Final Assessment
An integrative assessment covering every topic in the course β design a complete architecture from requirements through to operations.
Objective
This final assessment brings together all the concepts covered in the previous sections: fundamentals, architecture, patterns, flows, security, observability, deployment, and versioning. Your task is to design a complete architecture for a real system.
There is no single correct answer. What matters is the quality of your reasoning, the consistency of your decisions, and your ability to justify each choice.
The project: HealthTrack
Description
HealthTrack is a telemedicine platform that connects patients with doctors for virtual consultations. The platform must handle:
- Registration and profiles for patients and doctors
- Scheduling and appointments with real-time availability
- Video calls for virtual consultations
- Medical records with documents and prescriptions
- Payments per consultation with multiple methods
- Notifications via email, push, and SMS
- Reports for administrators and doctors
Non-functional requirements
| Requirement | Value |
|---|---|
| Registered users | 500,000 |
| Daily consultations | 5,000 |
| Availability | 99.95% |
| API latency | p99 < 500ms |
| Sensitive data | Yes (medical data β HIPAA/GDPR regulation) |
| Development team | 20 people, 4 squads |
| Timeline | MVP in 6 months |
Part 1: Architectural style (Fundamentals)
Questions
- Which architectural style would you choose? Monolith, microservices, or hybrid?
- How would you split the system into domains/services?
- How would you assign the squads to the domains?
Evaluation criteria
- Clear justification of the chosen style
- Domain split that is consistent with the business
- Consideration of team size and timeline
Reference guide
With 20 people and 4 squads, microservices is viable but not mandatory. A pragmatic option:
Suggested domains:
- Users and Auth (Squad 1): registration, profiles, authentication
- Appointments and Scheduling (Squad 2): availability, bookings, calendar
- Consultations and Clinical (Squad 3): video calls, records, prescriptions
- Payments and Notifications (Squad 4): charges, emails, push, SMS
Each squad owns its domain and can deploy it independently.
Part 2: Component architecture (Architecture)
Questions
- Draw a high-level diagram with the main components
- How do the services communicate with one another?
- Do you need an API Gateway? A BFF?
- Where does the video call logic live?
Evaluation criteria
- Clear diagram with components and connections
- Justification of sync vs async communication
- Consideration of external services (video, payments)
Reference guide
[Mobile/Web App]
β
βΌ
[API Gateway + Auth]
β
ββββΊ [Users Service] βββΊ [PostgreSQL]
ββββΊ [Appointments Service] βββΊ [PostgreSQL + Redis]
ββββΊ [Consultations Service] βββΊ [PostgreSQL + S3]
ββββΊ [Payments Service] βββΊ [PostgreSQL]
β
ββββΊ [Event Bus (RabbitMQ/Kafka)]
β
ββββΊ [Notifications Service]
ββββΊ [Analytics Service]
[Video Service: Twilio/Agora] β external integration
- Sync communication for user operations (create appointment, view records)
- Async communication for side effects (notifications, analytics)
- Video as an external service β donβt reinvent the wheel
Part 3: Applied patterns (Patterns)
Questions
- Which resilience patterns would you apply, and where?
- Would you use a Saga for the appointment booking + payment flow? Orchestrated or choreographed?
- Where would you apply CQRS? Is it necessary?
- How do you guarantee idempotency in payments?
Evaluation criteria
- Resilience patterns applied correctly
- Justification of orchestrated vs choreographed Saga
- Idempotency in critical operations
Reference guide
Resilience:
- Circuit breaker on calls to the video and payment providers
- Retry with backoff for notifications
- Timeout on all inter-service calls
- Bulkhead to isolate the video service from the rest
Saga for booking + payment (orchestrated):
- Reserve slot in scheduling β 2. Process payment β 3. Confirm appointment
- If the payment fails: compensate by releasing the slot
- Orchestrated because the flow is linear and you need centralized control
Idempotency in payments:
- Idempotency key generated by the client (appointmentId + timestamp)
- Check before processing; if it exists, return the previous result
Part 4: Security (Security)
Questions
- How do you handle authentication and authorization?
- How do you protect sensitive medical data?
- What security measures do you apply at each layer?
- How do you handle patient consent for accessing their records?
Evaluation criteria
- Robust authentication (MFA for doctors)
- Encryption of sensitive data at rest and in transit
- Granular access control (RBAC or ABAC)
- Regulatory compliance considered
Reference guide
Authentication:
- JWT with refresh tokens
- Mandatory MFA for doctors
- OAuth2 for patient social login
Sensitive data:
- Encryption at rest (AES-256) for medical records
- TLS 1.3 for all traffic
- Medical data in a separate database with restricted access
- Audit logs for every access to patient data
Access control:
- RBAC: patient, doctor, and admin roles
- A doctor can only view the records of their own patients
- The patient can revoke access at any time
- Explicit consent recorded with a timestamp
Part 5: Observability (Observability)
Questions
- Which business and technical metrics would you collect?
- How would you implement distributed tracing?
- Which alerts are critical for this system?
- What dashboard does the on-call team need?
Evaluation criteria
- Relevant business metrics (completed appointments, cancellation rate)
- End-to-end tracing implemented
- Alerts prioritized by user impact
Reference guide
Business metrics:
- Appointments booked vs completed vs canceled per day
- Average wait time to get an appointment
- Payment success rate
- Patient NPS post-consultation
Technical metrics:
- Latency per service and endpoint (p50, p90, p99)
- Error rate per service
- Video service availability
- Message queue size
Critical alerts:
- Video service unavailable (direct impact on consultations)
- Payment error rate > 5%
- p99 latency > 1s in the booking flow
- Medical records database not accessible
Part 6: Deployment and operations (Deployment)
Questions
- How would you deploy the services? Kubernetes, serverless, PaaS?
- What is your CI/CD strategy?
- How do you handle configuration and secrets?
- What is your scaling strategy?
Evaluation criteria
- Deployment strategy consistent with the architecture
- Automated CI/CD with quality gates
- Secrets managed securely
- Scaling defined for the critical components
Part 7: Versioning (Versioning)
Questions
- How do you version the APIs between services?
- How do you handle breaking changes?
- What versioning strategy do you use for events?
Evaluation criteria
- Clear versioning strategy (URL, header, or content negotiation)
- Plan for breaking changes with no downtime
- Event versioning considered
Deliverable
Your assessment must include:
- Architecture document (1-2 pages): component diagram, key decisions, and justifications
- Flow diagram for the main use case: book appointment β pay β hold consultation
- List of trade-offs: what you sacrificed and why
- Migration plan: how you would get from the MVP to the complete architecture
Rubric
| Criterion | Weight |
|---|---|
| Consistency across decisions | 25% |
| Justification of trade-offs | 25% |
| Consideration of non-functional requirements | 20% |
| Completeness (all parts covered) | 15% |
| Clarity of communication | 15% |
Final reflection
By completing this assessment, you will have practiced the full architectural design process β from requirements through to operations. This is the same process you would follow on a real project.
Remember: architecture is not a static document. It is a set of decisions that evolve with the system, the team, and the business. What matters is not getting everything right from the start, but having a solid process for making decisions and adapting when things change.