Message Queues & Streaming • Dead Letter Queues & Error HandlingMedium⏱️ ~3 min
Multi Tenant DLQs and Per Consumer Isolation Patterns
In publish subscribe architectures with multiple consumer applications reading from shared topics, DLQ topology becomes critical for isolation and safe reprocessing. The anti pattern is a single shared DLQ for all consumers: if Consumer A (order service) and Consumer B (analytics pipeline) both dead letter to the same queue, you cannot safely redrive because messages would be delivered to both consumers again, potentially causing duplicate side effects in the wrong service.
The solution is per consumer DLQs attached to individual subscriptions rather than topics. Microsoft Azure Service Bus implements this with each subscription having its own associated dead letter queue. When a message fails processing for the order service subscription, it moves to that subscription's DLQ in isolation. Google Pub/Sub follows the same pattern with per subscription dead letter topics. This enables Consumer A to redrive its DLQ without affecting Consumer B, and allows different retry policies and retention settings per consumer based on their specific requirements.
Redrive mechanics in multi tenant systems require dedicated consumer specific retry flows. You cannot redrive from a subscription DLQ back to the shared source topic because other subscriptions would receive those messages. Instead, create a dedicated retry topic or queue that only the affected consumer reads from. Amazon architectures commonly implement this with a separate retry queue per consumer group, rate limited independently, feeding back into that consumer's processing pipeline before the business logic layer.
This topology also enables heterogeneous failure handling. The order service might retry transient failures 10 times over 5 minutes before dead lettering, while the analytics pipeline tolerates data loss and drops messages after 2 attempts to avoid backlog. Schema evolution becomes manageable: when you deploy a new message version, only consumers that haven't upgraded fail validation and populate their DLQs, while upgraded consumers process successfully. This allows gradual rollout without coordinated downtime.
💡 Key Takeaways
•Per consumer DLQs attach to subscriptions not topics, enabling isolated redrive without affecting other consumers in multi tenant pub sub architectures
•Microsoft Azure and Google Pub/Sub implement per subscription dead letter queues, allowing heterogeneous retry policies and retention per consumer
•Redrive from subscription DLQ must go to consumer specific retry queue, never back to shared source topic which would deliver to all subscriptions
•Heterogeneous failure handling allows order service to retry 10 times over 5 minutes while analytics pipeline drops after 2 attempts to avoid backlog
•Schema evolution becomes gradual: only consumers lacking new field validation populate DLQs, upgraded consumers process successfully during rollout
•Amazon architectures use separate retry queue per consumer group with independent rate limiting feeding back into that consumer's pipeline
📌 Examples
E-commerce system with order service and analytics reading shared topic: order service DLQ uses 10 retry attempts and 24 hour retention, analytics uses 2 attempts and 1 hour retention based on different criticality
During schema migration adding required customer_id field, legacy analytics consumers dead letter 30 percent of messages while upgraded order service processes 100 percent, enabling phased rollout over 3 days
Google Pub/Sub customer creates dedicated retry subscription for order service reading from its DLQ topic at 100 messages per second, isolated from analytics subscription processing at full speed