PK
Back to archive

Engineering

Partitioning Is a Product Strategy Decision

How shard keys quietly decide locality, fairness, tenant isolation, and future operating cost.

Partitioning Is a Product Strategy Decision

Partitioning usually enters the conversation as a scaling technique. The database is getting large. The index is getting expensive. A queue has uneven load. Someone asks which key should be used to split the system.

That framing is too small. A partition key is not only an implementation detail. It decides which work sits together, which users compete, which failures spread, which migrations become painful, and which future product promises are cheap or expensive.

The thesis

Partitioning is a product strategy decision because the key you choose defines locality, fairness, isolation, and cost shape before the product fully understands its own access patterns.

A shard key is a bet. It says, "this is the dimension along which the system will scale, operate, and fail." If that bet is made only by looking at current write volume, the organization may buy short-term relief and long-term rigidity.

The production pattern

A system starts with a simple data model. One database, one table family, one search index, one queue, one broad cache. The early design is correct because the product is still learning. Then one dimension grows faster than the rest: tenants, regions, accounts, projects, conversations, devices, jobs, or time.

The first partitioning plan often follows the hottest metric. If one tenant is large, partition by tenant. If writes are constant, hash an identifier. If data is naturally regional, split by region. If historical data dominates storage, split by time.

Each choice works for one pressure and creates another. Tenant partitioning can isolate noisy tenants but make cross-tenant analytics expensive. Hash partitioning spreads write load but destroys useful locality. Region partitioning reduces latency but complicates global users. Time partitioning simplifies retention but concentrates hot writes in the newest partition.

The product experiences these as features and limits, not storage choices.

The trap

The trap is treating "even distribution" as the whole goal.

Even distribution matters. Hot partitions can turn a healthy system into a slow system with one bad key. But a perfectly even hash can still be the wrong product architecture. It may spread one user's data across many places, make per-tenant export expensive, make audit queries fan out, and make incident isolation harder.

The second trap is hiding unfairness inside shared partitions. If one large tenant can exhaust a partition shared with smaller tenants, the product has chosen a fairness model. It may not have chosen it consciously, but users will still feel it.

The third trap is assuming rebalancing is only a data movement problem. Rebalancing is also an availability, observability, and trust problem. During movement, routing must be correct, writes must land once, reads must not see split truth, and operators must know which partition owns what.

The model

I review partitioning through five questions.

Key choice: what product dimension should be kept together? The answer is rarely "whatever spreads load." It may be tenant, region, account, workspace, resource, time, or a composite. The key should match the most important locality promise: low-latency reads, isolated failures, export boundaries, retention policy, or billing scope.

Hot partitions: which values can grow out of proportion? Every key has a celebrity value, a power user, a bursty tenant, a popular object, or a time window where everything lands. The design needs a plan for large keys: subpartitioning, dedicated capacity, admission control, synthetic spreading, or a product limit.

Tenant isolation: who can hurt whom? Partitioning is one of the earliest places where fairness becomes physical. A system may need shared partitions for cost reasons, but then it needs quotas, scheduling, and dashboards by tenant. If high-value tenants need stronger isolation, that should be part of the product plan, not a late exception.

Rebalancing: how does the system change its mind? A partitioning design without a movement story is a commitment disguised as a configuration. I want to know how ownership moves, how routing updates, how dual reads or writes are avoided or controlled, and what proof says the move completed.

Observability by shard: can operators see the system along the same boundary where it fails? Average latency is not enough. I want load, lag, errors, storage, queue depth, saturation, and cost by partition. Without shard-level visibility, partitioning creates smaller black boxes.

This model changes architecture reviews because it makes the shard key carry product meaning. It is not "which key scales?" It is "which key gives us the operating boundary we want to live with?"

Where this model breaks

Many systems should delay partitioning. Early partitioning can freeze a product around assumptions that are still fictional. If access patterns are not known, a simple architecture with strong instrumentation can be better than an elaborate partitioning plan.

There is also a cost to isolation. Per-tenant partitions, regional splits, and dedicated lanes can increase idle capacity, operational overhead, and failure modes. A small product with mostly uniform tenants may not need that complexity yet.

Hashing is not wrong. Sometimes the right answer is to spread load mechanically and accept that cross-partition operations are expensive. That is especially true when the product mostly reads by primary key and does not promise locality beyond single objects.

The point is not to partition early or partition by business entity every time. The point is to notice when the partition key is making product promises the roadmap has not reviewed.

What I do now

When a team proposes partitioning, I ask for the partitioning memo, even if it is short.

It names the key, the access patterns it optimizes, the access patterns it makes worse, the largest expected key class, the fairness model, the rebalancing plan, and the dashboards that will exist on day one. If the answer is "we can add that later," I ask whether the missing part is implementation detail or product risk.

I also ask for the large-tenant story. Not exact numbers, not private forecasts, just the shape: what happens when one tenant is much larger than the median, when one region spikes, when one object gets popular, or when a time window receives most writes?

For multi-tenant products, I separate storage isolation from capacity isolation. Putting data in separate partitions helps, but it does not automatically protect CPU, workers, caches, queues, or downstream dependencies. The product may still need quotas, priorities, and admission decisions.

Finally, I want partitioning to appear in product discussions. If a future feature needs global search, cross-tenant reporting, regional residency, per-tenant export, or strict fairness, the shard key matters. Principal engineering work is making that dependency visible before the product accidentally depends on the opposite shape.

Closing takeaway

Do not choose a partition key only to spread data. Choose it as the operating boundary for locality, fairness, isolation, and future change.