How do you architect web services for scale and consistency?

Long Answer

A production-grade web-services platform treats traffic, state, and variability as first-class. Target consistent latency at scale with clear contracts for web, mobile, and partners. Use an edge gateway, stateless compute, disciplined data paths, and hard SLOs with strong observability.

1. Entry and contracts
   Put a zero-trust API gateway up front: TLS termination, OAuth2/OIDC, mTLS, and per-client rate limits. Publish OpenAPI/AsyncAPI contracts and version additively. Prefer idempotent POST/PUT with request-ids and replay protection.
   
2. Read vs write paths
   Reads dominate; writes create contention. Apply CQRS: denormalized, cache-friendly query models; transactional command models. Serve public reads at the edge/CDN and private reads from Redis with accurate keys/TTLs; invalidate via surrogate keys. Back search with OpenSearch/Algolia to avoid hot scans on OLTP.
   
3. State and storage
   Relational for strong consistency (orders, payments); document/kv for flexible entities; columnar for analytics. Partition by tenant or geography with monotonic shard keys; use read replicas for fan-out and pin writes to leaders. Adopt outbox + change-data-capture to publish events reliably.
   
4. Spikes and back-pressure
   Put queues/streams (Kafka/SQS) between user APIs and heavy jobs. Add circuit breakers, bulkheads, and timeouts. Apply token buckets and per-tenant concurrency limits. When dependencies degrade, fail fast with fallbacks (stale reads, cached quotes) and return partial responses with provenance.
   
5. Compute and autoscaling
   Keep services stateless; externalize sessions and files. Deploy containers with autoscaling driven by SLO signals (p95 latency, queue depth, errors), not CPU only. Roll via canary/blue-green with one-button rollback.
   
6. Multi-region and clients
   Run active-active regions with locality routing and data residency. Replicate async for reads; assign write ownership per region or use conflict-free types when multi-master is unavoidable. Expose eventual consistency with ETags and conditional requests.
   
7. Observability and SLOs
   Instrument RED per endpoint and USE for infra. Correlate traces across gateway→service→DB with a request-id. Set SLOs (p95 ≤ 250 ms; error rate ≤ 0.1%) and alert on budget burn. Load-test realistic mixes and failure injections.
   
8. Security and governance
   Least-privilege IAM; secrets in KMS; key rotation. Dependency scanning, SBOMs, signed images. Field-level encryption and tokenization for PII. Runbooks for incidents and tenant isolation drills.
   
9. Developer experience
   Typed SDKs per platform from the same contracts. Support pagination, filtering, and delta endpoints. Adopt schema evolution and feature flags for incremental rollout.
   
   

With this architecture, services absorb spikes with queues and caches, scale linearly via stateless compute, and keep performance consistent by isolating hot paths, shaping load, and measuring what matters. Clients get stable contracts and fast responses; operators retain levers over cost, reliability, and growth.

‍

Table

‍

Common Mistakes

Treating the API as a single tier and scaling only by CPU, so latency spikes when a dependency slows. Letting OLTP power search and reporting, causing table scans and locks. Caching without keys that encode tenant, auth, and params, then serving mixed data. No back-pressure: synchronous writes and fan-out calls turn spikes into outages. Writing and publishing in one transaction, creating double-write or lost-event bugs. Single region and single database role, so maintenance windows become incidents. Autoscaling on CPU while p95 latency and queue depth burn. Breaking contracts with non-additive changes; no tolerance for unknown fields. Thin observability: no traces across gateway→service→DB, no SLOs, alerts on noise. Secrets in env files, no rotation, weak IAM. Skipping canary or rollback, turning routine deploys into risky events. Ignoring data locality and sharding, so hot tenants dominate a shard. Treating retries as infinite without jitter, amplifying downstream failures.

‍

Sample Answers (Junior / Mid / Senior)

Junior:
I would put an API gateway in front with TLS and rate limits, document endpoints with OpenAPI, use CDN for public reads and Redis for private reads, and send heavy work to a queue so the API stays fast. I would add basic tracing and dashboards to watch error rates and response times.

Mid:
I separate read and write paths with CQRS, back search with OpenSearch, and publish changes via outbox + CDC. Services are stateless and autoscale on p95 latency and queue depth. I run active-active regions with locality routing and expose eventual consistency with ETags. Contracts are additive; clients get typed SDKs and pagination/delta endpoints.

Senior:
I design per-tenant sharding and clear write ownership per region, enforce token buckets at edge and per tenant, and use circuit breakers and bulkheads around slow dependencies. SLOs (p95 ≤ 250 ms, error ≤ 0.1%) drive alerts and capacity plans. Security covers KMS-managed secrets, SBOMs, signed images, and tested isolation. Releases ship via canary/blue-green with one-click rollback.

‍

Evaluation Criteria

‍

Strong answers map traffic control, data design, and runtime operations into one system. Look for: zero-trust gateway with rate limits; clear contracts (OpenAPI/AsyncAPI) and additive versioning; read/write separation with CQRS; cache strategy that encodes tenant/auth/params; search on a dedicated index; partitioned storage with leader writes and replicas; reliable events via outbox + CDC; back-pressure using queues, token buckets, timeouts, circuit breakers; stateless services with SLO-driven autoscaling and safe deploys; multi-region architecture with locality routing and explicit eventual consistency; observability (RED/USE, tracing, budget alerts) tied to SLOs; and governance (KMS secrets, SBOMs, signed images). Red flags: OLTP scans for search, single region, CPU-only autoscale, breaking changes to contracts, no rollback plan, or missing tenant isolation tests. Bonus: typed SDKs, pagination/delta endpoints, and load tests with failure injections. Candidates who quantify targets (p95 ≤ 250 ms, error ≤ 0.1%) and show cost-aware capacity planning demonstrate end-to-end ownership

‍

Preparation Tips

Build a small service with OpenAPI and a gateway in front; add OAuth2 and per-client rate limits. Split reads/writes with CQRS: Redis cache for reads, a relational store for writes, and a tiny outbox table feeding CDC. Index a search view in OpenSearch and verify that hot queries never hit OLTP. Add a queue between the API and a slow job; implement circuit breakers, timeouts, and token buckets. Instrument RED/USE, traces with a request-id, and SLOs (p95 latency, error rate). Deploy on an orchestrator; autoscale on p95 latency and queue depth, not CPU. Run a chaos drill: drop a dependency, observe back-pressure, and confirm fallbacks work. Add multi-region simulation with latency injection and ensure writes route to owners. Practice a canary release and one-click rollback, then show a dashboard showing SLOs, burn rate, and capacity forecast. Create typed SDKs from the same contract and verify pagination, filtering, and delta endpoints on mobile. Rotate secrets via KMS, sign images, and produce an SBOM. Finish with a postmortem template you can reuse for incidents and load-test findings.

‍

Real-world Context

A marketplace split reads from writes and fronted public endpoints with CDN + Redis. Average latency fell 45% and p95 stabilized during campaigns. A fintech replaced ad hoc updates with outbox + CDC; no more double-writes, and downstream search stayed in sync within seconds. A media platform moved search to OpenSearch and paged heavy lists; DB CPU dropped by half while feature velocity rose. A SaaS vendor added queues, token buckets, and circuit breakers around third-party billing; spikes no longer cascaded into outages. A global app enabled active-active regions with locality routing; users saw sub-300 ms p95 worldwide and faster failover drills. Partners adopted typed SDKs and additive versioning, avoiding breakage during upgrades. Tracing with request-ids across gateway→service→DB made bottlenecks obvious, cutting mean time to resolve by 60%. Moving secrets into KMS and signing images simplified audits, while SLO dashboards tied to budget burn shifted teams from reactive paging to planned capacity work that kept costs flat through a 3× traffic increase.

‍

Key Takeaways

• Separate reads and writes (CQRS) and cache aggressively with correct keys.
  
• Use outbox + CDC, queues, and back-pressure to tame spikes.
  
• Partition storage; choose leaders for writes and replicas for scale.
  
• Drive autoscaling by SLOs, not CPU; deploy via canary/blue-green.
  
• Instrument RED/USE, trace end-to-end, and guard security with KMS and signed images.
  
  

Practice Exercise

Scenario:
You own a high-traffic API used by web, iOS, Android, and partner integrations. Peak traffic arrives in short bursts during campaigns. Leadership demands p95 ≤ 250 ms, error rate ≤ 0.1%, global reach, and safe weekly releases.

Tasks:

1. Contracts and edge: publish an OpenAPI spec, stand up an API gateway with OAuth2/OIDC, mTLS, per-client limits, and request-ids. Define additive versioning rules.
   
2. Data paths: apply CQRS—Redis cache for read models, relational leader for writes, and an outbox table feeding CDC. Back search with OpenSearch; forbid OLTP scans.
   
3. Spikes: insert Kafka/SQS between the API and heavy jobs. Add token buckets, timeouts, circuit breakers, and per-tenant concurrency caps. Document fallback behavior when dependencies degrade.
   
4. Regions: deploy two regions active-active with locality routing. Choose a shard key (tenant or geo) and assign write ownership; document consistency guarantees and ETag usage.
   
5. Autoscaling and deploys: autoscale on p95 latency and queue depth; ship via canary/blue-green with one-click rollback. Record capacity playbooks.
   
6. Observability and SLOs: instrument RED/USE and distributed tracing; create SLOs and error budgets with burn-rate alerts. Build a dashboard for latency, errors, queue depth, and CDC lag.
   
7. Security: store secrets in KMS, sign images, generate SBOMs, and add tenant isolation tests.
   
   

Deliverable:
A runbook and diagram showing data flow, shard plan, failover, and deploy steps; a test plan proving SLOs under a synthetic load that includes failure injections and cache cold-start.