To minimize message loss in Kafka, you must control all three stages of the pipeline: production, storage, and consumption. The core failure modes are network jitter, broker failures, and committing offsets before processing actually completes. Keywords: Kafka reliability,
acks=all, manual offset commit.
The technical specification snapshot is outlined below
| Parameter | Details |
|---|---|
| Language | Java |
| Protocols/Mechanisms | Kafka Producer/Consumer API, Replication, ISR |
| GitHub Stars | Not provided in the source content |
| Core Dependency | org.apache.kafka:kafka-clients |
Kafka message durability cannot be solved with a single configuration switch
Kafka reliability is not a toggle. It is a coordinated set of strategies. If you optimize only the producer and ignore broker replication, or if you emphasize manual offset commits on the consumer side while allowing weak producer acknowledgments, you still leave message-loss windows open.
In practice, engineers usually divide the risks into three categories: the message never successfully reaches the broker, the message is written but lacks sufficient replica protection, or the message is fetched by the consumer but the business logic fails after the offset has already been committed. To close these gaps, you must harden all three ends at the same time.
A highly reliable message path should satisfy this minimum closed loop
Producer send succeeds
-> Leader receives the message
-> ISR replicas complete synchronization
-> Consumer fetches the message
-> Business processing succeeds
-> Offset is committedThe key point in this chain is simple: a message should reach the end of its consumption lifecycle only after processing has completed successfully.
The producer side must enable acknowledgments, retries, and idempotence together
The most common producer-side issues are transient network failures or short broker outages, which can cause send failures or retry reordering. In reliability-first scenarios, you should at minimum enable strong acknowledgments, idempotence, and retries.
import org.apache.kafka.clients.producer.*;
import java.util.Properties;
public class ReliableKafkaProducer {
public static void main(String[] args) {
Properties props = new Properties();
props.put("bootstrap.servers", "localhost:9092");
props.put("acks", "all"); // Success is confirmed only after all ISR replicas acknowledge
props.put("enable.idempotence", "true"); // Enable idempotence to prevent duplicate writes during retries
props.put("retries", Integer.MAX_VALUE); // Keep retrying on recoverable errors
props.put("max.in.flight.requests.per.connection", "1"); // Reduce the risk of reordering
props.put("retry.backoff.ms", "300"); // Control retry backoff time
KafkaProducer<String, String> producer = new KafkaProducer<>(props);
ProducerRecord<String, String> record = new ProducerRecord<>("test-topic", "key", "value");
producer.send(record, (metadata, exception) -> {
if (exception == null) {
System.out.println("Send succeeded, partition=" + metadata.partition() + ", offset=" + metadata.offset());
} else {
System.err.println("Send failed: " + exception.getMessage()); // Integrate alerting or compensation logic here
}
});
producer.close();
}
}This code defines “send success” as an auditable and retryable result through strong acknowledgments, idempotence, and callback handling.
acks=all is the baseline requirement for reliable writes
acks=0 fits only extreme throughput-first scenarios, where the client has almost no visibility into failures. acks=1 requires only that the leader write succeeds. If the leader crashes before followers synchronize, the message can still be lost. Only acks=all extends the acknowledgment scope to the ISR.
The idempotent producer solves duplicate writes caused by retries
After you enable enable.idempotence=true, Kafka deduplicates messages based on sequence numbers. That means retries no longer create duplicate writes that push dirty data pressure downstream. This setting does not improve availability directly; it makes retries safe and predictable.
The broker side must enforce persistence quality with replication and minimum ISR
The broker is where the message is actually persisted. If you configure only the replication factor but do not enforce a minimum number of in-sync replicas, the value of acks=all becomes weaker, because “all” refers to the current ISR, not every replica.
default.replication.factor=3
min.insync.replicas=2
log.flush.interval.messages=10000
log.flush.interval.ms=1000This configuration gives a topic multi-replica redundancy and requires at least two in-sync replicas to be online before Kafka accepts high-reliability writes.
min.insync.replicas and acks=all must be used together
This is one of the most frequently overlooked combinations. If acks=all is enabled but min.insync.replicas=1, Kafka can still accept writes when only one replica remains alive. In that case, the actual risk has not been meaningfully reduced. For production systems, a common recommendation is replication.factor=3 and min.insync.replicas=2.
Kafka achieves high performance through sequential writes and asynchronous flush
Kafka does not force every message to disk immediately. It writes to the page cache first and flushes to disk asynchronously. Kafka relies on replication to survive extreme failures. In other words, high reliability in Kafka comes from distributed redundancy rather than single-node forced persistence.
The consumer side prevents logical message loss only by committing offsets after business success
Many so-called “lost messages” are not actually lost by Kafka itself. The consumer commits the offset first, then the business logic fails, so the message is never consumed again. This is one of the most common consumer-side incidents.
import org.apache.kafka.clients.consumer.*;
import java.time.Duration;
import java.util.Collections;
import java.util.Properties;
public class ReliableKafkaConsumer {
public static void main(String[] args) {
Properties props = new Properties();
props.put("bootstrap.servers", "localhost:9092");
props.put("group.id", "test-group");
props.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
props.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
props.put("enable.auto.commit", "false"); // Disable auto-commit to avoid committing before processing
KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props);
consumer.subscribe(Collections.singletonList("test-topic"));
try {
while (true) {
ConsumerRecords<String, String> records = consumer.poll(Duration.ofMillis(100));
for (ConsumerRecord<String, String> record : records) {
try {
System.out.println("Processing message: " + record.value()); // Simulate business processing
consumer.commitSync(); // Commit the offset only after business success
} catch (Exception e) {
System.err.println("Processing failed: " + e.getMessage()); // Do not commit on failure; retry or send to DLQ
}
}
}
} finally {
consumer.close();
}
}
}This code delays offset commits until after successful business processing, which gives you at-least-once delivery semantics.
Manual commit fixes consumption semantics, not business idempotence
Even if you use commitSync(), duplicate consumption can still occur during consumer restarts, rebalance timeouts, or rollback scenarios. That is why the business layer should still implement idempotence, for example through business-key deduplication, state-machine guards, or external unique constraints.
A dead letter queue is a necessary safeguard against poison messages
If you never commit the offset after a failure, the consumer can become stuck on the same bad message indefinitely. In production systems, you should define retry limits and use a DLQ to isolate unprocessable messages so the main consumption pipeline does not stall.
Best practices should balance reliability, throughput, and availability
| Stage | Recommended Configuration/Action | Goal |
|---|---|---|
| Producer | acks=all |
Ensure writes are acknowledged by the ISR |
| Producer | enable.idempotence=true |
Prevent duplicates caused by retries |
| Producer | Callback + alerting | Detect failures and trigger compensation |
| Broker | replication.factor>=3 |
Prevent single points of failure |
| Broker | min.insync.replicas>=2 |
Raise the write acceptance standard |
| Consumer | enable.auto.commit=false |
Prevent premature commits |
| Consumer | commitSync() after success |
Precisely control when consumption is complete |
| Business layer | Idempotence + DLQ | Absorb duplicates and isolate bad messages |
This reliability baseline is practical for direct production adoption
If your workload includes high-value flows such as orders, payments, or inventory, start with this baseline: producer settings of acks=all + idempotence + retries, broker settings of 3 replicas + min ISR 2, and a consumer that disables auto-commit and commits offsets only after business success, all backed by monitoring and a dead letter queue.
FAQ
FAQ 1: Why can messages still fail even after setting acks=all?
Because acks=all covers only producer-side acknowledgment. It does not protect you from business failures on the consumer side. In addition, if min.insync.replicas is set too low, overall reliability is weakened.
FAQ 2: Will disabling auto-commit cause duplicate consumption?
Yes. It is especially common during consumer restarts or group rebalancing. Disabling auto-commit solves message loss. Business idempotence solves duplication.
FAQ 3: Is the high-reliability configuration always the best choice?
No. acks=all, multi-replica replication, and synchronous commits all increase latency and reduce throughput. For log collection workloads, you can relax these settings appropriately. For transactional workloads, reliability should take priority.
Core Summary: This article systematically explains how to prevent Kafka message loss across producers, brokers, and consumers. It covers acks=all, idempotent producers, replication, min.insync.replicas, manual offset commits, and dead letter queues, helping developers make practical trade-offs among reliability, throughput, and availability.