Circuit Breaker Pattern: Microservices Resilience & Cascading Failures

What is a Cascading Failure?

A cascading failure is when the failure of one component causes a chain reaction that brings down other components — until the entire system collapses.

It's the digital equivalent of a power grid blackout: one substation trips, overloads the next, which trips, overloads the next — until entire cities go dark.

Cascading Failure — The Domino Effect

  User Request
       │
       ▼
  ┌──────────┐      ┌──────────────┐      ┌──────────┐
  │  App     │─────▶│  Razorpay    │─────▶│ Bank API │
  │  Server  │      │  Gateway     │ ✗    │ (slow)   │
  └──────────┘      └──────────────┘      └──────────┘
       │                   │
   Threads             Threads
   blocking             blocking
   (waiting)           (waiting for bank)
       │
       ▼
  New requests pile up
  Memory fills up
  Thread pool exhausted
       │
       ▼
  ┌──────────────────────────┐
  │   ENTIRE APP CRASHES     │  ← because of ONE slow dependency
  └──────────────────────────┘

The core problem: Your app keeps sending requests to a broken dependency. Each request blocks a thread while waiting for a timeout. Thread pool fills up. No threads left to serve other requests. App dies — even the parts that have nothing to do with payments.

Why It Happens — Thread Exhaustion

Modern web servers use a thread pool to handle requests. When Razorpay slows down, here's what happens at the thread level:

Razorpay starts responding slowly (5s instead of 200ms)

Each request to your payment service now takes 5 seconds to complete or timeout. During those 5 seconds, the thread is blocked — it can't do anything else.

New requests keep arriving at normal rate

Users don't know Razorpay is slow. They keep clicking "Pay". Each click spawns a new thread. Your thread pool starts filling up.

Thread pool saturates

With 200 threads and each taking 5s, you exhaust your thread pool in ~40 requests/second. After that, new requests queue up — and the queue fills up too.

Everything else dies

Now even requests that have nothing to do with payments — product pages, login, search — can't get a thread. The whole app is down because of one slow external service.

// What thread exhaustion looks like in metrics
Thread pool size:     200
Threads waiting on Razorpay:  200   ← all blocked
Threads available:      0   ← nothing left
Request queue length:  4800  ← backing up fast
P99 latency:         30000ms  ← everything timing out

// Result: your /home, /login, /search endpoints all return 503
// because of a payment provider outage

The Circuit Breaker Pattern

The Circuit Breaker is a design pattern borrowed from electrical engineering. In your home, a circuit breaker trips when it detects dangerous current — it breaks the circuit to prevent fire and damage.

In software: when a dependency starts failing, the Circuit Breaker stops sending requests to it. Instead of letting threads pile up waiting for timeouts, it fails fast — immediately returning an error or fallback response.

Circuit Breaker — How It Sits in Your Architecture

  ┌──────────────────────────────────────────────────────┐
  │                    Your Service                       │
  │                                                      │
  │    ┌──────────┐    ┌─────────────────┐    ┌───────┐ │
  │    │  Your    │───▶│ Circuit Breaker │───▶│ Razorpay│
  │    │  Code    │    │  (proxy/wrapper)│    │ API   │ │
  │    └──────────┘    └────────┬────────┘    └───────┘ │
  │                            │ (when OPEN)             │
  │                            ▼                         │
  │                   ┌─────────────────┐                │
  │                   │  Fallback Logic │                │
  │                   │  (use Paytm /   │                │
  │                   │   return error) │                │
  │                   └─────────────────┘                │
  └──────────────────────────────────────────────────────┘

The 3 States Every Engineer Must Know

CLOSED Normal operation

Everything is healthy. Requests flow through to the dependency normally. The CB is monitoring the failure rate in a sliding time window.

If failure rate exceeds the threshold (e.g. 50% of calls fail in 10 seconds) → trips to OPEN.

↓ failure rate > threshold

OPEN Failure detected — blocking requests

The CB stops sending ALL requests to the broken dependency. Instead, it immediately returns a fallback response — no waiting, no thread blocking.

After a configured timeout (e.g. 30 seconds) → transitions to HALF-OPEN to test recovery.

↓ after timeout window

HALF-OPEN Testing recovery

The CB allows a small number of test requests through. If they succeed → the service has recovered → trips back to CLOSED. If they fail → trips back to OPEN.

This is the self-healing mechanism. No engineer needs to manually reset anything.

State Machine Diagram

                    failures > threshold
  ┌─────────┐ ─────────────────────────────▶ ┌──────────┐
  │ CLOSED  │                                 │  OPEN    │
  │  ●●●    │ ◀─────────────────────────────  │  ○○○    │
  └─────────┘   test succeeds                 └────┬─────┘
       ▲                                           │
       │                                    after timeout
       │                                           │
       │         test succeeds              ┌──────▼──────┐
       └────────────────────────────────────│  HALF-OPEN  │
                test fails → back to OPEN   │    ◑◑◑     │
                                            └─────────────┘

Real World: Razorpay → Paytm Fallback

Here's the exact scenario from the reel, with full engineering detail:

Normal

CB is CLOSED — all payments via Razorpay

Traffic flows normally. CB monitors: 0% failure rate. Avg response: 180ms. All good.

Failure

Razorpay slows down — failure rate spikes

Razorpay API starts returning 504s. Within the 10-second sliding window, 60% of calls fail. CB threshold crossed → trips to OPEN.

OPEN

CB OPEN — all new requests routed to Paytm fallback

Instead of waiting for Razorpay to timeout, the CB immediately returns a fallback. Your code routes to Paytm. Users see "Pay via Paytm" — no crash, no 503. Zero engineers woken up at 3AM.

Recovery

30 seconds later — CB goes HALF-OPEN

CB allows 3 test requests to Razorpay. All succeed. Response times back to 180ms. CB trips back to CLOSED. Traffic shifts back to Razorpay automatically.

Code Implementation

Pick your language — each example includes the recommended library, configuration explanation, and the Razorpay → Paytm fallback pattern.

Library: Resilience4j — the standard for Spring Boot microservices.
How it works: A sliding window tracks the last N calls. When failure rate exceeds the threshold, the CB trips OPEN. After waitDurationInOpenState, it goes HALF-OPEN and lets N test requests through. If they succeed → CLOSED.

/* ── 1. Add dependency (build.gradle) ─────────────────── */
implementation 'io.github.resilience4j:resilience4j-spring-boot3:2.2.0'

/* ── 2. Configure in application.yml ──────────────────── */
resilience4j:
  circuitbreaker:
    instances:
      razorpay:
        slidingWindowType: COUNT_BASED
        slidingWindowSize: 10          # track last 10 calls
        failureRateThreshold: 50       # trip if >50% fail
        waitDurationInOpenState: 30s  # stay OPEN 30 seconds
        permittedNumberOfCallsInHalfOpenState: 3
        slowCallDurationThreshold: 2s # slow = failure too
        slowCallRateThreshold: 80

/* ── 3. Use in your service ────────────────────────────── */
@Service
public class PaymentService {

    // Primary: Razorpay. Fallback: Paytm
    @CircuitBreaker(name = "razorpay", fallbackMethod = "payViaPaytm")
    public PaymentResult payViaRazorpay(PaymentRequest req) {
        // This call is protected by the CB
        return razorpayClient.processPayment(req);
    }

    // Called automatically when CB is OPEN or call fails
    public PaymentResult payViaPaytm(PaymentRequest req, Exception ex) {
        log.warn("Razorpay CB open, using Paytm fallback", ex);
        return paytmClient.processPayment(req);
    }
}

/* ── 4. Monitor CB state changes ──────────────────────── */
@Component
public class CBEventListener {

    @EventListener
    public void onOpen(CircuitBreakerOnStateTransitionEvent e) {
        if (e.getStateTransition().getToState() == OPEN) {
            alertService.page("Razorpay CB tripped OPEN");
        }
    }
}

Library: opossum — the most popular CB library for Node.js.
How it works: Wraps any async function. Tracks errors and timeouts in a rolling window. Emits events on state changes so you can log, alert, or switch metrics.

// npm install opossum

const CircuitBreaker = require('opossum');

// ── 1. Configure ─────────────────────────────────────────
const options = {
  timeout: 3000,                  // treat as failure if takes >3s
  errorThresholdPercentage: 50,    // trip OPEN if 50% of calls fail
  resetTimeout: 30000,             // wait 30s before HALF-OPEN
  volumeThreshold: 5,             // minimum calls before tripping
};

// ── 2. Wrap your external call ───────────────────────────
async function callRazorpay(req) {
  const res = await fetch('https://api.razorpay.com/v1/payments', {
    method: 'POST', body: JSON.stringify(req)
  });
  if (!res.ok) throw new Error(`Razorpay error: ${res.status}`);
  return res.json();
}

const breaker = new CircuitBreaker(callRazorpay, options);

// ── 3. Define fallback ───────────────────────────────────
breaker.fallback(async (req) => {
  console.warn('CB OPEN — routing to Paytm');
  return callPaytm(req);           // secondary payment provider
});

// ── 4. Listen to state changes ───────────────────────────
breaker.on('open',     () => logger.alert('Razorpay CB → OPEN'));
breaker.on('halfOpen', () => logger.info('Razorpay CB → HALF-OPEN (testing)'));
breaker.on('close',    () => logger.info('Razorpay CB → CLOSED (recovered)'));
breaker.on('fallback', () => metrics.increment('payment.fallback.paytm'));

// ── 5. Use it ────────────────────────────────────────────
app.post('/pay', async (req, res) => {
  try {
    const result = await breaker.fire(req.body);  // CB handles everything
    res.json({ success: true, data: result });
  } catch (err) {
    res.status(503).json({ error: 'Payment unavailable' });
  }
});

Library: pybreaker — lightweight, zero dependencies.
How it works: Wraps any callable. Raises CircuitBreakerError when OPEN so you can catch and route to fallback. Configures failure threshold and recovery timeout.

# pip install pybreaker requests

import pybreaker
import requests
import logging
from functools import wraps

# ── 1. Configure the breaker ──────────────────────────────
class PaymentListener(pybreaker.CircuitBreakerListener):
    def state_change(self, cb, old_state, new_state):
        logging.warning(
            f"CircuitBreaker '{cb.name}': {old_state} → {new_state}"
        )
        if str(new_state) == "open":
            alert_oncall(f"CB OPEN: {cb.name} — switching to fallback")

razorpay_breaker = pybreaker.CircuitBreaker(
    fail_max=5,                  # trip after 5 consecutive failures
    reset_timeout=30,            # wait 30s before HALF-OPEN
    name="razorpay",
    listeners=[PaymentListener()]
)

# ── 2. Protect the external call ──────────────────────────
@razorpay_breaker          # decorator wraps the function
def call_razorpay(payload: dict) -> dict:
    response = requests.post(
        "https://api.razorpay.com/v1/payments",
        json=payload,
        timeout=3             # always set a timeout!
    )
    response.raise_for_status()
    return response.json()

# ── 3. Route to fallback when CB is OPEN ──────────────────
def process_payment(payload: dict) -> dict:
    try:
        return call_razorpay(payload)
    except pybreaker.CircuitBreakerError:
        # CB is OPEN — fail fast, use Paytm
        logging.warning("Razorpay CB open — routing to Paytm")
        return call_paytm(payload)
    except requests.RequestException as e:
        # Real error — CB records it, may trip
        raise PaymentError(str(e)) from e

# ── 4. Check state programmatically ───────────────────────
def health_check():
    return {
        "razorpay_cb_state": str(razorpay_breaker.current_state),
        "fail_count": razorpay_breaker.fail_counter
    }

Library: gobreaker (sony/gobreaker) — idiomatic, production-grade.
How it works: The Execute method wraps your call. Returns ErrOpenState immediately when OPEN. Uses a sliding window based on request counts or time intervals.

// go get github.com/sony/gobreaker

package payment

import (
    "errors"
    "log"
    "time"
    "github.com/sony/gobreaker"
)

// ── 1. Configure the breaker ──────────────────────────────
var razorpayCB = gobreaker.NewCircuitBreaker(gobreaker.Settings{
    Name:        "razorpay",
    MaxRequests: 3,           // max calls in HALF-OPEN state
    Interval:    10 * time.Second, // sliding window size
    Timeout:     30 * time.Second, // OPEN → HALF-OPEN after 30s

    // Trip OPEN when ≥50% of last 10 calls fail
    ReadyToTrip: func(counts gobreaker.Counts) bool {
        failureRatio := float64(counts.TotalFailures) /
                        float64(counts.Requests)
        return counts.Requests >= 10 && failureRatio >= 0.5
    },

    // Log every state change
    OnStateChange: func(name string, from, to gobreaker.State) {
        log.Printf("CB %s: %s → %s", name, from, to)
        if to == gobreaker.StateOpen {
            alertOncall("Razorpay CB tripped OPEN")
        }
    },
})

// ── 2. Wrap the external call ─────────────────────────────
func callRazorpay(payload PaymentRequest) (PaymentResult, error) {
    result, err := razorpayCB.Execute(func() (interface{}, error) {
        resp, err := httpClient.Post(
            "https://api.razorpay.com/v1/payments",
            payload,
        )
        if err != nil {
            return nil, err   // counts as failure in CB
        }
        return resp, nil
    })
    if err != nil {
        return PaymentResult{}, err
    }
    return result.(PaymentResult), nil
}

// ── 3. Use with fallback ──────────────────────────────────
func ProcessPayment(payload PaymentRequest) (PaymentResult, error) {
    result, err := callRazorpay(payload)

    if errors.Is(err, gobreaker.ErrOpenState) {
        // CB is OPEN — fast fail, use Paytm immediately
        log.Println("Razorpay CB open — routing to Paytm")
        return callPaytm(payload)
    }

    if err != nil {
        return PaymentResult{}, fmt.Errorf("payment failed: %w", err)
    }
    return result, nil
}

Production checklist: Always pair Circuit Breaker with (1) a timeout on every external call, (2) metrics on CB state changes, (3) an alert when CB trips OPEN, and (4) a meaningful fallback — not just a 503.

When to Use Circuit Breaker

ScenarioUse CB?Why

Calling external payment gateway✅ YesPayment providers go down. Needs fallback.

Calling your own DB⚠️ MaybeYes if reads — use replica. Writes need careful fallback.

Microservice-to-microservice calls✅ YesCritical for distributed systems — any service can fail.

Calling a 3rd party SMS/email API✅ YesNon-critical path — fallback to queue for retry.

In-process function calls❌ NoNo network involved. Use try/catch directly.

Pair Circuit Breaker with: Retry with exponential backoff (for transient failures), Bulkhead pattern (isolate thread pools per dependency), and Timeout (never wait forever for a response).

Key Takeaways

A Cascading Failure happens when one slow dependency exhausts your thread pool, taking down the entire app — even parts unrelated to the failing service.
The Circuit Breaker wraps calls to external dependencies. When failures spike, it "trips open" and stops making calls — failing fast instead of waiting for timeouts.
CLOSED = normal traffic. OPEN = dependency broken, use fallback. HALF-OPEN = testing if service recovered.
In OPEN state, requests get an immediate fallback response — no threads blocked, no memory pressure, rest of app stays healthy.
HALF-OPEN is the self-healing mechanism — it periodically probes the broken service and automatically closes the circuit when it recovers. Zero manual intervention.
Use Resilience4j (Java), opossum (Node.js), or Polly (.NET) — don't roll your own in production.

What is a Cascading Failure?

Why It Happens — Thread Exhaustion

The Circuit Breaker Pattern

The 3 States Every Engineer Must Know

Real World: Razorpay → Paytm Fallback

Code Implementation

When to Use Circuit Breaker

Decode More Systems