Core Code
Core Code Modern Dev Handbook
DISTRIBUTED-SYSTEMS-ENGINEERING Contents
Distributed Systems Fundamentals
What Makes a System Distributed? Latency vs Throughput (Why You Can’t Optimize Both Blindly) The Partial Failure Model (The Real Enemy) The Fallacies of Distributed Computing (Production Examples) Time Is Hard: Clocks, Drift, and Ordering Network Partitions: Detection and Reality Checks CAP Theorem in Practice (What You Actually Choose) PACELC: Latency Tradeoffs Beyond CAP Backpressure vs Queueing (Where Systems Die Quietly) Failure Modes Map: Real Incidents You Will See
Data Consistency Models
Strong Consistency (Costs, When It’s Worth It) Eventual Consistency (What It Guarantees, What It Doesn’t) Causal Consistency (The Practical Middle Ground) Read-Your-Writes and Session Guarantees Monotonic Reads / Writes (User-Visible Correctness) Quorums 101: R/W, N, and What “Majority” Really Means Linearizability vs Serializability vs Strict Serializability Stale Reads: Detection, Measurement, and Guardrails Split-Brain Consistency Failures (How They Start) Designing Consistency SLOs (Correctness as an SLO)
Consensus & Coordination
Why Consensus Is Hard (FLP Intuition, No Math Pain) Raft Overview (Roles, Terms, Safety) Leader Election Patterns (And Their Failure Modes) Quorum Math (Write Safety vs Availability) Log Replication Internals (Commit Index, Match Index) Paxos Simplified (So You Can Read Docs Without Crying) Distributed Locks (Why They’re Dangerous) Zookeeper Patterns (Leader, Config, Locks) etcd Usage Patterns (Kubernetes-Style Coordination) Fencing Tokens (The Only Lock That Survives Partitions)
Replication & Data Distribution
Replication Strategies (Leader, Multi-Leader, Leaderless) Sync vs Async Replication (Latency vs Data Loss) Replication Lag: Causes, Metrics, and Mitigations Anti-Entropy (Merkle Trees, Read Repair, Hinted Handoff) Gossip Protocols (Membership, Failure Detection) Sharding Strategies (Range, Hash, Directory) Consistent Hashing (Why It’s Not Just a Ring Diagram) Rebalancing Clusters Safely (Avoid Melting Prod) Hot Partitions (Detection + Fixes) Multi-Region Data: Patterns and Tradeoffs
Messaging & Event Systems
Messaging Models (Queue vs Log vs PubSub) Delivery Semantics: At-Most-Once Delivery Semantics: At-Least-Once Exactly-Once (Where the Myth Breaks) Idempotency in Event Processing (Design Patterns) Kafka Internals (Partitions, ISR, Replication) Consumer Groups (Rebalances, Sticky Assignors) Ordering Guarantees (What You Can Actually Promise) Dead Letter Queues (Policy, Replay, Poison Pills) Event-Driven Architecture Tradeoffs (Coupling vs Debuggability)
Reliability Patterns in Distributed Systems
Retries & Exponential Backoff (Avoiding Retry Storms) Timeouts & Deadlines (Budgeting Latency) Circuit Breakers (State Machines That Save You) Bulkheads (Stop One Fire From Burning the Ship) Load Shedding (Fail Small, Not Catastrophically) Backpressure in Practice (Push vs Pull, Bounded Queues) Graceful Degradation (Feature Flags and Partial Responses) Hedged Requests (Trading Cost for Tail Latency) Chaos Engineering Basics (What to Test First) Failure Injection Testing (Safe Experiments in Prod-Like Envs)
Distributed Transactions & Sagas
Two-Phase Commit (Why It Blocks) Three-Phase Commit (Why You Still Rarely Use It) Sagas (Orchestration vs Choreography) Saga Orchestration (Central Coordinator Done Right) Saga Choreography (Emergent Workflows, Emergent Pain) Compensating Transactions (Designing Undo) Outbox Pattern (The Dual-Write Fix) Dual-Write Problem (How It Actually Fails) Idempotent Consumers (Dedup, Keys, and Storage) Transactional Messaging (What Guarantees You Can Buy)
Observability in Distributed Systems
Distributed Tracing Fundamentals (Spans, Context, Baggage) Correlation IDs (Request IDs That Survive Microservices) Trace Propagation (W3C Trace Context in Practice) Metrics in Clusters (Aggregation, Cardinality, Cost) High Cardinality Problems (How Monitoring Dies) Structured Logging at Scale (Schemas, Sampling, PII) Monitoring Quorum Health (Consensus Systems SLOs) Alert Fatigue Prevention (Signal > Noise) The Golden Signals (And What Changes in Distributed Systems) Postmortems (Blameless, Actionable, Measurable)
Performance & Scaling Strategies
Horizontal Scaling Patterns (Stateless, Stateful, Sticky) Vertical vs Horizontal Tradeoffs (Cost and Failure Domains) Autoscaling in Practice (When It Helps, When It Hurts) Tail Latency (Why p99 Runs Your Life) p99 vs Averages (SLO Math for Humans) The Thundering Herd (Cache, Locks, and Stampedes) Cache Consistency Tradeoffs (Invalidation Strategies) Distributed Rate Limiting (Token Buckets Across Nodes) Load Balancing Algorithms (RR, LC, EWMA, Hashing) Capacity Planning (Queues, Headroom, Failure Budget)
Production Incident Playbooks
Diagnosing a Network Partition (Fast Triage Checklist) Debugging Split-Brain (Symptoms, Proof, Recovery) Quorum Loss Recovery (Safe Steps, Common Traps) Runaway Retry Storm (How to Stop the Bleeding) Cascading Failure Analysis (Finding the First Domino) Replication Lag Debugging (Root Causes + Fixes) Kafka Consumer Lag Playbook (Rebalance, Throughput, Backlog) Multi-Region Outage Handling (Failover Without Data Lies) Consistency Bug Hunting (Proving “It Can’t Happen” Happened) Production Readiness Checklist (Distributed Systems Edition)

Bulkheads (Stop One Fire From Burning the Ship)

The bulkhead pattern isolates resources so failures in one component do not exhaust the entire system. This lesson explains thread pool isolation, connection pool partitioning, and production design strategies to prevent internal cascading failures.
On this page

Bulkhead Pattern: Isolating Failures Inside a Service

The bulkhead pattern isolates resources so that failure in one subsystem does not consume all available capacity. The name comes from ship design, where compartments are separated so that flooding in one area does not sink the entire vessel.

In distributed systems, bulkheads prevent internal cascading failures caused by shared resource exhaustion.

The Core Problem: Shared Resource Collapse

Most services share finite resources:

  • Thread pools
  • Connection pools
  • CPU capacity
  • Memory
  • Async worker queues

If one dependency slows down, calls to that dependency may block threads or saturate connections. Without isolation, unrelated features degrade as well.

Production Scenario: Reporting Endpoint Kills Core API

Symptom

Heavy traffic to reporting endpoint causes login and checkout APIs to time out.

Root Cause

All endpoints shared the same thread pool and database connection pool. Reporting queries were slow and consumed all resources.

Diagnosis

  • Thread pool saturation at 100 percent.
  • Database connections exhausted.
  • Core endpoints blocked waiting for threads.

Resolution

  • Separate thread pools for reporting vs transactional endpoints.
  • Limit connection pool allocation per feature.
  • Apply request rate limiting to reporting API.

Types of Bulkhead Isolation

1) Thread Pool Isolation

Allocate separate execution pools per dependency or feature.

core_pool = 50 threads
reporting_pool = 10 threads

If reporting fails, core traffic continues using its own pool.

2) Connection Pool Partitioning

Divide database or HTTP connection pools per dependency.

This prevents one slow backend from consuming all connections.

3) Queue Isolation

Use separate message queues for critical and non-critical workloads.

High-volume background processing should not delay transactional flows.

4) Process-Level Isolation

Run critical and non-critical workloads in separate services or containers.

This provides the strongest isolation boundary.

Bulkheads vs Circuit Breakers

  • Circuit breakers stop traffic to failing dependencies.
  • Bulkheads isolate resource consumption inside a service.

They complement each other but solve different problems.

Capacity Planning Considerations

Isolation introduces tradeoffs:

  • Underutilized resources in one pool cannot be borrowed by another.
  • Misconfigured limits can cause premature throttling.
  • Too many small pools increase operational complexity.

Bulkheads require careful capacity sizing.

Graceful Degradation Strategy

When a bulkhead is saturated:

  • Reject requests with controlled error responses.
  • Degrade non-essential features.
  • Preserve core functionality.

The goal is controlled failure, not total outage.

Observability Requirements

  • Thread pool utilization per pool
  • Queue depth per workload
  • Connection pool saturation per dependency
  • Rejected request count per bulkhead
  • Latency distribution per feature

Without per-bulkhead metrics, isolation effectiveness cannot be validated.

Failure Injection Test

# Bulkhead validation test
1) Generate heavy load on non-critical endpoint
2) Observe reporting pool saturation
3) Confirm core endpoint latency remains stable
4) Verify controlled rejection occurs only in isolated pool
5) Measure resource utilization boundaries

Common Anti-Patterns

  • Single global thread pool for all workloads
  • Unlimited connection pools
  • No rejection policy when pool saturates
  • Over-isolation causing idle resources
  • Ignoring backpressure signals

Operational Checklist

  • Are critical and non-critical workloads isolated?
  • Are resource limits explicitly defined?
  • Are saturation thresholds monitored?
  • Is graceful degradation defined per bulkhead?
  • Are capacity assumptions tested under load?

Key Takeaways

  • Bulkheads isolate resource consumption within a service.
  • They prevent one failing component from degrading unrelated features.
  • Isolation can be applied at thread, connection, queue, or process level.
  • Proper capacity planning is required to avoid over-restriction.
  • Bulkheads enable controlled degradation instead of total collapse.

The bulkhead pattern transforms shared-resource risk into compartmentalized failure. In production systems, this separation is often the difference between partial degradation and full outage.

Load Shedding (Fail Small, Not Catastrophically) →