Facebook Messenger

✅ Functional Requirements

• Support 1-on-1 conversations between any two users
• Track and broadcast online / offline status for each user
• Persist chat history — same view on every device the user owns
• Show delivered / read receipts per message

⚙️ Non-Functional Requirements

• Real-time chat experience — minimum end-to-end latency, target under 200ms
• Highly consistent — every device shows the same chat history in the same order
• Highly available — but we are willing to sacrifice some availability for consistency (a missing-message bug is worse than a 30-second outage)

➕ Extended

• Group chat — N participants, message fanout to all members
• Push notifications — wake the recipient's phone via APNS / FCM when they're offline

Messages/day

~20 billion

500M × 40

Avg msg size

~100 bytes

Text only

Ingress

~25 MB/s

230K × 100B

Egress

~25 MB/s

Each msg goes out once

❌ Why not MySQL?

A MySQL server tops out around 5K-10K writes/sec on commodity hardware. We need 230K writes/sec sustained. Sharded MySQL could hit it, but we'd be reinventing what HBase ships with — region splits, replication, tombstoning. Operational nightmare.

❌ Why not MongoDB?

Document-style fine for a single message, but range scans across millions of messages in one conversation are slow and memory-hungry. HBase's columnar layout + row-key sort order is purpose-built for "scan the last N rows for key prefix X".

✅ Why HBase + HDFS?

(a) Write-optimized log-structured storage absorbs 230K writes/sec linearly. (b) Row-key range scans for chat history are O(N) on the result, not the dataset. (c) HDFS underneath gives us 3-way replication + petabyte-scale storage for free. (d) Battle-tested at Facebook for exactly this workload.

💥 Wasted polls

500M users polling every 3 seconds is 166 million requests/sec. 99% return empty because most people aren't getting messages most of the time. We'd be running a planetary-scale DDoS on ourselves to hear the answer "nothing new" 99% of the time.

💥 Bad UX latency

Latency = polling interval. A 3-second poll means a message takes on average 1.5 seconds just to appear, and worst case 3. Sarah types "are you free?" and Raj sees it 3 seconds later — feels broken. Drop the interval to 500ms and the request rate becomes 1 billion/sec.

💥 Cost scales with users, not activity

Even if nobody is actually chatting, server load is proportional to user count. Idle users cost the same as active users. We're paying full price 24/7 to mostly say "still nothing".

🔁 Long Polling

Client sends GET /messages; server holds the request open for up to 30 seconds. As soon as a message arrives for that user, server responds. If nothing arrives in 30s, server returns 204 and client immediately reconnects. Works through any HTTP-aware firewall — zero protocol changes — but each "long poll" still ties up one server-side request handler per user.

⚡ WebSockets

A real persistent TCP connection upgraded from HTTP. Bidirectional — server can push, client can send, both at any time, with nearly zero per-message overhead (a few bytes of frame header). One connection per user, lives for hours. The modern default — what Messenger, WhatsApp, and Slack all use.

① Client (Mobile / Web)

The Messenger app on Sarah's iPhone, Raj's Android, or anyone's browser. On launch it authenticates, opens a single WebSocket to the load balancer, and keeps that connection alive with periodic ping frames. All sends and receives flow over this one socket. The client also caches recent messages locally for instant rendering when the user opens a thread.

Solves: the user's window into the system. The WebSocket is what makes "instant" possible — the client never has to ask "anything new?", it just listens. Without a persistent client connection, we'd be back in polling hell.

② Load Balancer (sticky sessions)

The traffic cop. Receives the initial HTTPS upgrade request and routes it to a chat server. Crucially it uses sticky sessions — once Sarah's WebSocket is bound to chat server #137, every subsequent frame from her client must reach the same server, because that server holds her open socket. Round-robin won't work; we need a hash on user_id or a cookie-based affinity.

Solves: spreading 500M connections across 10K chat servers without any one being overloaded, while preserving the connection-server binding. Without stickiness, frame #2 from Sarah might land on server #138 — which has never heard of her socket — and the connection breaks.

③ Chat Server cluster

The heart of the connection plane. Each chat server is a long-running process that holds ~50,000 open WebSockets in memory. When a client connects, the server registers the user in the routing table ④. When a message arrives from Sarah, the server looks up Raj's chat server in the routing table — if it's the same box, it's a direct in-memory push; if it's a different box (almost always), it publishes to Kafka ⑤. Stateless from the data's perspective (everything persists to HBase), but stateful from the connection's perspective.

Solves: the "where does the push come from?" problem. A normal REST app server can't do push because it has no persistent link to the client. Chat servers exist exclusively to hold those links. Without them, every message would need to wait for the recipient to ask for it.

④ User → ChatServer routing table (Redis)

A simple in-memory map: user_id → chat_server_id. When Sarah's client connects to chat server #137, the server writes sarah_id: 137 to Redis. When someone wants to push a message to Sarah, they read this entry and know which server to publish for. Updates on connect/disconnect/reconnect. Replicated for fault tolerance — losing it temporarily means we briefly can't deliver pushes (we fall back to push notifications), but doesn't lose messages because they're already in HBase.

Solves: the cross-server addressing problem. With 10,000 chat servers, "which server holds Raj's connection right now?" is a question we ask millions of times per second. A Redis lookup answers it in under 1ms.

⑤ Message Queue (Kafka)

The async bus that stitches chat servers together. When Sarah on chat server X sends a message to Raj on chat server Y, server X doesn't call server Y directly — it publishes the message to a Kafka topic partitioned by recipient_id. Server Y is a Kafka consumer for the partitions that include Raj. This decouples senders from receivers and gives us at-least-once delivery semantics for free, even if a chat server crashes mid-delivery.

Solves: reliable delivery across server boundaries. Without Kafka, server X would have to do an RPC to server Y; if server Y is down or slow, server X blocks; if the message lands but Y crashes before pushing, the message is lost. Kafka persists every message and lets the consumer retry safely.

⑥ Message Storage (HBase + HDFS)

The durable source of truth. Every message gets written here before any "delivered" ack is sent to the sender. Row key is (conversation_id, reverse_timestamp) so a thread's history is contiguous on one region server and sorted newest-first. HDFS underneath replicates each block 3× across racks. Petabyte-scale by design, write-optimized to absorb 230K writes/sec.

Solves: persistent chat history. If we only kept messages in chat-server memory, a server crash would lose everything in flight. HBase is the safety net — once a write succeeds, the message survives any combination of server failures.

⑦ Presence Service

Tracks who is online and broadcasts changes to interested friends. When Sarah's chat server registers her connection, it notifies the Presence Service. When she disconnects (graceful logout, or 30s of socket silence), the service marks her offline. Friends viewing her profile or thread get the green/grey dot updated via a push down their own WebSocket. Heavily debounced — see §9 for why we don't broadcast every micro-state-change.

Solves: the "is Raj online right now?" question that the UI asks constantly. Without a centralized presence service, every chat server would have to ask every other chat server "do you have user X?" every time the UI needed a status — quadratic chatter.

⑧ Push Notification Service

For when the recipient is offline. If Raj's app is closed and he has no open WebSocket, the chat server discovers (via routing table miss) that there's no active connection. It hands the message to the Push Notification Service, which sends it to APNS (Apple) or FCM (Google) — the OS-level push systems that wake up Raj's phone and pop a notification. When Raj taps it, the app opens, reconnects its WebSocket, and pulls the queued messages from HBase.

Solves: the offline-delivery problem. Without push notifications, an offline user only sees the message when they next open the app — which might be hours later. With push, the message reaches them in seconds even if their app was killed.

⑨ Group Chat Service

Manages the metadata for group conversations: group_id → [member_ids]. When Sarah sends a message to "Dinner Squad" (a group of 8), the chat server asks the Group Chat Service for the member list, then publishes one Kafka event per recipient — fanout happens at the group service, not at the sender. Membership changes (add, remove, leave) flow through this service so all members see consistent group state.

Solves: the fanout problem. Without a dedicated group service, each sender would need to know every group member — leaking the data model into every client. Centralizing fanout also lets us cap group size and enforce permissions in one place.

⑩ Cache (Redis) — last 15 messages per active conversation

An in-memory store holding the most recent ~15 messages of every currently-active conversation. When the chat server needs to render Sarah's open thread on her laptop reconnecting, it pulls from Redis (sub-millisecond) instead of HBase (10-30ms). On miss, it loads from HBase and populates the cache. Eviction: LRU; threads no one has touched in days roll out automatically.

Solves: the "instant scroll" feel when opening a thread. Without this cache, every thread open would hit HBase — fine functionally but adds 30ms to every UI interaction. With it, thread switches feel weightless.

⑪ Read Receipts Service

Tracks the per-message delivered and read states that drive the little check-marks. When Raj's client receives a message, it sends a "delivered" ack down its WebSocket; when he scrolls the message into view, the client sends a "read" ack. Both update the message row in HBase and push a state-change frame to the original sender so Sarah's UI updates her checkmarks.

Solves: the user-trust signal. The double-blue-tick is what tells Sarah her message landed. Without it, she'd have no way to know whether Raj saw it or whether the network ate it.

✅ Happy path — Raj is online (~200ms total)

1. Sarah's client ① sends a SEND frame over its WebSocket: "to=raj_id, text=are you free for dinner?"
2. Frame hits the Load Balancer ② which routes via sticky session to chat server X ③ (the one holding Sarah's socket).
3. Chat server X assigns a message_id, publishes to Kafka ⑤ (partitioned by Raj's user_id), and concurrently writes to HBase ⑥. Once Kafka acks, server X sends a "delivered to server" ack back to Sarah.
4. Chat server Y (consumer for Raj's Kafka partition) reads the message, looks up routing table ④: raj_id → server Y. Match! Server Y has Raj's open socket.
5. Server Y pushes the message frame down Raj's WebSocket. Raj's client ① renders it instantly and fires a "delivered" ack via Read Receipts ⑪.
6. Sarah's UI updates the checkmark from "sent" to "delivered". Total elapsed: ~200ms.

📵 Offline path — Raj's phone is asleep

1. Steps 1-3 same as above — message is durably in HBase ⑥.
2. Chat server Y consumes from Kafka ⑤, looks up routing table ④: raj_id → null (no active connection).
3. Server Y hands the message to the Push Notification Service ⑧, which posts to APNS/FCM.
4. Apple's APNS wakes Raj's phone screen with a notification. Raj taps it 5 minutes later — his app opens, reconnects its WebSocket through the LB to some chat server Z.
5. Chat server Z queries HBase ⑥ for messages newer than Raj's last seen message_id, pushes them all down his WebSocket, then sends "delivered" acks back via Read Receipts ⑪.

📌 Ordering within a conversation

Two messages from Sarah to Raj must arrive in send order. Guaranteed by partitioning Kafka on conversation_id (or sender_id) — all messages for one conversation flow through one Kafka partition, which Kafka delivers in order. Within HBase, the row-key suffix is a strictly-increasing timestamp so reads also return in order.

📌 Idempotency on retry

Network burps mean the chat server may retry a Kafka publish or HBase write. Each message carries a client-assigned idempotency key (UUID generated by the client on send). HBase uses it as part of the row key — a duplicate write is a no-op. Kafka consumers also dedupe on this key before pushing to the recipient.

📌 Persist-before-ack

Sarah only sees "sent" once HBase has confirmed the write. If the chat server crashes between Kafka publish and HBase ack, the message is still in Kafka and will be re-consumed and re-written. If it crashes before either, Sarah's client times out and the user retries — same idempotency key, no duplicate.

📝 Write throughput

HBase is log-structured (LSM trees). Writes go to an in-memory MemStore and a write-ahead log (WAL) on HDFS — both append-only, no random disk seeks. A single region server absorbs tens of thousands of small writes/sec. Sharding across hundreds of region servers gives us the 230K/sec we need with linear scale-out.

📖 Range scans by row-key

Row key = (conversation_id, MAX_LONG - timestamp). The MAX_LONG - timestamp trick reverses sort order so the newest messages come first. Reading "last 50 messages of conv 12345" is a single short scan starting at row (12345, 0) — touches one region, returns 50 cells. O(50), not O(billions).

📦 Petabyte storage

HDFS underneath HBase is built for multi-petabyte data with 3× replication. Adding capacity = adding nodes. Old, cold data automatically migrates to cheaper storage tiers via HDFS storage policies — recent messages on SSD, year-old messages on HDD or even S3 Glacier.

🚀 Pull on app start

When Sarah opens Messenger, the client sends one bulk request: getStatus([friend_ids]). Server returns the current status of all her friends in one round trip. No subscription, no per-friend chatter — a single read against the Presence Service's in-memory map.

📢 Push only on real transitions

Don't broadcast every micro-state-change. Push to friends only when the user transitions OFFLINE → ONLINE or ONLINE → OFFLINE. Heartbeat fluctuations don't count. Use a 5-second debounce on offline-detection so a quick subway-tunnel disconnect doesn't trigger a "left chat" broadcast.

👀 Lazy pull on conversation open

When Sarah opens her thread with Raj specifically, the client refreshes Raj's status with a targeted call. This catches the case where Raj came online while Sarah's app was backgrounded and the broadcast didn't reach her.

❌ Shard by message_id

Distributes individual messages randomly across shards. Each write hits one shard — perfect write distribution. But reading a chat history "last 50 messages between Sarah and Raj" now requires scanning every shard and merging — fan-out reads of O(num_shards). With 100 shards, every chat-open is 100 simultaneous queries. Unworkable.

✅ Shard by user_id (or conversation_id)

All of one user's messages live on the same shard. Chat-history reads touch exactly one shard — O(1) shard count, O(50) result rows. This is the right answer for a read-by-conversation workload. Trade-off: a hyperactive user (a celebrity, a bot) creates a hot shard.

🔄 Consistent hashing

Use consistent hashing (not modulo) so adding a new shard only relocates 1/N of users instead of all of them. Spreads the "split the hot shard" operation over hours instead of days, with the cluster usable throughout.

👥 Replica nodes for hot keys

For known-hot users, replicate their data to multiple read replicas. Reads round-robin across replicas; writes still go to the primary. Buys 3-5× headroom on read traffic for power users without re-sharding.

💥 Chat server crashes with 50K open sockets

The 50K clients see their WebSocket drop. They auto-reconnect (with exponential backoff) and the LB routes them to a healthy chat server. The new server registers them in the routing table ④, and any messages that arrived during the gap are pulled from HBase on the first read. Connection state is replicated to a standby chat server in real time so the routing-table updates have minimal lag.

Data loss: zero. Messages already persisted to HBase are intact. In-flight messages still in Kafka get re-consumed. Messages that hadn't yet reached the chat server are retried by the client (idempotent).

💥 HBase region server crashes

HBase auto-detects via ZooKeeper, reassigns the regions to a healthy server, replays the WAL from HDFS. Recovery takes seconds to a minute. During the gap, writes to those regions queue in the chat-server WAL or Kafka and replay once the region is back. HDFS 3× replication ensures no block is lost.

💥 Kafka broker crashes

Kafka topics are replicated across brokers (replication factor 3). A broker loss shifts leadership of its partitions to a replica in milliseconds. Producers retry transparently. At-least-once delivery is preserved — the dedup key catches the rare double-delivery that follows.

💥 Routing table (Redis) loss

Redis is replicated and persisted, but in the worst case if we lose it entirely, we don't lose messages — we just lose the ability to push them in real-time. Recipients fall back to push notifications via APNS/FCM. The table rebuilds itself within seconds as clients reconnect and re-register. Brief degraded mode, no data loss.