Prateek Sharma

← What's New

3 min read Architecture

Engineering for Uncertainty: Patterns for Resilient Systems

Design principles for weathering outages, traffic spikes, and unpredictable market shifts.

ReliabilitySREArchitectureScalabilityChaos EngineeringResilience

Design principles for weathering outages, traffic spikes, and unpredictable market shifts.

Real systems live in bad weather: sudden traffic, dying dependencies, partial network partitions, and shifting product bets. Resilience isn’t a bolt-on; it’s a design stance. Build for failure, limit blast radius, degrade gracefully, and make reality observable.

First principles

  • Design for failure: every dependency can lag, flap, or vanish.
  • Embrace backpressure: never accept more work than you can finish.
  • Decouple by default: prefer async boundaries and durable queues.
  • Idempotency everywhere: make retries safe; use request/operation IDs.
  • Degrade gracefully: offer something useful when the ideal is unavailable.
  • Observe reality: traces, metrics, logs—tied to SLOs and error budgets.

Reliability patterns that pay rent

  • Timeouts & retries (with jitter): timeout=200-500ms per hop; exponential backoff + jitter; max attempts capped.
  • Circuit breakers: open on failures/timeouts; provide fallbacks (cache, stale data, default).
  • Bulkheads & pools: isolate resources per tenant/feature to stop cascade failures.
  • Rate limiting & load shedding: token bucket + priority queues; shed non-critical traffic first.
  • Queues & backpressure: buffer spikes; size with headroom; alert on depth & age.
  • Caching strategies: request coalescing, stale-while-revalidate, TTLs tuned by business risk.
  • Sagas & outbox/inbox: handle distributed transactions with compensations; persist intents.
  • Graceful shutdown: connection drain; preStop hooks; idempotent workers.
  • Cell/Shard architecture: many small blast radii instead of one giant one.

Architecture under uncertainty

  • Multi-AZ baseline; selective multi-region: active-active for read-heavy; active-passive for write-critical with clear RTO/RPO.
  • Event-driven seams: publish domain events; keep contracts versioned (Avro/OpenAPI).
  • Eventual consistency by design: show users status, not lies; add compensations.
  • Thundering herd defenses: request collapsing, jittered retries, tokenized expensive ops.
  • Vendor hedging: abstraction layers for critical providers; circuit breaking per vendor.

Operations: make safety the default

  • SLOs & error budgets: reliability is a product choice; use budgets to pace change.
  • Progressive delivery: flags, canaries, automated rollbacks; cohort by region/tier.
  • Runbooks & incident command: typed incidents, roles, and decision logs.
  • Chaos & game days: failure injection in staging and low-risk prod cohorts.

Market volatility & product resilience

  • Reversible decisions: pick architectures you can unwind; avoid one-way doors early.
  • Composable pricing & features: decouple entitlements with flags & policy.
  • Capacity guardrails: autoscale with limits; protect cost with budgets and alerts.

Pattern cookbook (copy-ready)

// Retry with jitter (pseudo)
retry(max=3, base=100ms, jitter=±30%, backoff=2x)


// Token bucket (ingress)
limit = 200 rps; burst = 100; shed = lowest priority first


// Circuit breaker
open if >40% failures over 30s or p95 > 1s; half-open after 10s; fallback=stale cache


// Idempotency
Idempotency-Key: <uuid>  // dedupe writes within 24h

What to measure (and act on)

  • Golden signals: latency (p95/p99), traffic, errors, saturation.
  • Retry & shed rates: rising retries = distress; shed % = user impact.
  • Queue health: depth, age, DLQ rate.
  • Capacity headroom: CPU/mem/IO; cache hit ratio; DB connection saturation.
  • Resilience drills: time-to-detect, time-to-mitigate, rollback success rate.

30 / 60 / 90 playbook

  1. 30 days: define SLOs for 3 critical journeys; add timeouts/retries/jitter; introduce feature flags.
  2. 60 days: enable circuit breakers; implement request coalescing; add outbox for one write path; run a game day.
  3. 90 days: canary deploys by cohort; cell-split a noisy service; multi-AZ verified; cost & capacity budgets enforced.

Definition of Done (for a resilient service)

  • SLOs and error budgets published; dashboards & alerts wired.
  • Timeouts, bounded retries with jitter, and circuit breakers in place.
  • Idempotency keys for all mutating endpoints; outbox/inbox where needed.
  • Graceful degradation paths & user messaging implemented.
  • Runbooks tested; rollback rehearsed; chaos drill completed.

Anti-patterns to avoid

  • Unbounded retries: DDoS yourself and your partners.
  • Global shared pools: one tenant can drown everyone—use bulkheads.
  • Exactly-once dreams: prefer at-least-once + idempotency.
  • One-region heroics: plan for AZ failure at minimum.
  • Invisible incidents: no runbooks, no timelines, no learning.

Uncertainty is a feature of the world, not a bug. Build systems that bend without breaking, inform without guessing, and recover without drama—and you’ll ship faster because you chose resilience, not in spite of it.