Core Code
Core Code Modern Dev Handbook
DISTRIBUTED-SYSTEMS-ENGINEERING Contents
Distributed Systems Fundamentals
What Makes a System Distributed? Latency vs Throughput (Why You Can’t Optimize Both Blindly) The Partial Failure Model (The Real Enemy) The Fallacies of Distributed Computing (Production Examples) Time Is Hard: Clocks, Drift, and Ordering Network Partitions: Detection and Reality Checks CAP Theorem in Practice (What You Actually Choose) PACELC: Latency Tradeoffs Beyond CAP Backpressure vs Queueing (Where Systems Die Quietly) Failure Modes Map: Real Incidents You Will See
Data Consistency Models
Strong Consistency (Costs, When It’s Worth It) Eventual Consistency (What It Guarantees, What It Doesn’t) Causal Consistency (The Practical Middle Ground) Read-Your-Writes and Session Guarantees Monotonic Reads / Writes (User-Visible Correctness) Quorums 101: R/W, N, and What “Majority” Really Means Linearizability vs Serializability vs Strict Serializability Stale Reads: Detection, Measurement, and Guardrails Split-Brain Consistency Failures (How They Start) Designing Consistency SLOs (Correctness as an SLO)
Consensus & Coordination
Why Consensus Is Hard (FLP Intuition, No Math Pain) Raft Overview (Roles, Terms, Safety) Leader Election Patterns (And Their Failure Modes) Quorum Math (Write Safety vs Availability) Log Replication Internals (Commit Index, Match Index) Paxos Simplified (So You Can Read Docs Without Crying) Distributed Locks (Why They’re Dangerous) Zookeeper Patterns (Leader, Config, Locks) etcd Usage Patterns (Kubernetes-Style Coordination) Fencing Tokens (The Only Lock That Survives Partitions)
Replication & Data Distribution
Replication Strategies (Leader, Multi-Leader, Leaderless) Sync vs Async Replication (Latency vs Data Loss) Replication Lag: Causes, Metrics, and Mitigations Anti-Entropy (Merkle Trees, Read Repair, Hinted Handoff) Gossip Protocols (Membership, Failure Detection) Sharding Strategies (Range, Hash, Directory) Consistent Hashing (Why It’s Not Just a Ring Diagram) Rebalancing Clusters Safely (Avoid Melting Prod) Hot Partitions (Detection + Fixes) Multi-Region Data: Patterns and Tradeoffs
Messaging & Event Systems
Messaging Models (Queue vs Log vs PubSub) Delivery Semantics: At-Most-Once Delivery Semantics: At-Least-Once Exactly-Once (Where the Myth Breaks) Idempotency in Event Processing (Design Patterns) Kafka Internals (Partitions, ISR, Replication) Consumer Groups (Rebalances, Sticky Assignors) Ordering Guarantees (What You Can Actually Promise) Dead Letter Queues (Policy, Replay, Poison Pills) Event-Driven Architecture Tradeoffs (Coupling vs Debuggability)
Reliability Patterns in Distributed Systems
Retries & Exponential Backoff (Avoiding Retry Storms) Timeouts & Deadlines (Budgeting Latency) Circuit Breakers (State Machines That Save You) Bulkheads (Stop One Fire From Burning the Ship) Load Shedding (Fail Small, Not Catastrophically) Backpressure in Practice (Push vs Pull, Bounded Queues) Graceful Degradation (Feature Flags and Partial Responses) Hedged Requests (Trading Cost for Tail Latency) Chaos Engineering Basics (What to Test First) Failure Injection Testing (Safe Experiments in Prod-Like Envs)
Distributed Transactions & Sagas
Two-Phase Commit (Why It Blocks) Three-Phase Commit (Why You Still Rarely Use It) Sagas (Orchestration vs Choreography) Saga Orchestration (Central Coordinator Done Right) Saga Choreography (Emergent Workflows, Emergent Pain) Compensating Transactions (Designing Undo) Outbox Pattern (The Dual-Write Fix) Dual-Write Problem (How It Actually Fails) Idempotent Consumers (Dedup, Keys, and Storage) Transactional Messaging (What Guarantees You Can Buy)
Observability in Distributed Systems
Distributed Tracing Fundamentals (Spans, Context, Baggage) Correlation IDs (Request IDs That Survive Microservices) Trace Propagation (W3C Trace Context in Practice) Metrics in Clusters (Aggregation, Cardinality, Cost) High Cardinality Problems (How Monitoring Dies) Structured Logging at Scale (Schemas, Sampling, PII) Monitoring Quorum Health (Consensus Systems SLOs) Alert Fatigue Prevention (Signal > Noise) The Golden Signals (And What Changes in Distributed Systems) Postmortems (Blameless, Actionable, Measurable)
Performance & Scaling Strategies
Horizontal Scaling Patterns (Stateless, Stateful, Sticky) Vertical vs Horizontal Tradeoffs (Cost and Failure Domains) Autoscaling in Practice (When It Helps, When It Hurts) Tail Latency (Why p99 Runs Your Life) p99 vs Averages (SLO Math for Humans) The Thundering Herd (Cache, Locks, and Stampedes) Cache Consistency Tradeoffs (Invalidation Strategies) Distributed Rate Limiting (Token Buckets Across Nodes) Load Balancing Algorithms (RR, LC, EWMA, Hashing) Capacity Planning (Queues, Headroom, Failure Budget)
Production Incident Playbooks
Diagnosing a Network Partition (Fast Triage Checklist) Debugging Split-Brain (Symptoms, Proof, Recovery) Quorum Loss Recovery (Safe Steps, Common Traps) Runaway Retry Storm (How to Stop the Bleeding) Cascading Failure Analysis (Finding the First Domino) Replication Lag Debugging (Root Causes + Fixes) Kafka Consumer Lag Playbook (Rebalance, Throughput, Backlog) Multi-Region Outage Handling (Failover Without Data Lies) Consistency Bug Hunting (Proving “It Can’t Happen” Happened) Production Readiness Checklist (Distributed Systems Edition)

Delivery Semantics: At-Least-Once

At-least-once delivery guarantees messages are not lost but may be delivered multiple times. This lesson explains duplication scenarios, idempotency requirements, and production-safe consumer design.
On this page

At-Least-Once Delivery: Durable but Duplicate-Prone

At-least-once delivery guarantees that every message will be delivered one or more times. In other words, the system prioritizes durability over uniqueness. Messages are never silently dropped, but duplicates are possible and expected under failure.

This is the most common delivery model in production messaging systems because it balances reliability and performance. However, it shifts responsibility for correctness to the consumer.

What At-Least-Once Actually Guarantees

  • A message will not be lost if the system is configured correctly.
  • A message may be delivered more than once.
  • Consumers must tolerate duplicates safely.

Duplicates occur primarily when failures happen between processing and acknowledgment.

How Duplicates Happen

Typical flow:

receive(message)
process(message)
ack(message)

If the consumer crashes after processing but before acknowledgment, the broker will redeliver the message. The operation will execute again.

This behavior is correct under at-least-once semantics.

Production Scenario: Double Payment Incident

Symptom

Customers report being charged twice after a brief service restart.

Root Cause

Payment processing was not idempotent. Consumer crashed after charging card but before acknowledging message. Broker redelivered the message after restart.

Diagnosis

  • Redelivery count spikes in broker metrics.
  • Consumer restart logs align with duplicate events.
  • No idempotency key enforcement in payment service.

Resolution

  • Introduce idempotency keys tied to business operation.
  • Persist processed message IDs.
  • Make side-effect operations conditional on prior completion.

At-least-once is safe only if consumers are idempotent.

Designing Idempotent Consumers

Idempotency ensures that repeated processing produces the same result as a single execution.

Common Strategies

  • Store processed message IDs in durable storage.
  • Use unique business operation identifiers (idempotency keys).
  • Perform conditional updates (compare-and-set).
  • Make writes commutative when possible.

Idempotency is a data-layer concern, not just an application-level check.

Exactly-Once vs Effectively-Once

Many systems claim “exactly-once” delivery. In reality, most achieve effectively-once processing by combining:

  • At-least-once delivery
  • Idempotent consumers
  • Transactional offsets or commit logs

True exactly-once delivery across distributed boundaries is extremely complex.

Interaction with Transactions

Consumers that update databases must coordinate message acknowledgment with state changes.

Safe pattern:

  1. Start database transaction.
  2. Check idempotency record.
  3. Apply business logic if not processed.
  4. Persist idempotency record.
  5. Commit transaction.
  6. Acknowledge message.

Acknowledging before commit risks lost updates. Committing without idempotency risks duplication.

Observability Signals

  • Redelivery count per topic
  • Consumer restart frequency
  • Dead-letter queue rate
  • Duplicate detection metrics
  • Processing latency distribution

Redelivery spikes should trigger investigation.

Backpressure and Retry Amplification

Under heavy load, slow consumers cause message accumulation. Crashes increase redelivery. Retries amplify load further.

Without careful flow control, at-least-once systems can enter retry storms.

Failure Injection Test

# At-least-once duplication test
1) Produce message with unique ID
2) Process message but crash consumer before ack
3) Restart consumer
4) Confirm message is redelivered
5) Verify idempotent logic prevents duplicate side effects

Operational Checklist

  • Are consumers idempotent by design?
  • Are idempotency records durable and transactional?
  • Is redelivery rate monitored?
  • Is duplicate processing measurable?
  • Are retry policies bounded and rate-limited?

When to Use At-Least-Once

  • Financial transactions (with idempotency)
  • Order processing
  • State mutation events
  • Any workflow where loss is unacceptable

At-least-once is the default safe choice for critical business workflows — but only if idempotency is enforced strictly.

Key Takeaways

  • At-least-once guarantees no message loss but allows duplicates.
  • Duplicates are expected, not exceptional.
  • Idempotent consumer design is mandatory.
  • Transactional acknowledgment prevents race conditions.
  • Monitoring redelivery is critical for production safety.

At-least-once delivery shifts complexity from the broker to the application. If the application is not designed for duplication, reliability guarantees become a source of data corruption instead of protection.

Exactly-Once (Where the Myth Breaks) →