Read-heavy

This is what 90% of read-heavy services run in production, and for good reason: the failure modes are well understood, every senior engineer has debugged one, and the library support is mature in every language. The contract is simple — read goes to cache; on miss, read from DB and populate; write goes to DB and invalidates (or updates) the cache.

The two implementation details that matter are TTL and what you do on cache miss. TTL is your staleness budget made concrete. Pick the number from the requirements ("product cards can be 5 minutes stale") and write it into the config; do not let it drift. On miss, naive code reads the DB and writes the cache without any coordination — fine when miss rate is low, catastrophic when a hot key expires (see the stampede deep dive). Production-grade cache-aside always pairs with single-flight or probabilistic early refresh.

The blind spot of cache-aside is invalidation. A write path that forgets to invalidate leaves stale data in the cache for the full TTL. Real teams plug this with explicit invalidation on every write path plus short TTLs as a safety net, plus CDC-based invalidation for the paths the app team did not write. The honest answer is "all three, layered".

Sometimes the right answer is no cache at all. If your data is highly relational, queries are varied, and the working set is too large to fit in cache RAM at any reasonable cost, read replicas are simpler than a cache layer that bounces between 40% and 70% hit rate.

Modern Postgres or MySQL on dedicated hardware will cheerfully serve 30,000-50,000 reads per second per replica, and you can run five or six replicas before coordinating gets painful. That is enough to handle the long-tail "browse" workload of a mid-sized e-commerce site without ever touching a cache. The win is operational simplicity: no TTL debate, no invalidation strategy, no stampede defence. The cost is replication lag — anywhere from milliseconds to seconds depending on write load — which means you need a story for read-your-writes.

Where this shines is complex query workloads: analytics-style reads, ad-hoc joins, full-text search done in the DB. A cache cannot easily memoise these because the query space is unbounded. Where it falls over is the hot-key problem. Replicas distribute load by query, not by key — the same celebrity profile fetched across all replicas still costs CPU on each one. For mixed workloads, you usually end up combining replicas (long tail) with a small cache (hot tail).

The cheapest read is the one your origin never sees. For publicly cacheable content — product pages without per-user data, public posts, video metadata, search results without personalisation — a CDN with a 30-90 second TTL absorbs 70-95% of traffic before it ever reaches your region. You pay flat-rate egress to the CDN, not per-request CPU at origin.

The art is in the cache key. CDNs cache by URL plus a controlled set of vary headers. If your URLs include user-specific query parameters or you vary on too many headers, every user gets their own entry and the hit rate collapses. The discipline is to keep cacheable URLs free of personalisation, push personal data into a separate request issued by the page itself (the "shell + slot" trick — see the deep dive), and sign URLs only when you must.

Modern edge platforms (Cloudflare Workers, Fastly Compute, Vercel Edge) blur the line further: you can run a small amount of code at every PoP, fetch a personalised slot from origin, and stitch it into a cached shell. Used well, you can get 80%+ edge hit rate even on logged-in pages.

Sometimes the cheapest read is not the one you cache, but the one you precompute. For queries that join half a dozen tables or aggregate millions of rows, no amount of indexing will save you — the query is fundamentally expensive. A materialised read model flips the cost: writers pay a small extra cost to update a denormalised view; readers do a single-row, single-table lookup.

Implementations sit on a spectrum. At the simple end you have Postgres materialised views, refreshed on a schedule — fine when staleness of minutes is acceptable. In the middle you have double-writes from the application: every write goes to the normalised OLTP table and the denormalised summary table in the same transaction. This works but couples writers to the read shape; every new read pattern needs a writer change. At the high end you have CDC-driven materialisation: writers only touch the OLTP store, a CDC stream (Debezium, Postgres logical replication) feeds an event log, and a stateless materialiser job updates the read model. New read shapes mean a new materialiser, no writer changes.

The mistake to avoid is making the read model too far from the OLTP truth. Materialise the shape of the query, not a wholly different domain. Keep the relationship to the source obvious so debugging "why is the summary wrong?" stays tractable.

Modern Postgres or MySQL on a properly-sized box happily serves a few thousand RPS for a normal CRUD workload. Zero cache, zero replica, zero operational surface. The thing that breaks is not the database — it is the team panicking and adding complexity before the database is the bottleneck.

When this is enough: internal tools, early-stage consumer products under ~10k DAU, B2B with low concurrent users, anything where you can fit the working set in DB RAM.

Anti-pattern at this stage: adding Redis "for performance" when your DB is at 12% CPU. You are paying invalidation tax for a bottleneck that does not exist.

Add Redis (cache-aside) and 2+ read replicas behind the app. Route reads cache → replica → primary; writes still hit the primary and replicate out. Hit-rate target: 90%+ on the cache. Instrument and alert when it drops below 80% — that is your signal that the working set has outgrown cache RAM, not a transient blip.

The replication lag budget is where read-your-writes lives. Pick a strategy and write it down: (1) sticky-read to primary for N seconds after a write per user, (2) write-through cache so the user reads from cache even before the replica has caught up, or (3) semi-sync replication if your DB supports it. Without a documented strategy, every team picks a different one and you end up with weird user-visible bugs.

Push public, cacheable content to a CDN with 30-90s TTLs. For logged-in pages, use the shell-and-slot pattern: cache the full HTML shell at the edge, fetch only the small personalised widget from origin. Goal: 80%+ edge hit rate on the read path.

Beyond CDN, in-process LRU on the app servers absorbs hot-key spikes before they hit Redis. A 50K-entry LRU keyed on user-ID + recent-N-items costs maybe 100MB RAM per app server and routinely catches 30-50% of cache traffic that would otherwise hit Redis. The combined topology is often called four-tier: CDN → in-proc LRU → shared Redis → DB.

Once you have international users, every cross-region round trip is 100-300ms. The CDN gives you free global presence for cacheable content. For the rest, deploy regional read replicas and a regional cache, with the primary in one region for writes. Reads serve from the closest replica; writes round-trip to the primary region. This is active-passive at the data tier — far simpler than active-active and good enough for most read-heavy workloads.

The thing that breaks at v4 is not architecture, it is cache coherency across regions. A write in US-east invalidates Redis in US-east immediately, but EU-west may serve stale data for the replication lag plus the invalidation broadcast time. Either accept the staleness, broadcast invalidations on a global pub/sub channel, or use versioned cache keys (see the deep dive) and let stale entries become naturally unreachable.

Three different tools, three different problems. Confusing them is one of the most common mid-level mistakes in interviews.

Indexing fixes single-table query cost. If your query is "find user by email" and the table has a million rows, you need an index on email. Without it the database scans every row; with it the lookup is a B-tree walk in microseconds. The tradeoff is write cost (every write updates every relevant index) and disk space (~10% of the indexed column's data per index). The fear of "too many indexes hurting writes" is wildly overblown for typical OLTP workloads — under-indexing kills more services than over-indexing ever has. In an interview, when you sketch a schema, name the indexes you would add right then. It signals you are thinking about the read path, not just the data shape.

Denormalisation fixes cross-table query cost. If your query joins users to orders to order_items to products and you serve it 10K times per second, no index will make it fast enough. Denormalisation stores redundant copies — the user's name lives on every order row, the product name lives on every order_item — and reads become single-table lookups. The cost is write complexity: a name change has to propagate everywhere the name is duplicated. For high read:write ratios this is a great trade. The materialised read model variant takes denormalisation to its logical conclusion: a separate table shaped exactly for the read query, kept up-to-date asynchronously.

Caching fixes repeated query cost. If the same query runs many times with the same answer, caching memoises the result. The cost is staleness (the cached answer can be wrong for the TTL window) and invalidation work (every write path must invalidate). Caching does not help with query cost itself — every cache miss still pays the full query cost. So caching makes sense only when (a) the same data is read many times, and (b) the underlying query is already reasonably fast. Caching a slow query just hides it; the first cache miss still hurts and the stampede on TTL expiry can take down the database.

The order matters. Add indexes first — they are free correctness. Denormalise second when query shape itself is the bottleneck. Cache last, after you have done everything you can to make the underlying read cheap. A team that reaches for Redis before adding the obvious index is shipping a more complex system to solve a problem they have not yet earned.

A celebrity posts. Within seconds, a million users hit the same key in your cache. Your Redis cluster is happy serving the data — it is in memory, the lookup is O(1) — but a single Redis shard has finite CPU and finite network bandwidth. Serialising the same response a million times per second over a 10 Gbps NIC saturates the wire long before the CPU.

Consistent hashing does not help. By design every read of profile:taylor lands on the same shard. The whole point of the hash is determinism — and that is exactly what is killing you now. This is workload imbalance, not structural imbalance, and it needs different tools.

The first defence is in-process LRU on the app servers. Each app box holds the top-N hottest keys in local memory with a short TTL (5-10 seconds). On a hot-key event, the first request from each app server fetches once from Redis and populates the LRU; the next 99,999 requests on that server serve from local RAM. With 500 app servers and a 5-second LRU TTL, Redis sees roughly 500 requests per 5 seconds for that key — 100 RPS instead of 500K RPS. The cost is staleness inside the LRU window; the win is enormous.

The second defence is request coalescing (also called single-flight) for cache misses on the same server. When a hot key expires and a thousand concurrent requests on one server all miss simultaneously, naive code launches a thousand parallel fetches against Redis or the DB. Single-flight collapses them into one: the first request to miss takes ownership of the fetch and stores its in-flight Future on a map; every subsequent miss within the request looks up the map and awaits the same Future. The origin sees one query; the thousand callers all get the same answer.

The third defence is key fanout — replicate the hot key to N slots and have clients pick a random slot per read. profile:taylor:0 through profile:taylor:9 each store the same data, distributed across ten different Redis shards. A million reads per second now spread across ten shards, 100K each, comfortably within a single-shard budget. The cost is N× memory and N× invalidation work. You only do this for keys you have identified as hot — usually a small celebrity-tier set surfaced by the cache hit-rate metrics — not for every key.

In production these three defences usually combine. In-process LRU catches the bulk before Redis ever sees it. Single-flight protects the cache miss path. Key fanout protects the long-running hot keys that cannot be absorbed by the LRU alone. A staff-level answer names all three and explains which one solves which sub-problem.

Cache expiration is binary. One moment the entry is there; the next millisecond it is gone. For a key serving 100K reads per second, the moment of expiry is a synchronised cliff: 100K concurrent misses, all racing to refetch from the database. The database — sized for the normal cache-miss rate of maybe 1K queries per second — sees a 100x spike, queues fill, queries time out, the cache cannot repopulate, and you have a self-inflicted DDoS.

The naive fix is a distributed lock: only one process gets to refresh, others wait. This works in theory and breaks in practice. If the lock holder is slow or dies mid-refresh, every waiter sits idle until lock timeout, and your tail latency becomes pathological. Lock-based stampede defence requires careful timeout tuning, fallback behaviour for lock acquisition failure, and a story for what happens when the lock service itself is degraded. It is the classic fragile-by-default solution.

The better answer is probabilistic early refresh (the XFetch algorithm, from Vattani et al., 2015). Instead of waiting for TTL to expire, every read at fetch time computes a random refresh probability that rises as the entry approaches expiry. At 50% of TTL the chance is roughly 1%; at 90% of TTL it climbs to ~12%; at 99% it might be 40%. The stampede flattens into a smear of background refreshes spread across the last 10-20% of the TTL window. Most readers still get cached data; a handful of unlucky ones trigger a refresh; the database sees a steady trickle instead of a synchronised cliff.

For your most critical keys — the ones whose stampede would take you down — you can go further with active background refresh. A worker continuously refreshes the entry well before TTL, so user reads never trigger a recompute at all. The cost is wasted work refreshing data that may not be requested; the win is that user-visible latency is never tied to recompute cost. You only do this for a small hand-picked set of keys (the homepage, the top product, the celebrity profile), not for everything.

The defences compose: probabilistic early refresh as the default for all keys, plus active background refresh for the small hot tail you cannot afford to let stampede. The distributed-lock approach is rarely the right answer in production — name it in the interview to show you know about it, then explain why you would prefer the probabilistic approach.

"There are only two hard things in computer science: cache invalidation and naming things." — Phil Karlton. He was not joking. The naive approach is "DEL the cache entry on every write", and it has three failure modes that you will eventually hit. First, the application has many write paths and one of them forgets to invalidate. Second, the data is cached in multiple places (app cache, edge cache, browser cache) and the DELETE only fires on one of them. Third — the killer — there is a race window between the DELETE and the next write where a concurrent reader can fetch stale data, populate the cache with it, and undo your invalidation.

The race goes like this: writer commits the DB update at T=0; writer DELETEs the cache at T=1ms. But between T=0 and T=1ms a reader checks the cache, sees the old entry (still there, since DELETE has not landed yet), and... actually that is fine, reader gets stale-by-1ms data. The real bug is more subtle: writer commits at T=0; reader misses cache at T=0.5ms (slightly before writer DELETE); reader queries DB, gets the new value, populates cache. Writer DELETE lands at T=1ms — and removes the new value. Now another reader misses, queries DB, sees the new value, populates cache with it. OK, the system recovers. But under contention this can loop, and you can get sustained windows of stale data.

The cleanest production answer for entity-level data is cache versioning. Each row has a version column, incremented atomically with every update inside the same transaction. The cache key includes the version: event:7:v42. When the writer increments to v43 and commits, every reader that fetches the row's version next will compose a key for v43, miss, and populate it cleanly. The old v42 entry is never deleted — it is just unreachable, and falls out of the cache via TTL eventually.

The beauty of versioning is that it sidesteps every race condition. A "late writer" cannot stomp the new version because version increments are atomic in the database. There is no partial-invalidation problem because nothing is being deleted. CDN edges and browser caches naturally expire stale versions because the version is part of the URL or response key. The cost is two cache lookups per read (one for the version, one for the data) and accumulated stale entries — both manageable with a small versions cache and reasonable TTLs.

Versioning shines for single-entity caches (user profiles, product details, event metadata). It does not directly solve computed cache invalidation — feeds, search results, aggregates that combine many entities. For those, a complementary trick is the deleted-items cache: a small, fast-changing set of "things that were just removed/hidden/changed", consulted as a filter when serving cached aggregates. A user blocks another user; the blocked user's ID goes into a deleted-items cache for that user's feed; the cached feed is served as-is, with the blocked user's posts filtered out at render time. The cached aggregate stays valid; the deleted-items cache is small enough to stay fast.

Combining versioned keys for entities and a deleted-items cache for aggregates handles the vast majority of real-world invalidation problems without ever needing a hard "purge all caches" button.

User submits a comment, the page refreshes, and... the comment is not there. They click again. Still not there. Third click, it shows up. The user concludes your product is broken; the engineer looks at the code and shrugs because the comment did write successfully. The bug is replication lag colliding with the read-your-writes expectation.

The user model is simple: "if I just did this, I should see it immediately." The system is more complicated: you wrote to the primary, the cache was invalidated, but the reader landed on a replica that is 200ms behind the primary, and the cache has not yet been repopulated either, and so the reader sees a stale view. Multiply by a thousand users and you have a steady stream of "your product is broken" support tickets.

There are three production-tested fixes, each with tradeoffs.

Primary pinning is the most common. After a user writes, set a short-lived flag in the user's session ("wrote-recently") with an expiry slightly longer than your replication lag — say 5 seconds. While the flag is set, route that user's reads to the primary, bypassing replicas. After the flag expires, normal replica routing resumes. This is precise (only the user who just wrote pays the primary-load cost) and bounded (the window is short by design). The downside is bookkeeping: you need a session, a flag, and a routing layer that knows about it.

Write-through cache is more invasive but elegant when it fits. Instead of "write DB, invalidate cache", the write path goes "write DB, update cache to the new value". The reader hits the cache, sees the new value, and never queries a replica that might be stale. This works beautifully for entity reads and breaks down for aggregate reads where the cache cannot be updated cleanly from a single write. Most production systems use it for the user's own profile and recent-activity reads, and fall back to primary pinning for everything else.

Quorum reads at the database level — semi-sync replication, Aurora's read-after-write consistency, Spanner's external consistency — push the problem down to the data tier. The application reads from any replica, but the replica is guaranteed to have applied the write before serving the read. The cost is write latency: the primary cannot ack the write until enough replicas have applied it. Some databases support this natively; many do not. Where it works, it is the cleanest answer because the application code does not need to think about lag at all.

In an interview, name primary pinning as the default, mention write-through for entity caches, and reach for quorum reads only when the data store gives them to you for free.

The first 80% of CDN benefit comes from caching publicly shareable URLs — product pages, blog posts, public profiles. The next 15% comes from the trick that lets you cache logged-in pages too: separate the page into a shared shell and a personalised slot, and cache only the shell.

The shell is everything that does not change per user: the layout HTML, the navigation, the product details, the comments, the article body. It can be cached at the edge with a long TTL because nothing about it depends on who is requesting it. The slot is the small piece that does vary per user: their name in the header, their saved-items count, their cart, their recommendation rail. The slot is fetched separately, either by a small client-side request after the shell renders or — better — by an edge worker that stitches the slot into the shell at the PoP before sending the response.

Done well, you get edge hit rates on logged-in pages that approach what you see on anonymous pages. The shell hits cache; the slot hits origin; users see the page in 30ms instead of 300ms.

There are two failure modes to watch for. First, leaky personalisation in the shell: a developer adds the user's name to a shell template "just for this one feature", and now every shell request varies by user, and the cache hit rate collapses to zero overnight. Mitigations: lint rules, code review for shell templates, and a hit-rate alert on any shell URL whose hit rate drops below 60%. Second, slot fan-out: every page renders a slot, and the slot endpoint becomes the new bottleneck. Mitigations: cache the slot itself (very short TTL, varied by user ID), batch multiple slots into one origin call, or push the slot data into the JWT/session cookie if it is small enough.

The pattern generalises beyond CDN. The same shell-and-slot decomposition applies to GraphQL persisted queries (cache the query response, fetch the user-specific fragment separately), mobile API responses (cache the public payload, fetch the personal extras), and even SSR streaming (flush the shell early, await the slot).

Once the team is fluent with shell-and-slot, the operational rule becomes: if it is not a slot, it does not vary. Anything that varies must be a slot, with its own cache key, its own TTL, and its own latency budget. That discipline is what keeps a CDN-dominant architecture from drifting back to a CDN-bypassed one as the product grows.