Why Your Microservices Are Turning the Cloud Toxic

1
00:00:00,000 --> 00:00:03,200
One slow dependency can poison an entire cloud system,

2
00:00:03,200 --> 00:00:04,840
and most teams don't even see it happening

3
00:00:04,840 --> 00:00:07,360
until healthy services start failing right along with it.

4
00:00:07,360 --> 00:00:09,640
They blame the traffic, they blame the code,

5
00:00:09,640 --> 00:00:11,120
they even blame the cloud bill.

6
00:00:11,120 --> 00:00:13,120
But the first thing that actually broke was the model

7
00:00:13,120 --> 00:00:15,200
because the system treated every remote call

8
00:00:15,200 --> 00:00:18,920
like it was cheap, safe, and guaranteed to return on time.

9
00:00:18,920 --> 00:00:21,520
That assumption never survives real pressure.

10
00:00:21,520 --> 00:00:24,560
In a .NET microservice chain, delay spreads fast.

11
00:00:24,560 --> 00:00:27,280
A slow call holds onto threads, it holds onto sockets,

12
00:00:27,280 --> 00:00:29,760
and it eventually triggers a wave of retries.

13
00:00:29,760 --> 00:00:32,120
The cues start filling up while pools start draining.

14
00:00:32,120 --> 00:00:34,840
On the dashboard, the services still look like they are up,

15
00:00:34,840 --> 00:00:38,080
but the actual capacity is already disappearing underneath them.

16
00:00:38,080 --> 00:00:39,680
This is exactly why this topic matters

17
00:00:39,680 --> 00:00:41,360
because the failure doesn't start with a crash.

18
00:00:41,360 --> 00:00:42,640
It starts with waiting.

19
00:00:42,640 --> 00:00:44,760
So in this episode, we're going to strip this down

20
00:00:44,760 --> 00:00:45,960
to the real mechanics.

21
00:00:45,960 --> 00:00:47,840
We aren't talking about basic error handling

22
00:00:47,840 --> 00:00:49,640
or looking at happy path diagrams.

23
00:00:49,640 --> 00:00:51,440
We are talking about failure containment.

24
00:00:51,440 --> 00:00:53,560
This is about how to stop one-six servers

25
00:00:53,560 --> 00:00:56,800
from dragging the rest of your platform down into the dirt with it.

26
00:00:56,800 --> 00:00:58,880
Silent latency is the real toxin.

27
00:00:58,880 --> 00:01:01,600
These teams are still designing their systems around an old model.

28
00:01:01,600 --> 00:01:03,760
A service calls another service, it gets an answer,

29
00:01:03,760 --> 00:01:04,920
and then it moves on.

30
00:01:04,920 --> 00:01:07,280
Maybe there is a timeout or a retry involved,

31
00:01:07,280 --> 00:01:10,520
but the call itself is treated like a small detail in the request flow.

32
00:01:10,520 --> 00:01:12,040
It feels almost like a local method call

33
00:01:12,040 --> 00:01:14,200
with a little bit of network tax added on top.

34
00:01:14,200 --> 00:01:16,280
And that's where things break, because a remote dependency

35
00:01:16,280 --> 00:01:19,200
isn't just code you don't own, it represents shared time,

36
00:01:19,200 --> 00:01:21,520
shared capacity, and shared risk.

37
00:01:21,520 --> 00:01:25,000
To see how this works, picture a very normal path in a power-net system.

38
00:01:25,000 --> 00:01:27,960
A user signs in, and your API needs a token check

39
00:01:27,960 --> 00:01:30,400
or a profile look up from an identity service.

40
00:01:30,400 --> 00:01:32,680
That identity provider doesn't go fully down,

41
00:01:32,680 --> 00:01:34,240
but it just starts getting slower.

42
00:01:34,240 --> 00:01:35,640
It isn't dead, it's just late.

43
00:01:35,640 --> 00:01:38,840
And in a distributed system, being late is enough to cause a disaster.

44
00:01:38,840 --> 00:01:42,040
Your API request now waits longer on that outbound HTTP call

45
00:01:42,040 --> 00:01:44,400
and wallet weights that request hasn't disappeared.

46
00:01:44,400 --> 00:01:46,800
It is still consuming resources inside the app.

47
00:01:46,800 --> 00:01:49,120
The incoming request pipeline stays busy longer,

48
00:01:49,120 --> 00:01:50,880
the outbound connection stays occupied,

49
00:01:50,880 --> 00:01:53,960
and upstream callers have to wait longer for your API to respond.

50
00:01:53,960 --> 00:01:57,360
If that API also needs to do database work after the IU's completes,

51
00:01:57,360 --> 00:02:01,560
that database activity starts later and piles into the next wave of incoming requests.

52
00:02:01,560 --> 00:02:05,200
Nothing looks dramatic yet, but the system is quietly filling up with stuck work.

53
00:02:05,200 --> 00:02:06,640
This is the part most people miss.

54
00:02:06,640 --> 00:02:10,800
Outages get everyone's attention, but slowness is something people tend to tolerate.

55
00:02:10,800 --> 00:02:13,680
In distributed systems, slowness often does more damage

56
00:02:13,680 --> 00:02:16,240
because it has time to spread before anyone can react.

57
00:02:16,240 --> 00:02:18,360
A hard failure gets rejected immediately,

58
00:02:18,360 --> 00:02:20,800
but a slow failure gets admitted into the system

59
00:02:20,800 --> 00:02:22,920
and then multiplied across the entire path.

60
00:02:22,920 --> 00:02:25,200
In ASP-Net, even when you use async code,

61
00:02:25,200 --> 00:02:27,080
waiting still costs you something.

62
00:02:27,080 --> 00:02:29,040
You are holding on to the request state

63
00:02:29,040 --> 00:02:30,840
and tying up connection lifetimes,

64
00:02:30,840 --> 00:02:35,280
which extends how long each unit of work lives inside the service.

65
00:02:35,280 --> 00:02:37,280
Once enough requests do that at the same time,

66
00:02:37,280 --> 00:02:39,880
your throughput drops even if the CPU still looks calm.

67
00:02:39,880 --> 00:02:41,440
That's why teams get so confused.

68
00:02:41,440 --> 00:02:43,840
The service appears to be online, the health checks pass,

69
00:02:43,840 --> 00:02:45,320
and the dashboard isn't screaming,

70
00:02:45,320 --> 00:02:46,800
but your useful capacity is gone

71
00:02:46,800 --> 00:02:49,200
because too much work is trapped in a waiting state.

72
00:02:49,200 --> 00:02:51,720
And the problem never stops at just one service.

73
00:02:51,720 --> 00:02:54,240
The service calling identity slows down.

74
00:02:54,240 --> 00:02:57,000
So every caller above it starts to slow down too.

75
00:02:57,000 --> 00:02:58,680
Maybe a gateway keeps connections open

76
00:02:58,680 --> 00:03:00,400
or another API waits for the first one

77
00:03:00,400 --> 00:03:02,000
before it can even build a response.

78
00:03:02,000 --> 00:03:04,800
A background worker might depend on that same identity system

79
00:03:04,800 --> 00:03:06,040
for token acquisition,

80
00:03:06,040 --> 00:03:08,640
and now it processes fewer messages per minute.

81
00:03:08,640 --> 00:03:11,440
Cues begin to grow, not because your demand exploded,

82
00:03:11,440 --> 00:03:13,320
but because your completion rate slowed down.

83
00:03:13,320 --> 00:03:15,040
That is a very different problem to solve.

84
00:03:15,040 --> 00:03:16,760
Adding more replicas might help for a minute,

85
00:03:16,760 --> 00:03:19,760
but if every new replica waits on the same slow dependency,

86
00:03:19,760 --> 00:03:22,120
you've just expanded the size of the waiting room.

87
00:03:22,120 --> 00:03:24,120
The result is that the cloud looks busy,

88
00:03:24,120 --> 00:03:25,720
but it isn't being productive.

89
00:03:25,720 --> 00:03:27,240
This matters at the leadership level too,

90
00:03:27,240 --> 00:03:29,240
because teams often read the situation

91
00:03:29,240 --> 00:03:31,440
as an application bug or a failure to scale.

92
00:03:31,440 --> 00:03:32,760
In reality, it can be neither.

93
00:03:32,760 --> 00:03:35,000
You can have perfectly clean code, plenty of nodes,

94
00:03:35,000 --> 00:03:36,360
and a solid cloud spend,

95
00:03:36,360 --> 00:03:37,680
and you will still lose the system

96
00:03:37,680 --> 00:03:39,840
because your architecture allowed one dependency

97
00:03:39,840 --> 00:03:41,320
to hold everyone else hostage.

98
00:03:41,320 --> 00:03:42,320
That isn't a coding issue.

99
00:03:42,320 --> 00:03:43,640
That is a capacity illusion.

100
00:03:43,640 --> 00:03:46,600
I've seen this pattern happen during very ordinary morning loads.

101
00:03:46,600 --> 00:03:47,960
Nothing dramatic was happening,

102
00:03:47,960 --> 00:03:49,920
but users logged in, traffic rose,

103
00:03:49,920 --> 00:03:51,920
and an off-dependency started lagging.

104
00:03:51,920 --> 00:03:53,280
Suddenly, services that don't even

105
00:03:53,280 --> 00:03:54,880
own authentication began to stall

106
00:03:54,880 --> 00:03:57,120
because they all depend on something that does.

107
00:03:57,120 --> 00:03:58,520
Support tickets started arriving

108
00:03:58,520 --> 00:04:00,680
from completely different parts of the platform.

109
00:04:00,680 --> 00:04:01,680
The outage looked wide,

110
00:04:01,680 --> 00:04:04,040
but the root cause was actually very small.

111
00:04:04,040 --> 00:04:06,320
That's why these incidents confuse people so much,

112
00:04:06,320 --> 00:04:08,760
and once that latency starts spreading like that,

113
00:04:08,760 --> 00:04:12,000
many teams end up triggering the next wave of damage themselves.

114
00:04:12,000 --> 00:04:15,080
Why batteries turn instability into a self-inflicted attack?

115
00:04:15,080 --> 00:04:16,560
When a team sees a failed call,

116
00:04:16,560 --> 00:04:19,200
their first instinct is almost always to try again.

117
00:04:19,200 --> 00:04:21,360
It feels like the responsible thing to do,

118
00:04:21,360 --> 00:04:24,480
and in a single isolated process, it usually works.

119
00:04:24,480 --> 00:04:27,400
But in a distributed system, the math changes completely.

120
00:04:27,400 --> 00:04:30,120
Every retry you send is just more traffic aimed at a service

121
00:04:30,120 --> 00:04:32,880
that already proved it couldn't handle the first request.

122
00:04:32,880 --> 00:04:35,440
That instinct comes from an older, simpler way of thinking.

123
00:04:35,440 --> 00:04:38,280
You assume a packet dropped or a tiny network blip happened,

124
00:04:38,280 --> 00:04:40,200
and a second attempt will clear it up.

125
00:04:40,200 --> 00:04:41,640
That's fine for minor hiccups.

126
00:04:41,640 --> 00:04:42,720
But here is the problem.

127
00:04:42,720 --> 00:04:44,040
Overload isn't a hiccup.

128
00:04:44,040 --> 00:04:46,120
If a downstream service is already saturated,

129
00:04:46,120 --> 00:04:47,560
your retry doesn't fix anything.

130
00:04:47,560 --> 00:04:50,240
It just adds another request to an overflowing backlog,

131
00:04:50,240 --> 00:04:51,640
then another and then another.

132
00:04:51,640 --> 00:04:53,680
You aren't helping the dependency recover.

133
00:04:53,680 --> 00:04:55,280
You are actually increasing the pressure

134
00:04:55,280 --> 00:04:56,920
while it's already losing control.

135
00:04:56,920 --> 00:04:58,640
I started seeing this differently when I stopped

136
00:04:58,640 --> 00:05:00,360
looking at retries as safety logic

137
00:05:00,360 --> 00:05:02,360
and started seeing them as low-generation.

138
00:05:02,360 --> 00:05:04,200
One failed call with two extra attempts

139
00:05:04,200 --> 00:05:05,480
isn't just one failure.

140
00:05:05,480 --> 00:05:07,000
Across a single user journey,

141
00:05:07,000 --> 00:05:09,360
that might turn into three outbound requests.

142
00:05:09,360 --> 00:05:11,760
When you look at a whole service fleet under pressure,

143
00:05:11,760 --> 00:05:14,360
that pattern creates waves of duplicate demand

144
00:05:14,360 --> 00:05:16,800
that all chase the same limited capacity.

145
00:05:16,800 --> 00:05:19,600
Because most of your clients probably share the same retry policy,

146
00:05:19,600 --> 00:05:21,400
they all fire on the same schedule.

147
00:05:21,400 --> 00:05:22,960
They line up, they surge together,

148
00:05:22,960 --> 00:05:25,000
and they hit your weakest point all at once.

149
00:05:25,000 --> 00:05:27,200
In the dot net ecosystem, this gets dangerous fast

150
00:05:27,200 --> 00:05:29,720
because the tools make retries so easy to set up

151
00:05:29,720 --> 00:05:31,360
that you often forget they exist.

152
00:05:31,360 --> 00:05:32,800
You register an HTTP client,

153
00:05:32,800 --> 00:05:35,640
you attach a resilience policy and you feel like you're covered.

154
00:05:35,640 --> 00:05:38,680
But if that policy retries on timeouts or board exceptions

155
00:05:38,680 --> 00:05:40,200
while keeping a long timeout window,

156
00:05:40,200 --> 00:05:42,760
you have essentially built a pressure multiplier.

157
00:05:42,760 --> 00:05:44,880
The call lasts longer, the sockets stay busy

158
00:05:44,880 --> 00:05:46,560
and the upstream request lives longer.

159
00:05:46,560 --> 00:05:49,640
Then the retry kicks in and extends that whole chain even further.

160
00:05:49,640 --> 00:05:51,960
The nasty part is that this actually looks smart

161
00:05:51,960 --> 00:05:53,200
during a code review.

162
00:05:53,200 --> 00:05:54,600
The code seems careful and defensive

163
00:05:54,600 --> 00:05:57,200
because nobody wants to build a system that gives up too easily.

164
00:05:57,200 --> 00:06:00,320
But in reality, true resilience isn't about refusing to give up.

165
00:06:00,320 --> 00:06:03,480
It's about refusing to let a small failure turn into a massive one.

166
00:06:03,480 --> 00:06:05,520
This doesn't mean you should never use retries.

167
00:06:05,520 --> 00:06:09,120
They are great when a fault is brief, random, and cheap to test again.

168
00:06:09,120 --> 00:06:12,320
A temporary network interruption or a one-off connection hiccup

169
00:06:12,320 --> 00:06:14,200
fits that pattern perfectly.

170
00:06:14,200 --> 00:06:17,760
Short-bounded retries with jitter on idempotent operations are usually fine.

171
00:06:17,760 --> 00:06:21,520
The trouble starts when teams apply those same rules to an overloaded API,

172
00:06:21,520 --> 00:06:24,640
a slow database or an identity service that is already drowning.

173
00:06:24,640 --> 00:06:27,280
At that point, your retry logic stops being a recovery tool

174
00:06:27,280 --> 00:06:29,160
and starts being synchronized harassment.

175
00:06:29,160 --> 00:06:30,680
Leaders need to see this clearly

176
00:06:30,680 --> 00:06:33,880
because the damage shows up as both instability and pure waste.

177
00:06:33,880 --> 00:06:37,320
Your platform starts spending more on compute, bandwidth, and queue capacity

178
00:06:37,320 --> 00:06:40,200
just to push the same failing work through the system over and over.

179
00:06:40,200 --> 00:06:42,680
While everyone thinks the system is fighting to stay alive,

180
00:06:42,680 --> 00:06:44,840
it is actually accelerating its own collapse.

181
00:06:44,840 --> 00:06:46,320
The fix starts with classification.

182
00:06:46,320 --> 00:06:49,080
You have to ask what kind of failure you are actually seeing.

183
00:06:49,080 --> 00:06:51,240
Did the dependency reject the call quickly

184
00:06:51,240 --> 00:06:52,240
or did it time out?

185
00:06:52,240 --> 00:06:53,840
Is the latency climbing for everyone?

186
00:06:53,840 --> 00:06:55,480
Is the response a signal to back off?

187
00:06:55,480 --> 00:06:58,040
Or is it a sign that one more try might actually work?

188
00:06:58,040 --> 00:07:01,400
You should only retry when there is a real data-backed reason to believe

189
00:07:01,400 --> 00:07:03,960
the next attempt has a better shot than the last one.

190
00:07:03,960 --> 00:07:06,680
If you don't have that, you need to cut it off early.

191
00:07:06,680 --> 00:07:09,880
Once retries start spreading damage, your job isn't persistence anymore.

192
00:07:09,880 --> 00:07:11,000
It's containment.

193
00:07:11,000 --> 00:07:13,320
bulkhead isolation changes the system model.

194
00:07:13,320 --> 00:07:18,560
If retries are what spread the pressure, you need a way to stop one failing dependency

195
00:07:18,560 --> 00:07:21,400
from stealing resources that belong to something else.

196
00:07:21,400 --> 00:07:23,680
That is exactly what bulkhead isolation does.

197
00:07:23,680 --> 00:07:26,360
It isn't just a tuning trick or a small optimization.

198
00:07:26,360 --> 00:07:30,440
It is a hard rule about which parts of your system get to consume resources

199
00:07:30,440 --> 00:07:31,760
when everything is under stress.

200
00:07:31,760 --> 00:07:34,000
Most teams assume their services are already isolated

201
00:07:34,000 --> 00:07:36,520
because they live in different containers or different repos.

202
00:07:36,520 --> 00:07:38,240
They might even be managed by different teams.

203
00:07:38,240 --> 00:07:41,240
But that isn't real isolation if those services still share

204
00:07:41,240 --> 00:07:44,240
the same outbound connection limits, the same worker capacity

205
00:07:44,240 --> 00:07:46,080
or the same downstream bottleneck.

206
00:07:46,080 --> 00:07:47,960
The architecture looks separate on a diagram,

207
00:07:47,960 --> 00:07:50,200
but the failure path is exactly the same.

208
00:07:50,200 --> 00:07:51,600
So what is a bulkhead really?

209
00:07:51,600 --> 00:07:54,240
It's a boundary that limits the blast radius of a failure.

210
00:07:54,240 --> 00:07:56,640
When one dependency struggles, the rest of the service

211
00:07:56,640 --> 00:07:59,720
refuses to hand over all its time and capacity to save it.

212
00:07:59,720 --> 00:08:03,000
If one workload spikes, another workload still has the room it needs to run.

213
00:08:03,000 --> 00:08:04,720
That is the shift you have to make.

214
00:08:04,720 --> 00:08:07,040
You stop asking how to recover a specific call

215
00:08:07,040 --> 00:08:10,160
and start asking what resources you are willing to let burn with it.

216
00:08:10,160 --> 00:08:13,800
In a .NET system, this becomes a practical design choice very quickly.

217
00:08:13,800 --> 00:08:16,840
If you have an HTTP client talking to a fragile external API,

218
00:08:16,840 --> 00:08:19,320
you give it its own limits and its own timeout policy.

219
00:08:19,320 --> 00:08:22,080
You might even give it its own dedicated handler settings.

220
00:08:22,080 --> 00:08:25,960
If one background job is processing exports while another handles payments,

221
00:08:25,960 --> 00:08:29,360
you cannot let them drain the same execution path without guardrails.

222
00:08:29,360 --> 00:08:32,160
If a specific message consumer has the potential to flood your database,

223
00:08:32,160 --> 00:08:34,840
you have to split it away from the flow that supports your customers.

224
00:08:34,840 --> 00:08:38,160
The goal here isn't elegance, it's separation under pressure.

225
00:08:38,160 --> 00:08:42,160
One level deeper, you realize that bulkheads don't have to map directly to services.

226
00:08:42,160 --> 00:08:43,840
They can map to business value instead.

227
00:08:43,840 --> 00:08:48,520
You can isolate by dependency so a slow search provider can't drag down your authentication service.

228
00:08:48,520 --> 00:08:53,080
You can isolate by capability so a heavy reporting job can't starve the checkout process.

229
00:08:53,080 --> 00:08:54,920
You can even isolate by tenant class,

230
00:08:54,920 --> 00:08:58,960
so one noisy enterprise customer doesn't crowd out everyone else on the platform.

231
00:08:58,960 --> 00:09:02,440
You can also isolate by traffic importance to ensure user actions keep moving

232
00:09:02,440 --> 00:09:04,120
while sync jobs wait their turn.

233
00:09:04,120 --> 00:09:07,520
This is where things change because resilience stops being a generic tech concern

234
00:09:07,520 --> 00:09:09,520
and becomes an explicit business policy.

235
00:09:09,520 --> 00:09:12,520
Shared pools are usually where this whole model breaks down.

236
00:09:12,520 --> 00:09:14,280
A team might say their features are separate,

237
00:09:14,280 --> 00:09:19,120
but the requests still land in the same app instance and compete for the same outbound calls.

238
00:09:19,120 --> 00:09:22,440
They hit the same queue workers and fight for the same database connections.

239
00:09:22,440 --> 00:09:27,160
The moment latency starts to rise, separation on a diagram means very little in the real world.

240
00:09:27,160 --> 00:09:30,720
Under stress, the shared pool becomes the real system boundary

241
00:09:30,720 --> 00:09:34,120
and everything inside that pool has the power to hurt everything else.

242
00:09:34,120 --> 00:09:37,720
I've seen this happen in commerce systems where checkout, profile sync and reporting

243
00:09:37,720 --> 00:09:40,480
all looked independent during architecture reviews.

244
00:09:40,480 --> 00:09:42,680
Then one downstream dependency slowed down,

245
00:09:42,680 --> 00:09:45,800
which caused reporting jobs to stack up and profile updates to linger.

246
00:09:45,800 --> 00:09:49,600
Connection pressure climbed until checkout started missing its response targets.

247
00:09:49,600 --> 00:09:53,640
In that moment, nothing in the business wanted those workloads treated as equals,

248
00:09:53,640 --> 00:09:57,600
but the platform did it anyway because nobody drew a hard line around the resources.

249
00:09:57,600 --> 00:10:00,520
A better design admits something that feels a bit uncomfortable.

250
00:10:00,520 --> 00:10:02,480
Equal access is often the wrong rule.

251
00:10:02,480 --> 00:10:06,240
When your platform is healthy, broad sharing feels efficient and smart,

252
00:10:06,240 --> 00:10:07,840
but when the platform is stressed,

253
00:10:07,840 --> 00:10:12,920
that same sharing becomes a permission slip for low priority work to steal from high priority work.

254
00:10:12,920 --> 00:10:16,360
Architects have to choose early on what gets protected and what gets constrained.

255
00:10:16,360 --> 00:10:21,240
That might mean reserved consumer capacity, separate queues or per dependency concurrency limits.

256
00:10:21,240 --> 00:10:25,800
You might need independent connection budgets or dedicated compute paths for revenue critical operations.

257
00:10:25,800 --> 00:10:27,680
You don't do this because the system is dramatic.

258
00:10:27,680 --> 00:10:30,840
You do it because the system needs structure when behavior gets messy.

259
00:10:30,840 --> 00:10:33,480
This is also where technical design turns into leadership.

260
00:10:33,480 --> 00:10:37,160
Product and engineering leaders have to agree on which paths deserve guaranteed room

261
00:10:37,160 --> 00:10:38,640
and which ones can wait or fail.

262
00:10:38,640 --> 00:10:41,960
If nobody makes that call, the platform will end up making it for you by accident.

263
00:10:41,960 --> 00:10:45,640
Belkheads don't fix a bad dependency, but they do something much more useful.

264
00:10:45,640 --> 00:10:48,840
They stop that dependency from collecting unrelated victims.

265
00:10:48,840 --> 00:10:51,680
Once you have created that boundary, you still need a fast-weighted aside

266
00:10:51,680 --> 00:10:53,800
when a call should just stop entirely.

267
00:10:53,800 --> 00:10:56,040
Circuit breakers stop panic before it spreads.

268
00:10:56,040 --> 00:10:58,400
Isolation gives you boundaries, which is a good start,

269
00:10:58,400 --> 00:11:01,080
but a boundary still needs a decision rule to actually function.

270
00:11:01,080 --> 00:11:04,480
If a dependency keeps failing and your service keeps trying to talk to it,

271
00:11:04,480 --> 00:11:07,000
you have only slowed the damage instead of stopping it.

272
00:11:07,000 --> 00:11:08,680
That is the job of a circuit breaker.

273
00:11:08,680 --> 00:11:11,320
It watches a dependency, judges its recent behavior,

274
00:11:11,320 --> 00:11:14,200
and changes how calls flow based on what it sees in real time.

275
00:11:14,200 --> 00:11:17,200
Think of it less like error handling and more like traffic control.

276
00:11:17,200 --> 00:11:19,960
When the dependency behaves normally, the breaker stays closed

277
00:11:19,960 --> 00:11:22,280
and requests pass through without any friction.

278
00:11:22,280 --> 00:11:24,640
When failures cross a threshold in a given window,

279
00:11:24,640 --> 00:11:29,000
the breaker opens and stops sending more work for a while to let the system breathe.

280
00:11:29,000 --> 00:11:31,360
After that pause, it shifts into a limited test mode

281
00:11:31,360 --> 00:11:34,040
where a few calls get through to see if things have improved.

282
00:11:34,040 --> 00:11:36,600
If the dependency responds well enough, normal flow resumes

283
00:11:36,600 --> 00:11:39,080
but if not, the breaker opens again in the cycle repeats.

284
00:11:39,080 --> 00:11:40,240
The pattern is simple.

285
00:11:40,240 --> 00:11:43,120
Allow, stop, test, and recover.

286
00:11:43,120 --> 00:11:45,560
That sounds obvious, but most teams still run the opposite model

287
00:11:45,560 --> 00:11:47,040
in their production environments.

288
00:11:47,040 --> 00:11:50,480
They keep every call alive until a timeout finally proves the dependency is sick,

289
00:11:50,480 --> 00:11:52,680
which means every call learns the same lesson separately

290
00:11:52,680 --> 00:11:54,960
while holding on to resources the whole time.

291
00:11:54,960 --> 00:11:59,440
A breaker turns that painful process into shared memory for the entire service.

292
00:11:59,440 --> 00:12:01,720
Once enough evidence shows the dependency is failing,

293
00:12:01,720 --> 00:12:04,720
the platform stops pretending the next 100 calls deserve a full wait

294
00:12:04,720 --> 00:12:06,000
and just cuts them off.

295
00:12:06,000 --> 00:12:08,400
That fast rejection matters more than you might think.

296
00:12:08,400 --> 00:12:10,400
A quick failure is annoying for a user,

297
00:12:10,400 --> 00:12:13,960
but a slow failure is expensive for the platform and everyone using it.

298
00:12:13,960 --> 00:12:16,560
If the service can reject a request in a few milliseconds

299
00:12:16,560 --> 00:12:19,400
instead of waiting seconds for another doomed outbound call,

300
00:12:19,400 --> 00:12:22,560
it saves thread time, socket lifetime, and queue pressure.

301
00:12:22,560 --> 00:12:24,920
The user might get a fallback or a partial response

302
00:12:24,920 --> 00:12:27,000
or maybe they just get a clean error message,

303
00:12:27,000 --> 00:12:30,080
but the service itself stays capable of handling other work.

304
00:12:30,080 --> 00:12:31,640
And that is the trade you are making.

305
00:12:31,640 --> 00:12:34,000
You are not promising everybody a full answer all the time

306
00:12:34,000 --> 00:12:37,400
because you are choosing platform survival over graceful denial.

307
00:12:37,400 --> 00:12:41,600
In most incidents, that is the right choice to make for the health of the system.

308
00:12:41,600 --> 00:12:45,320
Users can usually tolerate a narrow feature failure far better than a broad system stall

309
00:12:45,320 --> 00:12:47,120
that locks up the entire interface.

310
00:12:47,120 --> 00:12:49,280
The tricky part sits in the tuning of these thresholds.

311
00:12:49,280 --> 00:12:52,120
If the threshold is too loose, the breaker reacts late

312
00:12:52,120 --> 00:12:55,680
and the service keeps wasting time on bad calls that we're never going to succeed.

313
00:12:55,680 --> 00:12:58,040
If the threshold is too tight, it opens on minor noise

314
00:12:58,040 --> 00:13:00,240
and blocks healthy traffic that should have gone through.

315
00:13:00,240 --> 00:13:01,920
The sample window matters just as much

316
00:13:01,920 --> 00:13:04,640
because a short window catches sharp failures fast

317
00:13:04,640 --> 00:13:06,560
but can flap if traffic is uneven.

318
00:13:06,560 --> 00:13:08,360
A long window smooths out the noise,

319
00:13:08,360 --> 00:13:11,240
but it might respond too slowly when a dependency drops hard

320
00:13:11,240 --> 00:13:12,880
and needs immediate isolation.

321
00:13:12,880 --> 00:13:16,200
This is why one breaker for everything usually fails to solve the problem.

322
00:13:16,200 --> 00:13:17,960
Dependencies behave differently,

323
00:13:17,960 --> 00:13:21,800
and an internal cache API is not the same as a third-party payment gateway.

324
00:13:21,800 --> 00:13:24,400
A token service is not the same as a reporting endpoint,

325
00:13:24,400 --> 00:13:27,400
so they deserve different thresholds, different timeout budgets,

326
00:13:27,400 --> 00:13:28,960
and different fallback rules.

327
00:13:28,960 --> 00:13:32,480
When teams attach one generic policy across all outbound calls,

328
00:13:32,480 --> 00:13:36,400
they flatten those differences and lose control at the exact moment they need it most.

329
00:13:36,400 --> 00:13:41,000
In .NET, this means you should scope policies per client and per dependency path

330
00:13:41,000 --> 00:13:42,960
instead of using one blanket setting.

331
00:13:42,960 --> 00:13:47,000
Your HTTP client for identity should carry rules that match identity

332
00:13:47,000 --> 00:13:49,720
and your client for search should carry rules that match search.

333
00:13:49,720 --> 00:13:51,480
Then you compose the pieces in the right order

334
00:13:51,480 --> 00:13:53,840
by starting with a timeout, adding a breaker,

335
00:13:53,840 --> 00:13:56,880
and finishing with a fallback where the contract allows it.

336
00:13:56,880 --> 00:14:01,080
The order shapes the behavior, and if you get it wrong, the policy stack will just fight itself.

337
00:14:01,080 --> 00:14:03,960
One more thing, trips teams up when they implement these patterns.

338
00:14:03,960 --> 00:14:07,720
They open the breaker, but the rest of the platform still rewards unsafe behavior

339
00:14:07,720 --> 00:14:09,720
by calling too aggressively from upstream.

340
00:14:09,720 --> 00:14:12,040
Cues keep feeding work without any back pressure,

341
00:14:12,040 --> 00:14:14,400
and product flows assume every dependency

342
00:14:14,400 --> 00:14:16,760
deserves a live-round trip every single time.

343
00:14:16,760 --> 00:14:21,880
The breaker helps a lot, but if the wider system treats degraded mode as an accident instead of a feature,

344
00:14:21,880 --> 00:14:25,200
pressure will just find another route to break things.

345
00:14:25,200 --> 00:14:28,040
Built for controlled degradation, not perfect uptime,

346
00:14:28,040 --> 00:14:30,960
the next shift in thinking is actually bigger than the code itself.

347
00:14:30,960 --> 00:14:33,400
A lot of cloud teams still chase perfect uptime

348
00:14:33,400 --> 00:14:36,240
as if every single feature deserves the same level of promise.

349
00:14:36,240 --> 00:14:38,880
That sounds disciplined and customer focused on paper,

350
00:14:38,880 --> 00:14:42,800
but under stress that model turns every feature into a shared liability.

351
00:14:42,800 --> 00:14:45,040
The platform keeps spending scarce capacity on work

352
00:14:45,040 --> 00:14:46,880
that does not need to survive the incident,

353
00:14:46,880 --> 00:14:50,480
and once that happens, low value requests start competing with the parts

354
00:14:50,480 --> 00:14:52,520
that actually keep the business moving.

355
00:14:52,520 --> 00:14:55,000
A healthier model starts with service quality tiers.

356
00:14:55,000 --> 00:14:59,200
Not everything needs the same behavior when the system is under pressure and resources are running low.

357
00:14:59,200 --> 00:15:01,600
Some flows must keep working even in a thinner form,

358
00:15:01,600 --> 00:15:04,600
like authentication, checkout, or critical case creation.

359
00:15:04,600 --> 00:15:08,360
These are the parts where delay or failure immediately hits revenue and trust,

360
00:15:08,360 --> 00:15:09,920
so they need protection first,

361
00:15:09,920 --> 00:15:12,400
because the business loses the fastest when they stop.

362
00:15:12,400 --> 00:15:15,600
Other flows can bend without breaking the whole experience.

363
00:15:15,600 --> 00:15:17,600
Recommendations can pause for a few minutes,

364
00:15:17,600 --> 00:15:20,320
and exports can sit in a queue until the pressure drops.

365
00:15:20,320 --> 00:15:22,440
Search enrichment can disappear for a while,

366
00:15:22,440 --> 00:15:26,640
and analytics pipelines can fall behind without hurting the person currently trying to pay.

367
00:15:26,640 --> 00:15:30,640
A user usually tolerates those small gaps if the main task still completes.

368
00:15:30,640 --> 00:15:36,040
And in fact, most users will not even notice a degraded feature if the path they came for stays responsive.

369
00:15:36,040 --> 00:15:39,640
They only notice when the whole product drags and becomes unusable.

370
00:15:39,640 --> 00:15:42,440
That means resilience design needs a more honest question from the start.

371
00:15:42,440 --> 00:15:44,440
Instead of asking how to keep everything alive,

372
00:15:44,440 --> 00:15:47,640
you should ask what keeps mattering during a moment of extreme stress.

373
00:15:47,640 --> 00:15:48,840
Once you answer that,

374
00:15:48,840 --> 00:15:52,240
your architecture choices get much cleaner and easier to manage.

375
00:15:52,240 --> 00:15:56,840
You can return partial responses instead of blocking on optional data that might not even be necessary.

376
00:15:56,840 --> 00:16:00,440
You can serve stale reads where freshness is not worth a live dependency call,

377
00:16:00,440 --> 00:16:03,440
or you can buffer non-urgent work into queues to process later.

378
00:16:03,440 --> 00:16:05,840
You can even keep cached claims for a short window.

379
00:16:05,840 --> 00:16:09,040
If the identity look-up path is struggling and the risk fits the use case,

380
00:16:09,040 --> 00:16:10,440
none of that is fake availability,

381
00:16:10,440 --> 00:16:13,640
but it is controlled degradation that protects the core transaction

382
00:16:13,640 --> 00:16:16,040
instead of collapsing around optional behavior.

383
00:16:16,040 --> 00:16:18,640
This needs product input instead of just platform input.

384
00:16:18,640 --> 00:16:20,440
Engineers can build fallback paths,

385
00:16:20,440 --> 00:16:24,640
but they should not be the ones guessing which business promises can soften during an incident.

386
00:16:24,640 --> 00:16:28,840
Product leaders need to define what good enough looks like in degraded mode

387
00:16:28,840 --> 00:16:32,840
and legal or security teams might need to approve where cache data is acceptable.

388
00:16:32,840 --> 00:16:35,440
Operations teams need to know which delays are tolerable

389
00:16:35,440 --> 00:16:37,440
and which ones trigger a manual intervention.

390
00:16:37,440 --> 00:16:39,440
If nobody defines those limits early,

391
00:16:39,440 --> 00:16:42,240
the system will just invent them badly when it fails in production.

392
00:16:42,240 --> 00:16:45,840
I have seen teams learn this the expensive way during major outages.

393
00:16:45,840 --> 00:16:49,240
One customer facing workflow stayed usable only after the platform started

394
00:16:49,240 --> 00:16:53,240
dropping recommendation calls and trimming response payloads when pressure rose.

395
00:16:53,240 --> 00:16:55,840
Users kept completing the tasks they actually came to do.

396
00:16:55,840 --> 00:16:57,640
And even though it looked messy internally,

397
00:16:57,640 --> 00:16:59,640
it felt stable enough to the outside world.

398
00:16:59,640 --> 00:17:03,640
That distinction matters because controlled degradation rarely looks elegant on a dashboard

399
00:17:03,640 --> 00:17:06,840
but it preserves the only outcome the user actually cares about.

400
00:17:06,840 --> 00:17:10,440
This also changes how you review your architecture during the design phase.

401
00:17:10,440 --> 00:17:14,240
A design review should not stop at asking if the system scales under normal load.

402
00:17:14,240 --> 00:17:17,440
You need to ask what this feature does when a dependency slows down

403
00:17:17,440 --> 00:17:19,440
or when a breaker finally opens.

404
00:17:19,440 --> 00:17:23,640
Does it fail closed, return less data or just switch to cached information?

405
00:17:23,640 --> 00:17:26,040
If the answer is that it waits forever in hopes for the best,

406
00:17:26,040 --> 00:17:28,640
you know the system is not actually ready for production.

407
00:17:28,640 --> 00:17:30,640
It changes how you think about SLOs as well.

408
00:17:30,640 --> 00:17:33,240
If every endpoint carries the same expectation,

409
00:17:33,240 --> 00:17:36,640
teams end up hiding business priority behind technical symmetry.

410
00:17:36,640 --> 00:17:39,440
It is much better to define separate goals for critical parts

411
00:17:39,440 --> 00:17:41,640
and softer goals for optional capabilities

412
00:17:41,640 --> 00:17:44,040
so you can fund the architecture accordingly.

413
00:17:44,040 --> 00:17:45,640
Cloud cost discussions improve too

414
00:17:45,640 --> 00:17:49,640
because you are no longer buying broad redundancy for features that can degrade safely

415
00:17:49,640 --> 00:17:51,440
without hurting the bottom line.

416
00:17:51,440 --> 00:17:52,440
Once you work this way,

417
00:17:52,440 --> 00:17:56,240
resilience stops being a vague promise of uninterrupted service.

418
00:17:56,240 --> 00:17:59,240
It becomes a concrete plan for which parts of the system keep working

419
00:17:59,240 --> 00:18:01,040
when the rest of the world needs to let go.

420
00:18:01,040 --> 00:18:03,440
If you want more of this kind of structural thinking,

421
00:18:03,440 --> 00:18:05,640
follow me, Mercopedas, on LinkedIn,

422
00:18:05,640 --> 00:18:09,440
and share this with your team if you are dealing with these problems right now.

423
00:18:09,440 --> 00:18:12,240
Operation lies resilience in net teams.

424
00:18:12,240 --> 00:18:14,840
Resilience fails when it lives as a few helper classes inside

425
00:18:14,840 --> 00:18:18,240
one isolated team, but in reality, what happens is much simpler.

426
00:18:18,240 --> 00:18:22,440
One team has Polly, another team copies a timeout value from a random blog post.

427
00:18:22,440 --> 00:18:24,440
A third team wraps everything in retries

428
00:18:24,440 --> 00:18:26,640
because they are afraid of user-visible failure.

429
00:18:26,640 --> 00:18:28,640
Every service looks protected in isolation,

430
00:18:28,640 --> 00:18:33,040
but the platform as a whole has no shared rule for how dependencies behave under stress.

431
00:18:33,040 --> 00:18:36,040
That isn't architecture, that's just drift with good intentions.

432
00:18:36,040 --> 00:18:39,240
The fix starts with standards that are specific enough to actually enforce.

433
00:18:39,240 --> 00:18:42,440
For every outbound dependency, you need to define five things.

434
00:18:42,440 --> 00:18:46,640
The timeout, the retry rule, the breaker rule, the fallback behavior, the isolation boundary.

435
00:18:46,640 --> 00:18:48,040
Write them down and version them.

436
00:18:48,040 --> 00:18:51,640
If a service calls identity, storage, payments, or search,

437
00:18:51,640 --> 00:18:54,840
the team must know exactly how long it waits and when it stops.

438
00:18:54,840 --> 00:18:57,040
They need to know what it returns instead of an error

439
00:18:57,040 --> 00:18:59,640
and which resources are fenced off from the rest of the app.

440
00:18:59,640 --> 00:19:01,240
If those rules aren't written anywhere,

441
00:19:01,240 --> 00:19:03,640
the real policy is just whatever shipped last.

442
00:19:03,640 --> 00:19:05,840
Then you have to assign ownership by the dependency,

443
00:19:05,840 --> 00:19:07,040
not just by the service.

444
00:19:07,040 --> 00:19:10,240
Incidents turn messy because nobody owns the full behavior of the call path.

445
00:19:10,240 --> 00:19:11,840
The product team owns the feature.

446
00:19:11,840 --> 00:19:13,440
The platform team owns the cluster.

447
00:19:13,440 --> 00:19:15,240
Another team owns the shared service.

448
00:19:15,240 --> 00:19:17,240
But nobody owns the failure mode between them.

449
00:19:17,240 --> 00:19:19,840
That gap is where toxic behavior survives.

450
00:19:19,840 --> 00:19:23,840
Somebody needs to decide what acceptable pain looks like when a dependency degrades.

451
00:19:23,840 --> 00:19:26,040
And that decision cannot wait for the incident bridge.

452
00:19:26,040 --> 00:19:27,640
Testing has to follow the same model.

453
00:19:27,640 --> 00:19:29,640
Don't wait for production to reveal the bad path,

454
00:19:29,640 --> 00:19:31,240
slow the dependency on purpose,

455
00:19:31,240 --> 00:19:33,240
force timeouts, open breakers, and staging.

456
00:19:33,240 --> 00:19:35,640
Cut a non-critical API and watch what spills over.

457
00:19:35,640 --> 00:19:37,840
You aren't testing whether the code is elegant.

458
00:19:37,840 --> 00:19:40,240
You're testing whether the business keeps the right things alive

459
00:19:40,240 --> 00:19:42,440
when a dependency turns unreliable.

460
00:19:42,440 --> 00:19:43,840
That is a very different exercise

461
00:19:43,840 --> 00:19:45,840
and it changes what teams pay attention to.

462
00:19:45,840 --> 00:19:46,840
The signals matter too.

463
00:19:46,840 --> 00:19:51,040
Most dashboard still center on uptime, CPU, and request count.

464
00:19:51,040 --> 00:19:53,040
Those are useful, but they're incomplete.

465
00:19:53,040 --> 00:19:57,440
You need to see saturation, Q-depth, timeout rates, open circuit counts.

466
00:19:57,440 --> 00:19:59,640
These metrics show when the service is still reachable

467
00:19:59,640 --> 00:20:01,240
but already losing capacity.

468
00:20:01,240 --> 00:20:03,440
And that is usually the moment that matters most.

469
00:20:03,440 --> 00:20:06,040
Architecture reviews need a different lens as well.

470
00:20:06,040 --> 00:20:09,240
Stop rewarding, need diagrams and start asking about the blast radius,

471
00:20:09,240 --> 00:20:11,240
which dependency can block this path,

472
00:20:11,240 --> 00:20:13,640
which pool is shared, which caller keeps sending work

473
00:20:13,640 --> 00:20:15,640
after the downstream side is already hurting.

474
00:20:15,640 --> 00:20:17,640
The cleaner the answers, the safer the system.

475
00:20:17,640 --> 00:20:19,440
And this lands outside engineering too

476
00:20:19,440 --> 00:20:21,240
because failure budgets and degraded modes

477
00:20:21,240 --> 00:20:23,640
are business decisions with technical consequences.

478
00:20:23,640 --> 00:20:24,640
So that's the shift.

479
00:20:24,640 --> 00:20:27,040
Stop treating resilience like smarter exception handling.

480
00:20:27,040 --> 00:20:30,040
Start treating it like designed containment inside the platform.

481
00:20:30,040 --> 00:20:32,440
This week, pick one critical, and need service.

482
00:20:32,440 --> 00:20:34,240
Map every outbound dependency,

483
00:20:34,240 --> 00:20:36,240
mark every shared pool, every retry chain,

484
00:20:36,240 --> 00:20:38,240
and every place where one slow call can spread,

485
00:20:38,240 --> 00:20:41,040
then add one hard time out, one scope circuit breaker,

486
00:20:41,040 --> 00:20:42,440
one real isolation boundary.

487
00:20:42,440 --> 00:20:44,640
If this changed how you judge microservice health,

488
00:20:44,640 --> 00:20:46,840
follow me, Mirko Peters on LinkedIn.

489
00:20:46,840 --> 00:20:48,840
And if you want more of this, leave a review,

490
00:20:48,840 --> 00:20:50,040
it helps more people find it.