Production Circuit Breaker Integration: Timeouts, Fallbacks, and Observability

Circuit breakers don't work in isolation. They're most effective when orchestrated with timeouts, bulkheads, fallbacks, and comprehensive observability to provide end to end resilience. Timeouts must be set shorter than your user facing Service Level Objective (SLO) to leave room for retries and fallbacks. If your API promises 500ms p99 latency, set dependency timeouts at 200ms so you have 300ms budget for one retry plus fallback logic. The circuit breaker uses these timeouts as failure signals: a call that times out after 200ms counts as an error toward the failure threshold. Crucially, the timeout duration should inform your slow call threshold. If 200ms is your timeout, set slow call threshold at 150ms to trip the breaker before you're fully timing out, catching degrading dependencies early. Bulkheads (resource isolation per dependency) prevent one failing service from exhausting shared resources. Netflix used dedicated thread pools of 10 to 20 threads per dependency: when one backend gets slow, it can only block its allocated threads, leaving others free to serve requests to healthy dependencies. Modern async frameworks use semaphores or rate limiters instead of thread pools but the principle is the same: cap concurrent calls per dependency. Combine this with circuit breaker concurrency limits in the mesh layer (Envoy's max connections and pending requests per host) for defense in depth. Fallbacks define what happens when the breaker is open. Options include serving cached or stale data (acceptable for read heavy social feeds), degraded responses (show products without recommendations), buffering writes for later (queue for eventual processing), or explicit errors with retry guidance. The key is making fallback latency predictable: if your cache lookup takes 50ms versus 200ms for the live API, users get faster responses when the breaker is open, actually improving perceived performance during outages. However, watch for fallback poisoning: overuse of stale data can cause downstream inconsistencies like overselling inventory or showing deleted content. Observability is critical: emit breaker state transitions, failure reasons (error versus slow call), request counts per state, and latency distributions. Alert on sustained open states (longer than 60 seconds suggests a real outage), rising slow call rates (indicates degrading performance before full failure), and frequent flapping (signals misconfiguration). In production, correlate breaker opens with dependency health metrics to validate that your breaker is triggering correctly and not too aggressively.

Netflix social feed: Circuit breaker opens after 50% errors in 10 seconds, serves cached feed from Redis (50ms p99) instead of waiting for slow personalization service (5 second timeout), improves user experience during outages

E commerce product service: 200ms timeout, 150ms slow call threshold, 500ms user SLO. When recommendation service degrades to 180ms, breaker trips before timeouts occur, serves products without recommendations in 100ms

Uber trip matching: Bulkhead limits 50 concurrent requests per geospatial index shard, breaker opens at 60% error rate, falls back to coarser grid search that's slower but always available