Skip to content
Back to blog

Availability vs Reliability vs Durability

CoreConceptJuly 17, 20268 min read

An order API can return responses all day and still charge the wrong amount. It can be temporarily unreachable while every stored order remains safe. It can fail over instantly and lose the order it just acknowledged. Calling all three outcomes “reliability” hides the design decision you actually need to make.

This guide follows POST /orders with idempotency key ord-42. Success means the API accepts the request, computes the right order once, and retains that acknowledged order through a primary-node failure. We will separate availability, reliability, and durability, measure each with a different indicator, intentionally lose an acknowledged write, and design the recovery boundary.

Three promises for one order: usable now, correct over time, retained after failure
Three promises for one order: usable now, correct over time, retained after failure

Three promises, not three synonyms

Availability asks whether an authorized user can use the service when needed. For a request-driven API, teams often measure the fraction of valid requests that receive a good response within a window. Reliability asks whether the system performs its required function without failure under stated conditions over time. Durability asks whether data acknowledged as stored remains intact over time despite failures.

The properties overlap but are not interchangeable. An order database can be durable while the API is unavailable during a network outage. An API can be available but unreliable if it returns fast 200 responses with wrong totals. A service can fail over and remain available yet violate durability if an acknowledged order disappears.

Use one contract for the rest of the article: POST /orders with Idempotency-Key: ord-42 must create exactly one correct order, return 201, and preserve it after the database primary fails.

POST /orders with ord-42 must be reachable, correct once, and retained
POST /orders with ord-42 must be reachable, correct once, and retained

Quick reference

  • Availability: usable on demand.
  • Reliability: correct function without failure under stated conditions over time.
  • Durability: acknowledged data remains intact over time.
  • A 200 with incorrect data is not a good event merely because the server answered.
  • State the user, operation, conditions, and measurement window for every target.

Remember this

Availability promises access now, reliability promises correct behavior over time, and durability promises acknowledged data will still exist later.

Availability: can the user use it now?

For POST /orders, availability is best measured from the user's boundary: good requests divided by valid requests over a stated window. Define “good” narrowly enough to match the product—perhaps 201 or a valid idempotent replay within 500 ms. Planned maintenance, dependency outages, and overload still affect the user even when the application process itself is healthy.

Redundancy improves availability only when failover works. Two API replicas behind a load balancer remove one process as a single point of failure; multi-zone database replicas can remove one zone. But every extra dependency also creates another way for the request to fail. Health checks, timeouts, load shedding, and tested failover are the mechanisms—not the number of boxes in a diagram.

A 99.9% monthly request-success SLO allows a 0.1% error budget. That budget should drive release decisions and incident response. Chasing 100% availability can cost more than the user value and can block safe changes; choose the target from the business consequence of a bad event.

Availability path: load balancer routes valid requests to healthy replicas and sheds doomed work
Availability path: load balancer routes valid requests to healthy replicas and sheds doomed work

Quick reference

  • Measure good events at the user boundary, not process uptime alone.
  • Include a latency threshold when a late response is unusable.
  • Redundancy needs health checks and tested failover to improve availability.
  • Error budget = 1 − SLO; use burn rate to detect fast budget loss.
  • Load shedding can preserve useful availability better than accepting doomed work.

Remember this

Availability is the ratio of usable order requests—not whether the process is running—and redundancy helps only when failover is tested.

Reliability: does it keep doing the right thing?

Reliability adds correctness and time. The order service must calculate the right total, create the order once, and keep meeting that contract under the stated traffic, dependency, and failure conditions. A service that answers every request but sometimes double-charges is highly reachable and deeply unreliable.

For software services, one useful reliability SLI is the fraction of good events that satisfy correctness, latency, and outcome constraints. Component metrics such as mean time between failures (MTBF) and mean time to repair (MTTR) help operations, but they do not replace the user-facing contract. Ten tiny failures and one long failure can share similar downtime while producing different customer harm.

Idempotency is a reliability mechanism for retries. If the client times out after payment succeeds, it repeats POST /orders with ord-42. The server stores the key with the first result and returns that same result instead of creating a second charge.

Reliable retry: the same idempotency key returns the same order instead of charging twice
Reliable retry: the same idempotency key returns the same order instead of charging twice

Quick reference

  • Correctness belongs in the good-event definition; fast wrong answers fail.
  • State operating conditions: workload, dependency behavior, and time window.
  • Idempotency makes retries converge on one outcome.
  • MTBF/MTTR describe components; user-facing SLIs describe service reliability.
  • Test degraded dependencies, retry storms, and concurrent duplicate requests.

Remember this

Reliable order handling means the same valid request produces one correct outcome over time—even across retries and dependency faults.

Durability: does acknowledged data survive?

Durability starts at the acknowledgment boundary. If the API returns 201 Created, the system has made a promise about ord-42. The exact promise depends on the storage contract: was the record only in process memory, appended to an operating-system buffer, flushed to stable storage, or replicated to another failure domain before acknowledgment?

Replication protects against device or node loss only when replicas are independent and the write policy waits for enough copies. Checksums detect corruption; repair restores redundancy. Backups and point-in-time recovery protect against operator mistakes, software bugs, and deletions that replication may copy faithfully. Replication is not a backup.

Durability is not availability. A backup archive can retain every order while restore takes hours. Conversely, an always-responsive cache can be available while losing all orders on restart. Design the acknowledgment point from the maximum acceptable data loss (RPO), then prove restore time against the recovery-time objective (RTO).

Durable acknowledgment waits for the chosen stable commit and surviving failure domain
Durable acknowledgment waits for the chosen stable commit and surviving failure domain

Quick reference

  • Define what must happen before returning 201.
  • Independent replicas protect against the failure domains they do not share.
  • Checksums detect corruption; repair restores lost redundancy.
  • Backups protect against failures replication can copy, including deletion.
  • RPO defines acceptable data loss; RTO defines acceptable recovery time.

Remember this

Durability is determined at acknowledgment: 201 is only honest after the configured stable/replicated commit, with backups for logical loss.

Failure story: available after failover, but the order vanished

Trigger. A custom order store appends ord-42 to an in-memory buffer, returns 201, and replicates asynchronously. The primary loses power before flush or replication. Symptom: the load balancer sends the next request to a healthy standby, so availability recovers quickly, but GET /orders/ord-42 returns 404. The service is available after failover and has violated durability; because its acknowledged contract is broken, it is also unreliable.

Root mechanism. The acknowledgment boundary was ahead of the durable commit. Fast failover cannot recover bytes that never reached a surviving failure domain. Retrying without an idempotency record risks charging again, while blindly returning success hides the loss.

Recovery. Freeze automated retries for affected keys, reconcile payment-provider records against the order log, recreate only verified missing orders, and notify users where outcome is uncertain. Prevention: move acknowledgment after the chosen commit policy, persist idempotency records in the same transaction, test power-loss/failover, and continuously restore backups into an isolated environment.

Failure: primary acknowledged memory, lost power, and failed over to a healthy standby without the order
Failure: primary acknowledged memory, lost power, and failed over to a healthy standby without the order

Quick reference

  • Trigger: acknowledge memory-buffered write before flush/replication.
  • Symptom: fast failover, healthy API, missing acknowledged order.
  • Mechanism: failover preserves service access, not bytes that never survived.
  • Recovery: reconcile external side effects before retrying or recreating.
  • Prevention: atomic order + idempotency commit, failure tests, restore drills.

Remember this

Fast failover can restore availability while exposing lost data; it cannot manufacture an acknowledged write that never reached durable storage.

Choose and measure the promise separately

Start from harm. If users cannot place orders, availability matters. If retries can double-charge or totals can be wrong, reliability/correctness matters. If acknowledged orders must survive infrastructure loss, durability matters. Most transactional systems need all three, but targets and mechanisms differ.

Write separate SLIs: good order requests / valid requests for availability; correct exactly-once outcomes / attempted logical orders for reliability; acknowledged orders retained and recoverable / acknowledged orders for durability. Add restore-test success and measured RPO/RTO because a backup that has never restored is an assumption.

Do not multiply vendor “nines” into a system guarantee. End-to-end behavior includes your configuration, code, dependencies, operations, and correlated failure domains. Set user-facing SLOs, spend error budgets deliberately, and test the specific failure each promise claims to survive.

Choose a mechanism from the promise: access, correct outcome, or retained data
Choose a mechanism from the promise: access, correct outcome, or retained data

Quick reference

  • Availability: can users complete the operation now?
  • Reliability: does the operation remain correct under stated conditions?
  • Durability: does acknowledged state survive the defined failures?
  • Measure each at the user contract, then map to component mechanisms.
  • Test failover and restore; architecture diagrams do not prove either.

Remember this

Set three separate promises and tests: usable requests, correct outcomes, and retained acknowledged data—one vendor percentage cannot cover all three.

Key takeaway

Availability, reliability, and durability answer different failure questions. Redundant serving paths keep the order API usable; idempotency and correctness checks keep outcomes reliable; stable commits, independent replicas, checksums, backups, and restore drills keep acknowledged orders durable. A design is complete only when its acknowledgment and failure boundaries match the user promise.

Practice (30 minutes): take one write endpoint and write three SLIs: availability (good/valid requests), reliability (correct logical outcomes), and durability (acknowledged records retained/recoverable). Draw the exact point where the API acknowledges. Intentionally stop the primary immediately before and after that point in a local test, retry with the same idempotency key, and restore from backup. You pass when you can prove whether the client receives one outcome, whether the record survives, and how much time/data restore actually costs.

Share:

Related Articles

A checkout API can wait until every step finishes, or accept an order and complete work later. The first path gives the

Read

A shopping cart must remember items, so the product cannot be literally stateless. The useful design question is where t

Read

"Just use Postgres" is good advice until a measured access pattern needs a specialist. A checkout might use Redis for th

Read

Keep learning

Follow a structured path or browse all courses to go deeper.