Backpressure is a feature, not a failure
There’s a failure mode every distributed system eventually meets: it accepts more work than it can finish, queues build everywhere at once, and the whole thing tips over while reporting that it’s healthy.
The fix isn’t more capacity. It’s the willingness to refuse work. Backpressure — propagating “slow down” signals upstream — is what keeps a system inside its safe operating envelope.
Bounded everything
Our rule is simple: every queue is bounded, every pool is bounded, every retry budget is bounded. An unbounded queue is just a memory leak with good intentions.
use tokio::sync::mpsc; // assumption: Tokio's mpsc, whose channel() takes a capacity
let (tx, rx) = mpsc::channel(1024); // bounded
When the channel is full, the sender waits or sheds — and that wait is the backpressure signal travelling upstream, all the way to the client if it has to.
Say no early
A request you can’t serve should be rejected at the edge in single-digit milliseconds, not after it has consumed a connection, a thread, and a database round-trip. Fast rejection is kinder than slow failure.
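The "wait or shed" choice from "Bounded everything" and the fast rejection from "Say no early", as an added example that is not code from the original post. It uses the standard library's `sync_channel` and `try_send` so it runs without an async runtime; `Edge`, `admit`, `Admission` and `simulate_burst` are hypothetical names, and the burst is constructed.

```rust
use std::sync::mpsc::{sync_channel, Receiver, SyncSender, TrySendError};

/// Outcome of an admission decision at the edge.
#[derive(Debug, PartialEq)]
pub enum Admission {
    Accepted,
    Shed,   // queue full: reject now so the client backs off (e.g. HTTP 429 or 503)
    Closed, // worker is gone: fail fast instead of queueing
}

/// Hypothetical edge handler that owns the sending half of a bounded queue.
pub struct Edge {
    tx: SyncSender<u64>,
    pub shed: u64, // count of rejected requests, worth exporting as a metric
}

impl Edge {
    pub fn new(capacity: usize) -> (Edge, Receiver<u64>) {
        let (tx, rx) = sync_channel(capacity); // bounded: at most `capacity` queued
        (Edge { tx, shed: 0 }, rx)
    }

    /// Never blocks: a full queue becomes an immediate rejection.
    pub fn admit(&mut self, request_id: u64) -> Admission {
        match self.tx.try_send(request_id) {
            Ok(()) => Admission::Accepted,
            Err(TrySendError::Full(_)) => {
                self.shed += 1;
                Admission::Shed
            }
            Err(TrySendError::Disconnected(_)) => Admission::Closed,
        }
    }
}

/// Constructed burst: `burst` requests arrive before the worker drains any.
/// Returns (accepted, shed).
pub fn simulate_burst(capacity: usize, burst: u64) -> (u64, u64) {
    let (mut edge, rx) = Edge::new(capacity);
    let accepted = (0..burst).filter(|id| edge.admit(*id) == Admission::Accepted).count() as u64;
    let drained = rx.try_iter().count() as u64; // worker sees only admitted work
    assert_eq!(accepted, drained);
    (accepted, edge.shed)
}

fn main() {
    let (accepted, shed) = simulate_burst(4, 10);
    println!("accepted={} shed={}", accepted, shed);
}
```

Swapping `try_send` for the blocking `send` turns the shed into a wait, which pushes the slowdown onto the caller instead of rejecting it.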