IoT Device Platform

Design a platform managing ~10 million connected devices over MQTT: connection lifecycle and disconnect detection, telemetry ingest at fleet scale, and — the signature problem — reliably delivering...

00

Practice checkpoints

The requirements are open as a taste. From the numbers onward, the full guide opens in the app.

  1. 01
    Clarify scope
  2. 02
    Requirements + scale
  3. 03
    API + data modelUnlocks in the app
  4. 04
    Draw architectureUnlocks in the app
  5. 05
    Deep diveUnlocks in the app
  6. 06
    Trade-off decisionUnlocks in the app
01

Requirements that shape the design

Do not only state requirements. Ask for them. Each card pairs the design constraint with a clarification question you can say out loud before drawing the architecture.

Functional requirements

01Ten million devices are ‘connected’ — how do we know when one drops?

Every device holds one long-lived MQTT connection (MQTT — the lightweight publish/subscribe protocol built for constrained devices) with a keepalive heartbeat; a missed keepalive window marks the device gone, and its LWT (Last Will and Testament — a message the broker publishes on the device’s behalf when it drops ungracefully) fires presence events on crashes only — a clean disconnect says goodbye itself.

02Where does the sensor data go?

Telemetry flows one way at fleet scale: devices publish readings to per-device topics, the broker fans them into an ingest stream, and no downstream consumer — however slow — is ever allowed to backpressure the connection plane.

03A command is sent to a device that is offline — then what?

A command to an offline device is not an error — it is the product: the command persists as desired state in the device shadow with a version and timestamp, queues as a QoS 1 message (QoS — MQTT’s per-message delivery contract) in the device’s persistent session, and completes when the device reconnects, drains the queue, reconciles the shadow delta, and reports back.

04The same command arrives twice — does the door unlock twice?

Delivery is at-least-once, effect is exactly-once: QoS 1 redelivers on any doubt, so every command carries a command id and the device applies it idempotently — the door told to unlock twice unlocks once.

05The device reconnects after three days — does the old unlock fire?

Every command carries an expiry: an unlock issued three days ago must never fire on today’s reconnect — expired commands transition to a terminal expired state the caller can observe, and the shadow delta, not queue order, decides what still applies.

06What stops an impostor from connecting as someone else’s device?

Every device authenticates with its own X.509 certificate (X.509 — the standard format for public-key identity certificates) over mutual TLS; identity comes from the certificate the platform issued, never from a device-claimed id, and one leaked credential revokes one device — not the fleet.

Out of scopeFirmware and OTA update pipelines — a deliberate deferral: the same shadow-plus-queue machinery carries an update command, but staged rollout, image signing, and rollback are their own design · Edge analytics and on-device ML — the platform moves bytes and state, it does not think on the device · The time-series analytics warehouse — telemetry lands on the ingest stream and this design ends there; downstream storage and query are a separate question

Non-functional requirements

01What does 10M concurrent actually require?

Ten million concurrent connections, horizontally: the broker layer shards by connection — published benchmarks demonstrate 10M concurrent MQTT connections on a clustered deployment of commodity nodes — so growing the fleet means adding broker nodes, never finding a bigger box.

02A command was issued an hour ago — who can prove what happened to it?

No command silently vanishes: every command reaches a terminal state — acknowledged, expired, or failed — that the issuing caller can observe; the contract is at-least-once delivery plus device-side idempotency, because exactly-once transport (QoS 2) is not offered by major cloud brokers.

03A region loses power for an hour, then gets it back — what happens in second one?

Survives its own comeback: a regional outage ending brings hundreds of thousands of devices back at once, so clients back off with jitter and the server admits reconnects at a controlled rate — the recovery is throttled, not trusted.

04How stale may state be — and how stale may an action be?

Bounded staleness for state, zero tolerance for stale actions: shadow reads may lag reported state by seconds, but an actuation past its expiry must never execute — freshness is enforced twice, by the server-side sweep and by the device’s check at apply time.

05One device’s credentials leak — what is the blast radius?

Per-device identity, revocable in minutes: mutual TLS with per-device certificates, a revocation path that cuts a compromised device off at its next connect, topic-level authorization scoping each device to its own topics, and no API that trusts a device-claimed identity.

Keep asking — the interview is a conversation

Real interviews probe far more than a tidy list. These are the scope questions that separate candidates who interrogate the problem from those who recite it.

  • Are devices mains-powered and always-on, or battery-powered and sleepy — a sensor that wakes hourly needs shadow-first delivery, because its session expires before it returns?
  • Are any commands safety-critical actuations — unlock, valve, brake — that need per-command acknowledgment and tight expiry, versus configuration where last-writer-wins on the shadow is enough?
  • What fraction of the fleet is offline at any moment, and for how long — minutes of connectivity blips, or weeks of seasonal darkness — since that sets session expiry and backlog bounds?
  • What is the telemetry rate per device and its retention expectation — does ingest dominate the design, or is this fleet mostly quiet devices awaiting commands?
  • Do we manufacture these devices — certificates burned in at the factory — or onboard third-party hardware, where provisioning and cert rotation become a product surface?
01

Unlock the full playbook for IoT Device Platform

Numbers, architecture diagram, API and data model, deep dives, expected topics, self-check, whiteboard starter, and common mistakes unlock inside the app.

02

Numbers that force architecture decisions

Locked in the app

03

Architecture path

Locked in the app

04

API and data model

Locked in the app

05

Deep dive directions

Locked in the app

+Series

Practice the related series