: 0 1 2 3 4 5 6 ... analytics (C4) committed=3 surge (C1) committed=5 eta (C6) committed=6 HW=6 LEO=7 Offset Concepts: Committed Offset: last offset consumer confirmed processing (stored in __consumer_offsets) High Watermark (HW): last offset replicated to ALL ISR replicas (consumers can only read up to HW) Log End Offset (LEO): last offset written to leader (not yet replicated to all ISR) Consumer Lag: HW - committed offset = messages behind (monitor with Burrow/Kafka Lag Exporter) End-to-End Flow: trip_101 Lifecycle Through Kafka ① Rider App produce(key=trip_101 val=RIDE_REQUESTED) acks=all ② Partitioner hash(trip_101) % 3 = Partition 0 batch + lz4 compress ③ Leader (B1) append to P0 log offset=0, LEO=1 write to .log segment ④ ISR Replicate B2, B3 fetch from B1 both ACK → HW=1 min.insync.replicas=2 ✓ ⑤ ACK Producer acks=all satisfied producer callback OK idempotent: seq=0 ⑥ Consumer Poll C1 polls P0 from offset 0 (or last+1) max.poll.records=500 ⑦ Process + Commit process event → commit offset=1 stored in __consumer_offsets at-least-once (process then commit) ORDERING GUARANTEE: All events for trip_101 arrive at P0 in exact producer order (E1→E2→E3→...→E10) Different trips (trip_202, trip_303) may be on different partitions — NO ordering across partitions, only WITHIN Every Kafka Concept in This Diagram Partitioning: key=trip_id → same partition RF=3 + ISR: 3 copies, min 2 must ACK Offsets: per-consumer position tracking HW/LEO: committed vs written boundary Consumer Groups: independent reads, own offsets KRaft: controller quorum, no ZooKeeper Ordering: guaranteed within partition only Lag: HW - committed = consumer behind
Kafka: Producers, Consumers, Brokers

Producers

Acks: 0=fire-forget · 1=leader ACK · all=all ISR ACK (safest)
Retries: On failure, retry with backoff. Idempotent producer (enable.idempotence=true) deduplicates retries via sequence numbers.
Batching: linger.ms (wait to fill batch) + batch.size (max bytes). Bigger batch = higher throughput, slight latency.
Compression: snappy (fast), lz4 (balanced), zstd (best ratio). Compress at producer, decompress at consumer.
Partitioner: Default = hash(key) % partitions. Sticky partitioner for null keys (batch to one partition, then rotate).

Consumers

Consumer Group: Each partition → exactly 1 consumer in group. Add consumers = parallel. Max consumers = partitions.
Offsets: Track position per partition. Committed to __consumer_offsets topic. auto.offset.reset: earliest (replay all) / latest (new only).
Delivery: At-most-once (commit before process) · At-least-once (process then commit, may re-read) · Exactly-once (transactions).
Rebalance: Consumer joins/leaves → partitions reassigned. Cooperative/incremental rebalance (Kafka 2.4+) avoids stop-the-world.
Poll: max.poll.records, max.poll.interval.ms. Too slow = kicked from group.

Brokers & Topics

Broker: Single Kafka server. Cluster = N brokers. Each broker stores subset of partitions.
Replication: RF=3 → 3 copies. Leader handles reads/writes. Followers in ISR (In-Sync Replicas) replicate. min.insync.replicas=2 + acks=all = no data loss.
Segments: Partition = ordered log split into segment files (1GB default). Each segment has .log + .index + .timeindex.
Retention: Time-based (retention.ms=7 days) or size-based (retention.bytes=1TB). Log compaction = keep latest value per key (state snapshots).
KRaft: Replaces ZooKeeper (Kafka 3.3+). Controller quorum via Raft. Simpler ops, faster failover.
ConfigSettingEffect
acks=all + min.insync=2Producer waits for 2+ replicasZero data loss (even if 1 broker dies)
enable.idempotence=trueSequence numbers per producerNo duplicates on retry
TransactionsAtomic multi-partition writesExactly-once end-to-end
Unclean leader election=falseOnly ISR members can become leaderNo data loss (may reduce availability)
Log compactionKeep latest value per keyState snapshots, changelogs (KTable)

Pub/Sub (SNS / Google Pub/Sub)

Publishers broadcast (fan-out) to a topic — every subscriber receives its own independent copy

Producer publishes to TOPIC (not a queue)
       ↓ topic: "order-events"
  ┌────┼────────┬────────────┐
  ↓    ↓        ↓            ↓
 Sub A  Sub B   Sub C       Sub D
(Email) (Analytics) (Audit) (Webhook)

Each subscriber gets its OWN copy of every message.
Subscribers are independent — different speeds, different retry logic.
Guarantees: At-least-once delivery to every subscriber. Independent processing. Fully managed. Google Pub/Sub: seek to timestamp, ordering keys, exactly-once delivery. SNS: push to SQS/Lambda/HTTP/email/SMS.
Limitations: No long retention by default. No consumer-side replay in SNS. Ordering not guaranteed by default. Not suited for point-to-point work queues.
Real-world: Spotify — Google Pub/Sub for event-driven microservices. Shopify — SNS+SQS for order event fan-out. Uber — Google Pub/Sub for cross-service event propagation.

Message Queues vs Event Streams vs Pub/Sub

Three fundamentally different messaging patterns

┌──────────────────────────────────────────────────────────────┐
│ MESSAGE QUEUE (Point-to-Point)                               │
└──────────────────────────────────────────────────────────────┘
Producer → [ Queue ] → Consumer A
                         (message deleted after ACK)
        One message → one consumer (ownership)
┌──────────────────────────────────────────────────────────────┐
│ EVENT STREAM (Log/replay-based)                              │
└──────────────────────────────────────────────────────────────┘
Producer → [ Append-only Log ] → offset 0 → offset 5 → offset 9
                                  │            │            │
                              Group A      Group B      Group C
      Data is NEVER removed, only appended
┌──────────────────────────────────────────────────────────────┐
│ PUB/SUB (Fan-out)                                            │
└──────────────────────────────────────────────────────────────┘
Producer → [ Topic ]
              ├→ Subscriber A → receives COPY (independent)
              ├→ Subscriber B → receives COPY (independent)
              └→ Subscriber C → receives COPY (independent)
      One event → many independent receivers
FeatureMessage QueueEvent StreamPub/Sub
DefinitionMessages wait in a queue for a consumer to pick up & processMessages appended to a durable ordered log — replayable historyPublisher broadcasts to a topic; every subscriber gets its own copy
Core IdeaQueue of tasks / jobsDurable ordered event logBroadcast events to subscribers
Concrete Question"Which worker should process this image upload / email / payment retry?""What exactly happened in this system / user journey over time?""Which systems should know that an order was placed?"
Why this fits bestBest when exactly one worker should process a task / jobBest when events must be retained as an ordered replayable historyBest when one event must be broadcast (fan-out) to many independent subscribers
Why others don't fitPub/Sub broadcasts to many consumers causing duplicate processing; Streams retain/replay history — unnecessary for one-time task executionQueue removes messages after processing; Pub/Sub focuses on live delivery rather than durable replayable event historyQueue is designed for task distribution where only one consumer gets the message; Streams add retention/replay/ordering overhead when only real-time notification is needed
ModelCompeting consumers — task distribution & load balancingIndependent readers — each group reads the full log at its own paceFan-out — one publish, N independent deliveries
ConsumptionOne consumer per messageMultiple groups, each reads allAll subscribers get copy
After readDeletedRetainedGone (SNS) or short retention
DeliveryAt-least-once (consumer must be idempotent)At-least-once · exactly-once (idempotent producer + transactions)At-least-once to every subscriber
RetentionNo long-term retention — gone after ACKConfigurable (days / size / compaction)Short (SNS: none · Pub/Sub: 7 days)
Replay✓ (rewind to any offset)Limited
Ordering✓ per queue (FIFO)✓ per partition✗ by default
Throughput~10K-100K msg/sec~1M+ msg/sec~100K-1M msg/sec
Best forTask distribution, job queuesEvent sourcing, CDC, analyticsNotifications, fan-out, triggers
ExampleRabbitMQ, SQSKafka, Kinesis, Redis StreamsSNS, Google Pub/Sub
Key Insight: The fundamental difference is the consumption model. Queues are competing consumers (work distribution). Streams are independent consumers (each reads everything). Pub/Sub is broadcast (everyone gets a copy). Many real systems combine them — e.g., SNS → SQS → Lambda.

Dead Letter Queue (DLQ)

Quarantine poison messages so the main queue keeps flowing — critical for fault isolation & observability

DLQ Lifecycle — Retry, Quarantine & Recovery
Producer publishes msg Main Queue maxReceiveCount = 5 visibilityTimeout = 30s retention = 14 days Consumer process message ACK on success NACK on failure retry (back-off: 1s → 2s → 4s → 8s → 16s) after 5 failures receiveCount > max ☠ DLQ poison messages retention = 14 days ⚠ ALARM: depth > 0 🔔 CloudWatch PagerDuty / Slack alert ♻ Redrive fix bug → replay back to main queue 🔍 Inspect debug payload archive to S3 🗑 Purge discard if obsolete ✓ ACK msg deleted Legend happy path failure path retry loop recovery optional
ConceptDetailBest Practice
maxReceiveCountNumber of delivery attempts before moving to DLQ3–5 retries with exponential back-off
Visibility TimeoutTime message is hidden from other consumers during processingSet to 6× avg processing time
Redrive PolicyConfig linking source queue to its DLQAlways configure — never lose messages silently
Redrive Allow PolicyControls which source queues can target this DLQRestrict to specific source queues
Retention PeriodHow long DLQ keeps messages before auto-deletion14 days (max for SQS) — gives time to investigate
DLQ Implementation by Broker
BrokerMechanismConfigurationRecovery
SQSSource queue → redrive policy → DLQ (separate queue)RedrivePolicy: {deadLetterTargetArn, maxReceiveCount}StartMessageMoveTask API (redrive)
RabbitMQDead-letter exchange (DLX) on TTL/reject/nackx-dead-letter-exchange + x-dead-letter-routing-keyShovel plugin or manual republish
KafkaApp writes failed events to topic.DLTSpring Kafka: @RetryableTopic(attempts=3) + @DltHandlerReplay from DLT topic (seek to beginning)
Azure SBBuilt-in $DeadLetterQueue sub-queueMaxDeliveryCount on subscription/queueService Bus Explorer — peek & resubmit
GCP Pub/SubDead-letter topic on subscriptiondeadLetterPolicy: {deadLetterTopic, maxDeliveryAttempts}Pull from dead-letter subscription
Why Messages End Up in DLQ

Poison Messages

  • Malformed payload (invalid JSON/XML)
  • Schema mismatch (missing required fields)
  • Encoding errors (wrong charset)
  • Message too large for consumer buffer

Transient Failures

  • Downstream service unavailable
  • Database connection timeout
  • Rate limiting / throttling
  • Network partition (temporary)

Logic Errors

  • Unhandled exception in consumer code
  • Business rule violation
  • Referential integrity failure
  • Idempotency key collision
Best Practices: Always alarm on DLQ depth > 0 — even 1 message means something is broken. Set up CloudWatch / Prometheus metrics on ApproximateNumberOfMessagesVisible. Include correlation IDs and original timestamps in message headers for debugging. Use separate DLQs per source queue to isolate failure domains.
Recovery Playbook: ① Alert fires → ② Inspect DLQ messages (peek, don't consume) → ③ Identify root cause (schema? downstream? bug?) → ④ Fix the consumer/downstream → ⑤ Redrive messages back to source queue → ⑥ Verify processing succeeds → ⑦ Post-mortem if recurring.
Anti-patterns: Ignoring DLQ — messages expire silently. No alarm — failures go unnoticed for days. Infinite retries without DLQ — blocks the entire queue. Same retention on DLQ as source — messages may expire before investigation. No metadata — can't trace why message failed.
Real-world: Uber — DLQ per microservice, auto-redrive after circuit breaker resets. Netflix — DLQ + S3 archival for compliance audit trail. Stripe — webhook DLQ with exponential backoff (5 retries over 3 days).

Event Sourcing

Persist facts (events) as the source of truth — derive state by replaying the event log. Never mutate, only append.

Event Sourcing Architecture — Append, Replay, Project
Command CreateOrder Aggregate validate business rules emit event(s) optimistic concurrency Event Store append-only, immutable log OrderCreated v1 | seq 0 ItemAdded v1 | seq 1 OrderPaid v2 | seq 2 stream: order-{orderId} expectedVersion for concurrency control retention: forever (or compacted snapshots) 📸 Snapshot state @ seq N speeds up replay every 100 events subscribe / poll Projections (Read Models) Order List PostgreSQL denormalized view Search Index Elasticsearch full-text search Analytics ClickHouse OLAP aggregates Query GetOrderById ⏪ Time Travel / Replay Rebuild projection from event 0 Debug: "what was state at 3pm yesterday?" Fix bug → replay → corrected view 📋 Audit Trail (Free) Every state change is an event Who did what, when, why Compliance: SOX, GDPR, PCI-DSS 🔄 Temporal Queries Point-in-time state reconstruction Bi-temporal: valid time + transaction time Retroactive corrections possible
ConceptDetailImplementation
EventImmutable fact that happened — past tense namingOrderCreated, PaymentReceived, ItemShipped
StreamOrdered sequence of events for one aggregateorder-{orderId} — one stream per entity instance
AggregateConsistency boundary — validates commands, emits eventsLoad from stream → apply events → check invariants → emit
ProjectionRead model built by processing eventsSubscribe to stream → update denormalized view (async)
SnapshotMaterialized state at a point in timeStore every N events — replay only from snapshot forward
IdempotencyProcessing same event twice must produce same resultTrack last processed position / use event ID as dedup key
Event Store Technologies
StoreTypeStrengthsConsiderations
EventStoreDBPurpose-builtNative projections, subscriptions, optimistic concurrencySmaller community, self-hosted
KafkaLog-basedHigh throughput, built-in replication, ecosystemNo per-stream concurrency, compaction ≠ snapshots
PostgreSQLRDBMSACID, familiar, NOTIFY for subscriptionsManual stream management, polling for projections
DynamoDBNoSQLServerless, DynamoDB Streams for projections25-item transaction limit, cost at scale
MartenLibrary (.NET)PostgreSQL-backed, projections built-in.NET ecosystem only
Key Patterns & Challenges

Schema Evolution

  • Upcasting: transform old events to new schema on read
  • Versioning: OrderCreated_v2 with migration
  • Weak schema: add optional fields (backward compatible)
  • Never delete/modify stored events

Snapshotting Strategy

  • Snapshot every N events (e.g., 100)
  • Snapshot on time interval (e.g., daily)
  • Snapshot on aggregate complexity threshold
  • Store snapshot + version in separate stream

Handling Side Effects

  • Process managers / sagas for multi-aggregate workflows
  • Outbox pattern: event + side-effect in same transaction
  • Idempotent handlers: safe to replay
  • Compensating events for "undo" (not delete)

Common Pitfalls

  • GDPR: "right to erasure" conflicts with immutability → crypto-shredding
  • Large aggregates: too many events → slow replay → need snapshots
  • Event granularity: too fine = noise, too coarse = lost info
  • Projection lag: eventual consistency confuses users
Wins: Perfect audit trail — every state change recorded. Time-travel debugging — reconstruct state at any point. Rebuild projections — fix bugs, replay, get corrected views. Natural fit for financial ledgers, order systems, collaboration tools.
Costs: Schema evolution of events is hard (upcasting, versioning). Eventual consistency on read models. Snapshot/compaction strategy needed for long-lived aggregates. Steeper learning curve — team must think in events, not state.
Real-world: Stripe — payment state machine as events. Datomic — immutable database (event-sourced by design). LMAX Exchange — event-sourced trading engine (6M orders/sec). Git — commits are events, working tree is projection.

CQRS (Command Query Responsibility Segregation)

Separate the write model (commands) from the read model (queries) — scale, optimize, and evolve them independently

CQRS Architecture — Write Path vs Read Path
WRITE SIDE (Command Path) Client POST /orders Command Handler validate input load aggregate apply business rules Write Store normalized schema optimized for writes PostgreSQL / EventStore Event Bus publish domain events Kafka / SNS / EventBridge guaranteed delivery async sync (eventual consistency) READ SIDE (Query Path) Projector consume events update read models Read Stores Redis Elastic DynamoDB Materialized Query Handler GET /orders?status= optimized reads Client GET (fast) Key Benefits ✓ Scale reads independently ✓ Optimize each store for its job ✓ Multiple read models per write ✓ Evolve independently Tradeoffs ⚠ Eventual consistency ⚠ More infrastructure ⚠ Sync failure handling
ConceptWrite SideRead Side
ModelDomain model / aggregates — enforces invariantsDenormalized views — optimized for specific queries
StoreNormalized RDBMS or event storeRedis, Elasticsearch, DynamoDB, materialized views
ScaleVertical (consistency matters)Horizontal (read replicas, caches, CDN)
ConsistencyStrong (ACID transactions)Eventual (async projection updates)
Schema3NF — no redundancyDenormalized — pre-joined, pre-computed
When to Use (and When NOT to)

✓ Good Fit

  • Read/write ratio heavily skewed (100:1 reads)
  • Complex queries need different data shapes
  • Write model has complex business rules
  • Multiple read representations needed (search, reports, API)
  • Event sourcing already in use
  • Microservices with separate read/write services

✗ Bad Fit

  • Simple CRUD — overhead not justified
  • Strong consistency required on reads (banking UI)
  • Small team — dual model doubles maintenance
  • Low traffic — no scaling benefit
  • Read-after-write needed immediately
  • Domain is simple with no complex queries
CQRS + Event Sourcing (Power Combo)
Pattern: Commands → Aggregate → Events persisted → Projectors subscribe → Read models updated async. The event store IS the write model. Projections ARE the read models. Rebuild any projection by replaying events from the beginning.
Consistency strategies: Pull-based: query handler checks if projection is up-to-date (compare position). Push-based: projector publishes "ready" event. Hybrid: serve stale + indicate "updating" in UI. Inline projection: update synchronously in same transaction (sacrifices scalability for consistency).
Anti-patterns: Querying the write model — defeats the purpose. Bidirectional sync — creates conflicts. Shared database for read/write — coupling returns. Over-engineering — CQRS for a TODO app.
Real-world: Microsoft — Azure architecture patterns (official CQRS guidance). Uber — trip service (write) + rider-facing API (read from cache). Netflix — catalog writes vs personalized read views. Shopify — order writes vs merchant dashboard reads.

Ordering Guarantees

Where order is preserved — and where it is not. Critical for financial transactions, state machines, and causal consistency.

Partition-Based Ordering — How Keys Determine Order
Topic: "orders" — 3 partitions, key = orderId Producers order-A → P0 order-B → P1 order-C → P2 murmur2(key) % N P0 (order-A) CREATED off:0 PAID off:1 SHIPPED off:2 DELIVERED off:3 ✓ ORDERED P1 (order-B) CREATED off:0 CANCELLED off:1 ✓ ORDERED P2 (order-C) CREATED off:0 PAID off:1 SHIPPED off:2 ✓ ORDERED ⚠ NO ordering across partitions (A vs B vs C independent) Consumer Group C1 ← P0 C2 ← P1 C3 ← P2 1 partition : 1 consumer Ordering Strategies ✓ Same key = same partition = ordered ⚡ Single partition = global order (no parallelism) 🔢 Sequence numbers for cross-partition
BrokerOrder ScopeMechanismThroughput Impact
KafkaPer-partition (key → partition)murmur2(key) % numPartitionsMore partitions = more parallelism, less global order
SQS StandardBest effort — may reorderDistributed architecture, no ordering guaranteeUnlimited throughput
SQS FIFOStrict per MessageGroupIdDeduplication + sequencing per group3,000 msg/sec (batching: 30K)
RabbitMQPer queue (single consumer)FIFO within a single queuePrefetch count affects perceived order
Pub/SubOptional ordering keysorderingKey on publishOrdered messages go to same region
KinesisPer shard (partition key)MD5(partitionKey) → shard1 MB/sec or 1000 records/sec per shard
Azure Event HubsPer partitionPartition key → consistent hash1 MB/sec ingress per throughput unit
Patterns for Maintaining Order

Partition Key Design

  • userId: all user events ordered (profile, orders, sessions)
  • orderId: order lifecycle events in sequence
  • accountId: financial transactions ordered per account
  • deviceId: IoT telemetry ordered per device
  • ⚠ Hot keys: popular users → partition hotspot

Cross-Partition Ordering

  • Sequence numbers: embed monotonic seq in payload
  • Vector clocks: causal ordering across partitions
  • Lamport timestamps: logical ordering
  • Single partition: sacrifice parallelism for global order
  • External sequencer: Redis INCR or DB sequence
Key Insight: Use a stable partition key (userId, accountId, orderId) so all related events land in the same partition and stay ordered. Choose the key based on your consistency boundary — what entity needs its events in order?
Rebalancing risk: When partitions are added/removed, key-to-partition mapping changes. Use sticky partitioning or consistent hashing to minimize disruption. During rebalance, consumers may see temporary out-of-order delivery — handle with buffering + reordering window.
Anti-patterns: Random partition key — destroys ordering. Too few partitions — bottleneck on throughput. Assuming global order in multi-partition topics. Processing out-of-order without idempotency — corrupted state.

Schema Registry

Central contract for event payloads — prevents "it broke prod". Enforces backward/forward compatibility across producer and consumer versions.

Schema Registry — Serialize, Register, Validate
Producer serialize payload embed schema ID [magic byte][schema_id][data] ① register schema ② produce Schema Registry stores schema versions validates compatibility returns schema ID v1 → v2 → v3 (Avro/Protobuf/JSON) Kafka Topic [0][schema_id=42][avro bytes...] schema ID embedded in every message Consumer read schema ID fetch schema deserialize with schema ④ fetch schema by ID ③ consume CI/CD Pipeline validate schema before merge compatibility check Compatibility Modes BACKWARD FORWARD FULL NONE (dangerous) Serialization Formats Avro — compact binary, schema evolution Protobuf — typed, fast, gRPC native JSON Schema — human readable Thrift — legacy, Facebook origin Plain JSON — no schema (risky)
CompatibilityRuleProducers MayConsumers MayUse Case
BackwardNew schema can read old dataAdd optional fields, remove fieldsRead old data with new codeMost common — consumers upgrade first
ForwardOld schema can read new dataAdd fields, remove optional fieldsRead new data with old codeProducers upgrade first
FullBoth backward + forwardOnly add/remove optional fieldsBoth directions workSafest — independent deployments
TransitiveCompatible with ALL previous versionsStrictest constraintsAny version reads any otherLong-lived topics, many consumers
NoneNo checksAnythingMay breakDevelopment only — never in prod
Schema Registry Implementations
ToolFormatsIntegrationKey Feature
Confluent Schema RegistryAvro, Protobuf, JSON SchemaKafka native, REST APIDe facto standard, subject strategies, schema references
AWS Glue Schema RegistryAvro, JSON Schema, ProtobufMSK, Kinesis, LambdaServerless, IAM integration, auto-registration
Apicurio RegistryAvro, Protobuf, JSON, OpenAPI, GraphQLKafka, HTTP, gRPCOpen source, CNCF, multi-format
Azure Schema RegistryAvroEvent HubsAzure-native, RBAC, client-side caching
Buf (BSR)ProtobufgRPC, ConnectBreaking change detection, linting, code gen
Schema Evolution Best Practices

Safe Changes (Backward Compatible)

  • Add optional field with default value
  • Add new enum value (if consumer ignores unknown)
  • Widen numeric type (int → long)
  • Add new union member (Avro)
  • Deprecate field (keep, stop writing)

Breaking Changes (Avoid)

  • Remove required field
  • Rename field (without alias)
  • Change field type (string → int)
  • Remove enum value
  • Change field from optional to required
Best Practices: Enforce compatibility in CI — reject PRs that break schema contracts. Use subject naming strategies (TopicNameStrategy, RecordNameStrategy) to control scope. Cache schemas on producer/consumer side (schema ID → schema). Set FULL_TRANSITIVE for critical topics.
Subject Strategies: TopicNameStrategy (default) — one schema per topic. RecordNameStrategy — schema per record type (multiple types in one topic). TopicRecordNameStrategy — schema per topic+record combo (most flexible).
Anti-patterns: No schema registry — "just use JSON" leads to silent breakage. Compatibility = NONE in prod — ticking time bomb. Not versioning schemas — can't roll back. Tight coupling — producer and consumer must deploy simultaneously.
Real-world: LinkedIn — Avro + Confluent SR for all Kafka topics (thousands of schemas). Uber — Protobuf + custom registry for gRPC services. Netflix — Avro schemas with automated compatibility testing in CI. Shopify — Protobuf for event-driven architecture with Buf for linting.