RabbitMQ Internals: How the Broker Actually Works
You've declared exchanges. You've bound queues. You've published messages and watched them arrive on the other side. But do you know what happened in between?
Most RabbitMQ developers don't need to understand the internals — until something goes wrong. A memory alarm fires and all producers block. A queue's throughput mysteriously drops under load. A node fails and you're not sure whether your messages survived. At that point, "the broker does the routing" is not enough to debug with.
This article opens the hood. We'll follow a single message from the moment it arrives as a TCP frame to the moment it's safely on disk — tracing it through every Erlang process it touches. Along the way, we'll understand why RabbitMQ behaves the way it does: why memory alarms exist, why quorum queues are slower than classic queues for single-node writes, why channels are cheap but connections are not, and why a two-node cluster is more dangerous than a single node.
None of this requires knowing Erlang. The concepts map directly to the operational behaviour you observe every day.
Quick Reference
The full message path inside RabbitMQ:
TCP Frame → rabbit_reader → rabbit_channel → Exchange routing
→ rabbit_amqqueue (dispatch) → rabbit_amqqueue_process (queue)
→ rabbit_backing_queue (storage) → msg_store (disk)
Three queue types in RabbitMQ 4.x:
| Type | Storage | Replication | Use when |
|---|---|---|---|
| Classic | WAL + msg_store (fsync not guaranteed on confirms) | None (single node) | Dev, transient, low-stakes data |
| Quorum | Raft WAL, fsync before confirm | Raft consensus across ≥3 nodes | Production — default choice |
| Stream | Osiris append-only log | Raft coordinator | Replay, fan-out to many consumers, high throughput |
Memory alarm threshold: 40% of system RAM (default). When hit, all producer connections are blocked. Tune with vm_memory_high_watermark.
Quorum queue minimum: 3 nodes. A 2-node cluster cannot elect a new leader if one node fails — it stalls permanently.
Gotchas:
- ⚠️ Classic queues do NOT fsync before sending publisher confirms — durable messages can still be lost on an unexpected crash
- ⚠️ Quorum queues write everything to disk before confirming — use fast SSDs
- ⚠️ A 2-node quorum queue cluster is worse than a single-node setup — it cannot survive any node loss
- ⚠️ Channels are not thread-safe — one channel per concurrent goroutine/async context
See also:
Version Information
Tested with:
- RabbitMQ: 4.x (current stable as of July 2025)
- Node.js: v20.x LTS
amqplib: 0.10.x
Critical version note: Classic Mirrored Queues were deprecated in RabbitMQ 3.9 and permanently removed in RabbitMQ 4.0. This article reflects current 4.x architecture. The term "HA queue" in older articles refers to Classic Mirrored Queues — that concept no longer exists. Quorum queues are the correct HA choice today.
Last verified: July 2025
What You Need to Know First
Required reading (in order):
- Message Queues: The Problem They Solve
- How Message Queues Work: Internals and Queue Types
- AMQP and RabbitMQ Core Concepts
You should be comfortable with:
- The AMQP entity model: exchanges, queues, bindings, channels, connections
What We'll Cover in This Article
By the end of this guide, you'll understand:
- Why RabbitMQ is written in Erlang and what that buys you operationally
- The exact path a message takes through Erlang processes inside the broker
- How credit flow works and why it's the engine of back-pressure
- The difference between classic and quorum queue storage — and why classic queues can lose confirmed messages
- How quorum queues use Raft consensus to guarantee durability
- What a memory alarm is, what triggers it, and how to prevent it
- Why a 2-node cluster is more dangerous than a single node
What We'll Explain Along the Way
We'll introduce these as we go:
- Erlang lightweight processes and supervision trees (no Erlang knowledge needed)
- gen_server2 — the OTP pattern behind every queue process
- fsync — the low-level operation that makes disk writes truly durable
- Raft consensus — explained simply, with a concrete voting scenario
- WAL (Write-Ahead Log) — how it works inside quorum queues
- Mnesia — RabbitMQ's internal metadata store
Part 1: Why Erlang — And Why It Matters for Operations
RabbitMQ is written in Erlang. Before you roll your eyes at "implementation detail," understand that this choice directly explains the broker's operational characteristics — both its strengths and its limits.
The BEAM VM and lightweight processes
Erlang runs on a virtual machine called BEAM. BEAM's defining feature is its process model: millions of lightweight processes, each with its own heap, running concurrently without shared memory.
These are not OS threads. An OS thread costs 1–8 MB of stack memory and takes milliseconds to create. An Erlang process costs around 2 KB of heap and takes microseconds. A busy RabbitMQ broker might have hundreds of thousands of them active simultaneously without breaking a sweat.
More importantly: Erlang processes communicate only by message passing. No shared memory, no locks, no mutexes. This eliminates entire categories of concurrency bugs — race conditions, deadlocks, priority inversion. When one process fails, it fails in isolation. Nothing it held is corrupted.
OS Thread model (most systems): Erlang process model (RabbitMQ):
┌────────────┐ ┌──────┐ ┌──────┐ ┌──────┐
│ Thread 1 │──┐ │ P 1 │ │ P 2 │ │ P 3 │
│ Thread 2 │──┼── shared memory │ │ │ │ │ │
│ Thread 3 │──┘ (needs locks) └──┬───┘ └──┬───┘ └──┬───┘
└────────────┘ │ msg │ msg │
└─────────┘─────────┘
message passing only
(no shared state)
Diagram: OS threads compete for shared memory and require synchronisation. Erlang processes have isolated heaps and communicate only by message passing — no locks, no shared mutation.
OTP and supervision trees
Erlang ships with OTP (Open Telecom Platform), a framework for building fault-tolerant systems. The core OTP concept RabbitMQ uses is the supervision tree.
Every Erlang process has a supervisor. When a process crashes, its supervisor restarts it automatically. This is Erlang's "let it crash" philosophy: instead of defensively handling every possible error, you write clean happy-path code and let the supervisor deal with failures.
In RabbitMQ, this means:
- A misbehaving queue process crashes → its supervisor restarts it → the queue is back
- A channel process hits a protocol error → it crashes → the connection process is not affected → client gets a channel error, not a connection drop
- A connection process loses its TCP socket → it crashes → other connections on the broker are completely unaffected
This process isolation is why RabbitMQ is described as robust. It's not defensive coding — it's architectural fault isolation baked into the runtime.
What each Erlang process represents in RabbitMQ
The mapping is direct. At its core, RabbitMQ uses Erlang processes for almost everything — each connection is handled by dedicated Erlang processes, and this process isolation means that issues in one component (like a misbehaving queue) don't affect others.
Concretely:
| What you see | Erlang process |
|---|---|
| One TCP connection | rabbit_reader + rabbit_writer process pair |
| One AMQP channel | rabbit_channel process |
| One queue | rabbit_amqqueue_process (classic) or Ra state machine process (quorum) |
| One exchange | Entry in Mnesia table (not a process — exchanges are pure routing logic) |
Notice that exchanges are not processes. They're routing tables stored in Mnesia (RabbitMQ's internal distributed database). This is why exchanges have negligible overhead — routing is a table lookup, not process communication.
Part 2: Following a Message Through the Broker
Now let's trace a single message from your channel.publish() call to the point it's available to consumers. This is the most important section for understanding RabbitMQ behaviour under load.
Whenever we publish an AMQP message to RabbitMQ we have the following Erlang message flow: reader → channel → queue process → message store. Let's walk each hop.
Your application
│
│ TCP frame (basic.publish)
▼
┌─────────────────┐
│ rabbit_reader │ Reads raw bytes from TCP socket
│ │ Parses AMQP frames
│ │ Forwards commands to channel process
└────────┬────────┘
│ Erlang message: {basic_publish, Exchange, RoutingKey, Content}
▼
┌─────────────────┐
│ rabbit_channel │ Validates the publish
│ │ Calls rabbit_exchange:route/2
│ │ → returns list of destination queues
│ │ Calls rabbit_amqqueue:deliver/2
└────────┬────────┘
│ Erlang message: {deliver, Delivery, SlaveWhenPublished}
▼ (sent to each destination queue process)
┌────────────────────────┐
│ rabbit_amqqueue_process│ The queue process (one per queue)
│ │ Checks if a consumer is ready
│ │ If yes → deliver directly to consumer
│ │ If no → enqueue for later delivery
│ │ Enforces TTL, max-length policies
└────────┬───────────────┘
│ If message is persistent:
▼
┌─────────────────┐
│ msg_store │ Content-addressed message store (shared across queues)
│ │ Writes message body to disk
│ │ Returns a reference (key) back to queue process
└─────────────────┘
Diagram: The internal path of a message through RabbitMQ's Erlang process chain. Each arrow is an Erlang process-to-process message. No shared memory is accessed at any point.
Step 1: rabbit_reader — TCP to AMQP frames
The reader process owns one TCP socket. Its only job is to read raw bytes, assemble them into AMQP frames, and forward those frames as Erlang messages to the appropriate channel process.
AMQP frames have a fixed structure: frame type, channel number, payload size, payload, and a frame-end marker. The reader strips this envelope and delivers the inner command to the right channel.
This process never blocks on anything application-level. If it's slow to deliver to the channel process, the credit flow mechanism (Part 3) kicks in and throttles it.
Step 2: rabbit_channel — routing and dispatch
The channel process is where the AMQP logic lives. When it receives a basic.publish, it:
- Looks up the exchange by name in Mnesia
- Calls
rabbit_exchange:route/2with the routing key — this is a pure function that evaluates bindings and returns a list of queue names - Resolves each queue name to the PID of its
rabbit_amqqueue_process - Sends an Erlang
{deliver, ...}message to each of those PIDs
A message crosses all of these modules once it enters the broker: rabbit_reader → rabbit_channel → rabbit_amqqueue → delegate → rabbit_amqqueue_process → rabbit_backing_queue.
The delegate framework is a small optimization: rather than the channel process directly messaging each queue process (which could be on a different node in a cluster), the delegate batches cross-node deliveries to reduce inter-node traffic.
Step 3: rabbit_amqqueue_process — the queue
Each queue is a gen_server2 Erlang process. The usual pattern of the API and implementation being in one file is not applied; rabbit_amqqueue is the API (a module) and rabbit_amqqueue_process is the implementation (a gen_server2).
gen_server2 is RabbitMQ's optimised variant of OTP's gen_server pattern — a process that receives messages sequentially and maintains state between calls. The queue process's state is the queue itself: the linked list (or Raft log) of messages, the list of active consumers, the prefetch counts, and the TTL/max-length policy settings.
When a message arrives, the queue process decides:
- Is a consumer available with capacity (prefetch not exhausted)? → Deliver immediately, don't store in the queue body
- No consumer available? → Add to the queue's in-memory list; if persistent, also write to the backing store
The queue needs to see if the message can be delivered to a consumer or if it has to be enqueued for later. Once this is handled, the queue needs to enforce the various policies that can be applied to it, like TTLs or max-lengths.
Step 4: msg_store — the content-addressed message store
Persistent messages are written to the msg_store — a shared, content-addressed store. "Content-addressed" means messages are stored by a hash of their content, not by queue name or message ID. This has an important consequence: if a fanout exchange delivers the same message to three queues, all three queue processes hold a reference to the same stored bytes — the message body is not duplicated on disk three times.
The msg_store exposes a simple interface: write a message, get back a key. Read a message by key. Delete a message by key. The queue process holds the key in its in-memory state; the message body lives in the store.
Part 3: Credit Flow — Back-Pressure From the Inside
You've seen back-pressure described as a concept. Here's how RabbitMQ actually implements it internally — and why understanding it explains why a slow consumer eventually blocks your producers.
Whenever we publish an AMQP message to RabbitMQ we have the following Erlang message flow: reader → channel → queue process → message store. In order to prevent any of those processes from overflowing the next one down the chain, we have a credit flow mechanism in place.
Credits: a token-based throttle between processes
Every Erlang process in the message path maintains a credit balance with its upstream process. Credits are tokens of permission to send more messages.
Say we are publishing messages to RabbitMQ. The reader will be sending one Erlang message to the channel process per AMQP basic.publish received. Each of those messages will consume one of these credits from the channel. Once the channel is able to process 50 of those messages, it will grant more credit to the reader. In turn the channel will send the message to the queue process. This will consume one credit from the credit granted by the queue process to the channel. After the queue process manages to handle 50 deliveries, it will grant 50 more credits to the channel.
Visualised:
reader ────(50 credits)────► channel ────(50 credits)────► queue_process ────► msg_store
consumes credits consumes credits
grants back when grants back when
channel processes 50 queue processes 50
Diagram: Credit flow between Erlang processes. Each process grants credits upstream. When credits run out, the upstream process stalls — propagating back-pressure all the way to the TCP reader.
What happens when a queue process is slow
If a queue process fills up (consumers are slow, queue is deep), it stops granting credits to the channel. The channel exhausts its credits and stalls. The reader exhausts its credits from the channel and stalls. The TCP socket stops being read. The OS's TCP receive buffer fills. The kernel sends TCP flow control signals to the producer's OS. The producer's channel.publish() calls start to block.
If the reader is sending messages to the channel at a higher speed than what the channel is able to process, then the channel will block the reader process, which will result in producers being throttled down by RabbitMQ. Note that we only block publishing connections — consumer connections are unaffected since we want consumers to drain messages from queues.
This is important: back-pressure from a slow consumer propagates all the way to the producer, across the network, automatically, without your application code doing anything. Your producer will simply slow down. This is correct behaviour — it's the broker protecting itself.
Memory alarms — credit flow at the broker level
Credit flow handles per-queue back-pressure. Memory alarms handle broker-level resource protection.
When a RabbitMQ node's memory usage exceeds the high-watermark threshold (default: 40% of total system RAM), it triggers a memory alarm that blocks all publishing connections on that node. No new messages can enter until memory drops below the threshold.
Memory usage: ████████████████████░░░░░░░░░░░░░░░░░░░░
▲
40% threshold (default)
│
Memory alarm fires here
All producers blocked
Why does this happen? When consumers are slow and queues grow, messages pile up in memory. At some point the process keeps growing — if unchecked, the OS will OOM-kill the Erlang VM and you lose everything in flight. The memory alarm is a safety valve that buys time for consumers to catch up.
# Check current memory alarm status
rabbitmqctl status | grep -A5 "memory_alarm"
# Check memory watermark setting
rabbitmqctl eval 'rabbit_vm:memory_use(rss).'
# Set a custom watermark (60% of RAM)
rabbitmqctl set_vm_memory_high_watermark 0.6
# Or set an absolute limit (4 GB)
rabbitmqctl set_vm_memory_high_watermark absolute 4GB
Prevention is better than cure. The right response to frequent memory alarms is not to raise the threshold — it's to add consumers, reduce message sizes, or implement application-level rate limiting on producers.
Part 4: Storage — How Messages Are Actually Persisted
This is where most developers have the largest misconceptions. Let's be precise about what "durable" and "persistent" actually guarantee — and where those guarantees break down.
Classic queue storage — and its dangerous gap
Classic queues use a two-tier storage model:
Tier 1: In-memory (alpha/beta state) Messages received by the queue process live in memory. Reads and writes are fast. No disk involved.
Tier 2: On-disk (gamma/delta state)
When memory pressure builds, RabbitMQ pages messages to disk (the msg_store). This is called "paging" or "flow from alpha to delta".
Here's the gap that catches developers: classic queues do not call fsync before sending publisher confirms.
While classic queues call fsync in some cases (for example, when RabbitMQ stops gracefully), fsync is not performed before publisher confirms are sent. Therefore, even durable messages that a publisher received a confirmation for can technically be lost if the server crashes.
fsync is a low-level OS call that forces all buffered disk writes through to actual hardware — bypassing OS page cache and disk write buffers. Without it, "written to disk" means "in the OS's write buffer" — which is lost on a sudden power failure or kernel crash.
This means: if you're using classic queues with publisher confirms and persistent: true, and your server loses power unexpectedly — messages that were confirmed to your producer can still be lost.
Quorum queues solve this. They always fsync before confirming.
Quorum queue storage — Raft WAL
Quorum queues use a completely different storage architecture built on the Raft consensus algorithm.
In Quorum Queues, a shared Write-Ahead-Log (WAL), also called a journal file, is used on each node to persist all operations, including new messages. This log captures actions as they happen. The operations stored in the WAL are kept in memory and simultaneously written to disk. When the current WAL file reaches a certain size (default 512 MiB), it's flushed to a segment file on disk, and the memory used by those log entries is released. These segment files are compacted over time, especially as consumers acknowledge deliveries.
The write sequence for a quorum queue message on a 3-node cluster:
Producer publishes message
│
▼
Leader node receives message
│
├──── Write to WAL on leader (fsync)
│
├──── Send replication command to follower 1
│ └── follower 1 writes to WAL (fsync) → sends ack
│
└──── Send replication command to follower 2
└── follower 2 writes to WAL (fsync) → sends ack
│
▼ (majority ack received — 2 of 3 nodes confirmed)
Leader sends publisher confirm to producer ✅
Diagram: Quorum queue write path. The leader only confirms to the producer after a majority of nodes (the quorum) have written and fsynced the message to their WAL. A minority of nodes can fail with no message loss.
The situation is therefore simple: if the publisher received a confirmation, this means the message had already been written to disk and fsynced on the quorum of nodes. In the most common scenario of a 3-node cluster, that means it was written and fsynced on at least 2 nodes.
The practical implications for your code
// Classic queue — confirms don't guarantee fsync
await channel.assertQueue("jobs", {
durable: true,
// No x-queue-type argument = classic queue (default in older setups)
});
await channel.sendToQueue("jobs", Buffer.from(JSON.stringify(job)), {
persistent: true,
});
// Publisher confirm received ← message in OS write buffer, NOT guaranteed on crash
// ─────────────────────────────────────────────────────
// Quorum queue — confirms DO guarantee fsync across majority of nodes
await channel.assertQueue("jobs", {
durable: true,
arguments: {
"x-queue-type": "quorum", // explicit quorum queue declaration
},
});
await channel.sendToQueue("jobs", Buffer.from(JSON.stringify(job)), {
persistent: true,
// Note: quorum queues treat all messages as persistent
// The persistent flag is redundant but harmless
});
// Publisher confirm received ← message fsynced on ≥2 nodes ✅
The production rule: Use quorum queues for any data you cannot afford to lose. Use classic queues only for transient, loss-tolerant data (temporary RPC reply queues, development environments, metrics feeds).
Quorum queue WAL configuration (RabbitMQ 4.3+)
Starting with RabbitMQ 4.3, all quorum queue Raft/WAL parameters are explicitly configurable via rabbitmq.conf using the quorum_queue.* namespace:
# rabbitmq.conf
# WAL segment size — when the WAL reaches this size, it's flushed to a segment file
# Default: 512 MiB. Increase for higher write throughput at the cost of more memory.
quorum_queue.raft.wal_max_size_bytes = 536870912
# Maximum number of WAL entries before forced flush
quorum_queue.raft.wal_max_batch_size = 4096
# Recommended: use fast NVMe SSDs for the RabbitMQ data directory
# Quorum queue throughput is directly limited by disk fsync speed
As quorum queues persist all data to disks before doing anything, it is recommended to use the fastest disks possible. Due to the disk I/O-heavy nature of quorum queues, their throughput decreases as message sizes increase.
The practical guidance: for quorum queues in production, NVMe SSDs are strongly preferred over spinning disks or network-attached storage. The fsync latency of your disk is directly reflected in your publish throughput ceiling.
Part 5: The Three Queue Types in RabbitMQ 4.x
RabbitMQ 4.x ships with three queue implementations. Each makes different tradeoffs.
Classic queues
Classic queues are the traditional RabbitMQ queue implementation, providing AMQP-compliant behavior with configurable durability and optional high availability through mirroring. Classic queues are implemented as individual Erlang processes (rabbit_amqqueue_process) with a pluggable backing queue interface.
Classic queues are still fully supported in RabbitMQ 4.x — what was removed was their mirroring feature (Classic Mirrored Queues). A non-mirrored classic queue is still available and appropriate for:
- Temporary/exclusive queues (RPC reply queues, per-session queues)
- Development and testing environments
- High-volume transient data where occasional loss is acceptable
- Scenarios requiring AMQP features not yet in quorum queues (certain TTL behaviors, some argument combinations)
How to declare:
await channel.assertQueue("my-classic-queue", {
durable: true,
// No x-queue-type argument, or explicitly:
arguments: { "x-queue-type": "classic" },
});
Quorum queues
The RabbitMQ quorum queue is a modern queue type which implements a durable, replicated queue based on the Raft consensus algorithm and should be considered the default choice when needing a replicated, highly available queue. Quorum queues are designed for data safety as well as reliable and fast leader election properties that ensure high availability even during upgrades or other turbulence.
Key characteristics:
- Always durable — quorum queues cannot be non-durable
- All messages treated as persistent — the
persistentflag is redundant - Require a minimum of 3 nodes for meaningful HA (more on this below)
- Slightly higher write latency than classic queues (due to Raft consensus round-trip)
- Superior throughput for mixed publish/consume workloads with confirms enabled
How to declare:
await channel.assertQueue("my-quorum-queue", {
durable: true, // required — quorum queues are always durable
arguments: {
"x-queue-type": "quorum",
"x-quorum-initial-group-size": 3, // number of Raft members (default: min-quorum-size cluster setting)
},
});
Stream queues
Stream queues use a two-tier architecture: a Raft-based coordinator cluster manages stream metadata and lifecycle, while the actual message streams are implemented using Osiris for append-only log storage with replication.
Streams are RabbitMQ's answer to Kafka's log model. Unlike queues, consuming a message from a stream does not remove it — consumers track their own offset, and multiple consumer groups can read the same stream independently from different positions. Messages are retained for a configurable time or size window, not deleted on consumption.
Use streams when:
- Multiple independent services need to consume the same message history
- You need message replay (re-read from offset 0, or from a timestamp)
- You have very high throughput requirements and don't need complex routing
How to declare:
await channel.assertQueue("my-stream", {
durable: true,
arguments: {
"x-queue-type": "stream",
"x-max-length-bytes": 10_000_000_000, // 10 GB retention
"x-stream-max-segment-size-bytes": 100_000_000, // 100 MB segment size
},
});
Note: Streams require the RabbitMQ Stream protocol plugin for optimal use with offset-based consumers. Using AMQP to consume from a stream works but loses the offset tracking capabilities. The stream protocol uses port 5552 instead of 5672.
Part 6: Clustering — What It Actually Means
You've heard "run RabbitMQ in a cluster for high availability." Let's be precise about what that means — and what it doesn't.
What a cluster shares, and what it doesn't
A RabbitMQ cluster is a group of nodes that share metadata — exchange definitions, queue declarations, user accounts, virtual hosts, policies. This metadata is stored in Mnesia, Erlang's built-in distributed database, which replicates synchronously across all nodes.
What a cluster does not automatically share: queue contents.
In a 3-node cluster, if you declare a classic queue on node 1, the queue's messages live on node 1. Nodes 2 and 3 know the queue exists (that's the metadata), but they don't hold its messages. If node 1 goes down, that classic queue is unavailable until node 1 comes back — regardless of how many other nodes are running.
This is the fundamental difference quorum queues address: they replicate message content across nodes, not just the queue declaration.
Quorum queue leader election — the Raft model
A quorum queue relies on a consensus protocol called Raft to ensure data consistency and safety. Every quorum queue has a primary member (a leader in Raft parlance) and zero or more secondary members (called followers). A leader is elected when the cluster is first formed and later if the leader becomes unavailable.
How Raft leader election works, in plain terms:
3-node cluster: Node A (leader), Node B (follower), Node C (follower)
Normal operation:
Node A receives message → replicates to B and C → B and C ack → A confirms to producer
Node A fails:
B and C detect no heartbeat from A
B sends vote request to C: "I should be the new leader, do you agree?"
C agrees (B's log is up to date)
B becomes leader — resumes accepting publishes
Node A comes back:
A discovers it is no longer leader
A becomes a follower — catches up via log replication
No manual intervention needed
Failed and rejoining followers will automatically resume log replication at the point they left off, which means there is no special "catch-up" process needed and there is no impact on leader availability as was the case with classic mirrored queues.
Why 2 nodes is worse than 1
Here's the counterintuitive truth that trips up teams when they first cluster RabbitMQ.
A quorum queue requires a majority of its members to be available to function. For a 3-member queue: 2 of 3 must be up (majority = ⌊3/2⌋ + 1 = 2). For a 2-member queue: 2 of 2 must be up (majority = ⌊2/2⌋ + 1 = 2).
Cluster size | Can lose | Cannot lose
1 node | 0 nodes | 1 node
2 nodes | 0 nodes | 1 node ← same as single node, but MORE complex
3 nodes | 1 node | 2 nodes
5 nodes | 2 nodes | 3 nodes
A 2-node quorum cluster is strictly worse than a single node: it has the same fault tolerance (zero node failures tolerated), but it's more complex to operate, and if one node fails, the queue stalls — it can't elect a new leader because it can't reach quorum. It doesn't fail fast; it hangs.
To use Quorum Queues effectively, your cluster should have at least 3 nodes. If your cluster has fewer than 3 nodes, or if not all nodes are running, Quorum Queues will not function properly.
The rule: Use 3 nodes minimum for quorum queues. Use 5 nodes if you need to tolerate 2 simultaneous failures. Never use 2 nodes.
Cluster topology in TypeScript — connecting correctly
import amqplib from "amqplib";
// For a 3-node cluster, connect to the node closest to your service
// (not to a load balancer — RabbitMQ load balancing is at the application layer)
// Use a list of hosts and try each on failure
async function connectWithFailover(
hosts: string[],
): Promise<amqplib.Connection> {
for (const host of hosts) {
try {
const connection = await amqplib.connect({
hostname: host,
port: 5672,
username: process.env.RABBITMQ_USER ?? "app-user",
password: process.env.RABBITMQ_PASS!,
vhost: "/production",
heartbeat: 60, // detect dead connections within 60s
});
console.log(`[RabbitMQ] Connected to ${host}`);
connection.on("error", (err) => {
console.error(`[RabbitMQ] Connection error on ${host}:`, err.message);
});
return connection;
} catch (err) {
console.warn(`[RabbitMQ] Could not connect to ${host} — trying next`);
}
}
throw new Error("[RabbitMQ] All nodes unreachable");
}
// Usage
const connection = await connectWithFailover([
"rabbitmq-node1.internal",
"rabbitmq-node2.internal",
"rabbitmq-node3.internal",
]);
Part 7: Monitoring Internals via the Management API
Understanding the internals is most useful when you can observe them. The RabbitMQ management API exposes every metric discussed in this article.
// Utility: fetch queue internals from the management API
async function getQueueInternals(
queueName: string,
vhost: string = "/",
): Promise<Record<string, unknown>> {
const encodedVhost = encodeURIComponent(vhost);
const url = `http://localhost:15672/api/queues/${encodedVhost}/${queueName}`;
const response = await fetch(url, {
headers: {
Authorization: "Basic " + Buffer.from("guest:guest").toString("base64"),
},
});
if (!response.ok) {
throw new Error(`Management API error: ${response.status}`);
}
const data = (await response.json()) as Record<string, unknown>;
// The fields that map directly to internals discussed in this article:
return {
// Queue depth and state
messages_ready: data["messages_ready"], // in READY state
messages_unacked: data["messages_unacknowledged"], // in UNACKED state
messages_total: data["messages"], // ready + unacked
// Storage tier (classic queues only)
messages_ram: data["messages_ram"], // messages in memory (alpha/beta)
messages_persistent: data["messages_persistent"], // messages written to msg_store
// Memory
memory: data["memory"], // bytes used by this queue process
// Queue type and HA
queue_type:
(data["arguments"] as Record<string, unknown>)?.["x-queue-type"] ??
"classic",
leader: data["leader"], // quorum queues: current Raft leader
members: data["members"], // quorum queues: all Raft members
// Consumer info
consumers: data["consumers"], // count of active consumers
consumer_utilisation: data["consumer_utilisation"], // 0.0–1.0: how busy consumers are
// State
state: data["state"], // 'running' | 'idle' | 'flow' | 'down'
};
}
// Usage
const info = await getQueueInternals("jobs.image-resize", "/production");
console.log(info);
/*
{
messages_ready: 142,
messages_unacked: 5,
messages_total: 147,
messages_ram: 142, ← all in memory — no disk pressure yet
messages_persistent: 0, ← classic queue: 0 means not yet paged to disk
memory: 2048392, ← ~2 MB used by this queue process
queue_type: 'quorum',
leader: 'rabbit@node1',
members: ['rabbit@node1', 'rabbit@node2', 'rabbit@node3'],
consumers: 3,
consumer_utilisation: 0.92, ← consumers are 92% busy — healthy
state: 'running'
}
*/
Key fields to monitor in production:
| Field | Healthy | Warning | Action |
|---|---|---|---|
messages_ready growing | Stable | > 10k | Add consumers |
consumer_utilisation | 0.7–0.99 | < 0.5 | Too many consumers — scale down |
state | running | flow or down | Back-pressure or node issue |
memory | Steady | Growing without bound | Consumers too slow |
leader | Consistent | Changes frequently | Unstable cluster — investigate |
Common Misconceptions
❌ Misconception: "Durable queue + persistent message = guaranteed no data loss on crash"
Reality: For classic queues, this is false. Classic queues do not fsync before sending publisher confirms. A confirmed, persistent message in a classic queue can be lost if the server crashes before the OS write buffer is flushed to disk.
The fix: Use quorum queues for any data you cannot lose. Quorum queues fsync before confirming, and replicate across multiple nodes. The cost is a small write latency increase.
// ❌ Confirmed but not crash-safe on classic queues
await channel.assertQueue("jobs", { durable: true }); // classic queue (default)
channel.publish("", "jobs", buf, { persistent: true });
// confirm received ← not fsynced ← can be lost on unexpected crash
// ✅ Confirmed AND crash-safe
await channel.assertQueue("jobs", {
durable: true,
arguments: { "x-queue-type": "quorum" },
});
channel.publish("", "jobs", buf, { persistent: true });
// confirm received ← fsynced on ≥2 nodes ← safe
❌ Misconception: "A memory alarm means RabbitMQ is out of memory"
Reality: A memory alarm fires at 40% of RAM by default — well before the broker is actually memory-constrained. It's a pre-emptive throttle, not an OOM condition. The alarm fires early specifically to give consumers time to drain queues and for the OS to recover before anything crashes.
The correct response: Don't raise the threshold reflexively. First check why queues are growing — slow consumers, producer burst, or a consumer outage are the likely causes.
❌ Misconception: "RabbitMQ stores messages in memory"
Reality: This was partially true for classic queues in older versions. In RabbitMQ 4.x with quorum queues (the default recommendation), messages are written to disk and fsynced before being confirmed. Regardless of the queue type, there is no configuration in which publishing, say, 1 GB of messages to RabbitMQ with no connected consumers would lead to 1 GB of memory being used to store these messages.
❌ Misconception: "A 2-node cluster is better than a single node"
Reality: For quorum queues, a 2-node cluster has the same fault tolerance as a single node (zero node failures tolerated) but is more complex and will hang (not fail fast) when one node is unavailable. Always use 3 nodes minimum, or stay on a single node for non-HA workloads.
Troubleshooting Common Issues
Problem: Memory alarm fires — all producers blocked
Symptoms: Producer channel.publish() calls hang or time out. Management UI shows a yellow memory alarm banner. Consumer operations continue normally.
Common causes:
- Queue backlog growing faster than consumers can drain it (most common)
- Memory watermark set too low for the available RAM
- A large number of unacknowledged messages held in consumer prefetch buffers
Diagnostic steps:
# Step 1: Check which queues are deepest
rabbitmqctl list_queues name messages memory --sorted-by messages
# Step 2: Check memory alarm state
rabbitmqctl status | grep -A10 "alarms"
# Step 3: Check consumer utilisation per queue
# Low utilisation = consumers idle = they're the bottleneck downstream
curl -u guest:guest http://localhost:15672/api/queues | \
jq '.[] | {name: .name, messages: .messages, consumer_utilisation}'
# Step 4: If consumers are overwhelmed, check what they're doing
# If consumers are gone, check for deployment issues or crashes
Solution: Add more consumer instances to drain the queue backlog. If the alarm fires regularly, investigate consumer throughput — the issue is almost always on the consumer side, not the broker.
Problem: Quorum queue unavailable — "not enough replicas available"
Symptoms: Publishing to a quorum queue fails with PRECONDITION_FAILED or similar. The queue shows as down in the management UI.
Common cause: Fewer than the quorum of nodes are available. For a 3-member quorum queue, if 2 nodes are down, the remaining node cannot reach majority and the queue stalls.
Diagnostic steps:
# Step 1: Check node status in the cluster
rabbitmq-diagnostics cluster_status
# Step 2: Check quorum queue member status
rabbitmqctl list_queues name type leader members --queue-type quorum
# Step 3: Check if specific nodes are reachable
rabbitmq-diagnostics ping -n rabbit@node2
Solution: Bring the failed nodes back online. The rejoining nodes will automatically catch up with the leader's log — no manual sync needed. If nodes cannot be recovered, and you have a 5-member queue, you can shrink the quorum membership to exclude the lost nodes (this is an advanced recovery procedure — see the RabbitMQ quorum queue documentation for the specific commands).
Prevention: Use 5-node clusters if you need to survive 2 simultaneous node failures. Monitor node health with alerting on rabbitmq_node_up so you know before a second node fails.
Problem: Quorum queue throughput is lower than expected
Symptoms: Message throughput is well below what your hardware should support. CPU is not saturated. Network is not saturated. Disk I/O is the bottleneck.
Common causes:
- Disk is too slow — quorum queues fsync before confirming, so disk write latency is the ceiling
- Message sizes are large — quorum queue throughput decreases with message size
- Number of Raft members is higher than necessary — more members = more replication round trips
Diagnostic steps:
# Step 1: Measure fsync latency on your disk
# Install fio and run a direct write test
fio --name=fsync-test --ioengine=sync --rw=write --bs=4k \
--numjobs=1 --iodepth=1 --direct=1 --size=256m \
--filename=/var/lib/rabbitmq/testfile --fsync=1
# Step 2: Check disk I/O during RabbitMQ load
iostat -x 1 5
# Step 3: Check Raft member count
rabbitmqctl list_queues name members --queue-type quorum | \
awk '{print $1, length(split($2, a, ","))}'
Solution: Use NVMe SSDs for the RabbitMQ data directory. If throughput is still insufficient at 3 members, consider reducing to 3 members (the minimum). If you need higher throughput than quorum queues can provide on your hardware, evaluate Stream queues (which don't wait for fsync) or Kafka for very high-volume workloads.
Check Your Understanding
Quick Quiz
1. A producer publishes a persistent message to a classic durable queue and receives a publisher confirm. The server then loses power. Is the message safe?
Show Answer
Not guaranteed. Classic queues do not call fsync before sending publisher confirms. The confirm means RabbitMQ accepted the message — not that it's flushed to disk hardware. If the OS write buffer hasn't been flushed when power is lost, the message is gone.
For crash-safe message storage, use quorum queues. They fsync and replicate across a majority of nodes before confirming.
2. Your 3-node RabbitMQ cluster has quorum queues. Node 2 fails. What happens to the quorum queues whose leader was on node 2?
Show Answer
The remaining nodes (1 and 3) detect that node 2's heartbeat has stopped. They initiate a Raft leader election — whichever of node 1 or node 3 has the most up-to-date log becomes the new leader. This process takes seconds. After election, the new leader resumes accepting publishes and serving consumers. No messages are lost (they were already replicated before being confirmed). When node 2 comes back online, it automatically rejoins as a follower and catches up from the log.
3. Why does a memory alarm block producers but not consumers?
Show Answer
The credit flow mechanism blocks publishing connections specifically to reduce the rate at which new messages enter the broker — giving consumers time to drain existing messages and free up memory. Blocking consumers as well would make the situation worse: the queues would never drain, memory would never recover, and the broker would eventually crash. By keeping consumers running while blocking producers, RabbitMQ creates the pressure differential needed for memory to come down.
Hands-On Challenge
The scenario: You're deploying RabbitMQ for a payment processing system. Requirements:
- Messages must not be lost under any single node failure
- Messages must not be lost if the server loses power unexpectedly
- The system processes ~500 messages/second at peak
- You have budget for 3 servers
Your task: Choose the correct queue type and configuration. Write the TypeScript declaration code for the payment jobs queue, and explain every argument you use.
Show Solution
Queue type: Quorum
Reasoning:
- Classic queues don't fsync before confirms — eliminates them for payment data
- Single node eliminates mirroring options — need replication
- Quorum queues on 3 nodes tolerate 1 node failure AND fsync before confirming
Configuration:
// Payment processing queue — quorum type, 3 members, DLQ for failures
await channel.assertExchange("dlx.payments", "fanout", { durable: true });
await channel.assertQueue("dlq.payments", {
durable: true,
arguments: { "x-queue-type": "quorum" }, // DLQ is also a quorum queue
});
await channel.bindQueue("dlq.payments", "dlx.payments", "");
await channel.assertQueue("jobs.payments", {
durable: true, // required for quorum queues
arguments: {
"x-queue-type": "quorum",
// Replicate across all 3 nodes in the cluster
"x-quorum-initial-group-size": 3,
// Failed messages (nacked without requeue) go to DLQ
"x-dead-letter-exchange": "dlx.payments",
"x-dead-letter-strategy": "at-least-once", // quorum queue feature: safer DLQ routing
},
});
On 500 messages/second: Quorum queues can comfortably handle 500 msg/s on NVMe SSDs. The Raft round-trip adds ~1–5ms latency per publish (not per message when batching with publisher confirms in async mode), which is acceptable for payment processing.
Publisher confirms must be enabled on the producer channel — otherwise the fsync guarantee doesn't help you, because you'd be publishing fire-and-forget and wouldn't know if the message was confirmed:
await publishChannel.confirmSelect(); // enable publisher confirm mode
publishChannel.publish(
"",
"jobs.payments",
Buffer.from(JSON.stringify(paymentJob)),
{ persistent: true },
);
// Wait for confirm before telling the user the payment is queued
await new Promise<void>((resolve, reject) => {
publishChannel.waitForConfirms().then(resolve).catch(reject);
});
Summary: Key Takeaways
- Erlang processes are RabbitMQ's unit of isolation — each queue is an Erlang process, each channel is a process, each connection is a process. A crash in one doesn't cascade to others.
- A message travels through 4+ Erlang processes —
rabbit_reader → rabbit_channel → rabbit_amqqueue_process → msg_store. Credit flow between each pair is what implements back-pressure. - Classic queues don't fsync before confirming — a confirmed, persistent message in a classic queue can still be lost on unexpected crash. Use quorum queues for crash-safe storage.
- Quorum queues fsync and replicate before confirming — the publisher confirm from a quorum queue means the message is on disk on a majority of nodes. It's as safe as RabbitMQ gets.
- Memory alarms are pre-emptive — they fire at 40% RAM to give consumers time to drain queues. The correct response is faster consumers, not a higher threshold.
- A 2-node cluster is worse than 1 node — quorum queues need a majority. Two nodes can tolerate zero failures. Use 3 nodes minimum, 5 for two-failure tolerance.
- Cluster metadata is shared; queue contents are not (for classic queues) — quorum queues specifically replicate message content. Classic queues do not.
What's Next?
You now understand what's happening inside RabbitMQ when you publish a message — the Erlang process hops, the credit flow mechanism, the WAL write, the Raft round-trip, the leader election. The broker is no longer a black box.
Once you've mastered this layer, the next step would be to set up a RabbitMQ 4.x node with Docker, connect with amqplib, declare your first quorum queue, and publish/consume messages while watching the management UI to see every concept from this article in action.
References
- RabbitMQ Quorum Queues — Official Docs — Authoritative source on quorum queue design, Raft, WAL, and configuration
- How Are Messages Stored? — RabbitMQ Blog, January 2025 — Official clarification of classic vs quorum queue storage and fsync behaviour
- Migrating from Classic Mirrored Queues to Quorum Queues — RabbitMQ Blog, July 2025 — Current migration guidance post RabbitMQ 4.0 removal of CMQ
- RabbitMQ Internals: deliver_to_queues.md — Official RabbitMQ team documentation of the internal message delivery path
- RabbitMQ Internals: credit_flow.md — Official documentation of the credit flow back-pressure mechanism
- RabbitMQ Queue Types — CloudAMQP, July 2024 — Practical comparison of classic, quorum, and stream queues
- RabbitMQ Persistence Configuration — WAL sizing, disk recommendations, and memory settings for quorum queues