Everyone in a distributed systems interview can recite CAP theorem like a reflex. "You can only pick two." Head nods all around. The conversation moves on.
But here's the thing — I've been building distributed infrastructure for over a decade. Kubernetes operators, multi-region control planes, private cloud deployments that bridge on-prem racks to cloud APIs. And after enough production incidents, I started asking a different question.
What if everyone is just wrong about CAP? What if you CAN have all three?
Let me try to prove it. And then watch it fall apart.
The Math That Makes You Confident
Before I play devil's advocate, let me establish what makes the "we have consistency" argument so seductive.
The formula: W + R > N.
You have N replicas. A write acknowledges W of them. A read queries R of them. If W + R exceeds N, the write set and read set must overlap by the pigeonhole principle — there aren't enough nodes to keep them apart. That shared node already absorbed the write, so the read will find it.
With N=3, W=2, R=2: overlap = W + R - N = 1. Exactly one node is guaranteed to carry the fresh value. That's all you need.
One thing most people gloss over: the overlap puts the fresh value somewhere in your R replies. It doesn't pick it for you. You still need resolution logic — compare timestamps, apply vector clocks, pick last-write-wins. If your read just returns the first reply or trusts a majority count, the math bought you nothing.
And tunable consistency? It's not a different guarantee — it's just latency redistribution:
| Config | Trade-off |
|---|---|
| W=1, R=N | Cheap writes, expensive reads |
| W=N, R=1 | Expensive writes, cheap reads |
| W=2, R=2, N=3 | Balanced |
Same consistency ceiling across all three. The W and R knobs only move where the cost lands. Still solid. So far, my attempt to break CAP has no ammunition.
My Argument: CAP Is Beatable
Here's the pitch I built for myself.
"What if I just add more servers? More copies of the data means more redundancy. Even if some servers go offline, enough will still be reachable to keep things consistent AND available. W + R > N still holds. Partitions handled. Everyone goes home happy."
It sounds airtight. So let me try to break it — and I'll use a bank to do it, because banks make this painfully concrete.
The Bank Branch Thought Experiment
Imagine you run a bank with 5 branches across a city. Your rule is simple: a transaction is only official once at least 3 branches have recorded it. This way, if a branch burns down or goes offline, the other 4 can still operate. You've built in redundancy. Feels bulletproof.
Now a storm hits and knocks out communication between two parts of the city. Your 5 branches split into two isolated groups with no way to talk to each other:
- Group A (minority): Branch 1 and Branch 2 — only 2 branches
- Group B (majority): Branch 3, Branch 4, and Branch 5 — 3 branches
Group B is fine. Three branches can still reach agreement among themselves. Business as usual on that side of town.
But a customer walks into Branch 1 — stuck in the isolated group — and wants to withdraw ₹50,000. Branch 1 can't reach the other branches to get the required 3-branch confirmation.
You now face a choice. And this is where CAP becomes real.
Option A — Turn them away
You tell the customer: "Sorry, our systems are down. We can't process this until we reconnect."
Your records stay accurate. Nobody ends up with a wrong balance. But Branch 1 and Branch 2 are effectively closed. You protected consistency — and sacrificed availability.
Option B — Serve them anyway
You process the withdrawal. Branch 1 records it locally and adds a note: "Sync this with the other branches once the connection is back."
The customer is happy. The branch is open. Availability preserved. ✅
But here's what just happened across town: someone at Branch 4 checks that same account. Branch 4 doesn't know about the withdrawal yet. It returns the old balance — before the ₹50,000 left. Two branches now have different answers for the same account.
You preserved availability — and sacrificed consistency.
There is no Option C.
No matter how many branches you open, the moment a communication breakdown splits them into groups that can't talk to each other, you face this exact same binary. You either close the cut-off branches (lose availability) or let them operate independently (lose consistency).
I added more servers thinking I could escape this. I didn't. I just delayed the moment the storm arrived.
The Sloppy Quorum Trap
To stay available through the partition, the system can't just refuse requests on the minority side. It uses hinted handoff: it parks the write on substitute nodes — nodes that are reachable but are not the intended replicas — with a sticky note: "Deliver this to Node1 and Node2 once they reconnect."
The write returns W acknowledgments. ✅ Success, from the client's perspective.
But those acknowledgments came from the wrong nodes — not the real quorum members.
A read comes in. It hits the real replicas. Those replicas have no record of the write. They return stale data, with complete confidence, and no indication that anything is wrong. The W + R > N formula is technically satisfied — the numbers add up — but the sets are no longer intersecting on the nodes you assumed they were. The shared node in the overlap is a ghost.
The math didn't lie. The assumption underneath it did.
Why Availability Always Wins the Partition Fight
Here's the precise statement of why you cannot keep all three:
Partition tolerance is not optional. Networks partition. Nodes crash. Packets get dropped inside data centers, not just across regions. If you run anything at meaningful scale, a partition is not a hypothetical — it's a calendar event you haven't received yet.
Given that P is non-negotiable, your real choice resolves to:
- CP — Reject requests when quorum is unreachable. Clients see errors or timeouts. Consistency is preserved. Availability is sacrificed.
- AP — Serve requests always. Writes land on hinted nodes. Stale reads happen. Consistency is sacrificed. Availability is preserved.
And this is the part no one says plainly in interviews: the moment you choose to stay available during a partition, you have already abandoned strong consistency — even if W + R > N is still satisfied on paper.
Systems like Cassandra and DynamoDB make this honest. They're AP by design. Sloppy quorums, eventual consistency, read-repair, anti-entropy — all explicit mechanisms for healing state after divergence. They're not broken. They're correctly prioritizing availability and accepting the consistency cost.
Systems like etcd and ZooKeeper go the other way. They'll tell you "I don't know" rather than lie to you. Minority partitions get no writes. That's CP.
Both are correct choices for their use cases. What's not a valid choice is claiming you have all three.
What I Actually Learned
I came into this exercise wanting to find the edge case that breaks CAP. I left with something more useful: a clearer intuition for where exactly the guarantee breaks.
W + R > N is a strong and correct guarantee — conditional on one assumption that the formula itself doesn't state: every write lands on the real replicas in the real quorum. The moment a partition forces you to route around that assumption to stay available, the guarantee is void.
The candidates who can draw this line in a system design interview aren't just reciting theory. They've internalized that distributed systems don't fail loudly. The cluster stays "up." The writes return success. The formula adds up. And the stale data quietly becomes someone else's incident at 2am.
The CAP theorem doesn't tell you what to build. It tells you what question you're actually answering when you make your availability decision under partition. Answer it deliberately.
I work on distributed Kubernetes infrastructure and private cloud systems. Most of what I understand about distributed systems came from things that broke in ways the math didn't predict.
Top comments (0)