How Systems Survive Chaos

Werner Vogels, Amazon's CTO, has a famous quote: “Everything fails, all the time.” He isn't being dramatic. At Amazon's scale — millions of servers, billions of requests per day — hardware failures aren't exceptional events. They're constants. Hard drives fail, networks partition, entire datacenters go dark. The question isn't if things will break, but how the system behaves when they do.

This page covers the hard problems in distributed systems: the mathematical impossibilities (CAP theorem), the elegant algorithms (consistent hashing), the protective patterns (circuit breakers, rate limiters), and the coordination protocols (leader election). These aren't theoretical — Netflix, Amazon, Google, and Discord use every single one in production.

If you haven't seen The Data Layer yet, that covers databases, caching, queues, and replication. This page builds on those concepts — you'll see why replication requires consensus, why caching needs consistent hashing, and why every service call needs a circuit breaker.

The tradeoff you face every day isn't C vs A

Network partitions are rare — maybe a few times per year even at massive scale. The tradeoff you actually face on every single request is latency vs consistency. Daniel Abadi formalized this as PACELC: if there's a Partition, choose Availability or Consistency. Else (no partition), choose Latency or Consistency.

DynamoDB lets you choose per query. Set ConsistentRead: true for critical reads (checking inventory before purchase) and use the default eventually consistent read for everything else (browsing product pages). The consistent read costs 2x the capacity units and adds a few milliseconds — a tax you pay only when correctness matters.

Google Spanner claims to offer “effectively CA” by using atomic clocks and GPS receivers in every datacenter to keep global time synchronized to within a few microseconds. This lets them do globally consistent reads without the typical latency penalty. The catch: it costs $0.90/node-hour and requires Google's custom hardware. For the rest of us, it's back to choosing between latency and consistency.

The paper that powers every CDN

In 1997, David Karger and his co-authors at MIT published “Consistent Hashing and Random Trees.” They were trying to solve web caching at Akamai — how do you distribute billions of cached objects across thousands of servers without reshuffling everything when a server dies? Their solution was the hash ring.

Today, consistent hashing is everywhere. Amazon DynamoDB uses it to distribute data across partitions — when you add capacity, only 1/N of your data migrates instead of reshuffling everything. Cassandra's entire architecture is called “the ring” for this reason. Discord uses it to shard messages by guild ID. Every CDN uses it for cache routing.

Virtual nodes solved the last major problem. With just 4 physical servers on a ring, distribution can be wildly uneven — one server might hold 40% of keys while another holds 10%. By giving each physical server 100-150 virtual positions on the ring, distribution variance drops below 3%. It's an elegant trick: the ring doesn't know or care that 150 points are actually the same machine.

71 million requests per second

In February 2023, Cloudflare mitigated the largest HTTP DDoS attack ever recorded: 71 million requests per second, launched from a botnet of over 30,000 compromised devices. The attack lasted just a few minutes, but without rate limiting at the edge, it would have overwhelmed any origin server on earth.

Rate limiting isn't just for DDoS protection. It's fundamental to API design. GitHub gives you 5,000 API requests per hour. Twitter allows 300 tweet lookups per 15 minutes. Stripe rate-limits by API key and endpoint. These limits exist to ensure fair access and prevent one customer from degrading the service for everyone else.

The distributed rate limiting problem is subtle. With 10 API servers, each maintaining its own counter, a user could send 100 requests to each server — 1,000 total, but each server thinks it's within the 100-request limit. The fix: centralized counting with Redis. All servers atomically increment the same Redis key using INCR with a TTL. Redis handles this at microsecond latency, adding negligible overhead to each request.

Netflix breaks their own systems on purpose

In 2011, Netflix built Chaos Monkey — a tool that randomly kills production instances during business hours. The reasoning: if your system can't survive random failures in controlled conditions, it will definitely fail during real outages at 2 AM on Christmas Eve. They expanded this to the “Simian Army” — Chaos Gorilla kills entire availability zones, Latency Monkey injects random delays, Conformity Monkey shuts down instances that don't follow best practices.

The investment paid off spectacularly. On Christmas Eve 2012, AWS Elastic Load Balancing had a major outage. Services across the internet went down. Netflix stayed up. Their circuit breakers detected the ELB failures, stopped routing through affected paths, and continued streaming from healthy instances. Millions of people watched holiday movies while the rest of the internet was in crisis.

Amazon's 2017 S3 outage taught the rest of the industry the same lesson. A single mistyped command took down S3 in us-east-1 for 4 hours. Slack, Trello, Quora, Business Insider, and thousands of other services went down — not because their own code failed, but because they had no circuit breakers or fallbacks for S3 dependencies. The post-mortem led to a wave of adoption of resilience patterns across the industry.

How Uber coordinates a ride across 15 states

To a user, an Uber ride is five steps: request, match, pickup, trip, complete. Architecturally, it's a 15+ state distributed state machine coordinating the rider, driver, and backend platform across six event streams. A single trip can span 30 minutes, involve dozens of services, and must survive crashes, network failures, and app restarts.

Uber built Cadence to solve this — an open-source workflow engine that grew to 100+ internal use cases. Before Cadence, 80% of requests to Uber's API gateway were polling calls: services endlessly asking “is it done yet?” Cadence replaced this with durable, stateful workflows where each step automatically retries and compensates on failure.

The creators of Cadence later founded Temporal, which has become the industry standard for saga orchestration. ANZ Bank reduced home loan processing development from over a year to weeks. Maersk cut logistics feature delivery from 60-80 days to 5-10 days. Netflix, DigitalOcean, and Stripe all use Temporal. The lesson: distributed transactions need a coordinator — but that coordinator must itself be distributed, fault-tolerant, and horizontally scalable.

The algorithm that keeps the internet coordinated

Leslie Lamport published the Paxos consensus algorithm in 1989. It was mathematically elegant and provably correct — and notoriously difficult to implement. So many teams got it wrong that in 2014, Diego Ongaro and John Ousterhout designed Raft as a more understandable alternative. Raft achieves the same guarantees as Paxos but with a clearer mental model: leader election, log replication, and safety.

etcd (used by Kubernetes for all cluster state) runs Raft. Consul (used by HashiCorp for service discovery) runs Raft. CockroachDB (used by DoorDash for global transactions) runs Raft. Every time Kubernetes schedules a pod, it's writing to etcd through Raft consensus — ensuring that even if one etcd node crashes mid-write, the cluster state stays consistent.

Kafka historically relied on ZooKeeper for leader election and metadata management. In 2022, Kafka introduced KRaft (Kafka Raft) to eliminate the ZooKeeper dependency entirely. Each Kafka controller now participates in a Raft quorum directly. This simplified operations enormously — no more managing a separate ZooKeeper cluster alongside your Kafka cluster.