Bulkhead Pattern Explained

Table of Contents +

Think about a big ship for a second. Like a cargo ship or a cruise liner. Down below the waterline, the hull isn’t one big open space. It’s split into sealed sections. So here’s the clever part:

If the ship hits a rock and one section starts flooding, water fills only that section.
The walls between sections hold the water back, so the rest of the ship stays dry.
The ship keeps floating, and everyone is fine.

Those walls are called bulkheads. And it turns out our software systems need the exact same idea, because one leaky feature can otherwise sink the whole app. Let’s see how.

🚢 The Analogy

So what exactly is a bulkhead on a ship? Let me define it plainly:

A bulkhead is a wall inside the ship’s hull that seals off one compartment from the next.
If one compartment floods, the bulkhead keeps that water trapped right there. It can’t spread to the other compartments.
The damage stays contained, so one hole doesn’t take down the entire ship.

Now keep this picture in your head. In software, the “water” is overload (too many requests piling up), and the “compartments” are pools of resources. The whole pattern is just about building walls between those pools.

🎯 The Problem

Here’s the pain you’ll actually hit in a real app. Imagine your service has a fixed set of shared resources that every feature dips into:

A pool of threads to handle incoming requests. (A thread is just one worker that handles one piece of work at a time.)
A pool of database connections. (A connection is one open line to the database. You only get so many.)

Now picture this going wrong:

One feature, say the payment service, gets slow or hangs. Maybe the payment provider is having a bad day.
Requests to payment start piling up. Each stuck request holds onto a thread and a connection while it waits.
Because everything shares one pool, those stuck payment requests slowly eat up all the threads and connections.
Now the login page, the search box, the homepage, everything that had nothing to do with payments has no threads left. They can’t run either.

So one slow corner drags the whole app down with it. That spreading kind of failure has a name. It’s called a cascading failure, where one part breaking causes the next part to break, and the next, until the lights go out everywhere.

The shared-pool trap

When every feature draws from the same pool, the slowest feature sets the limit for everyone. One hung dependency can starve perfectly healthy features. That’s the exact problem bulkheads are built to solve.

🧱 What is the Bulkhead Pattern

Okay, so here’s the fix. The bulkhead pattern says:

Don’t give every feature one big shared pool of resources.
Instead, split the resources into separate, isolated pools, one per feature or per dependency.
Now if one pool fills up and gets stuck, it can only drain its own resources. The other pools are untouched, so those features keep working.

In plain words, you draw walls between your features so a failure in one can’t drain the others. Each pool can only sink itself, never the whole ship.

Here’s what that looks like. Notice each feature has its own private pool, and the payment pool filling up doesn’t touch the rest.

⚙️ How It Works

So how do you actually build these walls? The idea is simple: instead of one shared pool, you hand each downstream dependency its own little pool. Let me walk through it:

You give the payment service its own thread pool, say 20 threads. And its own set of database connections.
You give search its own separate pool. Login gets its own. And so on.
Each pool has a hard limit. Once payment’s 20 threads are all busy, the very next payment request is rejected fast instead of waiting forever.

Now replay the bad day with this setup:

The payment provider hangs. Payment requests pile up and fill payment’s 20 threads. That pool is now stuck.
But that’s the whole blast radius. The 20 threads were the only thing payment could ever touch.
Search still has its full pool. Login still has its full pool. They never even notice payment is struggling.

So the user can’t pay right now, which is annoying, sure. But they can still log in, browse, and search. The app stays up. That partial-working state, where you lose one feature but keep the rest, is called graceful degradation.

Pools can be more than threads

Bulkheads aren’t only about threads. You can isolate database connections, memory, queues, even whole servers or containers per feature. The principle is always the same: separate pools so trouble in one can’t spill into another.

⚖️ Without vs With Bulkheads

Let’s put the two worlds side by side so the difference really lands.

Situation	Without bulkheads (one shared pool)	With bulkheads (separate pools)
Payment service hangs	Stuck requests slowly eat every thread	Only the payment pool fills up
Login and search	Starved, no threads left, they break too	Untouched, keep serving users
Blast radius of one failure	The whole app goes down	Contained to one feature
What the user sees	Nothing loads at all	One feature is down, the rest works

🔗 Bulkhead vs Circuit Breaker

People mix these two up all the time, so let me clear it up. They’re different tools that work great together:

A bulkhead isolates resources. It caps how much of your system any one feature can grab, so a struggling feature can’t starve the others.
A circuit breaker stops calling a failing service. When it notices a dependency keeps failing, it “trips” and quickly rejects calls for a while instead of overloading a dead service. (More on that in the linked lesson below.)

So they attack the problem from two angles:

The bulkhead says: “Even if you misbehave, you only get your own pool. You can’t touch anyone else’s.”
The circuit breaker says: “You keep failing, so I’ll stop knocking on your door for a bit and fail fast.”

In a real resilient system you usually want both. The bulkhead contains the damage, and the circuit breaker keeps you from wasting effort on something that’s already down. You can dig deeper in the Circuit Breaker Pattern lesson.

⚡ Why It Helps

So why is this pattern worth the extra setup? A few solid reasons:

It contains failures. One bad dependency can only ruin its own pool, not the whole system.
It keeps the rest of the system responsive. Healthy features stay fast because their resources were never up for grabs.
It makes outages partial instead of total. Losing checkout is bad, but losing the entire site is far worse.
It makes the system predictable. You know up front the most any single feature can ever consume.

The big win is simple: your app fails in small, survivable pieces instead of one giant crash.

⚠️ Common Mistakes and Misconceptions

A few things trip people up here, so let’s sort them out:

“One shared pool is fine, it’s simpler.” It is simpler, right up until one slow dependency drains it and takes everything down. Sharing is exactly the risk bulkheads remove.
“Bulkhead and circuit breaker are the same thing.” No. A bulkhead isolates resources into pools. A circuit breaker stops calling a failing service. They solve different problems and work best together.
“More pools is always better, so split everything tiny.” Careful here. If you carve resources into too many tiny pools, each one is so small it can’t handle normal traffic, and you’ll reject requests even when the system is healthy. You also waste resources that sit idle in one pool while another is starving.
“Bulkheads make the system faster.” They don’t speed anything up. They protect availability. The goal is keeping most of the app alive under stress, not raw speed.

Find the right grain

The art of bulkheads is sizing. Pools big enough to handle each feature’s real traffic, but separate enough that one feature can’t swallow the rest. Isolate around your important dependencies, not around every tiny function.

🛠️ Design Challenge

Try this one on your own. Imagine an e-commerce app with three downstream dependencies: a payment service, a product-search service, and a recommendations service. Recommendations is known to be flaky and sometimes hangs for ten seconds.

Now work through these:

If all three share one thread pool, what happens when recommendations hangs during a traffic spike?
How would you set up bulkheads so a hung recommendations call can’t block checkout or search?
Roughly how would you size each pool, given checkout is critical and recommendations is just a nice-to-have?

Sketch the pools and the failure path. This is exactly the kind of reasoning a system design interviewer is looking for.

🧩 What You’ve Learned

You can now explain how to keep one failing part from sinking the whole system. Here’s what you’ve picked up:

✅ A bulkhead isolates resources into separate pools, one per feature or dependency.
✅ Without it, one slow feature can drain a shared pool and cause a cascading failure that takes everything down.
✅ With it, a stuck pool can only sink itself, so healthy features keep serving (graceful degradation).
✅ You can isolate threads, connections, memory, queues, or whole servers.
✅ Bulkheads isolate resources, circuit breakers stop calling failing services, and the two work best together.
✅ Avoid the extremes: one shared pool risks total collapse, but too many tiny pools reject healthy traffic.

Check Your Knowledge

Test what you learned. Pick an answer for each question, then click Check.

🚀 What’s Next?

Bulkheads are one piece of building systems that don’t crash. Next, look at the patterns that pair with them:

Circuit Breaker Pattern shows how to stop overloading a service that’s already failing and fail fast instead.
Saga Pattern shows how to keep data consistent across services when one step in a long transaction fails.

Put these together and you’ve got the core toolkit for resilient, fault-tolerant systems that interviewers love to dig into.

Previous Backpressure Explained Next Saga Pattern Explained

Share & Connect

Share on LinkedIn