Backend Architecture
Outbox and inbox: effectively-once across the dual-write boundary
Crux Direct dual-write to DB + Kafka breaks in either order. The outbox pattern writes the event inside the DB transaction; the inbox pattern deduplicates on the consumer side. Together they give effectively-once delivery.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at middle altitude — in the skyAn order service writes the order row to Postgres, then publishes an “order.created” event to Kafka. Between the commit and the publish, the pod crashes. The order exists in the database. The downstream inventory service never sees the event. The order is stuck.
Why dual-write always fails
Any sequence of “write to database, then publish to message broker” has a crash window between the two:
| Sequence | Crash point | Result |
|---|---|---|
| Write DB → publish Kafka | After DB, before Kafka | DB updated, Kafka silent — consumers miss the event |
| Publish Kafka → write DB | After Kafka, before DB | Phantom event in Kafka — consumers see a write that never happened |
Both sequences are broken. There is no version of “two separate writes” that is atomic.
The outbox pattern: use the database as the broker
Key insight: write the event to the database, inside the same transaction as the business write. The database becomes the single source of truth.
BEGIN;
-- Business write
INSERT INTO orders (id, customer_id, total) VALUES ($1, $2, $3);
-- Outbox write (same transaction)
INSERT INTO outbox (id, event_type, payload, published)
VALUES (gen_random_uuid(), 'order.created', $payload, false);
COMMIT;
-- Kafka publish happens AFTER the transaction commitsA separate outbox-relay process polls the outbox table (or tails the Write-Ahead Log via Debezium) and publishes unpublished rows to Kafka, marking them published on broker ACK.
Crash scenarios are now safe:
- Crash before COMMIT → transaction rolls back. Neither the order nor the outbox row exists. No phantom event.
- Crash after COMMIT, before relay publishes → order exists, outbox row
published=false. Relay picks it up on next poll. - Kafka is down → relay retries. Outbox accumulates. Order is safe in DB.
| Approach | Crash-safe? | Kafka required? | Pattern |
|---|---|---|---|
| DB then Kafka | No — silent event loss | Yes | Anti-pattern |
| Kafka then DB | No — phantom event | Yes | Anti-pattern |
| Outbox (DB only) | Yes | No (async relay) | Correct |
Relay implementations
Poll-based relay: queries WHERE published = false ORDER BY id LIMIT 1000 every few seconds. Simple, adds latency equal to poll interval (typically 1–5 s).
Debezium (CDC relay): tails the Postgres Write-Ahead Log via logical replication. Publishes as soon as the row commits. Sub-second lag. No polling overhead. Production standard for high-throughput services.
AWS SAM variant: DynamoDB Streams → Lambda → EventBridge — managed CDC without running a relay process.
The inbox pattern: deduplicate on the consumer
The relay delivers at-least-once (it may publish twice if it restarts after publishing but before marking the row). The consumer must be idempotent.
Inbox pattern: before applying the event’s business effect, write the event’s id into a processed_events table inside the same transaction as the business write.
BEGIN;
-- Check if already processed
INSERT INTO processed_events (event_id) VALUES ($1)
ON CONFLICT (event_id) DO NOTHING;
-- If 0 rows affected, this event was already processed — skip
IF found THEN
UPDATE inventory SET reserved = reserved - $qty WHERE sku = $sku;
END IF;
COMMIT;If the event arrives twice, the second attempt hits the UNIQUE constraint on event_id and the business write is skipped. Effectively-once behavior from the consumer’s perspective.
Inbox table maintenance: partition by event_timestamp and drop partitions older than the broker’s retention window (7–14 days). Without cleanup, the inbox grows forever.
Dead-letter queues: handling unrecoverable failures
Not every failure is recoverable by retry. Malformed data, schema breaks, or violated business invariants are poison messages — no amount of retry will fix them.
After N processing attempts (typically 3–5), move the message to a dead-letter queue (DLQ). The main pipeline keeps flowing; humans review the DLQ.
Main queue → [N retry attempts] → DLQ → human review
→ manual replay (after fix)
→ formal rejection (business rule)Production settings: N = 3–5 attempts, DLQ retention 7–30 days, alert on DLQ depth growth. A growing DLQ is a compliance liability — every entry is a record of an operation that may have partial effects.
Why this works
Why is the outbox-relay’s at-least-once delivery acceptable even for payment events? Because the consumer runs the inbox pattern — it deduplicates by event ID before applying any business effect. The composition is: Postgres atomicity (guarantees the outbox row exists if and only if the business write committed) + at-least-once relay + idempotent consumer = effectively-once. No single component needs to be exactly-once; the guarantee emerges from the composition.
Quiz
Completed
Why is the outbox pattern necessary if the application can publish to Kafka directly from the API handler?
Heads-up Kafka producers are synchronous from the caller's perspective. The pattern is not about transport.
Heads-up AMQP is a separate protocol. Outbox is a pattern, not a protocol mandate.
Heads-up Encryption is unrelated. Outbox solves dual-write atomicity.
Order the steps
Completed
Put the outbox publish flow in correct order:
- 1 Application opens a database transaction
- 2 Application performs the business write (e.g., insert order row)
- 3 Same transaction inserts an outbox row recording the event-to-be-published
- 4 Application commits — business write and outbox row visible atomically
- 5 Outbox-relay process scans for unpublished outbox rows and publishes to Kafka
- 6 Relay marks the outbox row as published after receiving broker ACK
Quiz
Completed
The outbox relay crashes after publishing to Kafka but before marking the outbox row as published. What happens when the relay restarts?
Heads-up Kafka already has the event. The relay will publish it again — at-least-once is a feature, not a bug, because the consumer's inbox pattern deduplicates.
Heads-up The relay does not query Kafka for existing messages. It trusts the outbox row's published flag.
Heads-up The transaction already committed. Rolling back is not possible after a commit.
- 01A team wants exactly-once delivery to Kafka from a Postgres write. They consider: (a) write Postgres then publish, (b) publish then write Postgres, (c) outbox. Why is (c) correct?
- 02What is the inbox pattern and what does it protect against?
- 03When should a message go to the dead-letter queue instead of being retried?
Recap
The dual-write problem — writing to two systems atomically — cannot be solved by sequencing the writes. The outbox pattern solves it by writing the event into the database as an outbox row inside the same transaction as the business write, making atomicity the database’s responsibility. A relay (poll-based or Debezium CDC) delivers events at-least-once to Kafka. The consumer uses the inbox pattern — deduplicating by event ID within its own transaction — to achieve effectively-once processing. Poison messages that cannot be processed go to a dead-letter queue after N attempts; the main pipeline continues.
Connected lessons
appears again in179
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- Normal forms, denormalization, and why schemas stickmiddle
- JSONB, arrays, and when a side table winsmiddle
- Heap storage, TOAST, and column alignmentsenior
- Schema integrity: deferral, versioning, and production failure modessenior
- Relational vs document, wide-column, graph, and key-valuesenior
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- pg_statistic, ANALYZE, and production observabilitymiddle
- Production failure modes and plan stabilitysenior
- MVCC: why readers and writers never wait for each otherjunior
- Row versions and snapshots: the on-disk mechanicsmiddle
- HOT updates and isolation levels: what you gain and what you paymiddle
- Vacuum and bloat: keeping the storage tax boundedmiddle
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- What a schema migration is and why it replaces ad-hoc DDLjunior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Expand-contract: zero-downtime for breaking schema changesmiddle
- Advisory locks, migration tools, and deploy coordinationsenior
- Migration failure taxonomy and production disciplinesenior
- Why sharding exists: the single-Postgres ceilingjunior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Partitioning vs sharding: same word, two different thingsmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Schema-based sharding and multi-tenancy alternativessenior
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- The three-way handshakejunior
- Sequence numbers and connection statemiddle
- DNS: what it does and why it existsjunior
- The resolver walk: referrals, record types, and gluemiddle
- TTL, caching, and DNS propagationmiddle
- The 1-RTT handshake: key shares and ECDHEmiddle
- Session resumption and 0-RTTmiddle
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket frame format: opcodes, masking, fragmentationmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Health checks, connection draining, and slow startmiddle
- Session affinity, consistent hashing, and the right fixmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- Connection IDs and network migrationmiddle
- 0-RTT resumption and packet encryptionsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- The incident loop: from pager to postmortem to preventionmiddle
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior