CAP Theorem: The Trade-off at the Heart of Distributed Systems
It is 2:17am on Black Friday. Your e-commerce platform is handling 40,000 orders per minute across three data centers. Then the network link between US-East and US-West goes dark. A fiber cut in Ohio. Your inventory service in US-East says there are 12 units of the hot-selling headphones left. The replica in US-West still shows 15 because the last three writes never made it across. A customer in Seattle just placed an order. Do you serve stale data and risk overselling? Or do you reject the request and lose the sale?
That question, right there, is what the CAP theorem is actually about. Not some abstract academic exercise. A real, painful, 2am decision that every distributed system must make before the failure happens.
What CAP actually says
In 2000, Eric Brewer proposed a conjecture (later proved by Gilbert and Lynch in 2002) that states: a distributed data store can provide at most two of the following three guarantees simultaneously.
Consistency (C) - Every read receives the most recent write or an error. All nodes see the same data at the same time. If you write balance = 500, no node will ever return 400 for that read afterward.
Availability (A) - Every request receives a non-error response, without the guarantee that it contains the most recent write. The system always responds, even if the data might be stale.
Partition Tolerance (P) - The system continues to operate despite arbitrary message loss or failure of part of the network. Nodes can’t talk to each other, but the system doesn’t just stop.
The critical insight most people miss: partition tolerance is not optional. Networks fail. Cables get cut. Switches die. Cloud availability zones lose connectivity. You don’t get to choose “CA” in any real distributed system because partitions will happen whether you plan for them or not.
So the real choice is: when a partition occurs, do you sacrifice consistency (AP) or availability (CP)?
How it works - the mechanism
Let’s walk through what actually happens when a network partition occurs.
graph TB subgraph normal["Normal Operation - All Nodes in Sync"] A1["Node A (US-East)<br/>balance = 500<br/>Primary"] B1["Node B (EU-West)<br/>balance = 500<br/>Replica"] C1["Node C (US-West)<br/>balance = 500<br/>Replica"] A1 -->|replicates| B1 A1 -->|replicates| C1 end subgraph partition["After Partition - Nodes Diverge"] A2["Node A (US-East)<br/>balance = 300<br/>Write accepted"] P["PARTITION<br/>Network link severed"] C2["Node C (US-West)<br/>balance = 500<br/>Stale data"] A2 -.-x|blocked| P P x-.-|blocked| C2 end subgraph choices["The Choice"] AP["AP: Serve stale data, stay available"] CP["CP: Reject reads until partition heals"] end normal --> partition partition --> choices style P fill:#FCEBEB,stroke:#A32D2D,color:#791F1F style A1 fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style B1 fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style C1 fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style A2 fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style C2 fill:#FAEEDA,stroke:#854F0B,color:#633806 style AP fill:#E1F5EE,stroke:#0F6E56,color:#085041 style CP fill:#EEEDFE,stroke:#534AB7,color:#3C3489
Step 1: Normal operation. All nodes replicate writes. A client writes balance = 300 to Node A, and that write propagates to B and C. Everyone agrees.
Step 2: Partition occurs. The link between Node A and Node C dies. Writes to Node A can no longer reach Node C.
Step 3: The choice. A client connected to Node C requests the balance. The system must decide:
- CP path: Refuse the read. Return an error. The data might be stale, and we won’t lie.
- AP path: Return
balance = 500(stale). The system stays responsive, but the client gets old data.
Step 4: Partition heals. Network recovers. Now you need a reconciliation strategy. Which value wins? Last-write-wins? Vector clocks? Application-level merge? This is where it gets interesting.
Where it breaks or gets interesting
The “pick two” framing is misleading
The Venn diagram with three overlapping circles that you see everywhere? It implies you pick two and permanently lose the third. Reality is more nuanced:
- You only sacrifice C or A during a partition
- When the network is healthy, you can have all three
- Different parts of the same system can make different choices
- The degree of consistency/availability trade-off exists on a spectrum
Consistency is not ACID consistency
This trips up a lot of people. The “C” in CAP is linearizability - a specific, strong form of consistency where operations appear to execute atomically and in real-time order. It is not the “C” in ACID, which is about maintaining database invariants (foreign keys, constraints, etc.).
Availability means “every non-failing node responds”
CAP’s definition of availability is absolute. Even one rejected request means you’ve given up availability in CAP terms. This is stricter than what most people mean when they say “high availability” (usually 99.9% uptime).
Latency is the hidden fourth dimension
Brewer himself later noted that partitions are essentially the same as very high latency. If a node takes 30 seconds to respond, is that a partition or just slow? In practice, systems set timeouts and treat anything beyond the timeout as a partition. This means your timeout configuration is actually a CAP dial.
graph LR SC["Strong Consistency"] --- SP["Spanner"] --- MG["MongoDB"] --- CA["Cassandra (tunable)"] --- DY["DynamoDB"] --- CO["CouchDB"] --- HA["High Availability"] style SC fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style SP fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style MG fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style CA fill:#F1EFE8,stroke:#888780,color:#444441 style DY fill:#E1F5EE,stroke:#0F6E56,color:#085041 style CO fill:#E1F5EE,stroke:#0F6E56,color:#085041 style HA fill:#E1F5EE,stroke:#0F6E56,color:#085041
Real-world systems and their CAP bets
CP systems (consistency over availability during partitions):
-
Google Spanner - Uses TrueTime (GPS + atomic clocks) to achieve external consistency across global data centers. During a partition, affected regions become unavailable rather than serving potentially stale data. The bet: Google can afford enough redundancy that partitions between Spanner nodes are vanishingly rare.
-
etcd / ZooKeeper - Coordination services that use consensus protocols (Raft, ZAB). If a node can’t reach a quorum, it refuses writes. You never want your distributed lock service returning “maybe locked.”
-
MongoDB (default config) - With the default write concern and read preference, reads go to the primary. If the primary is partitioned away, those reads fail until a new primary is elected.
-
HBase - Built on HDFS with a single active master. If the master is unreachable, the system won’t accept new region assignments.
AP systems (availability over consistency during partitions):
-
Cassandra - Tunable consistency, but the default is eventual. Writes succeed to available replicas. Conflict resolution uses last-write-wins timestamps. During a partition, both sides accept writes, and you reconcile via anti-entropy repair later.
-
DynamoDB - Amazon’s foundational lesson from the 2004 holiday season: “customers should always be able to add to their shopping cart.” Even if the inventory count is slightly off, never reject the action.
-
CouchDB - Multi-master replication with automatic conflict detection. Both sides of a partition can accept writes. Conflicts are stored and surfaced to the application for resolution.
-
DNS - The internet’s nameservice is heavily AP. Stale DNS records are served all the time (TTL-based caching). The system keeps working, even if it takes hours for changes to propagate.
Systems that blur the line:
-
CockroachDB - Attempts “no compromises” by using Raft consensus per range. Technically CP, but with enough replicas, unavailability windows are extremely short.
-
Cassandra with QUORUM - Set both read and write consistency to QUORUM, and you get linearizable reads. You’ve effectively made an AP system behave like CP for that operation.
-
Amazon Aurora - Uses a quorum-based storage layer (4/6 writes, 3/6 reads) that provides both high availability and strong consistency within a single region.
How to apply it in practice
Decision framework
Ask these questions for each piece of data in your system:
1. What is the cost of a stale read?
- User sees an old profile photo → cheap, go AP
- User sees an incorrect account balance → expensive, go CP
- System double-charges a credit card → catastrophic, go CP
2. What is the cost of unavailability?
- Admin dashboard is down for 30 seconds → tolerable
- Checkout page returns an error → losing money every second
- Health monitoring stops reporting → potentially dangerous
3. Can you reconcile conflicts automatically?
- Counters: use CRDTs (commutative replicated data types)
- Shopping carts: merge (union of items)
- Bank transfers: you cannot automatically reconcile, you need coordination
The “per-feature” approach
Most real systems are not purely CP or AP. They make different choices for different data:
graph LR subgraph cp["CP - Must Be Correct"] I["Inventory count"] P["Payment processing"] O["Order state machine"] end subgraph ap["AP - Must Be Fast"] PC["Product catalog"] SC["Shopping cart"] RE["Recommendation engine"] end subgraph hybrid["Tunable / Hybrid"] US["User sessions"] SI["Search index"] AC["Analytics counters"] end style cp fill:#EEEDFE,stroke:#534AB7,color:#3C3489 style ap fill:#E1F5EE,stroke:#0F6E56,color:#085041 style hybrid fill:#FAEEDA,stroke:#854F0B,color:#633806
Practical patterns for handling partitions
Pattern 1: Graceful degradation. During a partition, switch from strong consistency to eventual consistency for non-critical reads. Show cached product pages but disable checkout until the inventory service is reachable.
Pattern 2: Conflict-free data structures. Use CRDTs for data that can be merged without coordination. A G-Counter (grow-only counter) on each node can be summed after partition heals. Shopping carts can be modeled as add/remove sets.
Pattern 3: Compensation over prevention. Instead of preventing all inconsistency (expensive), detect it after the fact and compensate. Airlines oversell flights (AP) and compensate bumped passengers. Banks process transactions and reverse fraudulent ones.
Pattern 4: Quorum reads/writes. With N replicas, write to W and read from R nodes. If W + R > N, you get strong consistency. If W + R <= N, you get availability at the cost of freshness. Tuning W and R is tuning the CAP dial.
FAQ
Q: Can you just avoid network partitions entirely?
No. Even within a single data center, switch failures, NIC flaps, and misconfigured firewalls create partitions. In 2011, a network partition split the entire Amazon US-East region for hours. Google’s Chubby paper reports that their data centers experience multiple network partitions per year. You can reduce partition frequency with redundant network paths, but you cannot eliminate them.
Q: Is CAP still relevant, or has it been superseded?
CAP remains the foundational framework, but the conversation has evolved. The PACELC theorem (Abadi, 2012) extends CAP by noting that even in the absence of partitions (Else), there’s a trade-off between Latency and Consistency. Spanner achieves both C and A by making partitions extremely unlikely through massive infrastructure investment - but it still technically sacrifices availability during the rare partition. CAP hasn’t been “disproved”; real systems just operate in a more nuanced space within it.
Q: Does CAP apply to microservices that use a single database?
If all your microservices write to one PostgreSQL instance, you’ve centralized your state. CAP applies less because there’s no replication to partition. But the moment you add a read replica, a cache layer, or a second database, you’re back in CAP territory. And frankly, a single database is itself a single point of failure - your “availability” hinges entirely on that one node.
Interview questions
Q1: You’re designing a distributed banking system. A network partition splits your cluster. A customer at an ATM wants to withdraw cash. How do you handle it?
Strong answer: This depends on the withdrawal amount relative to the balance. For small amounts below a pre-configured threshold, you might allow offline withdrawals (AP - the cost of a small overdraft is less than the cost of rejecting a legitimate customer). For large amounts, reject the transaction (CP). This is exactly what real ATM networks do - they have “floor limits” that represent the maximum offline authorization amount. Mention that you’d log the offline transaction and reconcile when the partition heals, potentially triggering overdraft fees rather than blocking the operation entirely.
Q2: Your team is evaluating Cassandra vs MongoDB for a global user profile service. Walk through how CAP informs your choice.
Strong answer: Start by identifying access patterns. User profiles are read-heavy, rarely conflicting (usually one user edits their own profile), and brief staleness is acceptable (showing a 5-second-old bio is fine). This points toward Cassandra (AP, eventual consistency, multi-dc by design). MongoDB would work for single-region deployments with strong read-after-write consistency needs. But for a global service where you want every region to serve reads locally, Cassandra’s tunable consistency and built-in multi-datacenter replication is the better fit. Mention that you’d use LOCAL_QUORUM for writes and LOCAL_ONE for reads to get good consistency within a region while staying available globally.
Q3: Explain a scenario where a system advertised as “CP” can still serve stale data.
Strong answer: A CP system sacrifices availability during a partition, not consistency. But between the moment a partition occurs and the moment the system detects it (the timeout window), reads might still be served from a node that has already fallen behind. In Raft-based systems, a leader that gets partitioned away from the majority doesn’t immediately know it’s no longer leader. It continues serving reads for a brief window until its lease expires. This is why systems like etcd offer “serializable” reads (potentially stale, but fast) alongside “linearizable” reads (always fresh, but requires quorum confirmation).