Command Routing Strategies in CQRS Microservices

⏱ 21 min read

Most distributed systems don’t fail because the teams forgot a pattern name. They fail because a business decision took the scenic route through the wrong service, arrived late, and changed state in a place that never truly owned it.

That is the heart of command routing in CQRS microservices. microservices architecture diagrams

People often discuss CQRS as if the hard part were splitting reads from writes. It isn’t. The hard part is deciding, with precision, where a command should go, why it belongs there, and what should happen when the rest of the landscape disagrees. In a real enterprise, commands do not travel through a tidy textbook. They pass through API gateways, workflow engines, Kafka topics, anti-corruption layers, legacy systems, and teams with conflicting boundaries. They cross contexts. They trigger policies. They expose all the cracks in your domain model. event-driven architecture patterns

A command is not just a message. It is a claim about intent. “Approve loan.” “Cancel order.” “Reserve inventory.” Those phrases have business meaning, and routing them carelessly is how we end up with a distributed ball of mud wearing a microservices badge.

So this article is about routing decisions. Not just the mechanics of sending a payload to a queue, but the architecture behind choosing the correct handler in a CQRS landscape. We will look at the forces that shape the design, the practical routing patterns, the migration path from monolith or layered systems, the role of Kafka and asynchronous workflows, and the unpleasant but unavoidable topics: reconciliation, failure modes, and when not to use any of this at all.

The short version is simple: route commands according to domain ownership, not technical convenience. The long version is what follows.

Context

CQRS in microservices usually emerges for one of three reasons.

First, scale. A system has diverging read and write workloads, and the team needs write-side integrity without dragging every query through a transactional model.

Second, complexity. The business process has enough rules, invariants, and temporal behavior that a single CRUD model no longer reflects reality.

Third, organizational design. Separate teams own separate business capabilities, and they need autonomy over release cadence, persistence choices, and operating models.

In these environments, command routing stops being trivial. In a monolith, routing is an in-process method call hidden behind a controller or application service. In a microservice estate, routing becomes a first-class architectural concern. The moment a command can be accepted by one service, enriched by another, rejected by a policy engine, or transformed during migration, someone has to decide where authority lives.

This is where domain-driven design matters. CQRS without DDD thinking often degenerates into transport-driven architecture: “send it to the service with the table” or “publish it on Kafka and let someone pick it up.” That is cargo cult design. Commands belong to aggregates or process boundaries that enforce business invariants. The routing strategy must reflect the ubiquitous language and the bounded context map, not merely the network topology.

The router decision tree is therefore not an infrastructure diagram. It is a domain statement encoded in software.

Problem

Suppose a customer submits a command to cancel an order.

At first glance this sounds easy. Send CancelOrder to the Order Service. Done.

But in the real world, the order may already be invoiced, partially shipped, reserved in inventory, financed through a payment schedule, and synchronized to a legacy ERP. The “cancel” intent may mean different things in different bounded contexts:

  • In Order Management, it means “transition the order aggregate to a cancelled state if allowed.”
  • In Fulfillment, it means “attempt to stop picking and shipment.”
  • In Billing, it means “void or issue credit according to accounting rules.”
  • In Customer Care, it may require human approval.
  • In a Legacy ERP, it may be represented as a reversal transaction, not a cancellation.

Now ask the routing question again: where does CancelOrder go?

If you route it to every interested service, you have turned a command into an event and surrendered authority. If you route it to an orchestrator that decides everything, you may create a god service. If you route it to the wrong context, you risk violating invariants, duplicating business rules, or creating reconciliation headaches when two systems both believe they own the same state transition.

That is the problem. A command in CQRS microservices is not merely delivered. It must be owned, validated, authorized, sequenced, and observed. Routing is the mechanism by which ownership is made operational.

Forces

Several forces pull the architecture in different directions.

Domain ownership versus user-facing workflows

The business wants one endpoint for “cancel order.” The domain model may require multiple contexts to participate. You want a clean user journey, but not at the expense of fuzzy ownership.

Strong consistency versus autonomy

Some commands must enforce invariants immediately. “Approve payment above credit limit” is not eventually consistent in any meaningful sense. Yet microservices thrive on autonomy and local transactions. Routing has to choose where immediate decisions happen and where downstream consequences are asynchronous.

Latency versus correctness

Direct synchronous routing is easier to reason about for immediate responses. Kafka-based asynchronous routing improves decoupling and resilience, but introduces ambiguity around completion, timeout, retries, and duplicate processing.

Stable business language versus evolving service topology

Bounded contexts should reflect durable domain concepts. Deployments, teams, and data stores change more often. A good routing strategy should survive infrastructure churn.

Migration constraints

Very few enterprises get to start clean. You may have a monolith, a service mesh, an ESB, or a large ERP integration layer. Routing often has to straddle old and new worlds for years, not months.

Auditability and compliance

In regulated industries, you need to answer “who issued this command, under what policy, to which authority, and what happened next?” Routing cannot be a black box.

Failure containment

Misrouted commands are expensive. Duplicate commands are worse. Commands sent to the right service at the wrong time can trigger compensations, legal exposure, or customer harm.

This is why command routing deserves explicit design. It is where business semantics meet distributed systems reality.

Solution

The best strategy is usually a layered command routing model, anchored on domain ownership.

Here is the principle I recommend:

Route each command to the single bounded context that owns the invariant the command intends to change. Then publish resulting facts for other contexts to react to.

That sounds obvious. It is not widely practiced.

Teams often route commands to a workflow service because the UI talks in workflows. Or to a gateway because centralization feels tidy. Or to Kafka because asynchronous messaging is fashionable. All three can be valid, but only if they preserve the rule: the command reaches an authoritative handler, not a committee.

A practical router decision tree usually asks five questions:

  1. What business capability owns the state transition?
  2. Is the command targeting an aggregate invariant or coordinating a cross-context process?
  3. Does the caller require immediate acceptance, immediate outcome, or eventual completion?
  4. Is the command native to the target bounded context, or does it require translation through an anti-corruption layer?
  5. What is the failure contract: reject, retry, compensate, or reconcile?

If the command changes an aggregate under one bounded context, route directly there. If it initiates a long-running business process spanning contexts, route to a process manager or saga coordinator that issues downstream commands. If it originates in a foreign model, route through an anti-corruption layer first. If no single context owns the invariant, you probably have a boundary problem, not a routing problem.

A command router should therefore be intentionally boring in the middle and very smart at the edges. Its job is not to contain business logic. Its job is to make business ownership executable.

Core routing strategies

1. Direct authoritative routing

A command is sent synchronously to the service that owns the aggregate or transactional rule.

Examples:

  • ChangeCustomerAddress → Customer Service
  • ApproveLoan → Lending Decision Service
  • ReserveInventory → Inventory Service

Use this when:

  • the command maps cleanly to one bounded context,
  • immediate validation matters,
  • the caller needs a strong acceptance or rejection signal.

This is the default. If in doubt, start here.

2. Orchestrated process routing

A command is sent to a workflow or process service that owns the business process, not the domain state of every participant. The orchestrator issues downstream commands to authoritative services.

Examples:

  • SubmitClaim
  • OnboardCorporateCustomer
  • CloseTradingAccount

Use this when:

  • the process spans multiple bounded contexts,
  • steps are long-running,
  • there are pauses, compensations, approvals, or human tasks.

The trick is discipline. The process manager owns progression, not all business invariants. It must not become the place where all domain rules go to die.

3. Event-initiated command routing via Kafka

An event in Kafka triggers a service to issue a command internally or to another bounded context through a controlled integration contract.

Examples:

  • OrderPlaced event leads Fulfillment to create a picking task
  • PaymentCaptured leads Billing to issue an invoice command
  • CustomerKYCApproved leads Account Service to activate an account

Use this when:

  • the downstream action is consequential but not part of the original transactional invariant,
  • asynchronous decoupling is acceptable,
  • replay and audit matter.

This is powerful, but dangerous when teams start treating events as commands in disguise. Events announce facts. Commands express intent. Keep the distinction sharp.

4. Policy-based routing

A lightweight router evaluates metadata, tenant, product line, region, or migration flags to decide which authoritative handler receives the command.

Examples:

  • route mortgage applications by jurisdiction,
  • route according to product platform generation,
  • route between legacy and new service during strangler migration.

Use this when:

  • domain ownership is stable, but implementation destination varies.

This is especially useful in migration, but it must remain transparent and temporary where possible.

Architecture

A healthy command routing architecture has a few recognizable pieces: entry points, command contracts, routing logic, authoritative handlers, event publication, and reconciliation mechanisms.

Architecture
Architecture

The important point in this picture is not the boxes. It is the authority model.

  • The API Gateway may authenticate, authorize, normalize, and correlate.
  • The Command Router decides the destination based on domain semantics and policy.
  • The authoritative service validates invariants and performs the state transition.
  • Kafka distributes resulting facts to interested parties.
  • An anti-corruption layer protects the new model from legacy semantics.

Router decision tree

Here is a simplified decision tree for routing commands in CQRS microservices.

Router decision tree
Router decision tree

This diagram hides an uncomfortable truth: some commands expose that your bounded contexts are wrong. Architects often treat routing complexity as an integration challenge when it is really a domain modeling failure. If no one can confidently answer who owns the invariant, stop adding infrastructure and fix the boundaries.

Domain semantics first

The wording of commands matters.

UpdateOrderStatus is often a smell. It sounds generic because it bypasses domain language. Better commands are:

  • ConfirmOrder
  • CancelOrder
  • ReleaseOrderForFulfillment
  • MarkOrderAsFraudulent

Generic commands produce generic routing. Generic routing creates accidental coupling. Domain-specific commands reveal ownership and sharpen invariants.

This is classic domain-driven design. Commands should speak the language of the bounded context they target. If the incoming language belongs to another context, translate it. Do not leak foreign terms into the core model merely to simplify routing.

Migration Strategy

Most enterprises adopt CQRS microservices in the shadow of existing systems. That means the routing architecture must support coexistence. The romantic version of migration says we decompose the monolith, move commands to new services, and switch traffic. The real version is slower, stranger, and full of duplicate truth.

Progressive strangler migration is the right mental model.

You do not replace command routing all at once. You introduce a routing layer in front of the existing write path, then peel off command types or business segments one by one. The router becomes the control point for moving authority safely.

A pragmatic strangler sequence

  1. Inventory command types and ownership

    2. - identify commands by business intent, not controller endpoint,

    - map each to current implementation and future bounded context.

  1. Introduce a stable command ingress

    2. - API or message contract remains stable,

    - router initially forwards everything to the monolith or legacy write model.

  1. Carve out one command family

    2. - start with a cohesive capability, such as customer address changes or order cancellation,

    - implement the new authoritative service,

    - route only those commands to the new path.

  1. Publish integration events

    2. - keep downstream consumers informed,

    - maintain compatibility with old reporting and operational processes.

  1. Reconcile old and new state

    2. - compare outcomes,

    - resolve drift,

    - build confidence before expanding.

  1. Shift adjacent commands

    2. - move related state transitions together where possible,

    - avoid splitting one aggregate’s invariants across old and new systems for too long.

  1. Retire legacy handlers

    2. - only after operational evidence confirms ownership is truly transferred.

Dual-write is not migration strategy

During strangler efforts, teams are tempted to send the same command to old and new systems “for safety.” This is usually a trap. You now have two authoritative handlers and no principled owner. Better patterns are:

  • route the command to one owner,
  • replicate state outward through events,
  • run shadow validation in the non-authoritative system,
  • reconcile discrepancies explicitly.

Reconciliation is not optional

Eventually consistent migration without reconciliation is wishful thinking dressed as architecture.

When commands are rerouted gradually, discrepancies will occur:

  • one side rejects for a rule the other no longer enforces,
  • one system processes duplicates differently,
  • legacy reference data lags,
  • Kafka consumers replay messages after a schema change,
  • compensations fail halfway through.

So define reconciliation up front:

  • what records are compared,
  • on what cadence,
  • which system is the source of truth for each command family,
  • how drift is classified,
  • who fixes it and how.

A good reconciliation process includes automated diff jobs, operational dashboards, and domain-specific repair commands. Not SQL scripts passed around on Friday evening.

Diagram 3
Reconciliation is not optional

That sequence is dull by design. Enterprise architecture should prefer repeatable dullness over heroic cleverness.

Enterprise Example

Consider a global retailer modernizing order management.

The retailer had a central commerce platform backed by a large relational database and nightly synchronization to SAP. Over time, they introduced microservices for pricing, inventory visibility, fulfillment, and customer communications. CQRS was adopted selectively because reads were heavy and writes carried substantial business rules.

The first serious routing issue appeared with order cancellation.

Originally, the web channel called a monolith endpoint. The monolith updated order tables and pushed changes to downstream systems. But as fulfillment moved to a separate service and payment handling moved to a payment platform, cancellation became a business process, not a simple update.

The team’s first instinct was a central “Order Workflow Service” that accepted every command and distributed tasks. Within six months it knew too much:

  • inventory reservation rules,
  • refund eligibility,
  • shipping carrier cutoffs,
  • fraud hold overrides,
  • SAP reversal codes.

It became the system of anxiety. Every change request went there.

The architecture was corrected by separating command routing from process orchestration.

  • CancelOrder was routed to Order Management, because cancellation permission belonged to the order aggregate and its core invariants.
  • If accepted, Order Management emitted OrderCancelled.
  • A Cancellation Process Manager reacted only when downstream activities were required: release reservation, stop shipment, issue refund, notify customer, update SAP.
  • Fulfillment and Billing remained authoritative over their own compensating actions.
  • An anti-corruption layer translated modern events into SAP transactions.
  • Kafka carried domain and integration events with explicit versioning.
  • Reconciliation compared cancelled orders in Order Management, refund records in Billing, and reversal postings in SAP.

The result was not perfect elegance. There were delays. Some downstream reversals took minutes. Customer support needed a status dashboard that showed “cancellation accepted, refund pending.” But the ownership model was finally clear.

The lesson was stark: the first command recipient is not always the process owner, and the process owner is not the owner of every rule.

That distinction saved them.

Operational Considerations

Once commands move across services, the operational model becomes part of the design.

Idempotency

Commands will be retried. Sometimes by clients. Sometimes by routers. Sometimes by Kafka consumers after rebalancing or timeout. The authoritative handler must support idempotent processing where feasible, usually via command IDs, aggregate version checks, or business keys.

Without idempotency, retries become duplicate side effects. That is not resilience. That is multiplication.

Correlation and traceability

Every command should carry:

  • command ID,
  • causation ID,
  • correlation ID,
  • tenant and principal context,
  • timestamp,
  • version.

This is not paperwork. It is how you explain to auditors and operators what happened.

Backpressure and admission control

A command router can become a traffic amplifier. If a flash sale pushes a surge of PlaceOrder and CancelOrder commands, downstream hot partitions can collapse. Routers should support rate shaping, queueing policies, and selective rejection rather than turning every spike into a cascading failure.

Ordering guarantees

Some commands require per-aggregate ordering. Kafka can help if partitioning aligns with the aggregate key, but many enterprise landscapes break this accidentally by repartitioning on tenant or region. If command order matters, make it explicit in the design.

Schema and contract evolution

Command contracts evolve more delicately than events because they express intent. A new optional field is easy. A changed meaning is dangerous. Use versioning, tolerant readers where appropriate, and translation at bounded context boundaries.

Security and authorization

Authorization should not be left solely to edge gateways. A router may validate high-level policy, but the authoritative service must enforce domain authorization. “Can this principal approve this limit increase for this jurisdiction?” is domain logic wearing a security badge.

Observability by business outcome

Do not stop at CPU, latency, and consumer lag. Track:

  • command acceptance rate,
  • rejection reasons by domain category,
  • median completion time for multi-step processes,
  • compensation frequency,
  • reconciliation drift volume.

You want to know not only whether the system is alive, but whether the business is coherent.

Tradeoffs

No routing strategy is free.

Direct routing tradeoffs

Pros

  • clear authority,
  • straightforward invariants,
  • simpler reasoning,
  • easier synchronous UX.

Cons

  • tighter runtime coupling,
  • can expose latency from the authoritative service,
  • less flexible for long-running processes.

Orchestrated routing tradeoffs

Pros

  • good fit for long-running workflows,
  • central visibility of process progression,
  • explicit compensations.

Cons

  • easy to create a god orchestrator,
  • duplicated business rules if not disciplined,
  • operational complexity increases quickly.

Kafka-centric routing tradeoffs

Pros

  • decoupling,
  • scalability,
  • replayability,
  • temporal buffering.

Cons

  • eventual consistency by default,
  • weaker immediate user feedback,
  • more failure states,
  • easy confusion between events and commands.

Policy-based migration routing tradeoffs

Pros

  • supports strangler migration,
  • lowers cutover risk,
  • enables tenant or region slicing.

Cons

  • hidden complexity,
  • temporary logic tends to become permanent,
  • debugging route selection can become painful.

My bias is plain: prefer direct authoritative routing for domain commands, and use orchestration or Kafka where business process and temporal decoupling genuinely require it. Do not start with an event-driven maze because it looks modern on a slide.

Failure Modes

Distributed command routing fails in predictable ways. The tragedy is that teams keep acting surprised.

Misidentified ownership

A command is routed to the service with the data, not the service with the invariant. Business rules leak, duplicate, and drift.

Command-event confusion

Teams publish “commands” onto Kafka as if any consumer may pick them up. This destroys single authority and creates race conditions disguised as flexibility.

Orchestrator obesity

The process manager accumulates all domain logic. Eventually every change funnels through one team, and your “microservices” are just remote procedure calls orbiting a central brain.

Split authority during migration

Legacy and new systems both process the same intent. Reconciliation becomes endless, and no one knows which result wins.

Hidden temporal assumptions

A UI assumes a command is complete when it is merely accepted. Customers see “cancelled” while billing still shows “refund pending,” and support gets the angry calls.

Poison message loops

Malformed or semantically invalid commands keep retrying through queues or Kafka consumers. Without dead-letter and triage policies, the platform slowly fills with trapped intent.

Over-generic commands

UpdateAccount, SaveOrder, ProcessCase. These force routing to inspect payload internals or embed giant conditional logic. The command model has failed before the router even starts.

When Not To Use

CQRS microservices with sophisticated command routing are not a moral virtue. Sometimes they are simply the wrong tool.

Do not use this style when:

  • your domain is simple CRUD with weak invariants,
  • the team cannot sustain operational complexity,
  • the business does not need separate read and write models,
  • organizational boundaries are unstable,
  • you are still guessing at core domain concepts,
  • latency and transactional simplicity matter more than autonomy,
  • a modular monolith would solve the real problem.

A modular monolith with clear application services and domain boundaries often gives you the benefits people actually need: explicit ownership, clean command handling, and easier refactoring. Many enterprises jump to distributed routing to escape a bad monolith and merely end up with a bad distributed monolith.

The rule is blunt: if your bounded contexts are not yet clear in-process, they will not become clearer over the network.

Several patterns sit next to command routing and should be considered together.

Saga / Process Manager

Coordinates long-running workflows across bounded contexts. Useful when no single transaction can span the process.

Anti-Corruption Layer

Translates commands and events between old and new models or across bounded contexts with different semantics.

Outbox Pattern

Ensures that state changes and event publication happen reliably without dual-write inconsistency.

Idempotent Consumer

Protects downstream processing from duplicate delivery.

Strangler Fig Pattern

Supports incremental migration by gradually shifting command families from legacy to new services.

Event Sourcing

Sometimes paired with CQRS, but not required. It can sharpen command handling around aggregates, though it introduces its own operational and modeling demands.

Domain Events versus Integration Events

Domain events reflect internal business facts. Integration events are tailored for external consumption. Conflating them creates coupling and brittle routing contracts.

These patterns are not a menu to order everything from. They are tools. Use the minimum set needed to preserve domain clarity and operational sanity.

Summary

Command routing in CQRS microservices is where architecture either tells the truth about the business or begins to lie.

The right strategy starts with domain-driven design. Commands are intent, not packets. They should be routed to the bounded context that owns the invariant they want to change. Direct routing should be your default. Process managers should coordinate long-running workflows, not hoard all business logic. Kafka is excellent for propagating facts and triggering downstream work, but it should not dissolve the distinction between command and event.

Migration matters just as much as greenfield design. A progressive strangler approach lets you move command authority incrementally, with policy-based routing, anti-corruption layers, and explicit reconciliation. In large enterprises, that reconciliation capability is not an afterthought. It is the price of eventual consistency and phased change.

The tradeoffs are real. You gain autonomy, scalability, and cleaner ownership, but you also inherit retries, duplicates, ordering concerns, and more subtle failure modes. And sometimes the wisest choice is not to use CQRS microservices at all.

If there is one memorable rule to keep, let it be this:

Route commands by business authority. Publish events by business fact. Reconcile where time and migration make liars of us all.

That is not glamorous. It is just how enterprise systems stay honest.

Frequently Asked Questions

What is a service mesh?

A service mesh is an infrastructure layer managing service-to-service communication. It provides mutual TLS, load balancing, circuit breaking, retries, and observability without each service implementing these capabilities. Istio and Linkerd are common implementations.

How do you document microservices architecture for governance?

Use ArchiMate Application Cooperation diagrams for the service landscape, UML Component diagrams for internal structure, UML Sequence diagrams for key flows, and UML Deployment diagrams for Kubernetes topology. All views can coexist in Sparx EA with full traceability.

What is the difference between choreography and orchestration in microservices?

Choreography has services react to events independently — no central coordinator. Orchestration uses a central workflow engine that calls services in sequence. Choreography scales better but is harder to debug; orchestration is easier to reason about but creates a central coupling point.