One slow dependency can take down an entire system. A payment service starts responding in 30 seconds instead of 300ms; every request that needs it now holds a thread, waiting. Threads pile up, connection pools drain, and a service that has nothing to do with payments runs out of capacity and falls over too. The failure didn't stay contained — it cascaded. The circuit breaker pattern exists to stop exactly this.
Borrowed from electrical engineering — where a breaker trips to stop a surge from burning down the house — the software circuit breaker wraps calls to a dependency and trips open when that dependency is failing, so callers fail fast instead of piling up against something that's already down. This guide explains how it works, its three states, how to tune it, and how to monitor it.
The Problem: Cascading Failure
In a distributed system, services call services. When one link in that chain slows or fails, the naive behavior is to keep trying and keep waiting — and that's what turns a small, local problem into a system-wide outage:
- Resource exhaustion. Every request blocked waiting on a dead dependency holds a thread, a connection, and memory. Enough of them and the caller runs out of resources and fails too.
- Retry amplification. Callers (and their callers) retry, multiplying load on a service that's already struggling — kicking it while it's down.
- Latency propagation. Slowness ripples upward: a 30-second timeout deep in the stack becomes a 30-second hang for the end user.
The result is a cascading failure: the blast radius of one failing component expands across the whole system. A circuit breaker contains that blast radius.
How a Circuit Breaker Works
The breaker sits between a caller and a dependency, watching the outcome of every call. When failures cross a threshold, it stops letting calls through — it "trips." Instead of waiting on a doomed request, the caller gets an immediate failure (or a fallback) and moves on. After a cool-down, the breaker cautiously tests whether the dependency has recovered.
This delivers two wins at once: the caller stops wasting resources on calls that will fail anyway, and the struggling dependency gets breathing room to recover instead of being hammered.
The Three States
A circuit breaker is a small state machine with three states:
| State | Behavior | Transition |
|---|---|---|
| Closed | Calls pass through normally; failures are counted | Trips to Open when failures exceed the threshold |
| Open | Calls fail instantly (no request sent); a fallback runs if defined | After a timeout, moves to Half-Open |
| Half-Open | A few trial calls are allowed through to test recovery | Success → Closed; failure → back to Open |
- Closed is normal operation. The breaker tracks the failure rate and, as long as the dependency is healthy, stays out of the way.
- Open is the tripped state. For the duration of the cool-down, calls short-circuit immediately — no thread held, no timeout waited. This is the "fail fast" that protects the caller and relieves the dependency.
- Half-Open is the careful recovery probe. After the cool-down, the breaker lets a limited number of requests through. If they succeed, it closes and traffic resumes; if they fail, it re-opens and waits again — avoiding a stampede back onto a service that isn't ready.
Tuning a Circuit Breaker
The defaults that ship with a library are a starting point, not an answer. Key knobs:
- Failure threshold. How many failures (or what failure rate) trips the breaker. Too sensitive and it opens on normal blips; too lax and it never protects you. A rate over a rolling window (e.g. ">50% of the last 20 calls failed") is usually better than a raw count.
- What counts as a failure. Timeouts and
5xxerrors, yes. But a4xxlike400 Bad Requestis the caller's fault, not the dependency's — counting it would trip the breaker for the wrong reason. Be deliberate. - Cool-down (open) duration. How long to stay open before probing. Long enough to give real recovery time; short enough that you're not failing requests longer than necessary.
- Half-open trial volume. How many probe requests to allow. Too many and you re-stampede a fragile service; one or a small handful is typically right.
- Pair it with sane timeouts. A circuit breaker can't fail fast if the underlying call has no timeout — it'll hang before the breaker ever sees a failure. Aggressive timeouts and circuit breakers work together.
Circuit Breakers and Fallbacks
Tripping open is only half the design — the other half is what happens to the caller when it does. Options, roughly best to worst:
- Serve a degraded but useful response — cached data, a default, or a reduced feature. This is graceful degradation in action: the recommendations widget shows generic picks instead of personalized ones, but the page still loads.
- Fail fast with a clear error so the user (or upstream caller) can react immediately, rather than spinning.
- Queue the work for later if it doesn't need to happen synchronously.
The worst option is the one a circuit breaker prevents: hang indefinitely and take the rest of the system down with you.
What to Monitor
A circuit breaker is itself a rich source of signal — its state changes tell you about dependency health in real time:
- Breaker state and trip events. An opening breaker is an early, high-value alert: a dependency is failing before it has cascaded. Track every Closed→Open transition.
- Time spent open. A breaker that's open a lot, or stuck open, points to a dependency that isn't recovering — escalate it by incident severity.
- Fallback rate. How often you're serving the degraded path tells you the real user impact.
- The dependency's own golden signals. Latency and error rate on the wrapped call are what drive the breaker; watch them directly.
A flapping breaker — rapidly opening and closing — is its own warning sign that the dependency is marginally healthy and your thresholds may need tuning, much like any unstable alert.
How Webalert Helps
A circuit breaker protects your system from a failing dependency — but you still need to know which dependency failed and when. That's where outside-in monitoring comes in:
- Third-party and dependency checks that watch the external APIs and services your app relies on, so you see the failure that trips your breakers — independent of your own instrumentation.
- Latency and error-rate tracking on critical endpoints, surfacing the degradation that should trip a breaker (and flagging when one isn't configured).
- Multi-region checks that distinguish "the dependency is down for everyone" from "one path to it is degraded."
- Fast alerting on sustained failure, so an open breaker is matched by a human knowing about it.
Circuit breakers keep one failure from becoming many; Webalert tells you the failure happened in the first place.
Summary
The circuit breaker pattern stops a single failing dependency from cascading into a system-wide outage. By wrapping calls and tripping open when failures cross a threshold, it lets callers fail fast instead of piling up resources against a dead service — and gives that service room to recover. Its three states (closed, open, half-open) form a simple state machine that probes carefully before restoring traffic.
Tune the failure threshold, decide deliberately what counts as a failure, set a sensible cool-down, and always pair breakers with timeouts and a fallback. Then monitor the breaker itself: trip events are some of the earliest, clearest signals you'll get that a dependency is in trouble. Used well, the circuit breaker is one of the highest-leverage resilience patterns there is.