Failure Modes & Fault Tolerance

Failure mode: Cascading failure via thread pool exhaustion (also called "slow resource starvation"). Mechanism: the API server has a shared thread pool of, say, 200 threads. Each /api/reports request holds a thread for 8–15 seconds. At 20 concurrent report requests, all 200 threads are blocked. New requests for /api/health queue up, hit the thread pool timeout, and return 500. Symptoms: thread pool active count = 200 (saturated), queue depth growing, /api/reports p50 latency = 12s, /api/health error rate spikes from 0% to 100% simultaneously. Immediate mitigations: (1) rate-limit /api/reports to 5 concurrent requests at the load balancer or nginx, (2) increase DB connection pool timeout to fail fast rather than hold threads. Long-term: bulkhead pattern — give /api/reports its own dedicated thread pool of 20 threads, preventing it from consuming the shared pool. Hystrix/Resilience4j implement this as ThreadPoolBulkhead.

Retry: 503 (server overloaded, transient), 429 (rate limited — add Retry-After header respect), 408 (request timeout), network timeout (connection refused). Never retry: 400 (bad request — fix the request), 401 (auth — fix credentials), 402 (payment required — billing issue), 422 (validation error — fix data). Backoff: attempt 1: 1s, attempt 2: 2s, attempt 3: 4s, attempt 4: 8s, attempt 5: 16s. Total elapsed: 1+2+4+8+16 = 31 seconds + 5 x 800ms request time = ~35 seconds. Full jitter: delay = random(0, min(max_delay, base * 2^attempt)). For 1,000 simultaneous failures: pure exponential = all retry at exactly t=1s (thundering herd). Full jitter = retries spread uniformly over [0, 1s] — load reduced by ~10x. Idempotency key: generate idempotency_key = UUID at charge creation time, pass it on every retry. Without it: 5 retry attempts = up to 5 separate charges on the customer's card.

State transitions: Closed → Open when failure_rate > 20% over last 100 requests (minimum 20 requests to avoid tripping on startup). Open → Half-Open after 30 second timeout. Half-Open → Closed if 5 consecutive probe requests succeed. Half-Open → Open if any probe fails. Window design: time-based window of 10 seconds at 500 req/sec = 5,000 request sample. At 0.5% normal failure: ~25 failures/window. At 45% failure: ~2,250 failures/window — easily distinguishable. Use 20% threshold: circuit trips only when failure rate is 40x the normal rate. Half-Open probe: send 1 request every 5 seconds (not a burst), require 5 successes before closing. Error budget savings: without circuit breaker: 480 seconds x 500 req/sec x 45% failure = 108,000 failed calls sent to ML API. With circuit breaker (opens at t=3s): 3s x 500 x 45% = 675 failed calls before open, then zero for 477 seconds. Saved: 107,325 failed calls = 99.4% reduction in amplified load.

5 experiments: (1) Payment API latency injection: add 3s latency to 100% of Payment API calls — expected: circuit breaker opens after 20 failures, checkout queue backs up, users see "payment processing" spinner, no data loss. (2) Inventory Service kill: terminate all Inventory pods — expected: checkout shows "unable to verify stock" and allows checkout with a backorder message (graceful degradation). (3) Tax Service 503: expected fallback: use last-cached tax rate (Redis, 1hr TTL) for up to 1 hour, log warning, complete checkout. Legally acceptable in most jurisdictions if tax is corrected on invoice. Hard-blocking checkout for tax failure = $4M revenue loss. (4) DB primary failure: connection pool drains in ~30s, new checkouts fail immediately (fail-fast), existing in-flight transactions roll back, recovery = replica promotion ~20s + app reconnection ~10s = 50s total downtime. (5) Network partition (checkout ↔ User Profile): expected: checkout uses cached user data from JWT token, skips profile enrichment, completes with basic user info. Steady-state: p99 checkout latency < 2s, success rate > 99%. Rollback trigger: success rate drops below 95% for 60 consecutive seconds.