Back to Resources

Postgres CDC with Debezium: Handling Schema Evolution & Backpressure

16 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

Beyond the Basics: Production-Hardening Your PostgreSQL CDC Pipeline

For senior engineers tasked with building data-intensive systems, Change Data Capture (CDC) is no longer a niche technology; it's a foundational component for microservices integration, real-time analytics, and data warehousing. While setting up a basic Debezium connector to stream changes from PostgreSQL to Kafka is straightforward, the journey from a proof-of-concept to a production-grade, resilient pipeline is fraught with challenges that can destabilize both your database and your downstream consumers.

This article assumes you have already configured PostgreSQL for logical replication and have a running Kafka Connect cluster. We will not cover the basics. Instead, we will dive directly into the complex, real-world problems that emerge at scale:

  • Schema Evolution: How do you handle a ALTER TABLE DDL statement in your source database without causing deserialization failures, data loss, or pipeline downtime? We will implement a robust solution using Avro and the Confluent Schema Registry.
  • Backpressure & High Throughput: A seemingly innocuous UPDATE on a large table can unleash a torrent of WAL changes, overwhelming your Kafka Connect workers, brokers, or even the source database's disk. We will architect a multi-layered backpressure strategy from the database to the consumer.
  • Operational Complexity: How do you re-snapshot a single large table without restarting the entire connector? How do you filter, route, or mask sensitive data in-flight before it even reaches a Kafka topic? We will explore advanced patterns using signaling tables and Single Message Transforms (SMTs).

    • This is not a tutorial. It's a playbook for building a CDC pipeline that you can trust in production.

    Section 1: The Foundation - A Resilient Debezium Connector Configuration

    A production connector configuration is an opinionated declaration of your pipeline's behavior under stress. Let's start with a robust baseline configuration and dissect the critical parameters that move it beyond the defaults.

    Here is a production-ready configuration for a Debezium PostgreSQL connector. We will break down the key sections.

    json
    {
    "name": "inventory-connector",
    "config": {
        "connector.class": "io.debezium.connector.postgresql.PostgresConnector",
        "tasks.max": "1",
        "database.hostname": "postgres-primary.prod.svc.cluster.local",
        "database.port": "5432",
        "database.user": "debezium_user",
        "database.password": "${file:/path/to/secrets/db-password.txt:password}",
        "database.dbname": "inventory_db",
        "database.server.name": "inventory-postgres",
        "plugin.name": "pgoutput",
        "table.include.list": "public.products,public.orders,public.customers",

        "key.converter": "io.confluent.connect.avro.AvroConverter",
        "key.converter.schema.registry.url": "http://schema-registry:8081",
        "value.converter": "io.confluent.connect.avro.AvroConverter",
        "value.converter.schema.registry.url": "http://schema-registry:8081",
        
        "database.history.kafka.bootstrap.servers": "kafka-broker-1:9092,kafka-broker-2:9092",
        "database.history.kafka.topic": "schema-changes.inventory_db",
        "database.history.consumer.security.protocol": "SASL_SSL",
        "database.history.producer.security.protocol": "SASL_SSL",
        "database.history.consumer.sasl.mechanism": "PLAIN",
        "database.history.producer.sasl.mechanism": "PLAIN",

        "snapshot.mode": "initial",
        "snapshot.locking.mode": "none",
        "heartbeat.interval.ms": "10000",
        "heartbeat.action.query": "UPDATE public.debezium_heartbeat SET last_heartbeat_ts = NOW() WHERE id = 1;",

        "max.queue.size": "4096",
        "max.batch.size": "1024",
        "poll.interval.ms": "500",

        "tombstones.on.delete": "false",
        "message.key.columns": "public.products:id;public.orders:order_id",

        "errors.log.enable": "true",
        "errors.log.include.messages": "true",
        "errors.tolerance": "none"
    }
}

    Critical Configuration Deep Dive:

    * plugin.name: pgoutput: While wal2json is a viable option, pgoutput is PostgreSQL's native logical decoding plugin, introduced in version 10. It's more efficient, requires no external libraries on the database server, and is the strategic direction for PostgreSQL's logical replication. It's the recommended choice for any modern deployment.

    * database.history.kafka.topic: This is arguably the most critical parameter for schema evolution resilience. Debezium records all DDL changes it processes to this compacted Kafka topic. When a connector restarts, it replays this topic to rebuild its in-memory schema model to the exact state it was in before shutting down. Without this, a simple connector restart after a DDL change could lead to catastrophic failure. Ensure this topic is configured with a long (or infinite) retention policy (cleanup.policy=compact).

    snapshot.locking.mode: none: The default snapshot mode, shared, places a SHARE lock on tables being snapshotted, which can block write operations. For production systems with high write throughput, this is often unacceptable. snapshot.locking.mode=none avoids this by leveraging PostgreSQL's REPEATABLE READ transaction isolation level. While this prevents blocking, be aware of the edge case: if a long-running transaction modifies a row after the snapshot transaction has begun but commits before* the snapshot reads that row, the change might be missed. This is a trade-off between availability and strict consistency during the initial snapshot.

    * heartbeat.interval.ms: In a database with infrequent changes, the Debezium connector might not receive any new events for an extended period. PostgreSQL, however, will not advance the WAL position for the replication slot until it receives confirmation from the client. This can cause WAL files to accumulate, potentially filling the disk. The heartbeat mechanism forces Debezium to periodically write a small update to a dedicated table and confirm the LSN (Log Sequence Number) with the database, allowing WAL cleanup to proceed. This is an essential operational safeguard.

    * tombstones.on.delete: false: By default, Debezium emits a tombstone record (a message with a null value) upon a DELETE operation. This is useful for Kafka's log compaction. However, if your downstream consumers are not designed to handle these null payloads or if you are not using compaction on your data topics, these tombstones can cause consumer exceptions. Setting it to false means the DELETE event will contain a before field with the state of the row before deletion and an op field of d. This is often easier for consumers to process.

    Section 2: The Nemesis - Taming Schema Evolution with Avro and Schema Registry

    The most common cause of production CDC pipeline failure is unhandled schema evolution. A developer adds a new nullable column to a table, and suddenly all your downstream consumers that rely on a fixed JSON schema start throwing deserialization exceptions.

    The Problem: Raw JSON messages are schemas-after-the-fact. The consumer must infer the schema from each message, making it brittle. A structural change requires a coordinated, and often delayed, deployment of all downstream consumers.

    The Solution: Decouple the schema from the message payload using a binary format like Avro and a centralized Schema Registry. This pattern shifts the responsibility of schema management from the consumer to the pipeline itself.

    The Architecture of a Schema-Aware Pipeline

  • Producer (Debezium): When a DDL change (e.g., ALTER TABLE products ADD COLUMN description TEXT;) is detected in the WAL, Debezium does the following:

    • * Updates its internal schema representation for the products table.

    * Generates a new Avro schema reflecting the change.

    * Contacts the Schema Registry. If this schema is new, it registers it and receives a unique integer ID.

    * Serializes the change data record using the Avro binary format.

    * Prepends the message with a "magic byte" and the schema ID.

    * Produces this compact binary message to Kafka.

  • Consumer (Your Service): When a consumer reads a message from Kafka:

    • * It reads the magic byte and extracts the schema ID.

    * It queries the Schema Registry's cache or REST API: "Give me the schema for ID 123."

    * With the correct schema in hand, it can now reliably deserialize the binary Avro payload.

    This process is seamless. Consumers automatically fetch the schema they need for each message, allowing the producer to evolve the schema without breaking existing consumers (provided the changes are compatible).

    Implementation

    Update your connector configuration to use the AvroConverter:

    json
    {
    "name": "inventory-connector-avro",
    "config": {
        // ... all previous settings ...
        "key.converter": "io.confluent.connect.avro.AvroConverter",
        "key.converter.schema.registry.url": "http://schema-registry.prod:8081",
        "value.converter": "io.confluent.connect.avro.AvroConverter",
        "value.converter.schema.registry.url": "http://schema-registry.prod:8081",
        
        "value.converter.schemas.enable": "true"
    }
}

    Managing Schema Compatibility

    The Schema Registry enforces compatibility rules. The most critical setting for CDC is BACKWARD compatibility. This means that consumers using the new schema can read data written with the old schema. For CDC, you should set this as the default for your topics.

    BACKWARD compatibility allows:

    * Adding new optional fields (fields with a default value).

    * Deleting fields.

    It prevents:

    * Adding new fields without a default value.

    * Renaming existing fields.

    Edge Case: The Breaking Change

    What happens when a developer executes ALTER TABLE products DROP COLUMN name; which is a breaking change? With BACKWARD compatibility, the Schema Registry will reject Debezium's attempt to register the new schema. The Debezium connector task will fail and log an error. This is a feature, not a bug. It acts as a critical circuit breaker, preventing you from poisoning your data topic with a schema that would break consumers. The resolution requires a deliberate, manual intervention: either a new consumer version is deployed first, or the schema compatibility level is temporarily relaxed.

    Consumer Example (Python)

    Here’s how a Python consumer would use the registry to deserialize messages:

    python
    from confluent_kafka import DeserializingConsumer
from confluent_kafka.schema_registry import SchemaRegistryClient
from confluent_kafka.schema_registry.avro import AvroDeserializer
from confluent_kafka.serialization import StringDeserializer

# Configuration
schema_registry_conf = {'url': 'http://schema-registry.prod:8081'}
schema_registry_client = SchemaRegistryClient(schema_registry_conf)

avro_deserializer = AvroDeserializer(schema_registry_client)
string_deserializer = StringDeserializer('utf_8')

consumer_conf = {
    'bootstrap.servers': 'kafka-broker-1:9092',
    'group.id': 'product-analytics-consumer',
    'auto.offset.reset': 'earliest',
    'key.deserializer': string_deserializer, # Or Avro if key is complex
    'value.deserializer': avro_deserializer
}

consumer = DeserializingConsumer(consumer_conf)
consumer.subscribe(['inventory-postgres.public.products'])

while True:
    try:
        msg = consumer.poll(1.0)
        if msg is None:
            continue

        product_data = msg.value()
        if product_data is not None:
            # product_data is a dictionary, deserialized with the correct schema
            print(f"Received product update: ID={product_data['id']}, Name={product_data.get('name')}")

    except Exception as e:
        print(f"Error processing message: {e}")
        break

consumer.close()

    Section 3: The Floodgates - Managing Backpressure and High Throughput

    A CDC pipeline's stability is tested during high-volume events, such as a batch data import or a large backfill operation that updates millions of rows. This generates a massive burst of WAL records that can overwhelm the system at multiple points.

    The Cascade of Failure

  • Postgres WAL Growth: Debezium reads from the replication slot. If it can't process events fast enough, the slot's LSN lags, preventing PostgreSQL from cleaning up old WAL files. This can fill the server's disk, causing a database outage.
  • Connector OOM: Debezium buffers records in an in-memory queue before sending them to Kafka Connect. A large transaction can exceed the JVM heap allocated to the Kafka Connect worker, causing an OutOfMemoryError.
  • Kafka Connect Lag: The internal Kafka consumer that Kafka Connect uses to commit offsets can fall behind, leading to large re-processing delays upon restart.
  • Kafka Broker Saturation: A massive influx of messages can saturate broker network I/O or disk, increasing latency for all clients.

    • A Multi-Layered Defense Strategy

    Layer 1: Debezium Connector Tuning

    These parameters are your first line of defense, controlling the flow of data from the WAL to Kafka Connect's internal buffers.

    * max.queue.size: The maximum number of records to be held in the connector's blocking queue. Default is 8192. If the queue is full, the WAL processor thread will block, naturally slowing down consumption from Postgres.

    * max.batch.size: The maximum number of records to be included in a single batch sent from the connector to Kafka Connect. Default is 2048.

    Scenario: Handling a 1 Million Row UPDATE

    A default configuration might try to buffer 8192 full-row records in memory. If each record is 2KB, this is ~16MB. But a large transaction can fill this queue almost instantly. A more conservative production setting might be:

    json
    "max.queue.size": "4096",
"max.batch.size": "1024"

    This reduces the memory footprint at the cost of slightly lower throughput during normal operation. The key is that max.queue.size acts as the primary backpressure mechanism against the database. When the queue is full, Debezium stops reading from the WAL, which in turn slows down the LSN acknowledgement and signals to Postgres that the consumer is busy.

    Layer 2: Kafka Connect Worker and Producer Overrides

    Even if the connector is paced, the internal Kafka producer within Kafka Connect can still be a bottleneck. You can tune its behavior using producer overrides.

    json
    "producer.override.compression.type": "zstd",
"producer.override.linger.ms": "100",
"producer.override.batch.size": "524288"

    * compression.type: Using zstd or lz4 is critical. It dramatically reduces the payload size sent to Kafka, saving network bandwidth and broker disk space. The CPU overhead is almost always a worthwhile trade-off.

    * linger.ms & batch.size: These settings control the producer's batching behavior, allowing it to collect more messages into fewer, larger requests to the broker, which is more efficient.

    Layer 3: Monitoring the Replication Slot

    This is the most critical metric for database safety. You must monitor the lag of your Debezium replication slot. A growing lag is a direct indicator that your CDC pipeline cannot keep up.

    sql
    SELECT
  slot_name,
  active,
  pg_wal_lsn_diff(pg_current_wal_lsn(), confirmed_flush_lsn) AS replication_lag_bytes
FROM pg_replication_slots
WHERE slot_name = 'debezium'; -- Or whatever your slot name is

    Pipe this query into your monitoring system (e.g., Prometheus via pg_exporter). Set an aggressive alert if replication_lag_bytes exceeds a threshold (e.g., 10-20 GB). This is your early warning system before the database disk fills up.

    Section 4: Advanced Patterns and Edge Cases

    Once your pipeline is stable, you can leverage its power to solve more complex business problems.

    Pattern 1: On-Demand Snapshotting with Signaling Tables

    The snapshot.mode=initial is a one-time, all-or-nothing event. What if you need to onboard a new service that requires a full dump of just one large table, without disrupting the entire stream?

    The signaling table pattern provides a control plane for your connector.

    Implementation:

  • Create the Signal Table in Postgres:
    • sql
        CREATE TABLE public.debezium_signals (
        id VARCHAR(255) PRIMARY KEY,
        type VARCHAR(255) NOT NULL,
        data TEXT
    );
  • Configure the Connector:
    • json
        "snapshot.mode": "never", // Start in streaming-only mode
    "signal.data.collection": "public.debezium_signals",
    "signal.enabled.channels": "source"
  • Trigger a Snapshot via SQL:

    • To snapshot only the public.customers and public.products tables, you or an automated process would execute:

    sql
        INSERT INTO public.debezium_signals (id, type, data)
    VALUES (uuid_generate_v4(), 'execute-snapshot', '{"data-collections": ["public.customers", "public.products"], "type": "incremental"}');

    Debezium continuously polls this table. Upon seeing this new row, it will initiate an incremental snapshot of the specified tables, seamlessly integrating their current state into the existing event stream without requiring a connector restart or full re-snapshot.

    Pattern 2: In-Flight Data Masking and Routing with SMTs

    Single Message Transforms (SMTs) are powerful plugins that can inspect and modify messages after they are produced by the connector but before they are written to Kafka. This is ideal for filtering, routing, and data governance.

    Use Case: The customers table contains PII (email, address). We need to:

    • Create a sanitized stream for general analytics where PII is masked.
    • Route events containing PII to a separate, highly secured Kafka topic.
  • Drop events from a temporary table (customers_staging) entirely.

    • Implementation (Connector Configuration):

    json
    {
    // ... other config ...
    "transforms": "filterStaging,routePII,maskFields",
    
    "transforms.filterStaging.type": "io.debezium.transforms.Filter",
    "transforms.filterStaging.language": "jsr223.groovy",
    "transforms.filterStaging.condition": "value.source.table == 'customers_staging'",
    "transforms.filterStaging.action": "discard",

    "transforms.routePII.type": "org.apache.kafka.connect.transforms.ContentBasedRouter",
    "transforms.routePII.topic.regex": "inventory-postgres.public.customers",
    "transforms.routePII.field.name": "op", // Route based on operation type
    "transforms.routePII.field.value.mappings": "c:secure.customers.pii,u:secure.customers.pii,d:secure.customers.pii,r:secure.customers.pii",
    
    "transforms.maskFields.type": "org.apache.kafka.connect.transforms.MaskField$Value",
    "transforms.maskFields.fields": "email,address",
    "transforms.maskFields.mask.type": "HASH"
}

    Explanation:

    * transforms: Defines the order of execution: filterStaging -> routePII -> maskFields.

    * filterStaging: Uses a Groovy expression to check the source table name. If it matches customers_staging, the record is discarded and never reaches Kafka.

    routePII: This is a powerful but complex SMT. Here, we're using a simplified example. It inspects messages from the customers topic. A more advanced router could inspect the message payload. If a message is from the customers topic, it is re-routed to the secure.customers.pii topic. Crucially, the original message is not stopped. This creates a copy* of the event in the new topic.

    maskFields: This SMT runs on the message after* it has been routed. It will take the email and address fields in the original event destined for inventory-postgres.public.customers and replace their values with a hash. The copied event sent to secure.customers.pii will also be masked. A more sophisticated setup would use predicates to apply masking only to the public topic's stream.

    This SMT chain achieves complex data governance rules directly within the data pipeline, ensuring that sensitive data is handled correctly by design, not by convention in downstream applications.

    Conclusion: From Connector to Data Backbone

    A production-ready CDC pipeline is a living system. It requires more than just initial configuration; it demands a deep understanding of its failure modes and a proactive approach to monitoring and operational management. By implementing robust schema evolution handling with Avro, engineering a multi-layered backpressure strategy, and leveraging advanced patterns like signaling and SMTs, you can transform a simple Debezium connector into a resilient, scalable, and trustworthy data backbone for your entire engineering organization.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles