Production databases must survive hardware failures, network issues, and data center outages. This module teaches you how to build highly available PostgreSQL deployments.Real-world analogy: Replication is like having a live backup singer who knows every word to every song. If the lead vocalist (primary) loses their voice mid-concert (server crash), the backup (standby) can take over immediately without the audience (users) noticing more than a brief pause. The key engineering challenge is keeping the backup singer perfectly in sync — and deciding whether you are willing to slow down the lead singer to guarantee synchronization.
Estimated Time: 10-12 hours Hands-On: Set up streaming replication Key Skill: Designing for 99.99% uptime
# Take base backup from primarypg_basebackup -h primary_host -U replicator -D /var/lib/postgresql/data \ -P -Xs -R -S standby1_slot# The -R flag creates standby.signal and configures primary_conninfo
-- postgresql.auto.conf on standby (created by pg_basebackup -R)primary_conninfo = 'host=primary_host port=5432 user=replicator password=xxx'primary_slot_name = 'standby1_slot'-- postgresql.conf on standbyhot_standby = on -- Allow read queries on standby
Practical tip: Replication lag is not one number — it is four numbers, each measuring a different stage. Understanding the difference between sent_lsn, write_lsn, flush_lsn, and replay_lsn is essential for diagnosing replication problems. If sent is far ahead of write, you have a network bottleneck. If write is ahead of flush, the standby’s disk is slow. If flush is ahead of replay, the standby’s CPU cannot keep up with applying changes.
-- On primary: View connected standbysSELECT client_addr, state, sent_lsn, -- WAL sent over the network to the standby write_lsn, -- WAL written to standby's disk (but not fsynced) flush_lsn, -- WAL fsynced to standby's disk (durable) replay_lsn, -- WAL actually applied (queries on standby see this data) pg_wal_lsn_diff(sent_lsn, replay_lsn) AS replication_lag_bytesFROM pg_stat_replication;-- On standby: View replication statusSELECT status, received_lsn, latest_end_lsn, pg_last_wal_receive_lsn(), pg_last_wal_replay_lsn(), pg_last_xact_replay_timestamp()FROM pg_stat_wal_receiver;-- Calculate lag in secondsSELECT EXTRACT(EPOCH FROM (NOW() - pg_last_xact_replay_timestamp())) AS lag_secondsFROM pg_stat_wal_receiver;
Automatic vs Manual Failover:Automatic (PostgreSQL with Patroni/Stolon):
Faster recovery (seconds to minutes)
Risk of split-brain if network partition
Requires robust failure detection
Manual (Traditional):
Slower (minutes to hours)
Human verification prevents mistakes
Better for planned maintenance
Common pitfall — split-brain: Split-brain occurs when both the primary and the standby believe they are the leader, accepting writes independently. This creates two divergent copies of your data that are extremely difficult to reconcile. It is the single most dangerous failure mode in database replication. Patroni avoids this by using a distributed consensus store (etcd/ZooKeeper) as the source of truth for leadership — a node is only the leader if the consensus store says so.Failover Checklist:
✓ Verify leader is truly dead (not just slow)
✓ Choose most up-to-date follower
✓ Promote follower to leader
✓ Update DNS/load balancer
✓ Reconfigure other followers
✓ Monitor for split-brain
✓ Investigate root cause
Testing Failover: Use chaos engineering tools like Chaos Monkey to regularly test your failover process in production.
-- Asynchronous (default)synchronous_commit = onsynchronous_standby_names = ''-- Synchronous with named standbyssynchronous_standby_names = 'standby1' -- Wait for standby1-- First N of list (any 1 from list)synchronous_standby_names = 'FIRST 1 (standby1, standby2)'-- Any N of list (quorum)synchronous_standby_names = 'ANY 2 (standby1, standby2, standby3)'-- Per-transaction control (this is a powerful production technique)SET synchronous_commit = off; -- This transaction doesn't wait for standby-- Use this for non-critical writes like logging, analytics, or notifications.-- Keep synchronous_commit = on for financial transactions and order processing.-- This gives you the best of both worlds: strong durability where it matters,-- high throughput where eventual consistency is acceptable.
-- On publisherCREATE PUBLICATION my_publication FOR TABLE users, orders, products;-- Or all tablesCREATE PUBLICATION all_tables FOR ALL TABLES;-- View publicationsSELECT * FROM pg_publication;SELECT * FROM pg_publication_tables;
Common pitfall: Choosing the wrong pool mode is the number one source of PgBouncer problems. In transaction mode, session-level state (SET commands, prepared statements, temp tables, LISTEN/NOTIFY) is lost between transactions because each transaction may land on a different backend connection. If your application uses Django or Rails with prepared statements, you may need session mode — but that significantly reduces pooling efficiency.
Pros: Fast, consistent, can be used for new replicas
Cons: Same PG version only, full backup only
Continuous Archiving (PITR)
-- postgresql.confarchive_mode = onarchive_command = 'rsync -a %p backup:/wal_archive/%f'
# Recovery to specific point in time# recovery.conf / postgresql.confrestore_command = 'cp /wal_archive/%f %p'recovery_target_time = '2024-01-15 14:30:00'
You are designing a database architecture with 99.99% uptime. Walk through your approach with PostgreSQL.
Strong Answer:
99.99% means max 52 minutes downtime per year, covering planned maintenance and unplanned failures. Architecture: primary + 2 synchronous standbys managed by Patroni with etcd consensus. Use synchronous_standby_names = 'ANY 1 (standby1, standby2)' so the primary needs only one standby ACK to commit. PgBouncer in front absorbs connection storms during failover. HAProxy for read replica load balancing.
Zero-downtime maintenance: pg_upgrade via logical replication for major versions, CREATE INDEX CONCURRENTLY for schema changes, never VACUUM FULL during business hours. Budget: 30 min for 2 unplanned failovers/year, 22 min for planned maintenance.
Follow-up: How do you prevent split-brain during failover?Patroni uses etcd as the source of truth for leadership. A node is only the leader if it holds the etcd leader key (requires quorum). If the old primary is partitioned, its lease expires and Patroni demotes it. The new primary can only be promoted after acquiring the leader key. This prevents both nodes from accepting writes simultaneously.
When would you choose logical replication over physical streaming replication?
Strong Answer:
Cross-version upgrades: Physical requires identical major versions. Logical works across versions (PG 14 to PG 16), enabling zero-downtime upgrades.
Selective replication: Physical copies everything. Logical can publish specific tables to specific subscribers.
Writable subscribers: Physical standbys are read-only. Logical subscribers can have their own tables, indexes, and materialized views.
Tradeoffs: Logical has higher overhead (WAL decoding), does not replicate DDL, and minimal conflict resolution (INSERT conflicts stop replication until manually resolved). For pure HA failover, physical is simpler and faster.
Follow-up: What happens if the subscriber is down for a day?It catches up automatically via replication slots, which prevent the publisher from recycling unconsumed WAL. The danger: a long-disconnected subscriber causes unbounded WAL retention on the publisher. Monitor pg_replication_slots for active = false and set max_slot_wal_keep_size to cap retention.
Your read replica shows 30 seconds of replication lag during peak hours. Diagnose and fix it.
Strong Answer:
Check pg_stat_replication on the primary and compare the four LSN values to identify the bottleneck stage:
write_lsn >> flush_lsn: Replica disk cannot keep up with fsync. Fix: faster storage (NVMe).
flush_lsn >> replay_lsn: Replica CPU cannot apply WAL fast enough. Common when primary generates WAL from many parallel backends but replay is single-threaded. Fix: reduce indexes on replica, or leverage PG 15+ parallel recovery improvements.
Bonus: Long-running queries on replica holding back replay due to high max_standby_streaming_delay. Fix: lower the delay (accept query cancellation) or route analytics to a dedicated replica.
Follow-up: Can you achieve zero lag while allowing reads on the replica?Yes. synchronous_commit = remote_apply ensures the standby has fully replayed WAL before the primary acknowledges the commit. Reads on the standby are always consistent with committed primary data. The cost is increased commit latency on the primary.
