SHOW HN: A usage circuit breaker for Cloudflare Workers

14•ethan_zhao•1h ago

I run 3mins.news (https://3mins.news), an AI news aggregator built entirely on Cloudflare Workers. The backend has 10+ cron triggers running every few minutes: RSS fetching, article clustering, LLM calls, email delivery.

The problem: Workers Paid Plan has hard monthly limits (10M requests, 1M KV writes, 1M queue ops, etc.). There's no built-in "pause when you hit the limit", CF just starts billing overages. KV writes cost $5/M over the cap, so a retry loop bug can get expensive fast.

AWS has Budget Alerts, but those are passive notifications, by the time you read the email, the damage is done. I wanted active, application-level self-protection.

So I built a circuit breaker that faces inward, instead of protecting against downstream failures (the Hystrix pattern), it monitors my own resource consumption and gracefully degrades before hitting the ceiling.

Key design decisions:

- Per-resource thresholds: Workers Requests ($0.30/M overage) only warns at 80%. KV Writes ($5/M overage) can trip the breaker at 90%. Not all resources are equally dangerous, so some are configured as warn-only (trip=null).

- Hysteresis: Trips at 90%, recovers at 85%. The 5% gap prevents oscillation, without it the system flaps between tripped and recovered every check cycle.

- Fail-safe on monitoring failure: If the CF usage API is down, maintain last known state rather than assuming "everything is fine." A monitoring outage shouldn't mask a usage spike.

- Alert dedup: Per-resource, per-month. Without it you'd get ~8,600 identical emails for the rest of the month once a resource hits 80%.

Implementation: every 5 minutes, queries CF's GraphQL API (requests, CPU, KV, queues) + Observability Telemetry API (logs/traces) in parallel, evaluates 8 resource dimensions, caches state to KV. Between checks it's a single KV read — essentially free.

When tripped, all scheduled tasks are skipped. The cron trigger still fires (you can't stop that), but the first thing it does is check the breaker and bail out if tripped.

It's been running in production for two weeks. Caught a KV reads spike at 82% early in the month, got one warning email, investigated, fixed the root cause, never hit the trip threshold.

The pattern should apply to any metered serverless platform (Lambda, Vercel, Supabase) or any API with budget ceilings (OpenAI, Twilio). The core idea: treat your own resource budget as a health signal, just like you'd treat a downstream service's error rate.

Happy to share code details if there's interest.

Full writeup with implementation code and tests: https://yingjiezhao.com/en/articles/Usage-Circuit-Breaker-for-Cloudflare-Workers

Comments

kopollo•1h ago

When collecting RSS feeds, I recommend setting a limit so that each RSS source is pulled every 10 minutes.

ethan_zhao•1h ago

That's a solid default. I actually set my RSS polling interval to 1 hour, most sources I follow don't update frequently enough to justify anything shorter. Every 10 minutes works too, but you might end up burning cycles on unchanged feeds.

photobombastic•1h ago

This is a real problem. I've heard similar stories from people running CI pipelines — a retry loop bug burns through your entire monthly Actions minutes budget in hours, and there's no built-in circuit breaker there either.

The approach of tracking usage locally and cutting off before you hit billing overages makes a lot more sense than trying to parse the billing API after the fact. Prevention over detection.

Could be cool to set per-worker limits in addition to the global ones.

ethan_zhao•1h ago

Totally. When I first launched my project, I literally couldn't sleep at night, kept worrying that some bug in my code would spiral into a self-inflicted Denial of Wallet attack by morning. That fear is what pushed me to build the circuit breaker early on. Prevention over detection is spot on.

westurner•23m ago

> The core idea: treat your own resource budget as a health signal, just like you'd treat a downstream service's error rate.

This is more state. The deployed app is then more stateful and thus more complex. If there is more complexity, there are probably more failure cases.

But resource budget quota signals are a good feature, I think.

Apps should throttle down when approaching their resource quotas.

What is the service hosting provider running to scale the service up and down?

Autoscaling: https://en.wikipedia.org/wiki/Autoscaling

k8s ResourceQuotas: https://kubernetes.io/docs/concepts/policy/resource-quotas/

willswire/union is a Kubernetes Helm chart for self-hosting cloudflare/workerd: https://github.com/willswire/union

Helm docs > intro > Using Helm: https://helm.sh/docs/intro/using_helm/ :

> Helm installs resources in the following order:

> [..., ResourceQuota, ..., HorizontalPodAutoscaler, ...]

How could this signal and the messaging about the event be standardized in the Containerfile spec, k8s, Helm?

Containerfile already supports HEALTHCHECK. Should there be a QUOTACMD Dockerfile instruction to specify a command to run when passed a message with the quota status?

iam_circuit•17m ago

This pattern should be default for any metered service. Budget exhaustion is a security failure mode — accidental (retry loops) and adversarial (amplification attacks) look identical to billing.

The gap: most platforms treat billing as purely financial. But spend limits are actually a form of resource isolation. When your Workers hit quota, you don't just lose money, you lose availability. Treating budget as a circuit breaker turns it into active defense.

Show HN: Svglib a SVG parser and renderer for Windows

The ugly history of regime change

What software knowledge will stay relevant?

Show HN: Base Layer – Open-source behavioral compression from any text

Para-biathlete wins silver using ChatGPT as his coach

Amazon is holding a mandatory meeting about AI breaking its systems

Show HN: Claude Tuner – Monitor your Claude usage and find the right plan

CragCLI – a new calculator for the command line

Show HN: Jottit – Reviving the Original from 2007

Stripe: Billing for LLM Tokens

Unlocked SaaS, file source as truth?

Understanding OBD2 codes (past, present, future)

Ask HN: What Happened to Llama Models?

Meta to Acquire Moltbook

Disorder Drives One of Nature's Most Complex Machines

Spacecraft's impact changed asteroid's orbit in a save-the-Earth test

Volkswagen to cut 50k jobs as profits drop

Microsoft 365 confirms new premium tier, stuffed with AI and few discounts

Smol AI WorldCup: What Small LLMs Can Do

Debian decides not to decide on AI-generated contributions

License Laundering and the Death of Clean Room (The Chardet Saga)

We are building data breach machines and nobody cares

Turing Award winner and former Oxford professor Tony Hoare passed away

Non-blocking SQLite for Node.js. Ported 100% of better-sqlite3 tests

AI Agent hacked McKinsey's chatbot and gained full read-write access in 2 hours

Forward to Hell?

Elements of AI Agents

Portable Secret is now open source

Why $100 Oil Isn't Going to Spark a New Shale Boom – Oilprice.com

JSON Documents Performance, Storage and Search: MongoDB vs. PostgreSQL