Event-Driven Architecture: An Honest Assessment
Event-driven systems are elegant in talks and brutal in production. After building and operating them across multiple companies, here is what nobody tells you before you commit to the pattern.
Every few years the industry rediscovers event-driven architecture and decides it is the answer. The talks are compelling. Services decoupled from each other. No direct dependencies. Producers that emit events and never think about who consumes them. Consumers that react to what happened and never worry about who caused it. The system as a whole becomes a collection of independent actors responding to a shared stream of facts about the world.
In the talk, this is clean. In production, it is one of the most operationally demanding patterns in software engineering, and the gap between how it is pitched and what it costs to run it well is wider than almost any other architectural pattern I can think of.
I have built event-driven systems that worked well and event-driven systems that were disasters. The difference was not the technology and it was not the team’s capability. It was whether the team went in with an accurate picture of what they were buying. Most teams do not get that picture before they commit. This article is an attempt to provide it.
What you actually get
Start with what is genuinely good, because there is genuine good here.
Decoupling that is real. When the order service publishes an OrderPlaced event and knows nothing about who consumes it, and when the inventory service consumes OrderPlaced and knows nothing about who published it, you have achieved something meaningful. Either service can be redeployed without the other. Either can evolve its internal implementation without negotiating with the other. A new service can start consuming OrderPlaced tomorrow without touching the order service at all.
This decoupling is the thing that makes large organisations with many teams possible. The team that owns the order service does not need to be in a meeting with every team that cares about orders. They publish the event. Every consumer team builds and maintains their own reaction to it. The coordination that would have been synchronous and blocking becomes asynchronous and independent.
Audit trails that emerge naturally. If your events are your source of truth, you have a complete record of everything that happened in your system in the order it happened. Not just the current state, but the history of how you got there. This is genuinely useful for debugging, for compliance, and for the class of bugs that are almost impossible to diagnose without knowing what sequence of events preceded them.
Load handling that is structural rather than bolted on. A consumer that reads from a queue processes work at the rate it can handle, regardless of the rate at which work arrives. The queue absorbs the spike. The consumer processes the backlog when capacity is available. This is structurally different from a synchronous system where a traffic spike hits the service directly and the service either handles it or falls over.
These are real benefits. They are worth having. They are also not free.
The cost nobody quotes you upfront
Eventual consistency is not a configuration option, it is a commitment.
When you move from synchronous calls to events, you give up the ability to know, at any given moment, that all parts of your system agree on the current state. The order was placed. The OrderPlaced event was published. The inventory service will consume it and reserve the stock. When? Soon. How soon? Depends on the consumer’s lag. What if the user queries their order status right now, before the inventory service has processed the event? The order exists in the order service’s view. The inventory has not yet been reserved. The system is in an intermediate state that is internally consistent but not yet globally consistent.
For many use cases this is acceptable. For some it is not. The teams that adopt event-driven architecture without thinking carefully about which of their use cases fall into which category discover the hard way that “eventually” can mean milliseconds, seconds, or minutes depending on what else is happening, and that users do not have the same patience for eventual consistency that architects do.
# The problem that bites teams who haven't thought this through:
# User places an order. Order service publishes event.
async def place_order(user_id: str, items: list) -> Order:
order = Order.create(user_id=user_id, items=items)
await db.save(order)
await event_bus.publish(OrderPlaced(order_id=order.id, items=items))
return order
# User immediately queries order status.
# Order service returns order with status "pending".
# Inventory service has not yet processed the event.
# Frontend shows "pending" with a spinner.
# User refreshes. Still pending. Refreshes again.
# Inventory event processes. Status updates to "confirmed".
# User has refreshed four times and is on the phone with support.
# The system was correct the entire time.
# The user experience was broken the entire time.
# These are not contradictory.
# What teams often do to address this:
# Read-your-own-writes consistency for the immediate response,
# combined with a clear UI state that communicates processing is happening.
async def place_order_with_ux_in_mind(user_id: str, items: list) -> dict:
order = Order.create(user_id=user_id, items=items)
await db.save(order)
await event_bus.publish(OrderPlaced(order_id=order.id, items=items))
return {
"order_id": order.id,
"status": "processing",
"message": "Your order is being confirmed. This usually takes a few seconds.",
"poll_url": f"/orders/{order.id}/status",
# Give the client a signal about what to do next,
# rather than leaving them in ambiguous pending state
}Debugging across services is a different discipline entirely.
In a synchronous system, a bug has a call stack. You look at the stack trace and you see exactly what called what in what order. The sequence is right there.
In an event-driven system, the equivalent of a call stack is a trace across multiple services, potentially across multiple events, potentially hours or days apart. OrderPlaced fires. InventoryReserved fires. PaymentProcessed fires. FulfillmentCreated fires. ShipmentCreated fires. The user reports that their order is stuck. You need to find where in this sequence something went wrong, knowing that each step is in a different service with different logs, possibly with events that were consumed out of order, possibly with a consumer that failed silently and moved on.
Without distributed tracing that propagates correlation IDs across every event, this debugging is archaeology. You are sifting through log files from multiple services trying to reconstruct what happened to a specific order that a specific user placed at a specific time.
# Event envelope that makes debugging survivable.
# Every event carries a correlation ID from the originating request.
# Every subsequent event in the chain inherits it.
# Every service logs it with every operation related to the event.
# When debugging, filter all service logs by correlation ID
# and you reconstruct the full sequence.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any
import uuid
@dataclass
class Event:
event_id: str = field(default_factory=lambda: str(uuid.uuid4()))
event_type: str = ""
correlation_id: str = field(default_factory=lambda: str(uuid.uuid4()))
causation_id: str = "" # ID of the event that caused this one
occurred_at: str = field(
default_factory=lambda: datetime.now(timezone.utc).isoformat()
)
schema_version: str = "1.0"
payload: dict = field(default_factory=dict)
def caused_by(self, parent_event: "Event") -> "Event":
self.correlation_id = parent_event.correlation_id
self.causation_id = parent_event.event_id
return self
# When the inventory service handles OrderPlaced and emits InventoryReserved:
async def handle_order_placed(event: Event) -> None:
order_id = event.payload["order_id"]
log.info(
"inventory.reservation.started",
correlation_id=event.correlation_id,
order_id=order_id,
)
await reserve_inventory(order_id)
reserved_event = Event(
event_type="InventoryReserved",
payload={"order_id": order_id},
).caused_by(event) # Inherits correlation_id, sets causation_id
await event_bus.publish(reserved_event)
log.info(
"inventory.reservation.completed",
correlation_id=event.correlation_id,
order_id=order_id,
caused_event_id=reserved_event.event_id,
)With this envelope, every event in a chain shares a correlation ID. Every log line from every service that handled any event in the chain includes that correlation ID. Debugging a stuck order is a single log query: show me every log line with this correlation ID, across all services, sorted by time.
Without this, you do not have an event-driven system you can operate. You have a system that works until it breaks and then you cannot find out why.
Consumer failures are invisible by default.
In a synchronous system, a failure is loud. The call throws an exception. The caller gets an error. Someone notices.
In an event-driven system, a consumer failure can be completely silent. The consumer reads the event, fails to process it, and depending on how it is configured, either requeues the event, moves it to a dead letter queue, or discards it and moves on. The producer never knows. The other consumers never know. The user whose order triggered the event never knows until they notice that something downstream has not happened.
Dead letter queues are the standard answer to this and they are the right answer, but they are only useful if someone is watching them. A dead letter queue that nobody monitors is not a safety net. It is a place where failed events go to be forgotten.
# Dead letter queue monitoring that actually alerts
import boto3
from prometheus_client import Gauge
sqs = boto3.client("sqs")
DLQ_DEPTH = Gauge(
"sqs_dlq_message_count",
"Number of messages in dead letter queue",
["queue_name"]
)
async def check_dlq_depths():
queues = [
("order-processing-dlq", "https://sqs.region.amazonaws.com/account/order-processing-dlq"),
("inventory-dlq", "https://sqs.region.amazonaws.com/account/inventory-dlq"),
("payment-dlq", "https://sqs.region.amazonaws.com/account/payment-dlq"),
("fulfillment-dlq", "https://sqs.region.amazonaws.com/account/fulfillment-dlq"),
]
for queue_name, queue_url in queues:
response = sqs.get_queue_attributes(
QueueUrl=queue_url,
AttributeNames=["ApproximateNumberOfMessages"]
)
depth = int(response["Attributes"]["ApproximateNumberOfMessages"])
DLQ_DEPTH.labels(queue_name=queue_name).set(depth)
# Alert rule: any DLQ with more than 0 messages is an incident.
# Not a warning. An incident.
# A message in the DLQ means an event failed to process.
# That means something the user expected to happen did not happen.
# That is always worth investigating immediately.Any message in a dead letter queue is a symptom of a real problem. Not a might-be-a-problem. A real problem. Treating DLQ depth as a metric that alerts at zero normalises the expectation that failures are real and visible, rather than the expectation that failures are background noise to be managed.
The schema problem that grows until it bites you
Events are a public interface. Once a consumer is reading your events, the schema of those events is a contract. Changing the schema breaks the consumer.
In a synchronous API, schema evolution is managed through versioning. The producer runs V1 and V2 of the endpoint simultaneously. Consumers migrate at their own pace. When all consumers have migrated, V1 is deprecated.
In an event-driven system, the equivalent is possible but operationally harder. If you change the OrderPlaced event schema, you need every consumer of OrderPlaced to be updated before you change the schema, or the consumer needs to handle both old and new schemas simultaneously, or you need to maintain two event types in parallel during migration. None of these options is cheap, and they are cheaper if you planned for them than if you did not.
The teams that handle this well establish schema governance before they have a schema problem. Not after.
# Schema versioning that makes evolution manageable.
# Every event schema has an explicit version.
# Consumers declare which versions they can handle.
# The event bus routes accordingly.
from pydantic import BaseModel
from typing import Literal
from datetime import datetime
# Version 1 of OrderPlaced
class OrderPlacedV1(BaseModel):
schema_version: Literal["1.0"] = "1.0"
order_id: str
user_id: str
total: float
occurred_at: datetime
# Version 2 adds line items and changes total to be in cents
# to avoid floating point issues that V1 had
class OrderPlacedV2(BaseModel):
schema_version: Literal["2.0"] = "2.0"
order_id: str
user_id: str
total_cents: int # Changed: was "total: float"
currency: str # Added
items: list[dict] # Added
occurred_at: datetime
# Consumer that handles both versions during migration period
class InventoryConsumer:
async def handle(self, raw_event: dict) -> None:
version = raw_event.get("schema_version", "1.0")
if version == "1.0":
event = OrderPlacedV1(**raw_event)
order_id = event.order_id
# V1 doesn't have items, so we have to fetch them
items = await self.order_service.get_items(order_id)
elif version == "2.0":
event = OrderPlacedV2(**raw_event)
order_id = event.order_id
items = event.items
else:
log.error(
"inventory.consumer.unknown_schema_version",
version=version,
event_id=raw_event.get("event_id"),
)
raise UnknownSchemaVersionError(version)
await self.reserve_inventory(order_id=order_id, items=items)Schema versioning adds boilerplate. The alternative is finding out during an incident that a schema change broke a consumer that nobody knew was depending on the old format.
When event-driven architecture is the wrong answer
The pattern is not universally appropriate. Teams adopt it when they should not, attracted by the elegance and the conference talks, and then spend years paying costs that were not necessary.
When you have one team and one service. Events are an organisational boundary mechanism. If there is no organisational boundary, you are paying the operational cost of distributed messaging for no architectural benefit. A function call is faster, simpler, and easier to debug. A modular monolith with internal domain events gives you the architectural thinking without the operational overhead.
When your operations require immediate consistency. Financial transactions. Inventory deduction that must be accurate at the moment of purchase. Medical record updates. Any situation where the user or the business cannot tolerate the state being temporarily inconsistent. Eventual consistency is not a technical property to be engineered around in these cases. It is a fundamental unsuitability.
When your team does not have the operational maturity for it. Event-driven systems require distributed tracing. They require DLQ monitoring. They require schema governance. They require expertise in at least one message broker technology. They require runbooks for consumer failure scenarios. Teams that are still establishing basic engineering practices should not add this operational surface area. Stabilise first. Adopt the pattern when you have the capacity to operate it correctly.
When the communication pattern is inherently synchronous. A user submits a form and expects a result. An API client makes a request and needs a response before it can proceed. A batch job reads data and produces a report. These patterns do not become better by adding events between the steps. They become more complex with no benefit. Forcing an asynchronous pattern onto an inherently synchronous workflow is an architecture astronaut move, not an engineering decision.
The systems that work
The event-driven systems that work well in production share a set of properties that are not negotiable.
Every event carries enough context to be processed without fetching additional data. A consumer that needs to make a synchronous call to process an event has a dependency on the producer that the event pattern was supposed to eliminate.
Every consumer is idempotent. Events can be delivered more than once. A consumer that is not idempotent will produce duplicate effects when this happens. Designing for idempotency upfront is straightforward. Retrofitting it after duplicate processing has caused data integrity issues is expensive.
# Idempotent consumer using a processed events log
async def handle_order_placed(event: Event) -> None:
# Check if we have already processed this event
already_processed = await processed_events.exists(event.event_id)
if already_processed:
log.info(
"inventory.consumer.duplicate_event_skipped",
event_id=event.event_id,
correlation_id=event.correlation_id,
)
return
# Process the event
await reserve_inventory(event.payload["order_id"])
# Record that we have processed it
await processed_events.record(
event_id=event.event_id,
processed_at=datetime.now(timezone.utc),
consumer="inventory-service",
)Every schema change goes through a review process before it is deployed. The review asks: which consumers will be affected? Have they been updated? Can the change be made backwards-compatible? If not, what is the migration plan?
Every dead letter queue has an alert and an owner. DLQ messages are investigated the same day they appear. Not triaged. Not backlogged. Investigated.
The teams that run event-driven systems well have built this infrastructure. It is not glamorous work. It does not appear in the conference talk about the elegant decoupling. It is the thing that makes the decoupling survivable in practice.
The honest version of the pitch
Event-driven architecture is worth adopting when you have multiple teams that need genuine autonomy, when your use cases can tolerate eventual consistency, when you have the operational maturity to run distributed messaging in production, and when the benefits of decoupling outweigh the costs of asynchrony and distribution.
In those circumstances it is genuinely powerful. The teams that use it well will tell you they cannot imagine going back. The operational complexity feels like a fair trade for the organisational flexibility.
In other circumstances it is an expensive mismatch between pattern and problem. The complexity of the pattern does not disappear because you chose it for the wrong reasons. It stays. You pay it.
The evaluation should be honest about both sides. Not “events are the modern way to build systems” which is a fashion statement. Not “events are always too complex” which ignores where they genuinely excel. The honest version: this pattern solves specific organisational and scalability problems at a specific operational cost. Do the problems apply to us? Can we afford the cost? Those are the questions worth asking before you commit.
The answer is sometimes yes. It is not always yes. And pretending otherwise is how teams end up with event-driven systems they cannot operate and cannot easily escape.