Backpressure in Distributed Systems Explained
After this topic, you will be able to:
- Explain back pressure as a flow control mechanism in producer-consumer systems
- Compare back pressure strategies: blocking, buffering, dropping, and rate limiting
- Evaluate trade-offs between buffering (memory cost) and load shedding (data loss)
- Justify when to apply back pressure vs rate limiting in system design scenarios
TL;DR
Back pressure is a flow control mechanism that prevents fast producers from overwhelming slow consumers by signaling the producer to slow down or stop sending data. Unlike rate limiting (which proactively caps throughput), back pressure reacts to actual consumer capacity in real-time. Critical for maintaining system stability when downstream services can’t keep up with upstream load.
Cheat Sheet: Producer sends faster than consumer processes → Queue fills → Back pressure triggers → Producer blocks/drops/buffers → System stays stable instead of crashing.
Mental Model
Think of back pressure like water flowing through connected pipes of different diameters. When a wide pipe (fast producer) connects to a narrow pipe (slow consumer), water backs up at the junction. You have three choices: (1) Block the source — turn down the faucet until the narrow pipe catches up, (2) Add a reservoir — install a tank to buffer excess water temporarily, or (3) Overflow valve — let excess water spill out to prevent pipe burst. In software, the “pipe burst” is an out-of-memory crash or cascading failure. Back pressure is your safety mechanism that detects the backup and takes action before disaster strikes. The key insight: you can’t make the narrow pipe wider instantly, so you must control what happens at the junction.
Water Pipe Analogy: Back Pressure Flow Control
graph LR
subgraph Wide Pipe - Fast Producer
Source["Water Source<br/><i>10,000 L/min</i>"]
Valve["Control Valve<br/><i>Back Pressure Control</i>"]
end
subgraph Junction Point
Tank["Buffer Tank<br/><i>100,000 L capacity</i>"]
Sensor["Level Sensor<br/><i>Monitors fill level</i>"]
end
subgraph Narrow Pipe - Slow Consumer
Outlet["Outlet Pipe<br/><i>5,000 L/min</i>"]
Destination["Destination<br/><i>Processing</i>"]
end
Source --"1. Water flows"--> Valve
Valve --"2. Through valve"--> Tank
Tank --"3. Drains to"--> Outlet
Outlet --"4. Reaches"--> Destination
Sensor -."5. Signals back<br/>when 80% full".-> ValveBack pressure works like water flow control: when the narrow pipe (slow consumer) can’t drain the tank fast enough, the level sensor detects the backup and signals the valve to reduce flow from the source (fast producer). Without this control, the tank overflows (system crashes).
Why This Matters
Back pressure is the difference between a system that degrades gracefully under load and one that collapses catastrophically. In interviews, this topic tests whether you understand reactive flow control versus proactive rate limiting, and whether you can reason about trade-offs between latency, throughput, and data loss. Senior engineers are expected to design systems that handle load spikes without falling over — back pressure is a fundamental tool in that toolkit. Real-world systems like Kafka, Akka Streams, and reactive frameworks (RxJava, Project Reactor) all implement sophisticated back pressure mechanisms. Companies like Netflix and Amazon have publicly discussed how back pressure saved them during traffic surges. Interviewers want to see that you can identify when back pressure is needed, choose the right strategy for the use case, and understand the cascading effects through a distributed system.
Core Concept
Back pressure occurs when a consumer in a producer-consumer system cannot process data as fast as the producer generates it. Without intervention, the queue between them grows unbounded until memory exhausts or the system crashes. Back pressure is the reactive signal that propagates upstream, telling the producer to adjust its behavior. This is fundamentally different from rate limiting, which proactively caps throughput regardless of downstream capacity. Back pressure responds to actual consumer state: if the consumer speeds up, back pressure releases; if it slows down, back pressure intensifies. The mechanism can take many forms — blocking the producer, returning error codes, dropping messages, or signaling through a control channel — but the goal is always the same: prevent unbounded queue growth by matching producer rate to consumer capacity.
Back Pressure vs Rate Limiting: Reactive vs Proactive Control
graph TB
subgraph Rate Limiting - Proactive
RL_Client["Client Requests<br/><i>Variable load</i>"]
RL_Gate["Rate Limiter<br/><i>Fixed: 1000 req/sec</i>"]
RL_Service["Service<br/><i>Actual capacity: 2000 req/sec</i>"]
RL_Client --"Sends 1500 req/sec"--> RL_Gate
RL_Gate --"Allows 1000 req/sec"--> RL_Service
RL_Gate -."Rejects 500 req/sec<br/>(429 Too Many Requests)".-> RL_Client
Note_RL["Proactive: Caps throughput<br/>regardless of downstream capacity<br/>Protects producer from overload"]
end
subgraph Back Pressure - Reactive
BP_Producer["Producer<br/><i>Can send 2000 req/sec</i>"]
BP_Queue["Queue<br/><i>Bounded buffer</i>"]
BP_Consumer["Consumer<br/><i>Actual capacity: 500 req/sec</i>"]
BP_Producer --"Sends 2000 req/sec"--> BP_Queue
BP_Queue --"Processes 500 req/sec"--> BP_Consumer
BP_Queue -."Queue fills → Signals back<br/>(Block/Drop/Error)".-> BP_Producer
Note_BP["Reactive: Responds to actual<br/>consumer capacity in real-time<br/>Protects consumer from overload"]
end
Both["✓ Use Both Together:<br/>Rate limiting prevents abuse<br/>Back pressure handles legitimate spikes"]Rate limiting is proactive (fixed cap regardless of capacity), while back pressure is reactive (responds to actual consumer state). Rate limiting protects the producer from overload; back pressure protects the consumer. Systems need both: rate limiting to prevent abuse, back pressure to handle legitimate load that exceeds consumer capacity.
How It Works
The back pressure lifecycle has four stages. Stage 1: Detection — The system monitors a resource constraint, typically a bounded queue or buffer. When the queue reaches a threshold (e.g., 80% full), the system detects that the consumer is falling behind. Stage 2: Signaling — The consumer or intermediary sends a signal upstream. In TCP, this is the receive window shrinking to zero. In message queues like RabbitMQ, this is a basic.nack or channel blocking. In reactive streams, this is the request(n) protocol where consumers explicitly request how many items they can handle. Stage 3: Producer Response — The producer must honor the signal. It can block (wait until space is available), buffer locally (shift the problem to its own memory), drop messages (accept data loss), or return errors to its own upstream clients (propagate back pressure further). Stage 4: Recovery — As the consumer catches up and the queue drains, back pressure releases. The producer resumes normal operation. The key is that this cycle is dynamic and continuous — back pressure isn’t a one-time event but an ongoing negotiation between producer and consumer speeds.
Back Pressure Lifecycle: Four-Stage Flow Control
sequenceDiagram
participant P as Producer<br/>(Order Service)
participant Q as Queue<br/>(Bounded Buffer: 100K)
participant C as Consumer<br/>(Inventory Service)
participant M as Monitor<br/>(Queue Manager)
Note over P,C: Stage 1: Normal Operation
loop Every second
P->>Q: Publish 10,000 orders/sec
Q->>C: Consume 5,000 orders/sec
Note over Q: Queue fills at 5,000/sec
end
Note over P,C: Stage 2: Detection (after 20 sec)
M->>Q: Check queue depth
Q-->>M: 100,000 messages (100% full)
M->>M: Threshold exceeded!
Note over P,C: Stage 3: Signaling & Response
M->>P: QueueFull error
P->>P: Decision: Block, Buffer, or Drop?
P-->>P: Choose: Return HTTP 503
Note over P,C: Stage 4: Recovery
C->>Q: Process backlog
Q-->>M: Queue draining (60% full)
M->>P: Resume signal
P->>Q: Resume publishingThe back pressure lifecycle shows how the system detects queue saturation, signals the producer, forces a decision (block/buffer/drop), and recovers as the consumer catches up. This is a continuous, dynamic negotiation between producer and consumer speeds.
Key Principles
principle: Bounded Buffers Are Non-Negotiable explanation: Unbounded queues are a ticking time bomb. They hide back pressure problems until memory exhausts, at which point the entire process crashes. Bounded buffers force you to make an explicit decision: what happens when the buffer is full? This decision — block, drop, or error — must be intentional, not accidental. example: Amazon’s SQS has a maximum message retention of 14 days and a maximum queue size. When limits are hit, producers receive errors and must implement retry logic with exponential backoff. This forces application developers to handle back pressure explicitly rather than assuming infinite buffering.
principle: Back Pressure Propagates Upstream
explanation: Back pressure doesn’t stop at the immediate producer-consumer pair. If Service A is slow, it applies back pressure to Service B, which applies back pressure to Service C, and so on. This cascading effect can propagate all the way to user-facing load balancers, which then return HTTP 503 (Service Unavailable) to clients. Understanding this propagation is critical for designing resilient systems.
example: At Netflix, when the recommendation service experiences high latency, it applies back pressure to the API gateway. The gateway then applies back pressure to client devices by returning 503 responses with Retry-After headers, signaling clients to back off and try again later.
principle: Choose Strategy Based on Data Value and Latency Tolerance explanation: Not all data is equally important, and not all systems can tolerate blocking. Financial transactions require blocking (never drop a payment). Metrics and logs can tolerate dropping (losing 1% of metrics is acceptable). Real-time video can tolerate dropping frames but not blocking (buffering causes lag). The strategy must match the use case. example: Uber’s surge pricing system uses blocking back pressure — if the pricing service is overloaded, ride requests queue up and users see “Finding a driver…” longer. Dropping requests would mean incorrect prices. In contrast, Uber’s real-time driver location updates use a drop-newest strategy — if the consumer is slow, old locations are kept and new ones are dropped, because stale location data is worse than slightly delayed updates.
principle: Back Pressure Requires Cooperative Protocols explanation: Back pressure only works if both producer and consumer understand and honor the protocol. If the producer ignores back pressure signals and keeps sending, the system still fails. This is why standards like Reactive Streams specify explicit contracts: consumers request capacity, producers respect those requests. example: TCP’s flow control is a cooperative protocol: the receiver advertises a window size, and the sender must not exceed it. If a sender ignores the window (malicious or buggy), the receiver’s buffer overflows and packets are dropped, triggering retransmissions and degrading performance. The protocol only works when both sides cooperate.
principle: Monitor Back Pressure as a Leading Indicator explanation: Back pressure events are early warning signs of capacity problems. If you’re frequently applying back pressure, your system is operating at the edge of its capacity. This is a signal to scale consumers, optimize processing, or shed non-critical load before a full outage occurs. example: Amazon’s DynamoDB monitors throttling events (back pressure applied to clients) as a key metric. When throttling spikes, it triggers auto-scaling to add capacity. Teams also use throttling metrics to identify hot partitions or inefficient query patterns that need optimization.
How It Works
Let’s walk through a concrete example: an e-commerce order processing pipeline. Step 1: The order service (producer) receives 10,000 orders per second during a flash sale. It publishes these orders to a message queue with a bounded buffer of 100,000 messages. Step 2: The inventory service (consumer) can only process 5,000 orders per second due to database lock contention. The queue starts filling at a net rate of 5,000 messages per second. Step 3: After 20 seconds, the queue hits 100,000 messages (full capacity). The message broker detects this and applies back pressure. Step 4: The broker blocks the order service’s publish attempts, returning a QueueFull error. The order service now has a choice: it can block its own API threads (making the API slow), return HTTP 503 to clients (propagating back pressure to users), or buffer orders in its own local queue (shifting the problem). Step 5: The order service chooses to return HTTP 503 with a Retry-After: 30 header, telling clients to retry in 30 seconds. Load balancers see the 503s and trigger circuit breakers, temporarily rejecting new requests to give the system time to recover. Step 6: As the inventory service catches up, the queue drains below the threshold. The broker releases back pressure, and the order service resumes accepting requests. This entire cycle happens automatically and continuously, adjusting to real-time capacity. The key is that at no point did the system crash or lose data — back pressure kept it stable by forcing explicit decisions about what to do when capacity is exceeded.
E-Commerce Flash Sale: Back Pressure Propagation
graph LR
subgraph Client Layer
Users["Users<br/><i>10,000 orders/sec</i>"]
LB["Load Balancer"]
end
subgraph Application Layer
API["Order Service<br/><i>Producer</i>"]
CB["Circuit Breaker<br/><i>Monitors 503s</i>"]
end
subgraph Message Layer
Queue["Message Queue<br/><i>100K capacity</i>"]
Monitor["Queue Monitor<br/><i>80% threshold</i>"]
end
subgraph Processing Layer
Inventory["Inventory Service<br/><i>Consumer: 5K/sec</i>"]
DB[("Database<br/><i>Lock contention</i>")]
end
Users --"1. POST /order"--> LB
LB --"2. Route"--> API
API --"3. Publish"--> Queue
Queue --"4. Consume"--> Inventory
Inventory --"5. Update"--> DB
Monitor -."6. Queue 100% full".-> Queue
Queue -."7. QueueFull error".-> API
API -."8. HTTP 503<br/>Retry-After: 30s".-> LB
LB -."9. 503 to clients".-> Users
CB -."10. Circuit opens<br/>after threshold".-> API
DB -."Bottleneck:<br/>5K/sec max".-> InventoryDuring a flash sale, the inventory service (5K/sec) can’t keep up with order submissions (10K/sec). The queue fills, triggers back pressure to the order service, which returns HTTP 503 to clients. The circuit breaker detects the 503 pattern and opens, temporarily rejecting requests to allow recovery. Back pressure propagates from database → consumer → queue → producer → API → load balancer → clients.
Back Pressure Strategies
Blocking
Description
The producer is blocked (paused) until the consumer catches up and buffer space becomes available. This is the TCP approach: the sender stops transmitting when the receiver’s window is full. Blocking preserves all data but adds latency and can cause thread starvation if many producers are blocked simultaneously.
When To Use
Use blocking when data loss is unacceptable and latency spikes are tolerable. Financial transactions, order processing, and any system where correctness trumps speed. Also use when producers are lightweight and blocking them doesn’t consume critical resources.
Example
Java’s BlockingQueue.put() blocks the calling thread until space is available. Kafka producers can be configured with max.block.ms to block up to a specified duration when the send buffer is full.
Buffering
Description
Add intermediate storage to absorb temporary spikes. Buffers can be in-memory (fast but limited by RAM), disk-backed (slower but larger capacity), or overflow to secondary storage (e.g., S3 for cold data). Buffering trades memory/disk cost for time, hoping the consumer will catch up before the buffer exhausts.
When To Use
Use buffering when load spikes are temporary and predictable (e.g., daily batch jobs, flash sales). Requires careful capacity planning — if the buffer fills, you’re back to needing another strategy (block or drop). Best combined with auto-scaling consumers that can drain the buffer faster.
Example
Amazon Kinesis buffers incoming records in shards (in-memory) and allows consumers to lag up to 7 days (disk-backed retention). If consumers fall behind, data is still available for replay. However, if producers exceed shard capacity (1 MB/sec per shard), they receive ProvisionedThroughputExceededException and must back off.
Dropping
Description
Discard messages when the buffer is full. Policies include: tail drop (drop newest messages), head drop (drop oldest messages), random early detection (probabilistically drop as buffer fills), and priority-based (drop low-priority messages first). Dropping accepts data loss to maintain system stability.
When To Use
Use dropping when data is ephemeral or redundant. Metrics (losing 1% is acceptable), logs (sample instead of capturing everything), real-time sensor data (old readings are obsolete), and video frames (dropping frames is better than buffering lag). Never use for financial or transactional data.
Example
Prometheus uses tail drop for metrics scraping — if the scrape queue is full, new scrapes are dropped and a counter is incremented. Operators monitor this counter to detect capacity issues. Netflix’s real-time analytics pipeline drops old events when consumers lag, prioritizing recent data over completeness.
Signaling
Description
Send explicit control messages to the producer requesting it to slow down. This is the Reactive Streams approach: consumers signal request(n) to indicate how many items they can handle. Producers must respect these signals and not send more than requested. This is the most cooperative and flexible strategy.
When To Use
Use signaling in reactive systems where producers and consumers are tightly coupled and can communicate efficiently. Ideal for in-process streams (Akka Streams, RxJava) or systems with low-latency control channels. Requires both sides to implement the protocol correctly.
Example
Akka Streams implements Reactive Streams back pressure: a slow downstream stage signals request(10) to its upstream stage, which then sends at most 10 elements. If the downstream stage is still processing, it doesn’t request more, and the upstream stage buffers or blocks accordingly.
Decision Framework
Choose your strategy based on two dimensions: data importance (can you lose it?) and latency tolerance (can you wait?). High importance + high latency tolerance → blocking (e.g., payments). High importance + low latency tolerance → buffering + auto-scaling (e.g., order processing with elastic consumers). Low importance + high latency tolerance → buffering with TTL (e.g., logs with 7-day retention). Low importance + low latency tolerance → dropping (e.g., real-time metrics). For systems with mixed workloads, use priority-based strategies: block high-priority requests, drop low-priority ones.
Back Pressure Strategy Selection Matrix
graph TB
Start["Buffer Full:<br/>What to do?"] --> Q1{"Can you lose<br/>this data?"}
Q1 -->|No - Critical Data| Q2{"Can you tolerate<br/>latency spikes?"}
Q1 -->|Yes - Ephemeral Data| Q3{"Is old data<br/>still valuable?"}
Q2 -->|Yes| Block["✓ BLOCKING<br/><i>Preserve all data</i><br/>Examples: Payments,<br/>Financial transactions"]
Q2 -->|No| Buffer["✓ BUFFERING<br/>+ AUTO-SCALING<br/><i>Temporary spike absorption</i><br/>Examples: Order processing,<br/>Flash sales"]
Q3 -->|Yes - Keep Old| Drop_New["✓ DROP NEWEST<br/><i>Tail drop policy</i><br/>Examples: Metrics scraping,<br/>Log collection"]
Q3 -->|No - Keep New| Drop_Old["✓ DROP OLDEST<br/><i>Head drop policy</i><br/>Examples: Real-time location,<br/>Sensor readings"]
Buffer --> Scale{"Can consumers<br/>scale quickly?"}
Scale -->|Yes| Auto["Auto-scale consumers<br/>to drain buffer"]
Scale -->|No| Hybrid["Hybrid: Buffer + Drop<br/>with TTL expiration"]Choose your back pressure strategy based on data criticality and latency tolerance. Critical data requires blocking or buffering with auto-scaling. Ephemeral data can use dropping policies, with the choice between tail drop (keep old) or head drop (keep new) depending on whether staleness matters.
Common Misconceptions
misconception: Back pressure and rate limiting are the same thing why_wrong: This confuses proactive and reactive control. Rate limiting is proactive — you set a fixed cap (e.g., 1000 req/sec) regardless of downstream capacity. Back pressure is reactive — it responds to actual consumer state. A system can be rate-limited at 1000 req/sec but still experience back pressure if consumers can only handle 500 req/sec. truth: Rate limiting protects the producer from overload. Back pressure protects the consumer from overload. You often need both: rate limiting to prevent abuse, back pressure to handle legitimate load spikes. For example, AWS API Gateway applies rate limiting to prevent DDoS, while Lambda applies back pressure when concurrent execution limits are hit.
misconception: Adding more buffer space solves back pressure problems why_wrong: Bigger buffers just delay the inevitable. If the consumer is consistently slower than the producer, the buffer will eventually fill no matter how large it is. Worse, large buffers increase latency (messages sit in the queue longer) and make failures more expensive (more data is lost if the system crashes). truth: Buffers should be sized for temporary spikes, not sustained overload. If you’re constantly filling your buffer, the real problem is insufficient consumer capacity. The solution is to scale consumers (add more workers, optimize processing) or apply load shedding (drop low-priority work). Monitor buffer utilization as a signal to scale, not as a solution in itself.
misconception: Back pressure always propagates to end users why_wrong: This assumes a linear chain of dependencies. In reality, systems have multiple layers of buffering, load shedding, and isolation. A slow database might apply back pressure to an API service, but the API service can shed non-critical requests (e.g., analytics) while preserving critical paths (e.g., checkout). truth: Well-designed systems use bulkheads and priority queues to isolate back pressure. Critical requests get dedicated capacity and are never blocked by non-critical load. For example, Amazon’s retail site prioritizes checkout requests over product browsing. If the backend is overloaded, browsing might be slow or return cached data, but checkout always gets capacity.
misconception: Dropping messages is always bad why_wrong: This assumes all data has equal value. In reality, many systems generate redundant or ephemeral data where loss is acceptable or even desirable. Keeping stale data can be worse than dropping it. truth: Dropping is a valid strategy for lossy workloads like metrics, logs, and real-time telemetry. The key is to drop intentionally with a clear policy (drop oldest, drop by priority) rather than randomly when memory exhausts. Systems like Prometheus and StatsD are designed around sampling and dropping — they accept that 100% accuracy isn’t necessary for observability.
misconception: Back pressure is only relevant for message queues why_wrong: Back pressure applies to any producer-consumer relationship, not just queues. HTTP APIs, databases, stream processors, and even in-process function calls can experience back pressure. truth: Back pressure is a universal flow control concept. HTTP/2 uses flow control frames to apply back pressure between client and server. Databases apply back pressure through connection pool exhaustion or lock timeouts. Even single-threaded event loops apply back pressure when the event queue fills. Recognizing back pressure patterns across different technologies is a sign of senior-level thinking.
Real-World Usage
Amazon Api Gateway
Amazon API Gateway applies back pressure through throttling. Each API has a burst limit (e.g., 5000 requests) and a steady-state rate limit (e.g., 10,000 req/sec). When limits are exceeded, API Gateway returns HTTP 429 (Too Many Requests) with a Retry-After header. This propagates back pressure to clients, forcing them to implement exponential backoff. Internally, API Gateway uses token buckets to smooth traffic and prevent downstream Lambda functions from being overwhelmed. The key insight: API Gateway acts as a back pressure adapter, translating bursty client traffic into a steady flow that downstream services can handle.
Netflix Hystrix
Netflix’s Hystrix library (now in maintenance mode, succeeded by Resilience4j) implemented back pressure through bulkheads and semaphores. Each downstream dependency gets a dedicated thread pool with a fixed size. When the pool is exhausted (all threads are blocked waiting for slow responses), Hystrix applies back pressure by rejecting new requests with a fallback response. This prevents a slow dependency from consuming all threads and bringing down the entire service. Hystrix also integrates with circuit breakers: if back pressure is applied frequently, the circuit opens and requests fail fast without even attempting the call.
Uber Ringpop
Uber’s Ringpop (a consistent hashing library) handles back pressure in distributed request routing. When a node is overloaded, it returns a TChannelBusy error to the router. The router interprets this as back pressure and stops sending requests to that node, redistributing load to healthy nodes. If all nodes are applying back pressure, the router propagates back pressure upstream by returning errors to clients. This prevents cascading failures where one slow node causes a pile-up of requests across the entire cluster.
Interview Essentials
Mid-Level
At the mid-level, you should be able to explain back pressure as a flow control mechanism and describe at least two strategies (blocking and dropping). You should recognize when a system needs back pressure (unbounded queue growth) and propose a bounded buffer with a clear policy for what happens when it’s full. Be ready to compare back pressure with rate limiting and explain that rate limiting is proactive while back pressure is reactive. A common question is: “Your message queue is filling up — what do you do?” The answer should include: check consumer capacity, add monitoring for queue depth, implement a bounded buffer, and decide on a back pressure strategy (block, drop, or scale consumers).
Senior
Senior engineers must demonstrate deep understanding of back pressure propagation and trade-offs. You should be able to design a multi-tier system where back pressure cascades correctly (e.g., API → queue → workers → database) and explain how to prevent cascading failures using bulkheads and circuit breakers. Be ready to discuss real-world examples (Netflix, Amazon) and explain why they chose specific strategies. You should also understand the interaction between back pressure and auto-scaling: back pressure is a signal to scale, but scaling takes time, so you need buffering to absorb load during scale-up. A common question is: “Design a system that handles 10x traffic spikes without dropping requests.” The answer should include: auto-scaling consumers, buffering with bounded capacity, back pressure to API layer with 503 responses, and client-side retry with exponential backoff.
Staff+
Staff+ engineers must demonstrate systems thinking about back pressure across organizational boundaries. You should be able to design back pressure policies that balance business priorities (e.g., prioritize paying customers over free users) and explain how to implement priority-based load shedding. You should also understand the operational implications: how to monitor back pressure, set up alerts, and use back pressure metrics as leading indicators for capacity planning. Be ready to discuss trade-offs between different strategies in the context of CAP theorem and consistency models. For example, blocking back pressure preserves ordering but reduces availability; dropping back pressure maintains availability but loses ordering guarantees. A common question is: “Your system is experiencing back pressure across multiple services — how do you diagnose and fix it?” The answer should include: distributed tracing to identify bottlenecks, capacity analysis to find the constraint, priority-based load shedding to protect critical paths, and long-term solutions like sharding or caching to increase consumer capacity.
Common Interview Questions
What’s the difference between back pressure and rate limiting?
Your message queue is growing unbounded — what do you do?
When would you choose to drop messages vs block the producer?
How does back pressure propagate through a multi-tier system?
Design a system that handles 10x traffic spikes without data loss
Red Flags to Avoid
Suggesting unbounded queues or buffers without discussing limits
Confusing back pressure with rate limiting or treating them as interchangeable
Not considering the business impact of different strategies (e.g., dropping payment transactions)
Ignoring the cascading effects of back pressure through a distributed system
Proposing to “just add more buffer space” without addressing root cause capacity issues
Key Takeaways
Back pressure is reactive flow control that responds to actual consumer capacity, unlike rate limiting which proactively caps throughput. Both are needed: rate limiting prevents abuse, back pressure handles legitimate overload.
Bounded buffers are mandatory — unbounded queues hide problems until memory exhausts. When the buffer fills, you must make an explicit choice: block (preserve data, add latency), drop (lose data, maintain throughput), or error (propagate back pressure upstream).
Choose strategy based on data value and latency tolerance: Block for critical data (payments), buffer for temporary spikes (flash sales), drop for ephemeral data (metrics), signal for reactive streams. Mixed workloads need priority-based policies.
Back pressure propagates upstream through the entire system. A slow database applies back pressure to the API, which applies back pressure to the load balancer, which returns 503 to clients. Design for graceful degradation at each layer.
Monitor back pressure as a leading indicator of capacity problems. Frequent back pressure events signal that you’re operating at the edge of capacity and need to scale consumers, optimize processing, or shed non-critical load before a full outage occurs.