Module 9: Advanced Topics & Emerging Architectures (Printable)

A Vocabulary for Tradeoffs

Every system design involves tradeoffs. You sacrifice consistency for availability, or you pay more for lower latency. The problem is not making tradeoffs. The problem is making them without realizing it. The AWS Well-Architected Framework exists to make those tradeoffs visible.

AWS published the framework in 2015 and has updated it regularly since. It started with five pillars. In 2021, AWS added a sixth: Sustainability. The framework is not specific to AWS services. Its principles apply to any cloud architecture, and most of them apply to on-premises systems as well. What it provides is a shared vocabulary for evaluating architectural decisions across six dimensions that matter to every production system.

The Well-Architected Framework is not a checklist. It is a vocabulary for making tradeoffs explicit.

The Six Pillars

Each pillar addresses a category of concerns. None of them exist in isolation. Improving security may reduce performance efficiency. Optimizing cost may compromise reliability. The framework does not tell you which pillar to prioritize. It tells you what questions to ask so you can prioritize deliberately.

Pillar	Key Principle	Design Question	Common Violation
Operational Excellence	Perform operations as code	Can you deploy, monitor, and recover without manual steps?	Manual deployments with SSH and prayer
Security	Apply security at all layers	How do you protect data, systems, and assets?	Hardcoded credentials in source code
Reliability	Automatically recover from failure	How does your workload recover from component failures?	Single database instance with no failover
Performance Efficiency	Use computing resources efficiently	Are you using the right resource types and sizes?	Over-provisioned instances running at 5% CPU
Cost Optimization	Avoid unnecessary cost	Are you aware of where your money goes?	Orphaned EBS volumes and unused Elastic IPs
Sustainability	Minimize environmental impact	Can you do the same work with fewer resources?	Running batch jobs on oversized always-on instances

Pillar 1: Operational Excellence

Operational excellence is about running systems well and continuously improving how you run them. The core idea is that operations should be codified. If a human has to remember a sequence of steps to deploy or recover, that process will eventually fail. Infrastructure as code, automated deployments, runbooks, and observability are the tools here.

Key practices include performing operations as code (CloudFormation, Terraform), making frequent small changes instead of infrequent large ones, anticipating failure by running game days, and learning from operational events through post-incident reviews.

Pillar 2: Security

Security protects information, systems, and assets while delivering business value. It operates on the principle of least privilege: every component should have only the permissions it needs and nothing more. Security applies at every layer, from network (security groups, NACLs) to application (input validation, output encoding) to data (encryption at rest and in transit).

The framework emphasizes traceability. Every action in the system should be logged and attributable. If something goes wrong, you need to know who did what, when, and from where.

Pillar 3: Reliability

Reliability means a system performs its intended function correctly and consistently. The framework treats failure as a given, not an exception. Systems must be designed to detect failure, self-heal where possible, and degrade gracefully where self-healing is not feasible.

Reliability design includes testing recovery procedures, scaling horizontally to increase aggregate availability, automatically recovering from failure, and managing change through automation. A system that requires a human to restart a crashed process at 3 AM is not reliable. It is lucky.

Pillar 4: Performance Efficiency

Performance efficiency means using computing resources effectively to meet requirements and maintaining that efficiency as demand changes. This is not just about raw speed. It is about selecting the right resource type (compute-optimized, memory-optimized, GPU), the right architecture (synchronous, asynchronous, event-driven), and the right data store for each access pattern.

The framework encourages experimentation. Cloud makes it cheap to test whether a different instance type or storage engine performs better for your workload. Teams that treat architecture decisions as one-time choices miss the ongoing optimization opportunities the cloud provides.

Pillar 5: Cost Optimization

Cost optimization avoids unnecessary spending and ensures you understand where money goes. It is not about being cheap. It is about ensuring every dollar spent delivers proportional value. The framework recommends adopting a consumption model (pay for what you use), analyzing expenditure regularly, and using managed services to reduce operational overhead.

Common cost pitfalls include over-provisioning "just in case," forgetting to decommission resources from finished projects, and ignoring data transfer costs, which often dominate cloud bills at scale.

Pillar 6: Sustainability

The newest pillar focuses on minimizing the environmental impact of cloud workloads. AWS frames this as a shared responsibility: AWS optimizes the infrastructure, and customers optimize their workloads. Practical sustainability measures include right-sizing instances, using efficient storage tiers, running batch workloads in regions with cleaner energy grids, and reducing unnecessary data movement.

Sustainability often aligns with cost optimization, but not always. Running a workload in a region with renewable energy might cost more than the cheapest region. The pillar forces that tradeoff into the conversation.

Pillar Relationships

The pillars are interdependent. You cannot evaluate one in isolation. The following diagram shows how the pillars influence each other.

graph TD OE[Operational Excellence] --> R[Reliability] OE --> PE[Performance Efficiency] S[Security] --> R S --> CO[Cost Optimization] R --> PE R --> CO PE --> CO PE --> SU[Sustainability] CO --> SU style OE fill:#c8a882,stroke:#111110,color:#111110 style S fill:#6b8f71,stroke:#111110,color:#111110 style R fill:#8a8478,stroke:#111110,color:#ede9e3 style PE fill:#c47a5a,stroke:#111110,color:#111110 style CO fill:#ede9e3,stroke:#111110,color:#111110 style SU fill:#c8a882,stroke:#111110,color:#111110

Operational excellence (automation, monitoring) directly improves reliability and performance. Security constraints influence reliability (you cannot have a reliable system that is also compromised) and cost (security controls cost money). Reliability and performance both feed into cost calculations. Performance efficiency and cost optimization both impact sustainability.

Using the Framework as a Review Lens

The framework is most useful during architecture reviews. Take any system design and walk through each pillar, asking the design questions in the table above. Score each pillar on a scale of 1 to 5, where 1 means "we have not addressed this at all" and 5 means "we have addressed this comprehensively with automation and monitoring."

Most designs score unevenly. A team focused on shipping features quickly might score 4 on Performance Efficiency but 2 on Security and 1 on Cost Optimization. The unevenness is not necessarily a problem. It becomes a problem when it is unintentional. The framework surfaces these gaps before production incidents do.

AWS provides the Well-Architected Tool in the AWS Console for structured reviews. But the framework works just as well with a whiteboard and the right questions.

Tradeoff Awareness

The framework explicitly acknowledges that pillars can conflict. Encrypting everything at rest and in transit improves security but adds latency (performance efficiency) and compute cost (cost optimization). Running in multiple availability zones improves reliability but increases both cost and operational complexity. Using spot instances optimizes cost but reduces reliability for stateful workloads.

The value of the framework is not in eliminating these tensions. It is in naming them. When a team says "we chose to accept higher latency in exchange for encryption at rest," they are making a conscious architectural decision. When encryption is missing and nobody noticed, that is a gap.

Assignment

Take any high-level design you created in Module 7 or Module 8. Score it on a scale of 1 to 5 for each of the six pillars. For each pillar:

Write one sentence explaining your score.
Identify the weakest pillar. Why is it the weakest?
Propose one specific change to improve each pillar by at least one point.

Present your findings as a table with columns: Pillar, Current Score, Justification, Proposed Improvement, New Score.

The End of the Castle

Traditional network security follows the castle-and-moat model. There is a perimeter. Everything inside the perimeter is trusted. Everything outside is not. Firewalls guard the gates. VPNs extend the walls. Once you are inside, you move freely.

This model worked when the perimeter was clear: a corporate office, a data center, a known set of machines. It fails in a world of cloud services, remote workers, mobile devices, third-party APIs, and microservices that communicate across networks you do not control. The perimeter dissolved. The moat dried up. But many organizations kept behaving as though the castle still stood.

Zero trust is the security model built for a world without perimeters.

Zero trust does not mean "trust nothing." It means "verify everything, every time."

Three Core Principles

NIST Special Publication 800-207, published in August 2020, defines zero trust architecture around three principles.

1. Verify explicitly. Every access request must be authenticated and authorized based on all available data: identity, location, device health, service or workload, data classification, and anomalies. There is no "already inside, so probably fine."

2. Use least privilege access. Grant the minimum permissions needed for the task at hand. Use just-in-time and just-enough-access policies. If a service needs to read from a database, it should not have write permissions. If it needs write permissions for five minutes during a migration, revoke them after six.

3. Assume breach. Design as though an attacker is already inside your network. Minimize blast radius. Segment access. Encrypt all traffic, including internal traffic. Verify end-to-end. This assumption changes how you build everything.

Perimeter Security vs. Zero Trust

Dimension	Perimeter Security	Zero Trust
Trust model	Trust internal network implicitly	Trust nothing implicitly, verify every request
Network boundary	Clear perimeter (firewall, VPN)	No perimeter; identity is the new perimeter
Lateral movement	Easy once inside	Restricted; microsegmentation enforced
Authentication	At the gate (login once, roam freely)	Continuous; re-verified per request
Encryption	Perimeter (TLS at the edge)	End-to-end (mTLS between all services)
Access policy	Broad roles, long-lived credentials	Fine-grained, just-in-time, short-lived tokens
Breach response	Detect at the perimeter, contain inside	Detect everywhere, blast radius is already small
Remote workers	VPN required	Same policy regardless of location

Service Mesh and mTLS

In a microservices architecture, services call other services constantly. In a perimeter model, these calls happen over plain HTTP inside the "trusted" network. In zero trust, every service-to-service call must be authenticated and encrypted.

A service mesh handles this transparently. Tools like Istio, Linkerd, and Consul Connect deploy a sidecar proxy alongside each service. The proxy handles mutual TLS (mTLS), meaning both sides of every connection present certificates and verify each other. The application code does not change. The mesh handles identity, encryption, and policy enforcement at the infrastructure layer.

mTLS differs from standard TLS. In standard TLS, only the server presents a certificate. The client verifies the server but the server does not verify the client. In mTLS, both sides authenticate. This prevents a compromised service from impersonating another.

graph TB subgraph "Zero Trust Network with Service Mesh" direction TB GW[API Gateway
Identity Verification] --> PA[Policy Agent
Authorization] subgraph "Service A Pod" A[Service A] --- PA1[Sidecar Proxy] end subgraph "Service B Pod" B[Service B] --- PB1[Sidecar Proxy] end subgraph "Service C Pod" C[Service C] --- PC1[Sidecar Proxy] end PA --> PA1 PA1 -->|mTLS| PB1 PA1 -->|mTLS| PC1 PB1 -->|mTLS| PC1 CP[Control Plane
Certificate Authority
Policy Distribution] -.->|certs & policy| PA1 CP -.->|certs & policy| PB1 CP -.->|certs & policy| PC1 SIEM[SIEM
Log Aggregation
Threat Detection] -.->|telemetry| PA1 SIEM -.->|telemetry| PB1 SIEM -.->|telemetry| PC1 end style GW fill:#c8a882,stroke:#111110,color:#111110 style PA fill:#6b8f71,stroke:#111110,color:#111110 style CP fill:#8a8478,stroke:#111110,color:#ede9e3 style SIEM fill:#c47a5a,stroke:#111110,color:#111110 style A fill:#ede9e3,stroke:#111110,color:#111110 style B fill:#ede9e3,stroke:#111110,color:#111110 style C fill:#ede9e3,stroke:#111110,color:#111110

Secrets Management

Zero trust requires that secrets (API keys, database passwords, TLS certificates) are never hardcoded, never stored in environment variables long-term, and never shared between services. Secrets management tools like HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault provide centralized, audited, and rotatable secret storage.

Vault, for example, can issue short-lived database credentials on demand. A service requests credentials, receives a username and password valid for one hour, and the credentials are automatically revoked when they expire. If the service is compromised, the attacker gets credentials that expire shortly. Compare this with a shared database password that has not been rotated in two years.

Dynamic secrets, automatic rotation, and lease-based access are the mechanisms that make least privilege practical instead of theoretical.

SIEM for Threat Detection

If you assume breach, you need the ability to detect anomalies in real time. Security Information and Event Management (SIEM) systems aggregate logs from every component, correlate events, and detect patterns that indicate compromise.

A SIEM might detect that Service A, which normally makes 100 requests per minute to Service B, suddenly made 10,000 requests. Or that a service account authenticated from an IP address it has never used before. Or that a database query returned 50 million rows when the typical result set is 50.

Tools like Splunk, Elastic Security, Microsoft Sentinel, and AWS Security Hub serve this role. The zero trust principle of "assume breach" only works if you have the observability to detect when a breach actually happens.

Implementing Zero Trust Layer by Layer

Zero trust is not a product you buy. It is a design approach applied at multiple layers.

Network layer: Microsegmentation. Services can only reach the specific services they need. Default deny for all traffic. Network policies in Kubernetes. Security groups in AWS. No flat networks.

Service layer: mTLS between all services. Service identity via certificates (SPIFFE/SPIRE). Authorization policies enforced by the mesh. No service trusts another service just because it is on the same network.

Data layer: Encryption at rest and in transit. Field-level encryption for sensitive data. Access logging on every data store. Row-level security where supported. Data classification and handling policies enforced programmatically.

Assignment

You have a microservices system where all internal services currently trust any request that arrives on the internal network. There is no service-to-service authentication. Database credentials are stored as environment variables and have not been rotated in 18 months.

Redesign the system for zero trust. Address each layer specifically:

Network layer: What changes? What is the default policy? How do you segment?
Service layer: How do services authenticate to each other? What tools do you introduce?
Data layer: How do you manage secrets? What is the credential lifecycle? How do you detect misuse?

Draw a diagram showing the before and after states. Identify the three highest-risk gaps in the current system and explain how your redesign addresses each one.

The Problem With Data at Scale

When a system is small, one database handles everything: transactions, queries, reports, analytics. As the system grows, these workloads conflict. A complex analytics query that scans millions of rows locks resources needed by transactional writes. Real-time dashboards demand low latency. Monthly reports demand completeness. Trying to serve both from the same store is a recipe for a system that does neither well.

Data analytics architectures solve this by separating concerns. Different layers handle different workloads. The question is how to separate them and how many layers you actually need.

Lambda Architecture

Nathan Marz introduced Lambda architecture around 2011 to solve a specific problem: how do you get both accuracy (batch processing over complete datasets) and low latency (real-time processing over recent data)?

The answer: run both, in parallel.

Lambda architecture has three layers. The batch layer processes the complete dataset periodically (hourly, daily) using tools like Apache Spark or Hadoop MapReduce. It produces accurate, comprehensive views. The speed layer processes incoming data in real time using tools like Apache Flink or Kafka Streams. It produces approximate, low-latency views. The serving layer merges results from both layers and serves queries.

graph LR DS[Data Sources] --> IL[Ingestion Layer] IL --> BL[Batch Layer
Spark / Hadoop] IL --> SL[Speed Layer
Flink / Kafka Streams] BL --> SV[Serving Layer
Merged Views] SL --> SV SV --> Q[Queries & Dashboards] DS --> MS[(Master Dataset
Immutable Log)] MS --> BL style DS fill:#c8a882,stroke:#111110,color:#111110 style IL fill:#8a8478,stroke:#111110,color:#ede9e3 style BL fill:#6b8f71,stroke:#111110,color:#111110 style SL fill:#c47a5a,stroke:#111110,color:#111110 style SV fill:#ede9e3,stroke:#111110,color:#111110 style Q fill:#c8a882,stroke:#111110,color:#111110 style MS fill:#8a8478,stroke:#111110,color:#ede9e3

The batch layer is the source of truth. It recomputes views from the complete dataset. The speed layer compensates for the batch layer's latency by processing only the data that has arrived since the last batch run. When a new batch completes, the speed layer's data for that period is discarded.

The strength of Lambda is correctness with low latency. The weakness is complexity. You maintain two separate processing codebases (batch and streaming) that must produce compatible results. When they disagree, debugging is painful.

Kappa Architecture

Jay Kreps proposed Kappa architecture in 2014 as a simplification. His argument: if your streaming layer is reliable and replayable enough, you do not need a separate batch layer. Just process everything as a stream.

graph LR DS2[Data Sources] --> LOG[(Immutable Log
Kafka)] LOG --> SP[Stream Processor
Flink / Kafka Streams] SP --> SV2[Serving Layer
Views & Indexes] SV2 --> Q2[Queries & Dashboards] LOG -->|Replay for
reprocessing| SP style DS2 fill:#c8a882,stroke:#111110,color:#111110 style LOG fill:#6b8f71,stroke:#111110,color:#111110 style SP fill:#c47a5a,stroke:#111110,color:#111110 style SV2 fill:#ede9e3,stroke:#111110,color:#111110 style Q2 fill:#c8a882,stroke:#111110,color:#111110

In Kappa, all data flows through an immutable, replayable log (typically Apache Kafka). A single stream processing engine reads from the log and builds serving views. When you need to reprocess historical data (because your logic changed or you found a bug), you replay the log through an updated processor and swap in the new views.

Lambda architecture is the answer when you cannot choose between batch and real-time. Kappa is the answer when you realize you should not have to.

Data Lakehouse

Data lakes store raw data cheaply at massive scale (S3, ADLS, GCS) but lack the transactional guarantees and query performance of data warehouses. Data warehouses provide structured, fast querying but are expensive and rigid. The data lakehouse combines both.

Technologies like Delta Lake (Databricks), Apache Iceberg, and Apache Hudi add transactional capabilities (ACID transactions, schema enforcement, time travel) directly on top of object storage. You get the cost and flexibility of a data lake with the structure and reliability of a warehouse. No need to copy data between systems.

The lakehouse pattern has gained significant traction since 2022 because it eliminates one of the most painful aspects of data architecture: the ETL pipeline from lake to warehouse. When your lake is your warehouse, that pipeline disappears.

Architecture Comparison

Dimension	Lambda	Kappa	Lakehouse
Processing model	Batch + streaming (dual)	Streaming only (unified)	Batch + streaming on unified storage
Codebase	Two (batch and streaming)	One (streaming)	One or two (depends on tooling)
Reprocessing	Batch layer re-runs	Replay log through new processor	Time travel and replay
Latency	Low (speed layer) + high (batch layer)	Low (streaming only)	Variable (depends on query engine)
Complexity	High (maintaining two systems)	Medium (single path, replay logic)	Medium (table format management)
Storage cost	High (duplicate data across layers)	Medium (log retention)	Low (object storage pricing)
Best for	Mixed workloads requiring guaranteed accuracy	Streaming-first use cases	Analytics + ML on large datasets
Example tools	Hadoop + Flink + Cassandra	Kafka + Flink + Elasticsearch	Iceberg + Spark + Trino

Column-Oriented Storage

Analytics queries typically scan a few columns across millions of rows. Row-oriented storage (PostgreSQL, MySQL) stores each row contiguously on disk. Reading three columns out of fifty means reading all fifty and discarding forty-seven. Column-oriented storage (Apache Parquet, ORC) stores each column contiguously. Reading three columns means reading only three columns.

The performance difference is dramatic. A query that scans a 1 TB table but only needs two columns might read 40 GB in Parquet versus the full 1 TB in row-oriented format. Column storage also compresses better because values in a single column tend to be similar (all timestamps, all country codes, all prices).

Parquet has become the default analytics format. It supports nested data, predicate pushdown (skip reading data that does not match the filter), and integrates with virtually every analytics tool: Spark, Presto, Trino, Athena, BigQuery.

Choosing an Architecture

The choice depends on your workload profile. If you need both guaranteed accuracy for reports and sub-second dashboards, Lambda handles both but at the cost of maintaining two codebases. If your primary workload is real-time and you can tolerate replay-based reprocessing, Kappa is simpler. If your primary workload is analytics and machine learning over large historical datasets with some real-time ingestion, the lakehouse pattern offers the best cost-to-capability ratio.

Many production systems use hybrids. A Kappa pipeline feeds a lakehouse for long-term storage and ad-hoc analytics. The streaming layer serves real-time dashboards. The lakehouse serves monthly reports and ML training. The boundaries between these patterns are not walls. They are guidelines.

Assignment

A fintech company needs two capabilities:

Real-time fraud detection: Every transaction must be scored within 200ms. The model uses the last 30 days of transaction history for each user.
Monthly compliance reports: Regulators require complete, accurate reports of all transactions, aggregated by category, with no data loss.

Design the data architecture. Answer these questions:

Do you choose Lambda or Kappa? Why?
What specific tools do you select for each layer?
Where does the transaction data live? How long do you retain it?
How do you ensure the monthly report is accurate even if the streaming layer drops events?

Draw the architecture diagram showing data flow from transaction ingestion to both the fraud detection output and the monthly report output.

Measure Before You Cut

The most common performance optimization mistake is optimizing the wrong thing. A developer suspects the database is slow, rewrites queries for three days, and discovers the actual bottleneck was a synchronous HTTP call to a third-party API. Another team adds caching everywhere, increasing memory costs by 40%, when the real problem was missing database indexes.

Performance optimization is a discipline. It has an order of operations. Skip a step and you waste time. Follow the order and the problem usually reveals itself quickly.

The first rule of optimization: measure. The second rule: measure again. The third rule: are you sure you measured the right thing?

The Debugging Methodology

Performance debugging follows a systematic flow. Start broad, narrow down, validate, then fix. The following diagram shows the process.

flowchart TD A[Observe: What is slow?] --> B[Measure: Where is time spent?] B --> C{Bottleneck identified?} C -->|No| D[Add instrumentation
Traces, metrics, logs] D --> B C -->|Yes| E[Classify bottleneck] E --> F{CPU bound?} E --> G{I/O bound?} E --> H{Memory bound?} E --> I{Network bound?} F -->|Yes| F1[Profile code
Optimize algorithms] G -->|Yes| G1[Async I/O
Connection pooling
Batch operations] H -->|Yes| H1[Reduce allocations
Fix leaks
Right-size caches] I -->|Yes| I1[Reduce round trips
Compress payloads
Use CDN] F1 --> J[Validate: Did it improve?] G1 --> J H1 --> J I1 --> J J --> K{Target met?} K -->|No| B K -->|Yes| L[Document and monitor] style A fill:#c8a882,stroke:#111110,color:#111110 style B fill:#6b8f71,stroke:#111110,color:#111110 style E fill:#c47a5a,stroke:#111110,color:#111110 style J fill:#8a8478,stroke:#111110,color:#ede9e3 style L fill:#ede9e3,stroke:#111110,color:#111110

Profile Before Optimizing

Profiling tells you where time is actually spent. Without it, you are guessing. Application profilers (pprof for Go, cProfile for Python, async-profiler for Java) show which functions consume the most CPU time. Distributed tracing tools (Jaeger, Zipkin, Datadog APM) show where time is spent across service boundaries. Database query analyzers (EXPLAIN in PostgreSQL, Query Analyzer in MySQL) show how the database executes your queries.

A flame graph is one of the most useful profiling visualizations. It shows the call stack on the x-axis (wider means more time) and stack depth on the y-axis. A wide bar at the top means that function is consuming significant time. A wide bar deep in the stack means something lower-level is the real culprit.

Profile in production or production-like conditions. Performance characteristics change under load. A query that runs in 5ms with 10 concurrent users might take 500ms with 1,000 concurrent users due to lock contention.

Connection Pooling

Opening a database connection is expensive. The TCP handshake, TLS negotiation (if encrypted), and authentication exchange can take 20 to 100 milliseconds. If every request opens a new connection and closes it when done, those milliseconds add up fast.

Connection pooling maintains a set of pre-established connections that are reused across requests. A request borrows a connection from the pool, uses it, and returns it. No handshake, no negotiation. The connection is already open.

Documented case studies show average response time reductions from 150ms to 12ms after switching from on-demand connections to properly configured pools. Database CPU usage dropped from 80% to 15% in the same study because the server no longer spent most of its time establishing and tearing down connections.

Key pool configuration parameters: minimum and maximum pool size, connection timeout (how long to wait for a connection from the pool), idle timeout (how long unused connections stay alive), and max lifetime (to force recycling of stale connections). Tools like PgBouncer (PostgreSQL), ProxySQL (MySQL), and built-in pool implementations in ORMs (SQLAlchemy, HikariCP) handle this.

Async I/O

Synchronous I/O blocks a thread while waiting for a response. If your web server has 10 threads and each request makes a 200ms database call synchronously, you can handle at most 50 requests per second. The threads are not computing. They are waiting.

Asynchronous I/O releases the thread while waiting. The thread handles other requests until the I/O completes and the original request is resumed. The same 10 threads can now handle hundreds of concurrent requests because they are never idle.

In Python, this means using asyncio and async database drivers (asyncpg, aiomysql). In Java, it means reactive frameworks (Spring WebFlux, Project Reactor) or virtual threads (Java 21+). In Node.js, the event loop is async by default, but blocking the loop with synchronous operations (synchronous file reads, CPU-heavy computations) defeats the model.

Async I/O matters most when your service is I/O-bound: waiting on databases, external APIs, file systems, or message queues. If your service is CPU-bound (image processing, cryptographic operations), async I/O does not help. You need more CPU or more efficient algorithms.

Database Query Plans and Index Coverage

Every SQL database has a query planner. When you submit a query, the planner decides how to execute it: which indexes to use, in what order to join tables, whether to scan sequentially or seek by index. The EXPLAIN command shows the plan.

The most important thing to look for in a query plan is sequential scans on large tables. A sequential scan reads every row. On a 100-million-row table, that can take minutes. An index seek reads only the rows that match, which might be microseconds.

Index coverage means the index contains all columns needed to answer the query without touching the table itself (a "covering index" or "index-only scan"). This eliminates the random I/O of going from the index back to the table for each matching row.

The N+1 Query Problem

The N+1 problem is one of the most common performance killers in applications that use ORMs. It works like this: you load a list of 100 orders (1 query). For each order, you load the customer (100 queries). Total: 101 queries. With 1,000 orders: 1,001 queries. The database round-trip overhead multiplied by N dominates response time.

The fix is eager loading or batch loading. Instead of loading each customer individually, load all customers for all orders in a single query using a JOIN or an IN clause. One query replaces N queries.

Most ORMs support eager loading explicitly. In SQLAlchemy, use joinedload() or subqueryload(). In Django, use select_related() or prefetch_related(). In ActiveRecord, use includes(). The ORM generates the efficient query. But you must ask for it. The default behavior in most ORMs is lazy loading, which produces N+1 queries silently.

Common Bottlenecks Reference

Bottleneck	Detection Method	Fix
Missing database index	EXPLAIN shows sequential scan on large table	Add targeted index; consider composite index
N+1 queries	Query count per request is unexpectedly high	Eager loading or batch queries
No connection pooling	High connection setup time in traces; DB max_connections pressure	Implement connection pool (PgBouncer, HikariCP)
Synchronous external API calls	Trace shows long wait time on HTTP calls	Async HTTP client; circuit breaker; timeout
Unbounded result sets	Memory spikes; large payload sizes in logs	Pagination; LIMIT clauses; streaming responses
Lock contention	Thread dumps show threads waiting on same lock	Reduce critical section; use read/write locks; optimistic concurrency
Uncompressed payloads	Network transfer time dominates in traces	Enable gzip/brotli compression; reduce payload size
Cold cache	First requests after deploy are slow; cache hit rate near 0%	Cache warming; graceful rollout; pre-populate on deploy
Memory leaks	RSS grows over time; GC pauses increase	Heap dump analysis; fix unclosed resources; review object lifecycles

The Optimization Loop

Performance optimization is iterative. You measure, identify the top bottleneck, fix it, and measure again. The new top bottleneck is often something that was invisible before because the first bottleneck dominated. This continues until you meet your performance target.

A critical mistake is fixing multiple things at once. If you change three things and performance improves, you do not know which change helped. If performance degrades, you do not know which change hurt. Change one thing, measure, validate, then move to the next.

Document every optimization with the before and after measurements. This creates an institutional record of what worked and prevents future developers from reverting optimizations they do not understand.

Assignment

Your API has a P99 latency of 3 seconds. The target is 500ms. You have access to application logs, database query logs, and distributed tracing. Describe your step-by-step debugging approach:

What do you measure first? What tools do you use? What are you looking for?
You discover that 60% of response time is spent in database queries. What do you check next?
The database queries are fast individually (5ms each), but there are 200 of them per request. What is the problem? How do you fix it?
After fixing the query problem, P99 drops to 800ms. Still above target. The remaining time is split between a synchronous call to a payment API (300ms) and response serialization (200ms). How do you address each?
What monitoring do you put in place to prevent regression?

For each step, state the specific metric you would check, the tool you would use, and the expected outcome of your fix.

When Everything Goes Down Together

A monolithic deployment is simple. One artifact, one process, one deploy. The problem comes when something goes wrong. A bad configuration change, a memory leak, a dependency failure. In a monolith, the blast radius is 100% of users. Everyone is affected because everyone shares the same process.

Even microservices do not fully solve this. A shared database, a common API gateway, a centralized configuration service: any of these can become a single point of failure that takes down every microservice simultaneously. The architecture is distributed, but the failure mode is still monolithic.

Cell-based architecture addresses this directly. Instead of running one copy of the system that serves all users, you run multiple independent copies (cells), each serving a subset of users. A failure in one cell affects only the users assigned to that cell. Everyone else is unaffected.

Cell-based architecture trades deployment simplicity for failure isolation. At scale, that is always worth it.

What Is a Cell?

A cell is a fully independent, self-contained replica of a system or subsystem. Each cell has its own compute, its own storage, its own dependencies. Cells share nothing with each other at runtime. A cell is not a shard (which splits data). A cell is a complete copy of the system that handles a subset of traffic.

Think of it like this. A hotel chain does not build one enormous hotel that houses every guest in the world. It builds many independent hotels. If the plumbing fails in one hotel, the guests in other hotels are unaffected. Each hotel is a cell.

graph TB subgraph "Cell Router" CR[Cell Router
Assignment + Health Check] end subgraph "Cell 1" C1A[API Servers] --> C1D[(Database)] C1A --> C1C[Cache] C1A --> C1Q[Queue] end subgraph "Cell 2" C2A[API Servers] --> C2D[(Database)] C2A --> C2C[Cache] C2A --> C2Q[Queue] end subgraph "Cell 3" C3A[API Servers] --> C3D[(Database)] C3A --> C3C[Cache] C3A --> C3Q[Queue] end CR --> C1A CR --> C2A CR --> C3A style CR fill:#c8a882,stroke:#111110,color:#111110 style C1A fill:#6b8f71,stroke:#111110,color:#111110 style C2A fill:#6b8f71,stroke:#111110,color:#111110 style C3A fill:#6b8f71,stroke:#111110,color:#111110 style C1D fill:#8a8478,stroke:#111110,color:#ede9e3 style C2D fill:#8a8478,stroke:#111110,color:#ede9e3 style C3D fill:#8a8478,stroke:#111110,color:#ede9e3

Cell Assignment Strategies

The cell router must decide which cell handles each request. This decision is the assignment strategy. Different strategies optimize for different goals.

Strategy	How It Works	Best For	Limitation
User-based	Hash user ID to a cell. Same user always goes to same cell.	SaaS products, social platforms	Hot users (celebrities, large accounts) can overload a cell
Tenant-based	Assign each tenant (organization) to a cell. Large tenants get dedicated cells.	Multi-tenant B2B SaaS	Uneven tenant sizes cause imbalanced cells
Geographic	Route by user location. US East users go to cell-us-east-1.	Latency-sensitive applications	Migration is needed if users travel or relocate
Random	Assign each request to a random cell. No affinity.	Stateless workloads	Cannot maintain user state within a cell
Hybrid	Primary assignment by tenant, secondary by geography within cells.	Global SaaS with data residency requirements	Complex routing logic; more operational overhead

The most common strategy for SaaS applications is tenant-based assignment. Each tenant is mapped to a cell when they sign up. Large tenants that represent disproportionate load are assigned to dedicated cells. Small tenants are packed into shared cells. This provides isolation guarantees for the largest customers (who typically pay the most) while keeping infrastructure costs reasonable for smaller ones.

Failure Isolation in Practice

The entire point of cell-based architecture is limiting blast radius. The following chart illustrates this.

With a monolith, a bad deployment or infrastructure failure affects 100% of users. With 10 cells, the same failure affects 10%. With 100 cells, it affects 1%. The math is straightforward. The value is enormous. A 1% impact is often within acceptable SLA thresholds. A 100% impact is a front-page incident.

Real-World Implementations

Amazon. AWS has used cell-based architecture internally for years. Their guidance document, "Reducing the Scope of Impact with Cell-Based Architecture," details the pattern. Route 53, DynamoDB, and other AWS services use cells internally to isolate failures.

Slack. After experiencing partial outages caused by AWS availability zone networking failures, Slack migrated to a cellular architecture. Each availability zone contains a completely siloed backend deployment. Traffic is routed into AZ-scoped cells by a layer using Envoy and xDS. A failure in one AZ's cell does not propagate to others.

Netflix. Netflix uses a form of cell-based architecture for its streaming infrastructure. Regional deployments are isolated so that a failure in one AWS region does not affect users served by another region. Their Zuul gateway handles routing and failover between cells.

Cell Deployment

Cells change how you deploy. Instead of deploying to all production at once, you deploy cell by cell. A typical pattern is:

Deploy to a canary cell (the smallest, lowest-traffic cell).
Monitor for errors, latency increases, and anomalies.
If healthy after a bake period (15 minutes, 1 hour, whatever your risk tolerance), deploy to the next wave of cells.
Continue in waves until all cells are updated.
If any cell shows problems, halt the rollout and roll back that cell.

This is fundamentally safer than deploying to all production simultaneously. A bad deploy that crashes the application takes down one cell (a small percentage of users) rather than the entire system. You detect the problem quickly because you are watching metrics between waves. And the rollback is fast because only one cell needs to revert.

The Tradeoffs

Cell-based architecture is not free. It introduces real costs and complexity.

Infrastructure cost. Running 10 independent copies of your system costs more than running one scaled copy. Each cell has its own databases, caches, and queues. Resource utilization per cell may be lower because you cannot share spare capacity across cells.

Operational complexity. You need tooling to manage cell routing, cell health monitoring, cross-cell data queries (for admin dashboards or analytics), and cell rebalancing (when a cell is overloaded). The cell router itself becomes a critical component that must be highly available.

Cross-cell operations. Some operations span cells. A global search across all users, a company-wide analytics query, or a feature that involves users in different cells. These cross-cell operations require a separate data aggregation layer and are inherently more complex than single-cell operations.

The threshold where cells become worthwhile varies. For a startup with 100 users, cells add unnecessary complexity. For a SaaS product with 10,000 tenants and an SLA of 99.99%, cells are essential infrastructure. The inflection point is when the cost of a full-system outage exceeds the cost of running and operating multiple cells.

Assignment

You operate a B2B SaaS platform with 1,000 tenants. Currently, all tenants share one deployment. Last month, a bad database migration took the entire platform offline for 45 minutes, affecting every tenant. Your largest customer (10% of revenue) is threatening to leave unless you guarantee isolation.

Redesign the system using cell-based architecture. Answer the following:

How many cells? Justify the number. Consider the tradeoff between isolation granularity and operational cost.
Assignment strategy: How do you assign tenants to cells? What do you do with your largest tenant? What about the 800 smallest tenants?
Cell routing: What component routes traffic? Where does the tenant-to-cell mapping live? What happens when a cell is unhealthy?
Deployment process: Describe the deployment flow. How many waves? What is the canary strategy?
Cross-cell operations: Your admin dashboard needs to show total active users across all tenants. How do you collect this data without coupling cells?

Draw the architecture diagram showing the cell router, at least three cells, and the data aggregation layer for cross-cell queries.

Beyond the Three Pillars

Session 4.9 introduced observability through metrics, logs, and traces. That foundation is necessary but insufficient for systems operating at scale. When your platform processes millions of requests per second across hundreds of services, the volume of telemetry data itself becomes an engineering problem. You need instrumentation standards, intelligent sampling, formal reliability targets, and deliberate failure injection.

This session covers the operational machinery that makes observability work in production: OpenTelemetry as the instrumentation layer, sampling strategies that keep costs manageable, SLI/SLO/SLA frameworks that translate reliability into numbers, error budgets that quantify acceptable risk, and chaos engineering that validates your assumptions before production does it for you.

OpenTelemetry

OpenTelemetry (OTel) is a vendor-neutral, open-source observability framework maintained by the Cloud Native Computing Foundation. It provides APIs, SDKs, and tools for generating, collecting, and exporting telemetry data: traces, metrics, and logs. The key insight behind OTel is separation of concerns. Your application code should produce telemetry. A separate component, the Collector, should decide where that telemetry goes.

The OTel Collector sits between your applications and your observability backends (Datadog, Grafana, Jaeger, or any other tool). It receives telemetry, processes it (filtering, batching, enriching, sampling), and exports it to one or more destinations. This means you instrument your code once and change backends without touching application code.

graph LR A1[Service A
OTel SDK] --> C[OTel Collector
Gateway] A2[Service B
OTel SDK] --> C A3[Service C
OTel SDK] --> C C --> P1[Processor:
Batch] P1 --> P2[Processor:
Tail Sampling] P2 --> E1[Exporter:
Jaeger] P2 --> E2[Exporter:
Prometheus] P2 --> E3[Exporter:
Loki]

In production, many teams deploy a two-layer Collector architecture. A local agent Collector runs as a sidecar or DaemonSet on each node, handling buffering and basic processing. A gateway Collector receives data from all agents and performs cross-service operations like tail sampling, which requires seeing all spans for a trace before making a decision.

Sampling Strategies

At scale, you cannot store every trace. A service handling 50,000 requests per second generates terabytes of trace data per day. Sampling reduces this volume while preserving the traces that matter most.

Head-based sampling makes the decision at the start of a trace. The root span decides whether to sample, and that decision propagates to all downstream services via trace context headers. It is simple and cheap. The downside: the decision happens before you know whether the trace is interesting. You might drop a trace that later encounters an error.

Tail-based sampling makes the decision after the trace is complete. The Collector holds all spans in memory for a configurable window (typically 30 seconds), then evaluates policies: keep all traces with errors, keep all traces slower than 2 seconds, sample 1% of everything else. This produces higher-quality data but requires significant memory and a load-balancing layer that routes all spans for the same trace to the same Collector instance.

Most production systems combine both. Head sampling at 10% reduces the firehose. Tail sampling on the remaining 10% ensures error traces and slow traces are always retained.

SLI, SLO, and SLA

Reliability needs a shared language between engineering and business. That language is built on three concepts.

Concept	Definition	Who Sets It	Example
SLI (Service Level Indicator)	A quantitative measure of service behavior	Engineering	Proportion of requests completing in <300ms
SLO (Service Level Objective)	A target value or range for an SLI	Engineering + Product	99.9% of requests complete in <300ms over 30 days
SLA (Service Level Agreement)	A contractual commitment with consequences for missing it	Business + Legal	99.9% availability; breach triggers 10% service credit

The relationship flows upward. SLIs are raw measurements. SLOs are internal targets set against those measurements. SLAs are external promises, typically set slightly below SLOs so you have a buffer before contractual penalties apply. If your SLO is 99.95%, your SLA might promise 99.9%.

Error Budgets

An error budget is the inverse of your SLO. If your SLO is 99.9% availability over 30 days, your error budget is 0.1% of that period. Translated to time:

SLO	Error Budget (%)	Downtime per Month	Downtime per Year
99%	1%	7 hours 18 min	3.65 days
99.9%	0.1%	43.8 min	8.77 hours
99.95%	0.05%	21.9 min	4.38 hours
99.99%	0.01%	4.38 min	52.6 min
99.999%	0.001%	26.3 sec	5.26 min

Error budgets create a shared decision framework. When budget remains, engineering can deploy risky features, run experiments, and refactor aggressively. When the budget is nearly exhausted, the team shifts to stability work: fixing flaky tests, improving rollback speed, adding circuit breakers. The budget makes this tradeoff explicit rather than political.

An error budget is not permission to fail. It is permission to take risks.

Error Budget Burn Rate

The chart below shows a hypothetical 30-day window for a service with a 99.9% SLO. The budget starts at 43.8 minutes. A deploy on day 8 causes 15 minutes of degradation. A brief incident on day 19 burns another 10 minutes. By day 22, the team has consumed 70% of the budget and freezes risky deploys for the rest of the month.

Chaos Engineering

Chaos engineering is the discipline of experimenting on a production system to build confidence in its ability to withstand turbulent conditions. The idea originated at Netflix in 2010 when engineers built Chaos Monkey, a tool that randomly terminates virtual machine instances in production during business hours. The reasoning: if a single instance failure can cause a customer-facing outage, the architecture is not resilient enough.

Netflix expanded Chaos Monkey into the Simian Army, a suite of tools that simulate different failure modes: Latency Monkey injects delays, Chaos Gorilla takes down an entire availability zone, and Chaos Kong simulates the loss of an entire AWS region. The modern successor, Gremlin, provides a commercial platform for controlled fault injection with safety controls, targeting specific services, hosts, or containers.

The process follows the scientific method. Define steady state (normal request rate, latency, error rate). Form a hypothesis ("if we kill one database replica, the system should failover within 5 seconds with no user-facing errors"). Run the experiment. Observe. If the hypothesis holds, confidence increases. If it fails, you found a weakness before your customers did.

ML-Based Anomaly Detection

Static thresholds break at scale. A CPU usage alert at 80% makes sense for a single server. It is meaningless for an auto-scaling group where instances spin up at 70% and the fleet average fluctuates between 40% and 85% depending on time of day. Machine learning models can learn normal patterns and flag deviations. Seasonal decomposition handles daily and weekly cycles. Isolation forests detect outliers in multidimensional metric space. LSTM networks predict expected values and alert when actuals diverge beyond a confidence interval.

The risk with ML-based alerting is alert fatigue. A model that flags every statistical anomaly will generate hundreds of alerts per day, most of them irrelevant. The best implementations combine ML detection with SLO correlation: an anomaly is only escalated if it is burning error budget faster than expected.

Assignment

You are the SRE for a payment processing service. The service handles credit card charges, refunds, and balance inquiries.

Define SLIs. Choose at least three SLIs for this service. For each, specify the metric, how it is measured, and why it matters. Example: "Availability: proportion of non-5xx responses out of total requests, measured at the load balancer."
Set SLOs. For each SLI, set a 30-day SLO target. Justify why you chose that number. A payment service likely needs higher reliability than a recommendation engine.
Calculate error budget. For a 99.9% availability SLO over 30 days, calculate the exact error budget in minutes. If the service processes 10,000 requests per minute, how many failed requests can it tolerate per month before breaching the SLO?
Design one chaos experiment. Pick a failure mode (database replica failure, network partition to payment gateway, spike in request volume). Define the steady state, hypothesis, experiment procedure, and rollback plan.

How Messages Find Their Destination

Session 5.5 introduced message queues and pub/sub as communication patterns. Session 5.6 covered Kafka's internal architecture. This session goes deeper into routing: how do messages reach the right consumer when you have dozens of message types, varying priorities, and messages that sometimes cannot be processed at all?

Two routing paradigms dominate: topic-based routing, where producers publish to named channels and consumers subscribe to those channels, and content-based routing, where the message's content determines its destination. Each has tradeoffs in complexity, flexibility, and performance. On top of routing, priority queues ensure that urgent messages are processed before routine ones, and dead letter queues handle the messages that no consumer can process.

Topic-Based vs Content-Based Routing

In topic-based routing, the producer decides the destination by publishing to a specific topic. A payment service publishes to payments.completed. An order service subscribes to that topic. The routing logic is static: if you subscribe to the topic, you get the message. Kafka, Amazon SNS, and Google Pub/Sub all default to this model.

In content-based routing, the messaging system inspects message attributes or payload and routes based on rules. A message with {"region": "EU", "amount": > 10000} might route to a fraud detection queue, while a message with {"region": "US", "amount": < 100} routes directly to fulfillment. The producer does not need to know the downstream topology. The routing logic lives in the broker or a routing layer.

Dimension	Topic-Based Routing	Content-Based Routing
Routing decision	Producer chooses the topic	Broker evaluates message content against rules
Producer coupling	Producer must know topic names	Producer publishes to a single endpoint
Flexibility	Adding a new consumer requires a new topic or subscription	Adding a new consumer requires a new rule
Performance	Fast: simple lookup by topic name	Slower: broker must evaluate filter expressions per message
Complexity	Low at the broker, higher at the producer	Higher at the broker, lower at the producer
Debugging	Easy: check which topics a service subscribes to	Harder: must trace filter rules to understand routing
Examples	Kafka topics, RabbitMQ exchanges (direct, fanout)	RabbitMQ headers exchange, AWS SNS message filtering, Azure Service Bus filters

In practice, most systems use topic-based routing as the primary mechanism and add content-based filtering for specific use cases. Kafka, for example, does not support content-based routing natively. You implement it by either creating fine-grained topics (one per event type and region) or by having consumers filter messages after receiving them.

Kafka Topic Design Patterns

Topic design in Kafka is a structural decision that affects parallelism, ordering, and consumer isolation. Three common patterns:

Single topic, multiple event types. All events for a domain go to one topic (e.g., orders contains order.created, order.paid, order.shipped). Consumers filter by event type. This preserves ordering within a partition key (order ID) and keeps the topic count low. The downside: consumers receive messages they do not care about and must discard them.

Topic per event type. Each event gets its own topic (orders.created, orders.paid). Consumers subscribe only to relevant topics. This is cleaner for consumer logic but creates many topics and loses cross-event ordering guarantees unless you coordinate partition keys across topics.

Bucket priority pattern. For priority handling in Kafka, create separate topics for each priority level (alerts.p0, alerts.p1, alerts.p2). High-priority consumers poll P0 first and only move to P1 when P0 is empty. This is the standard workaround for Kafka's lack of native priority queues.

Priority Queue Implementations

Some messages are more urgent than others. A cardiac arrest alert must be processed before a medication reminder. A fraud detection flag must be handled before a marketing email. Priority queues ensure that processing order reflects business importance, not arrival order.

graph TB P[Producer] --> R{Priority
Router} R -->|P0: Critical| Q0[Queue P0
Cardiac Arrest] R -->|P1: High| Q1[Queue P1
Abnormal Vitals] R -->|P2: Normal| Q2[Queue P2
Medication Reminder] Q0 --> C[Consumer Pool] Q1 --> C Q2 --> C C --> H[Handler
Service] style Q0 fill:#6b3a3a,stroke:#c47a5a,color:#ede9e3 style Q1 fill:#4a3a2a,stroke:#c8a882,color:#ede9e3 style Q2 fill:#2a3a2a,stroke:#6b8f71,color:#ede9e3

Implementation approaches vary by broker:

RabbitMQ supports native priority queues. You declare a queue with x-max-priority: 10 and set a priority field on each message. The broker delivers higher-priority messages first. Simple, but the priority evaluation adds latency under high load.

Kafka has no built-in priority. The bucket pattern described above is the standard approach. Consumers use a weighted polling strategy: poll P0 with every cycle, poll P1 every second cycle, poll P2 every fourth cycle. Under load, P0 always gets processed first because it is checked on every iteration.

Amazon SQS does not support priority natively. You create separate queues per priority level and implement the polling logic in your consumer application, similar to the Kafka approach.

Dead Letter Queues

A dead letter queue (DLQ) is a holding area for messages that a consumer has tried and failed to process. After a configurable number of retry attempts (typically 3 to 5), the message is moved to the DLQ instead of being retried indefinitely or dropped.

DLQs exist because some failures are not transient. A malformed message will never parse correctly no matter how many times you retry. A message referencing a deleted user will always fail validation. Without a DLQ, these messages block the queue (head-of-line blocking) or get silently dropped. Neither outcome is acceptable.

A dead letter queue is where messages go when the system admits it cannot process them. The best systems check this queue before anything else.

Effective DLQ management requires three things. First, every message in the DLQ must retain its original headers, payload, and metadata plus the error reason and retry count. Second, the DLQ must be monitored with alerts. A growing DLQ is a symptom, not a destination. Third, there must be a reprocessing path: fix the bug, then replay the DLQ messages back into the main queue.

Putting It Together: Hospital Alert System

Consider a hospital monitoring system. Bedside sensors emit events: heart rate, blood pressure, oxygen saturation, medication schedules. These events have vastly different urgency levels.

graph LR S1[Bedside
Sensor] --> I[Ingestion
Service] S2[Bedside
Sensor] --> I I --> CL{Content
Classifier} CL -->|cardiac_arrest| P0[P0 Queue] CL -->|abnormal_vitals| P1[P1 Queue] CL -->|med_reminder| P2[P2 Queue] P0 --> D[Dispatch
Service] P1 --> D P2 --> D D --> N[Nurse Station
+ Pager] P0 -.->|failed after 1 retry| DLQ[Dead Letter
Queue] P1 -.->|failed after 3 retries| DLQ P2 -.->|failed after 5 retries| DLQ DLQ --> MON[DLQ Monitor
+ Alert]

The content classifier examines the event payload. A heart rate of zero or ventricular fibrillation pattern triggers P0 classification. Blood pressure outside safe ranges triggers P1. A scheduled medication reminder goes to P2. The dispatch service always drains P0 before checking P1, and P1 before P2. For P0, the retry limit is 1 (if it fails, alert a human immediately via DLQ monitor). For P2, five retries are acceptable because a medication reminder delayed by 30 seconds is not life-threatening.

Assignment

Design a hospital alert system with three priority levels:

P0: Cardiac arrest, ventricular fibrillation, respiratory failure
P1: Abnormal vitals (blood pressure, oxygen saturation outside safe range)
P2: Medication reminders, routine check-in prompts

Routing design. Will you use topic-based or content-based routing? Justify your choice. Draw the message flow from sensor to nurse station.
Priority guarantee. Describe exactly how your consumer ensures P0 is always processed first, even when P1 and P2 queues have thousands of pending messages. Write pseudocode for the consumer polling loop.
DLQ policy. Define retry limits for each priority level. A failed P0 message has different implications than a failed P2. What happens when a P0 message lands in the DLQ?
Load test scenario. During a mass casualty event, 200 P0 alerts arrive in 10 seconds. Your consumer pool has 5 instances. Calculate processing time per message if each P0 handler takes 200ms. Will all P0 alerts be acknowledged within 10 seconds? If not, what scaling strategy do you propose?

From Theory to Container Orchestration

Session 1.10 introduced the twelve-factor methodology and asked you to score an application against it. That was an audit exercise. This session is an implementation exercise. We focus on three factors that are most frequently misunderstood in containerized environments: logs as event streams (Factor 11), admin processes (Factor 12), and disposability (Factor 9). Then we map all twelve factors to their Kubernetes equivalents, showing that modern orchestration platforms were designed with these principles baked in.

If you have not read Session 1.10, go back and review it. This session assumes familiarity with all twelve factors and builds directly on that foundation.

Factor 11: Logs as Event Streams

The twelve-factor app does not concern itself with log storage or routing. It writes logs to stdout as an unbuffered, time-ordered stream of events. The execution environment is responsible for capturing, aggregating, and routing that stream to whatever destination makes sense: a file on disk in development, a log aggregation service in production.

This sounds trivial until you see how many applications violate it. Applications that write to /var/log/app.log and then require a log rotation cron job. Applications that use a logging framework configured to write to five different files based on severity. Applications that open a network connection to a log aggregation service directly, coupling the application to infrastructure.

In a containerized environment, stdout and stderr are captured by the container runtime (Docker, containerd) and stored as JSON files on the node. A log collection agent (Fluentd, Fluent Bit, or the OpenTelemetry Collector from Session 9.6) reads those files and ships them to a backend. The application never knows where its logs go.

Structured logging amplifies this pattern. Instead of INFO: User 1234 logged in, emit {"level":"info","event":"user.login","user_id":"1234","ts":"2026-04-01T10:00:00Z"}. The log aggregation system can index, filter, and query structured fields without regex parsing.

Factor 12: Admin Processes

Admin and management tasks (database migrations, one-off scripts, REPL sessions, data backups) should run as one-off processes in the same environment as the application. They use the same codebase, the same config, and the same dependency isolation. They do not run on a developer's laptop connected to the production database over a VPN.

In Kubernetes, admin processes map to Jobs and CronJobs. A database migration runs as a Kubernetes Job using the same container image as the application, with the same environment variables injected via ConfigMaps and Secrets. It executes once, runs to completion, and exits. A nightly data cleanup runs as a CronJob on a schedule.

The critical principle: admin processes must be repeatable and automated. If a migration requires someone to SSH into a pod and run a command manually, it will eventually be run against the wrong database, at the wrong time, or forgotten entirely.

Factor 9: Disposability

Processes should start fast and shut down gracefully. In a container orchestration world, this is not a nice-to-have. It is a survival requirement. Kubernetes routinely kills and restarts pods. Rolling deployments replace old pods with new ones. The Horizontal Pod Autoscaler adds and removes pods based on CPU or custom metrics. Spot instances can be reclaimed with 30 seconds notice.

Fast startup means the container is ready to serve traffic within seconds, not minutes. Slow startup causes cascading problems: during a rolling deployment, if new pods take 3 minutes to start, the old pods are terminated before the new ones are ready, and users see errors. Kubernetes readiness probes help by only routing traffic to pods that report themselves as ready, but they do not fix the root cause of slow startup.

Graceful shutdown means the process handles SIGTERM correctly. When Kubernetes decides to terminate a pod, it sends SIGTERM and waits for a configurable grace period (default: 30 seconds). During this window, the process should stop accepting new requests, finish in-flight requests, close database connections, and flush any buffered data. After the grace period, Kubernetes sends SIGKILL. Anything not finished is lost.

All Twelve Factors in Kubernetes

#	Factor	Kubernetes Implementation	Key Resource
1	Codebase	One container image per service, stored in a registry. Same image across all environments.	Container Registry
2	Dependencies	All dependencies baked into the container image via Dockerfile. No reliance on host packages.	Dockerfile
3	Config	Environment variables injected via ConfigMaps and Secrets. Never baked into the image.	ConfigMap, Secret
4	Backing Services	Database, cache, and queue URLs are config values. Swapping a managed database requires changing a ConfigMap, not code.	ConfigMap, ExternalName Service
5	Build, Release, Run	CI pipeline builds the image (build), Helm chart or Kustomize overlay adds config (release), Kubernetes runs the pod (run).	Deployment, Helm Chart
6	Processes	Pods are stateless. Session data lives in Redis or a database. Deployments enforce statelessness; StatefulSets are used only when necessary.	Deployment
7	Port Binding	Each container exposes a port. Kubernetes Services route traffic to pods via label selectors.	Service, containerPort
8	Concurrency	Scale by adding pods, not threads. HPA scales pod count based on metrics.	HorizontalPodAutoscaler
9	Disposability	Pods start in seconds. SIGTERM handling enables graceful shutdown. PreStop hooks run cleanup logic.	terminationGracePeriodSeconds, preStop
10	Dev/Prod Parity	Same container image in dev, staging, and prod. Only ConfigMaps and Secrets differ.	Namespace, Kustomize overlays
11	Logs	Application writes to stdout. Container runtime captures logs. Fluent Bit DaemonSet ships to backend.	DaemonSet (log agent)
12	Admin Processes	Database migrations and one-off tasks run as Kubernetes Jobs using the same image and config.	Job, CronJob

How the Factors Reinforce Each Other in Kubernetes

graph TB CI[CI Pipeline
Build Image] --> REG[Container
Registry] REG --> DEP[Deployment
Factor 5: Release] DEP --> POD[Pod
Factor 6: Stateless] CM[ConfigMap
Factor 3: Config] --> POD SEC[Secret
Factor 3: Config] --> POD POD --> SVC[Service
Factor 7: Port Binding] SVC --> HPA[HPA
Factor 8: Concurrency] POD --> STDOUT[stdout
Factor 11: Logs] STDOUT --> FB[Fluent Bit
DaemonSet] FB --> LOG[Log Backend
Loki / ELK] DEP --> JOB[Job
Factor 12: Admin] POD -.-> SIGTERM[SIGTERM
Factor 9: Disposability]

Notice how the factors are not independent features. They are a coherent design philosophy. Stateless processes (Factor 6) work because config is externalized (Factor 3). Fast disposability (Factor 9) is possible because dependencies are isolated in the image (Factor 2). Logs as streams (Factor 11) work because the orchestration platform captures stdout automatically. Kubernetes did not invent these principles. It implemented them as platform primitives.

The twelve factors are not twelve rules. They are twelve opinions about where complexity should live.

The consistent theme: push operational complexity out of the application and into the platform. The application should not know how to rotate logs, manage config files, or handle rolling restarts. The platform handles these concerns. The application handles business logic. This separation is what makes cloud-native applications portable, scalable, and maintainable.

Where the Twelve Factors Fall Short

The original methodology was published in 2011. It predates containers, Kubernetes, service meshes, and serverless. Several areas receive no coverage:

Health checks. Kubernetes expects liveness and readiness probes. The twelve factors do not mention them. A twelve-factor app that starts successfully but enters a deadlock state has no mechanism for self-reporting that it is unhealthy.

Observability. Metrics, traces, and structured logging go beyond "logs as event streams." Modern applications are expected to expose Prometheus metrics, propagate trace context, and participate in distributed tracing.

Security. The twelve factors mention nothing about secrets management, network policies, or least-privilege access. In a Kubernetes environment, RBAC, network policies, and pod security standards are essential.

These gaps do not invalidate the methodology. They extend it. The twelve factors remain the foundation. Health checks, observability, and security are the additions that modern cloud-native development requires on top of that foundation.

Assignment

Return to the application you scored in Session 1.10. If you scored every factor 0-2, you now have a 12-item report card.

Identify your three lowest-scoring factors. List them with their current scores and the specific violation.
Design concrete changes. For each of the three factors, describe the exact changes needed to bring the score to 2 (fully compliant). Be specific: which files change, which tools are introduced, which processes are modified.
Map to Kubernetes. For each change, identify which Kubernetes resource would implement it (ConfigMap, Job, HPA, DaemonSet, etc.). If the application is not on Kubernetes, describe what the equivalent would be in your deployment environment.
Estimate effort. For each change, estimate implementation time in hours. Which change has the highest impact-to-effort ratio? Start there.

The Interview Is Not a Test

You have spent eight modules learning how systems work: feedback loops, scaling patterns, database tradeoffs, distributed consensus, and real-world case studies. This session is about communicating that knowledge under pressure. A system design interview is 45 minutes. You cannot cover everything. The interviewer knows this. They are not measuring completeness. They are measuring how you think, how you prioritize, and how you handle the gap between what you know and what you do not.

This session covers time management, communication structure, tradeoff articulation, ambiguity handling, and the skill of saying "I don't know" without losing credibility.

The 45-Minute Framework

Most system design interviews at major tech companies are 45 to 60 minutes. After introductions and closing questions, you have roughly 35 minutes for the actual design. Spending that time without structure leads to one of two failure modes: either you spend 25 minutes on requirements and never reach the architecture, or you start drawing boxes immediately and design a system that solves the wrong problem.

Phase	Time	Goal	Common Mistake
1. Requirements	5 min	Clarify functional and non-functional requirements. Agree on scope.	Assuming requirements instead of asking. Designing for features the interviewer did not mention.
2. Estimation	5 min	Estimate scale: users/sec, storage, bandwidth. Identify the dominant constraint.	Skipping estimation entirely. Or spending 10 minutes on exact math that does not change the design.
3. High-Level Design	15 min	Draw the architecture. Identify major components, data flow, and API contracts.	Going too deep on one component. Forgetting to show data flow between components.
4. Deep Dive	15 min	Drill into 1-2 components. Discuss database schema, caching, or scaling approach.	Waiting for the interviewer to choose the topic. Not discussing tradeoffs.
5. Wrap-Up	5 min	Summarize. Mention what you would add with more time. Ask questions.	Ending abruptly. Not acknowledging known limitations of the design.

These time blocks are guidelines, not rigid boundaries. If the interviewer asks a follow-up question during your high-level design, answer it. The framework prevents you from losing track of time, not from having a conversation.

flowchart LR A[Requirements
5 min] --> B[Estimation
5 min] B --> C[High-Level
Design
15 min] C --> D[Deep Dive
15 min] D --> E[Wrap-Up
5 min]

Communicating Tradeoffs

Every architectural decision is a tradeoff. SQL vs NoSQL. Synchronous vs asynchronous. Push vs pull. Cache-aside vs write-through. The interviewer expects you to identify these tradeoffs, articulate both sides, and justify your choice in the context of the problem.

A weak answer: "I'll use PostgreSQL for the database." A strong answer: "For the user profile service, I'll use PostgreSQL because we need strong consistency for account data, the data is relational (users have addresses, payment methods, order history), and the read/write ratio is heavily read-biased, which PostgreSQL handles well with read replicas. If this were a session store with high write throughput and flexible schema, I'd choose Redis or DynamoDB instead."

The structure is: decision, reasoning, context, and the alternative you considered. This pattern works for every choice in the design. Practice it until it becomes automatic.

Tradeoffs to have ready for common decisions:

Decision	Option A	Option B	Key Tradeoff
Database	SQL (PostgreSQL, MySQL)	NoSQL (DynamoDB, Cassandra)	Consistency + joins vs. write throughput + horizontal scale
Communication	Synchronous (REST, gRPC)	Asynchronous (Kafka, SQS)	Simplicity + immediate response vs. decoupling + resilience
Consistency	Strong consistency	Eventual consistency	Correctness guarantee vs. availability + latency
Caching	Cache-aside	Write-through	Simple invalidation vs. always-fresh cache
Scaling	Vertical	Horizontal	Simpler ops vs. near-unlimited capacity

Handling Ambiguity

The interviewer will give you an intentionally vague prompt. "Design Spotify." "Build a URL shortener." "Design a chat application." The vagueness is the test. Candidates who immediately start designing reveal that they build systems without understanding requirements. Candidates who ask clarifying questions demonstrate that they know requirements drive architecture.

Good clarifying questions follow a pattern. Start with users and use cases: "Who are the users? What are the core actions they take?" Then scale: "How many daily active users? What is the read/write ratio?" Then constraints: "Is there a latency requirement? Are there regulatory constraints on data storage?" Then scope: "Should I design the recommendation engine, or focus on playback and playlist management?"

You do not need to ask every possible question. Five to seven targeted questions are enough. The goal is to demonstrate that you think about problems before solving them, and to give the interviewer a chance to steer you toward the areas they care about.

Saying "I Don't Know"

There will be moments when you do not know the answer. The interviewer asks about a specific algorithm, a technology you have not used, or a scaling technique you have only read about. How you handle this moment matters more than the missing knowledge.

The interviewer is not testing whether you know the answer. They are testing whether you can find it while thinking out loud.

Three approaches that work:

Acknowledge and reason from first principles. "I haven't worked with CRDTs directly, but I understand they are data structures designed for eventual consistency in distributed systems. For this collaborative editor, I would need a structure that allows concurrent edits without coordination. Let me think through what properties that requires."

Acknowledge and offer an alternative. "I'm not deeply familiar with Cassandra's compaction strategies, but I know the general approach to LSM-tree compaction. For this write-heavy workload, I'd choose a compaction strategy that favors write throughput over read performance. In production, I'd benchmark size-tiered vs leveled compaction."

Acknowledge and move on. "I don't know the specifics of that algorithm. Let me note it as a detail to research and continue with the high-level design so we use the remaining time well."

What never works: guessing confidently, changing the subject without acknowledging the gap, or freezing.

Common Anti-Patterns

The resume recital. Spending five minutes explaining your current job before addressing the problem. The interviewer already has your resume. Start with the problem.

The technology parade. Listing every technology you know without connecting it to the problem. "We could use Kafka, or RabbitMQ, or SQS, or Redis Streams." The interviewer wants to know which one and why.

The premature optimization. Adding caching, sharding, and CDNs before establishing that the basic design works. Start simple. Scale when the numbers demand it.

The monologue. Talking for 10 minutes without checking in. The interview is a collaboration. Pause periodically: "Does this direction make sense? Should I go deeper here or move on?"

The perfectionist. Refusing to draw a component until the design is perfect in your head. Sketching a rough version and iterating is faster and more communicative than silent thinking.

The Wrap-Up That Leaves an Impression

With five minutes remaining, summarize what you designed and what you left out. This shows self-awareness and architectural maturity.

"We designed a music streaming service with a microservices architecture. The core components are user management with PostgreSQL, a catalog service backed by Elasticsearch for search, an audio streaming service using a CDN for delivery, and a playlist service using Redis for session data. We discussed the fan-out strategy for the activity feed and the caching layer for popular tracks. Given more time, I would address the recommendation engine, offline playback synchronization, and a more detailed approach to rights management and geo-restrictions."

This takes 60 seconds and communicates that you understand what the system needs beyond what you had time to design.

Assignment

Set a 45-minute timer. Design Spotify (or another music streaming service). Follow the framework exactly.

Minutes 0-5: Requirements. Write down 5-7 clarifying questions and answer them yourself. Define the scope: playback, search, playlists, social features. Pick three to focus on.
Minutes 5-10: Estimation. Estimate DAU, concurrent listeners, catalog size, average song size, peak bandwidth. Show your math.
Minutes 10-25: High-Level Design. Draw the architecture. Label every component and every arrow. Include at least: client, CDN, API gateway, 3+ backend services, 2+ data stores.
Minutes 25-40: Deep Dive. Pick two components. For each, discuss the data model, scaling strategy, and one specific tradeoff you made.
Minutes 40-45: Wrap-Up. Write a 3-sentence summary of what you built and what you would add with more time.

After the timer ends, review your notes. Where did you run out of time? Which phase took longer than expected? Practice this exercise three times with different systems (chat app, ride-hailing, e-commerce) and track how your time allocation improves.

The Point of All of This

You have studied systems thinking principles, architectural patterns, databases, caching, reliability, distributed systems, design frameworks, and real-world case studies across nine modules. This final session asks you to do what systems thinkers do: connect things that appear separate.

Every system you designed in Modules 7 and 8 was treated as standalone. The URL shortener existed in isolation. The ride-hailing platform did not share infrastructure with the payment system. The notification service was drawn as a box inside one architecture, not as a shared platform serving many. In reality, large organizations run dozens of these systems simultaneously, and they interact in ways that create emergent behavior, both beneficial and dangerous.

This capstone session combines two case studies from Modules 7-8, maps their interactions through causal loop diagrams (Module 0), identifies shared infrastructure, and locates the leverage points and failure cascades that emerge when systems connect.

Choosing Two Systems

For this walkthrough, we combine the ride-hailing system (Session 7.5) with the payment system that underlies every transaction. In a real organization like Uber or Grab, these are separate engineering teams with separate codebases, separate databases, and separate on-call rotations. But they share infrastructure: the API gateway, the notification service, the identity system, and the observability platform.

The same exercise works with any pair. E-commerce (7.6) and notification (7.7). Video streaming (7.3) and search engine (8.1). Chat (7.4) and collaborative editor (8.4). The goal is not the specific pair. The goal is the practice of seeing across boundaries.

Mapping Shared Infrastructure

When two systems coexist in an organization, they share more than you expect. The table below maps shared components between ride-hailing and payments.

Shared Component	Ride-Hailing Usage	Payment Usage	Failure Impact
API Gateway	Routes rider/driver requests, handles rate limiting	Routes charge/refund requests, enforces auth	Gateway outage blocks both ride requests and payments simultaneously
Identity Service	Authenticates riders and drivers	Authenticates payment tokens and merchant accounts	Auth failure prevents rides from starting and payments from processing
Notification Service	Sends ride status updates, ETA, driver arrival	Sends payment receipts, refund confirmations	Notification backlog delays ride updates and payment confirmations
Observability Platform	Traces ride matching latency, monitors dispatch SLOs	Traces payment processing latency, monitors charge success rates	Observability outage blinds both teams during incidents
Kafka Cluster	Events: ride.requested, ride.matched, ride.completed	Events: payment.initiated, payment.completed, payment.failed	Kafka lag delays ride completion and payment settlement
Redis Cluster	Caches driver locations, surge pricing multipliers	Caches user payment methods, idempotency keys	Redis failure causes stale driver locations and duplicate charges

Six shared components. Each is a potential coupling point. Each creates a path through which a failure in one system can propagate to the other.

Combined Causal Loop Diagram

Session 0.8 introduced causal loop diagrams (CLDs) as a tool for mapping feedback relationships. We now apply that tool across system boundaries. The diagram below shows how ride-hailing and payment systems interact through reinforcing and balancing loops.

graph TB RD[Ride Demand] -->|+| MR[Matching Requests] MR -->|+| PL[Payment Load] PL -->|+| PLL[Payment Latency] PLL -->|+| RCT[Ride Completion Time] RCT -->|−| UX[User Experience] UX -->|−| RD MR -->|+| KL[Kafka Event Volume] KL -->|+| CL[Consumer Lag] CL -->|+| PLL CL -->|+| NL[Notification Delay] NL -->|−| UX PL -->|+| GW[Gateway Load] GW -->|+| GWL[Gateway Latency] GWL -->|+| PLL GWL -->|+| RCT SP[Surge Pricing] -->|−| RD SP -->|+| DS[Driver Supply] DS -->|+| MR

Read the diagram carefully. Ride demand increases matching requests, which increases payment load. Payment latency increases ride completion time, which degrades user experience, which reduces demand. This is a balancing loop: the system naturally slows itself down when overloaded. But there is also a reinforcing loop through surge pricing: high demand triggers surge pricing, which attracts more drivers, which increases matching capacity, which increases payment load further.

The Kafka cluster appears as a shared bottleneck. Both ride events and payment events flow through it. Consumer lag in Kafka increases both payment latency and notification delay, creating two separate paths to degraded user experience.

Identifying Leverage Points

Session 0.6 introduced Donella Meadows' concept of leverage points: places in a system where a small intervention produces large effects. In a combined system, leverage points often sit at shared infrastructure boundaries.

Leverage Point	Type	Intervention	Impact
API Gateway rate limiting	Balancing loop (flow control)	Per-service rate limits prevent one system from consuming all gateway capacity	Prevents ride-hailing traffic spikes from starving payment requests
Kafka partition isolation	Buffer (decoupling)	Separate Kafka topics and consumer groups for ride events vs payment events	Consumer lag in ride events does not affect payment processing
Circuit breaker on payment service	Balancing loop (damage control)	When payment latency exceeds threshold, queue charges instead of blocking ride completion	Rides complete even when payment is slow; charges settle asynchronously
Redis cluster isolation	Buffer (resource separation)	Separate Redis clusters for location data and payment data	Location cache eviction does not affect payment idempotency
Notification priority queues	Information flow (prioritization)	Ride status updates get higher priority than payment receipts	Users see "driver arriving" in real time even when receipt delivery is delayed

Notice that three of these five leverage points are about isolation: preventing one system's load from affecting another. This is the central insight of combined systems analysis. When systems share infrastructure, the most powerful interventions are usually at the boundaries, not inside either system.

Failure Cascades

A failure cascade occurs when a failure in one component propagates through shared infrastructure to cause failures in apparently unrelated components. In the combined ride-hailing + payment system, two cascades stand out.

Cascade 1: Payment gateway timeout. The external payment processor (Stripe, Adyen) experiences elevated latency. Payment service threads block waiting for responses. The thread pool exhausts. Payment service stops responding. The API gateway's connection pool to the payment service fills up. The gateway starts rejecting all requests, including ride-hailing requests that have nothing to do with payments. Riders cannot request rides because the gateway is overwhelmed by backed-up payment connections.

Cascade 2: Kafka cluster degradation. A Kafka broker loses a disk. Partition rebalancing causes temporary consumer lag across all topics. Ride completion events are delayed, which delays payment initiation. Payment events queue up behind the ride events. The notification service, also consuming from Kafka, falls behind. Users see no ride status updates and no payment confirmations. Support ticket volume spikes. The support system, which also uses the shared notification service, adds more load to the already-lagging notification pipeline.

Both cascades follow the same pattern: a single failure crosses a shared boundary and amplifies through feedback loops. The CLD makes these paths visible before they happen in production.

Systems thinking is not a module you complete. It is a lens you keep. Every system you design from here forward will be shaped by how you see connections.

Applying This to Any System Pair

The process is repeatable. For any two systems in the same organization:

List shared infrastructure. API gateway, databases, caches, message brokers, identity services, observability platforms, CDNs.
Draw the CLD. Map how load in one system creates load in shared components, and how that affects the other system. Mark reinforcing loops (R) and balancing loops (B).
Identify leverage points. Look for places where isolation, rate limiting, circuit breaking, or priority ordering can prevent cross-system interference.
Trace failure cascades. For each shared component, ask: "If this fails, what happens to System A? What happens to System B? How does A's failure mode affect B through shared dependencies?"
Design interventions. For each cascade, identify the cheapest intervention that breaks the propagation chain.

This is systems thinking applied to system design. It is the skill that separates engineers who build individual services from architects who build organizations.

Assignment

This is the capstone assignment for the entire course.

Pick two systems from Modules 7-8. Choose systems that would plausibly coexist in the same organization. Suggestions: e-commerce (7.6) + notification (7.7), chat (7.4) + collaborative editor (8.4), video streaming (7.3) + search engine (8.1), ride-hailing (7.5) + ticketing (8.2).
Map shared infrastructure. Create a table like the one above. Identify at least 5 shared components. For each, describe how both systems use it and what happens when it fails.
Draw a combined CLD. Map the causal relationships between the two systems. Include at least one reinforcing loop and one balancing loop. Use Mermaid, a whiteboard, or paper. Label every arrow with + or − to show polarity.
Identify 3 leverage points. For each, describe the intervention, its type (isolation, flow control, prioritization, information flow), and the expected impact.
Trace 2 failure cascades. For each, describe the initiating failure, the propagation path through shared infrastructure, the impact on both systems, and the intervention that would break the cascade.

This assignment synthesizes material from every module in the course: feedback loops (Module 0), architectural patterns (Module 1), scaling (Module 2), databases and caching (Module 3), reliability (Module 4), distributed systems (Module 5), design methodology (Module 6), and case studies (Modules 7-8). If you can complete it thoroughly, you have internalized the core skill this course teaches: seeing systems as connected wholes, not isolated parts.

Module 9: Advanced Topics & Emerging Architectures

A Vocabulary for Tradeoffs

The Six Pillars

Pillar 1: Operational Excellence

Pillar 2: Security

Pillar 3: Reliability

Pillar 4: Performance Efficiency

Pillar 5: Cost Optimization

Pillar 6: Sustainability

Pillar Relationships

Using the Framework as a Review Lens

Tradeoff Awareness

Further Reading

Assignment

The End of the Castle

Three Core Principles

Perimeter Security vs. Zero Trust

Service Mesh and mTLS

Secrets Management

SIEM for Threat Detection

Implementing Zero Trust Layer by Layer

Further Reading

Assignment

The Problem With Data at Scale

Lambda Architecture

Kappa Architecture

Data Lakehouse

Architecture Comparison

Column-Oriented Storage

Choosing an Architecture

Further Reading

Assignment

Measure Before You Cut

The Debugging Methodology

Profile Before Optimizing

Connection Pooling

Async I/O

Database Query Plans and Index Coverage

The N+1 Query Problem

Common Bottlenecks Reference

The Optimization Loop

Further Reading

Assignment

When Everything Goes Down Together

What Is a Cell?

Cell Assignment Strategies

Failure Isolation in Practice

Real-World Implementations

Cell Deployment

The Tradeoffs

Further Reading

Assignment

Beyond the Three Pillars

OpenTelemetry

Sampling Strategies

SLI, SLO, and SLA

Error Budgets

Error Budget Burn Rate

Chaos Engineering

ML-Based Anomaly Detection

Further Reading

Assignment

How Messages Find Their Destination

Topic-Based vs Content-Based Routing

Kafka Topic Design Patterns

Priority Queue Implementations

Dead Letter Queues

Putting It Together: Hospital Alert System

Further Reading

Assignment

From Theory to Container Orchestration

Factor 11: Logs as Event Streams

Factor 12: Admin Processes

Factor 9: Disposability

All Twelve Factors in Kubernetes

How the Factors Reinforce Each Other in Kubernetes

Where the Twelve Factors Fall Short

Further Reading

Assignment

The Interview Is Not a Test