%22%20opacity%3D%220.58%22%3E%3C%2Fellipse%3E%0A%20%20%3Cellipse%20cx%3D%22255%22%20cy%3D%22132%22%20rx%3D%2228%22%20ry%3D%2218%22%20fill%3D%22%234cc9f0%22%20opacity%3D%220.36%22%3E%3C%2Fellipse%3E%0A%20%20%3Cellipse%20cx%3D%22346%22%20cy%3D%22112%22%20rx%3D%2242%22%20ry%3D%2225%22%20fill%3D%22%234361ee%22%20opacity%3D%220.28%22%3E%3C%2Fellipse%3E%0A%20%20%3Cellipse%20cx%3D%22470%22%20cy%3D%22125%22%20rx%3D%2236%22%20ry%3D%2220%22%20fill%3D%22%234cc9f0%22%20opacity%3D%220.34%22%3E%3C%2Fellipse%3E%0A%20%20%3Cellipse%20cx%3D%22565%22%20cy%3D%22108%22%20rx%3D%2230%22%20ry%3D%2218%22%20fill%3D%22%234361ee%22%20opacity%3D%220.30%22%3E%3C%2Fellipse%3E%0A%20%20%3Cpath%20d%3D%22M182%2071C196%2063%20212%2064%20223%2073C234%2082%20237%2098%20229%20109C221%20120%20205%20124%20190%20118C175%20113%20168%2096%20172%2083C174%2077%20177%2073%20182%2071Z%22%20fill%3D%22%234cc9f0%22%20opacity%3D%220.38%22%3E%3C%2Fpath%3E%0A%20%20%3Cpath%20d%3D%22M308%2073C326%2062%20350%2063%20363%2077C376%2091%20375%20111%20361%20123C347%20135%20325%20137%20309%20127C294%20118%20287%2098%20291%2084C294%2079%20300%2075%20308%2073Z%22%20fill%3D%22%234361ee%22%20opacity%3D%220.34%22%3E%3C%2Fpath%3E%0A%20%20%3Cpath%20d%3D%22M443%2066C462%2056%20488%2057%20500%2071C512%2086%20510%20106%20495%20117C480%20128%20459%20128%20444%20118C429%20108%20423%2089%20427%2076C430%2071%20436%2068%20443%2066Z%22%20fill%3D%22%234cc9f0%22%20opacity%3D%220.30%22%3E%3C%2Fpath%3E%0A%20%20%3Ccircle%20cx%3D%22610%22%20cy%3D%2288%22%20r%3D%2214%22%20fill%3D%22%234cc9f0%22%20opacity%3D%220.42%22%3E%3C%2Fcircle%3E%0A%20%20%3Ccircle%20cx%3D%2286%22%20cy%3D%22166%22%20r%3D%2210%22%20fill%3D%22%234361ee%22%20opacity%3D%220.40%22%3E%3C%2Fcircle%3E%0A%3C%2Fsvg%3E)
Deploying new software versions to production is one of the highest-risk operations in any distributed system.
A faulty release can cascade across thousands of nodes in minutes, degrading service for millions of users.
Blue-green and canary deployments are two complementary strategies designed to reduce this risk by controlling how traffic shifts from an old version to a new one.
Both techniques decouple the act of deploying code from the act of releasing it to users, but they differ fundamentally in their approach to traffic management, rollback semantics, and failure blast radius.
Blue-Green Deployments
A blue-green deployment maintains two identical production environments, conventionally called "blue" and "green." At any given time, one environment serves all live traffic (say, blue), while the other (green) sits idle or serves as a staging target.
To deploy a new version, you provision the green environment with the updated code, run validation checks against it, and then atomically switch the router or load balancer to direct all traffic from blue to green.
Mechanics
The core abstraction is a single traffic switch.
This is typically implemented at the load balancer or DNS level.
The switch is binary: 100% of traffic goes to one environment or the other, never both simultaneously (outside of the brief switchover window).
The key properties are:
- Atomic cutover. The transition from old to new happens in a single step. There is no prolonged period where two versions coexist serving user traffic.
- Instant rollback. If the new version exhibits problems, you flip the switch back. The old environment is still running, warm, and fully provisioned.
- Resource cost. You need double the infrastructure capacity at all times, since both environments must be capable of handling full production load.
State and Database Concerns
%20--%3E%0A%3C!--%20Expand%3A%20x%3D80..240%2C%20Dual-write%3A%20240..400%2C%20Contract%3A%20400..560%20--%3E%0A%3Crect%20x%3D%2280%22%20y%3D%2238%22%20width%3D%22160%22%20height%3D%22200%22%20rx%3D%224%22%20fill%3D%22%236ea8ff%22%20opacity%3D%220.04%22%2F%3E%0A%3Crect%20x%3D%22240%22%20y%3D%2238%22%20width%3D%22160%22%20height%3D%22200%22%20rx%3D%224%22%20fill%3D%22%23ff7a93%22%20opacity%3D%220.04%22%2F%3E%0A%3Crect%20x%3D%22400%22%20y%3D%2238%22%20width%3D%22160%22%20height%3D%22200%22%20rx%3D%224%22%20fill%3D%22%23b58dff%22%20opacity%3D%220.04%22%2F%3E%0A%0A%3C!--%20Phase%20header%20labels%20--%3E%0A%3Ctext%20x%3D%22160%22%20y%3D%2252%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22600%22%20fill%3D%22%236ea8ff%22%20text-anchor%3D%22middle%22%3EExpand%3C%2Ftext%3E%0A%3Ctext%20x%3D%22320%22%20y%3D%2252%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22600%22%20fill%3D%22%23ff7a93%22%20text-anchor%3D%22middle%22%3EDual-write%3C%2Ftext%3E%0A%3Ctext%20x%3D%22480%22%20y%3D%2252%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22600%22%20fill%3D%22%23b58dff%22%20text-anchor%3D%22middle%22%3EContract%3C%2Ftext%3E%0A%0A%3C!--%20Phase%20divider%20lines%20--%3E%0A%3Cline%20x1%3D%22240%22%20y1%3D%2240%22%20x2%3D%22240%22%20y2%3D%22238%22%20stroke%3D%22%233a3f52%22%20stroke-width%3D%221.5%22%20stroke-linecap%3D%22round%22%20stroke-dasharray%3D%224%203%22%2F%3E%0A%3Cline%20x1%3D%22400%22%20y1%3D%2240%22%20x2%3D%22400%22%20y2%3D%22238%22%20stroke%3D%22%233a3f52%22%20stroke-width%3D%221.5%22%20stroke-linecap%3D%22round%22%20stroke-dasharray%3D%224%203%22%2F%3E%0A%0A%3C!--%20Horizontal%20timeline%20baseline%20--%3E%0A%3Cline%20x1%3D%2280%22%20y1%3D%22148%22%20x2%3D%22554%22%20y2%3D%22148%22%20stroke%3D%22%233a3f52%22%20stroke-width%3D%222%22%20stroke-linecap%3D%22round%22%20marker-end%3D%22url(%23arr)%22%2F%3E%0A%0A%3C!--%20Phase%20milestone%20dots%20on%20timeline%20--%3E%0A%3Ccircle%20cx%3D%2280%22%20cy%3D%22148%22%20r%3D%224%22%20fill%3D%22%233a3f52%22%2F%3E%0A%3Ccircle%20cx%3D%22240%22%20cy%3D%22148%22%20r%3D%224%22%20fill%3D%22%233a3f52%22%2F%3E%0A%3Ccircle%20cx%3D%22400%22%20cy%3D%22148%22%20r%3D%224%22%20fill%3D%22%233a3f52%22%2F%3E%0A%3Ccircle%20cx%3D%22554%22%20cy%3D%22148%22%20r%3D%224%22%20fill%3D%22%233a3f52%22%2F%3E%0A%0A%3C!--%20%3D%3D%3D%3D%3D%3D%3D%20BLUE%20LANE%20(old%20service)%20%3D%3D%3D%3D%3D%3D%3D%20--%3E%0A%3C!--%20Lane%20background%20label%20--%3E%0A%3Ctext%20x%3D%2236%22%20y%3D%2293%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20font-weight%3D%22600%22%20fill%3D%22%236ea8ff%22%20text-anchor%3D%22middle%22%20opacity%3D%220.9%22%3EBlue%3C%2Ftext%3E%0A%3Ctext%20x%3D%2236%22%20y%3D%22104%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3E(old)%3C%2Ftext%3E%0A%0A%3C!--%20Blue%20active%20bar%3A%20Expand%20phase%20(full)%20--%3E%0A%3Crect%20x%3D%2286%22%20y%3D%2275%22%20width%3D%22148%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%236ea8ff%22%20opacity%3D%220.85%22%20filter%3D%22url(%23soft)%22%2F%3E%0A%3Ctext%20x%3D%22160%22%20y%3D%2290%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2211%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Eactive%3C%2Ftext%3E%0A%0A%3C!--%20Blue%20active%20bar%3A%20Dual-write%20phase%20(full)%20--%3E%0A%3Crect%20x%3D%22246%22%20y%3D%2275%22%20width%3D%22148%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%236ea8ff%22%20opacity%3D%220.85%22%2F%3E%0A%3Ctext%20x%3D%22320%22%20y%3D%2290%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2211%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Eactive%3C%2Ftext%3E%0A%0A%3C!--%20Blue%20fading%20bar%3A%20Contract%20phase%20(decommissioned)%20--%3E%0A%3Crect%20x%3D%22406%22%20y%3D%2275%22%20width%3D%22148%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%233a3f52%22%20opacity%3D%220.65%22%2F%3E%0A%3Ctext%20x%3D%22480%22%20y%3D%2290%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2211%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3Eretired%3C%2Ftext%3E%0A%0A%3C!--%20%3D%3D%3D%3D%3D%3D%3D%20GREEN%20LANE%20(new%20service)%20%3D%3D%3D%3D%3D%3D%3D%20--%3E%0A%3Ctext%20x%3D%2236%22%20y%3D%22123%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20font-weight%3D%22600%22%20fill%3D%22%23b58dff%22%20text-anchor%3D%22middle%22%20opacity%3D%220.9%22%3EGreen%3C%2Ftext%3E%0A%3Ctext%20x%3D%2236%22%20y%3D%22134%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3E(new)%3C%2Ftext%3E%0A%0A%3C!--%20Green%20inactive%3A%20Expand%20phase%20--%3E%0A%3Crect%20x%3D%2286%22%20y%3D%22105%22%20width%3D%22148%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%233a3f52%22%20opacity%3D%220.65%22%2F%3E%0A%3Ctext%20x%3D%22160%22%20y%3D%22120%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2211%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3Edeploying%3C%2Ftext%3E%0A%0A%3C!--%20Green%20active%20bar%3A%20Dual-write%20phase%20--%3E%0A%3Crect%20x%3D%22246%22%20y%3D%22105%22%20width%3D%22148%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23b58dff%22%20opacity%3D%220.85%22%2F%3E%0A%3Ctext%20x%3D%22320%22%20y%3D%22120%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2211%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Eactive%3C%2Ftext%3E%0A%0A%3C!--%20Green%20active%20bar%3A%20Contract%20phase%20(full)%20--%3E%0A%3Crect%20x%3D%22406%22%20y%3D%22105%22%20width%3D%22148%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23b58dff%22%20opacity%3D%220.85%22%20filter%3D%22url(%23soft)%22%2F%3E%0A%3Ctext%20x%3D%22480%22%20y%3D%22120%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2211%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Eactive%3C%2Ftext%3E%0A%0A%3C!--%20%3D%3D%3D%3D%3D%3D%3D%20DATABASE%20SECTION%20%3D%3D%3D%3D%3D%3D%3D%20--%3E%0A%3C!--%20DB%20icon%20label%20--%3E%0A%3Ctext%20x%3D%2236%22%20y%3D%22186%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20font-weight%3D%22600%22%20fill%3D%22%23e8edf5%22%20text-anchor%3D%22middle%22%3EDB%3C%2Ftext%3E%0A%0A%3C!--%20----%20EXPAND%20phase%20columns%20----%20--%3E%0A%3C!--%20old_col%3A%20present%2C%20written%20--%3E%0A%3Crect%20x%3D%2290%22%20y%3D%22162%22%20width%3D%2264%22%20height%3D%2220%22%20rx%3D%223%22%20fill%3D%22%236ea8ff%22%20opacity%3D%220.85%22%20filter%3D%22url(%23soft)%22%2F%3E%0A%3Ctext%20x%3D%22122%22%20y%3D%22176%22%20font-family%3D%22ui-monospace%2C%20SFMono-Regular%2C%20Menlo%2C%20monospace%22%20font-size%3D%229%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Eold_col%3C%2Ftext%3E%0A%3C!--%20new_col%3A%20added%20(schema%20only%2C%20not%20written%20yet)%20--%3E%0A%3Crect%20x%3D%22158%22%20y%3D%22162%22%20width%3D%2264%22%20height%3D%2220%22%20rx%3D%223%22%20fill%3D%22%233a3f52%22%20stroke%3D%22%236ea8ff%22%20stroke-width%3D%221.2%22%20opacity%3D%220.8%22%2F%3E%0A%3Ctext%20x%3D%22190%22%20y%3D%22176%22%20font-family%3D%22ui-monospace%2C%20SFMono-Regular%2C%20Menlo%2C%20monospace%22%20font-size%3D%229%22%20fill%3D%22%236ea8ff%22%20text-anchor%3D%22middle%22%3Enew_col%3C%2Ftext%3E%0A%3C!--%20caption%20--%3E%0A%3Ctext%20x%3D%22160%22%20y%3D%22196%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%229%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3Eadded%20(nullable)%3C%2Ftext%3E%0A%0A%3C!--%20----%20DUAL-WRITE%20phase%20columns%20----%20--%3E%0A%3C!--%20old_col%3A%20present%2C%20written%20--%3E%0A%3Crect%20x%3D%22250%22%20y%3D%22162%22%20width%3D%2264%22%20height%3D%2220%22%20rx%3D%223%22%20fill%3D%22%23ff7a93%22%20opacity%3D%220.85%22%2F%3E%0A%3Ctext%20x%3D%22282%22%20y%3D%22176%22%20font-family%3D%22ui-monospace%2C%20SFMono-Regular%2C%20Menlo%2C%20monospace%22%20font-size%3D%229%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Eold_col%3C%2Ftext%3E%0A%3C!--%20new_col%3A%20present%2C%20written%20--%3E%0A%3Crect%20x%3D%22318%22%20y%3D%22162%22%20width%3D%2264%22%20height%3D%2220%22%20rx%3D%223%22%20fill%3D%22%23ff7a93%22%20opacity%3D%220.85%22%2F%3E%0A%3Ctext%20x%3D%22350%22%20y%3D%22176%22%20font-family%3D%22ui-monospace%2C%20SFMono-Regular%2C%20Menlo%2C%20monospace%22%20font-size%3D%229%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Enew_col%3C%2Ftext%3E%0A%3C!--%20caption%20--%3E%0A%3Ctext%20x%3D%22320%22%20y%3D%22196%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%229%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3Eboth%20written%3C%2Ftext%3E%0A%0A%3C!--%20----%20CONTRACT%20phase%20columns%20----%20--%3E%0A%3C!--%20old_col%3A%20being%20dropped%20--%3E%0A%3Crect%20x%3D%22410%22%20y%3D%22162%22%20width%3D%2264%22%20height%3D%2220%22%20rx%3D%223%22%20fill%3D%22%233a3f52%22%20stroke%3D%22%23ff7a93%22%20stroke-width%3D%221.2%22%20opacity%3D%220.65%22%2F%3E%0A%3Ctext%20x%3D%22442%22%20y%3D%22176%22%20font-family%3D%22ui-monospace%2C%20SFMono-Regular%2C%20Menlo%2C%20monospace%22%20font-size%3D%229%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3Eold_col%3C%2Ftext%3E%0A%3C!--%20strikethrough%20line%20--%3E%0A%3Cline%20x1%3D%22414%22%20y1%3D%22172%22%20x2%3D%22470%22%20y2%3D%22172%22%20stroke%3D%22%23ff7a93%22%20stroke-width%3D%221.5%22%20stroke-linecap%3D%22round%22%20opacity%3D%220.7%22%2F%3E%0A%3C!--%20new_col%3A%20sole%20owner%20--%3E%0A%3Crect%20x%3D%22478%22%20y%3D%22162%22%20width%3D%2264%22%20height%3D%2220%22%20rx%3D%223%22%20fill%3D%22%23b58dff%22%20opacity%3D%220.85%22%20filter%3D%22url(%23soft)%22%2F%3E%0A%3Ctext%20x%3D%22510%22%20y%3D%22176%22%20font-family%3D%22ui-monospace%2C%20SFMono-Regular%2C%20Menlo%2C%20monospace%22%20font-size%3D%229%22%20font-weight%3D%22600%22%20fill%3D%22%230f1419%22%20text-anchor%3D%22middle%22%3Enew_col%3C%2Ftext%3E%0A%3C!--%20caption%20--%3E%0A%3Ctext%20x%3D%22480%22%20y%3D%22196%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%229%22%20fill%3D%22%238a93a8%22%20text-anchor%3D%22middle%22%3Eold_col%20dropped%3C%2Ftext%3E%0A%0A%3C!--%20Write%20indicator%20arrows%20(down%20from%20lanes%20to%20db)%20--%3E%0A%3C!--%20Expand%3A%20blue%20writing%20old_col%20--%3E%0A%3Cline%20x1%3D%22122%22%20y1%3D%22148%22%20x2%3D%22122%22%20y2%3D%22160%22%20stroke%3D%22%236ea8ff%22%20stroke-width%3D%221.5%22%20stroke-linecap%3D%22round%22%20marker-end%3D%22url(%23arr-blue)%22%20opacity%3D%220.7%22%2F%3E%0A%3C!--%20Dual-write%3A%20both%20writing%20both%20cols%20--%3E%0A%3Cline%20x1%3D%22282%22%20y1%3D%22148%22%20x2%3D%22282%22%20y2%3D%22160%22%20stroke%3D%22%23ff7a93%22%20stroke-width%3D%221.5%22%20stroke-linecap%3D%22round%22%20opacity%3D%220.7%22%2F%3E%0A%3Ccircle%20cx%3D%22282%22%20cy%3D%22159%22%20r%3D%222.5%22%20fill%3D%22%23ff7a93%22%20opacity%3D%220.8%22%2F%3E%0A%3Cline%20x1%3D%22350%22%20y1%3D%22148%22%20x2%3D%22350%22%20y2%3D%22160%22%20stroke%3D%22%23ff7a93%22%20stroke-width%3D%221.5%22%20stroke-linecap%3D%22round%22%20opacity%3D%220.7%22%2F%3E%0A%3Ccircle%20cx%3D%22350%22%20cy%3D%22159%22%20r%3D%222.5%22%20fill%3D%22%23ff7a93%22%20opacity%3D%220.8%22%2F%3E%0A%3C!--%20Contract%3A%20green%20writing%20new_col%20only%20--%3E%0A%3Cline%20x1%3D%22510%22%20y1%3D%22148%22%20x2%3D%22510%22%20y2%3D%22160%22%20stroke%3D%22%23b58dff%22%20stroke-width%3D%221.5%22%20stroke-linecap%3D%22round%22%20marker-end%3D%22url(%23arr-green)%22%20opacity%3D%220.7%22%2F%3E%0A%0A%3C!--%20Bottom%20legend%20--%3E%0A%3Crect%20x%3D%2282%22%20y%3D%22214%22%20width%3D%2210%22%20height%3D%2210%22%20rx%3D%222%22%20fill%3D%22%236ea8ff%22%20opacity%3D%220.85%22%2F%3E%0A%3Ctext%20x%3D%2296%22%20y%3D%22223%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20fill%3D%22%238a93a8%22%3EBlue%20%3D%20old%20service%3C%2Ftext%3E%0A%3Crect%20x%3D%22200%22%20y%3D%22214%22%20width%3D%2210%22%20height%3D%2210%22%20rx%3D%222%22%20fill%3D%22%23b58dff%22%20opacity%3D%220.85%22%2F%3E%0A%3Ctext%20x%3D%22214%22%20y%3D%22223%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20fill%3D%22%238a93a8%22%3EGreen%20%3D%20new%20service%3C%2Ftext%3E%0A%3Crect%20x%3D%22340%22%20y%3D%22214%22%20width%3D%2210%22%20height%3D%2210%22%20rx%3D%222%22%20fill%3D%22%23ff7a93%22%20opacity%3D%220.85%22%2F%3E%0A%3Ctext%20x%3D%22354%22%20y%3D%22223%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20fill%3D%22%238a93a8%22%3EBoth%20services%20write%20simultaneously%3C%2Ftext%3E%0A%0A%3C!--%20Bottom%20note%20--%3E%0A%3Ctext%20x%3D%22300%22%20y%3D%22248%22%20font-family%3D%22Inter%2C%20-apple-system%2C%20system-ui%2C%20sans-serif%22%20font-size%3D%2210%22%20fill%3D%22%233a3f52%22%20text-anchor%3D%22middle%22%3EZero-downtime%20migration%20%E2%80%94%20no%20locking%2C%20no%20cutover%20outage%3C%2Ftext%3E%0A%3C%2Fsvg%3E)
The hardest problem in blue-green deployments is not the compute layer, it is the data layer.
Both environments typically share a database, which means schema migrations must be backward-compatible.
If the green deployment requires a column rename, the blue environment will break if you roll back.
The standard mitigation is the "expand and contract" pattern: first add the new column (expand), deploy code that writes to both, then eventually drop the old column (contract) in a later release.
This constraint applies to any shared stateful resource, including caches, message queues, and session stores.
Canary Deployments
A canary deployment takes a fundamentally different approach.
Instead of switching all traffic at once, it routes a small fraction of requests to the new version while the majority continues hitting the old version.
The fraction is gradually increased as confidence builds, based on observed metrics.
If anomalies appear, the canary is killed and traffic reverts entirely to the stable version.
The name comes from the "canary in a coal mine" metaphor: the small subset of traffic serves as an early warning system.
Mechanics
A canary deployment requires a traffic-splitting mechanism that can route a configurable percentage of requests to different backend pools.
This is commonly implemented via weighted routing rules in a service mesh (Envoy, Istio, Linkerd) or at the load balancer level.
The deployment proceeds in stages:
- Deploy the new version alongside the old version. The new version initially receives 0% of traffic.
- Shift a small percentage (often 1-5%) of traffic to the canary.
- Observe key metrics: error rates, latency percentiles (p50, p95, p99), resource utilization, and business-level KPIs.
- If metrics are healthy, increase the traffic share incrementally (e.g., 5% → 10% → 25% → 50% → 100%).
- If metrics degrade beyond defined thresholds, route all traffic back to the stable version and investigate.
Observability Requirements
Canary deployments are only as good as your monitoring.
You need per-version metric segmentation, meaning you must be able to attribute error rates and latency to the canary pool independently from the stable pool.
Without this, you cannot distinguish a canary regression from background noise.
This typically requires version-aware request tagging propagated through distributed tracing and metrics pipelines.
Statistical rigor matters.
With only 1% of traffic hitting the canary, sample sizes are small.
Anomaly detection systems must account for this.
Common approaches include sequential hypothesis testing and Bayesian inference over time-series data, avoiding premature conclusions from low-traffic windows.
Walkthrough
The following walkthrough describes an automated canary promotion pipeline with rollback logic.
PROCEDURE canary_deploy(new_version, stable_version, stages, metric_thresholds):
deploy(new_version, canary_pool)
FOR EACH stage IN stages:
set_traffic_weight(canary_pool, stage.percent)
WAIT(stage.observation_period)
metrics_canary = collect_metrics(canary_pool, stage.observation_period)
metrics_stable = collect_metrics(stable_pool, stage.observation_period)
FOR EACH metric IN metric_thresholds:
IF NOT within_threshold(metrics_canary[metric], metrics_stable[metric], metric_thresholds[metric]):
set_traffic_weight(canary_pool, 0)
ALERT("Canary failed at stage " + stage.percent + "% on metric " + metric)
RETURN FAILURE
// All stages passed
promote(new_version, stable_pool)
decommission(canary_pool)
RETURN SUCCESS
A typical stages configuration might look like:
| Stage | Traffic % | Observation Period |
|---|---|---|
| 1 | 1% | 10 minutes |
| 2 | 5% | 15 minutes |
| 3 | 25% | 30 minutes |
| 4 | 50% | 30 minutes |
| 5 | 100% | 15 minutes |
The within_threshold function compares the canary's metrics against the stable baseline.
A common implementation checks whether the canary's error rate exceeds the stable error rate by more than a relative tolerance (e.g., 1.1x) and whether p99 latency exceeds an absolute ceiling.
Comparing the Two Strategies
| Dimension | Blue-Green | Canary |
|---|---|---|
| Traffic transition | Atomic (0% → 100%) | Gradual (0% → 1% → ... → 100%) |
| Blast radius | Full (all users affected at once) | Bounded (only canary % affected) |
| Rollback speed | Very fast (flip the switch) | Fast (set canary weight to 0) |
| Infrastructure cost | 2x capacity at all times | 1x + small canary pool |
| Observability required | Basic health checks sufficient, | Per-version metric segmentation required |
| Complexity | Lower | Higher |
| Version coexistence | Brief or none | Extended (hours during rollout) |
Blue-green is simpler and works well for systems where atomic cutover is acceptable, and the risk of a few minutes of bad traffic across all users is tolerable.
Canary is preferred for large-scale systems where even a brief full-traffic regression is unacceptable, and where the observability infrastructure exists to support per-version metric analysis.
Hybrid Approaches
In practice, many organizations combine both strategies.
A common pattern is to use blue-green at the environment level (maintaining two full clusters) while using canary logic at the traffic routing level within the "green" environment.
The new version is deployed to green; a canary weight is applied, and only after full canary graduation does the blue environment get decommissioned or recycled.
Another hybrid is the "rolling canary," where individual nodes in a fleet are upgraded incrementally.
Kubernetes rolling updates approximate this.
Each new pod becomes a canary for a fraction of traffic, and the deployment controller watches readiness and liveness probes before proceeding.
This is less precise than a true canary with weighted routing but provides some of the same benefits with lower operational overhead.
Practical Considerations
Session affinity and statefulness. If your service maintains session state, canary deployments must ensure that a user's requests consistently hit the same version during a session.
Version-aware sticky sessions prevent users from experiencing inconsistent behavior as requests bounce between old and new code.
Database migrations. Both strategies require backward-compatible schema changes when the old and new versions share a data store.
This is non-negotiable.
Forward-incompatible migrations make rollback impossible.
Feature flags as a complement. Deployment strategies control which version of code handles traffic.
Feature flags control which code paths execute within a version.
Combining canary deployments with feature flags gives you two independent axes of risk control: you can deploy code broadly but activate new behavior only for a subset of users.
Cost optimization for blue-green. The 2x infrastructure cost can be mitigated by using the idle environment for batch processing, integration testing, or disaster recovery.
Cloud auto-scaling also helps, since the idle environment can be scaled down (though not to zero if you want instant rollback).
Key Points
- Blue-green deployments provide atomic cutover and instant rollback by maintaining two parallel production environments at the cost of double infrastructure.
- Canary deployments limit blast radius by gradually shifting traffic to the new version, requiring robust per-version observability to detect regressions.
- Both strategies decouple deployment from release, allowing code to be provisioned in production before it receives user traffic.
- Backward-compatible database migrations are a hard requirement for both approaches, since rollback must remain possible at any point during the transition.
- Canary effectiveness depends on statistical rigor in metric comparison; small traffic percentages produce small sample sizes that require careful anomaly detection.
- Hybrid approaches (blue-green environments with canary traffic shifting) combine the rollback safety of blue-green with the gradual exposure of canary.
- Feature flags provide a complementary risk-reduction axis that operates at the code-path level rather than the deployment level.
References
Humble, J. and Farley, D. "Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation." Addison-Wesley, 2010.
Beyer, B., Jones, C., Petoff, J., and Murphy, N.R. "Site Reliability Engineering: How Google Runs Production Systems." O'Reilly Media, 2016.
Schermann, G., Cito, J., Leitner, P., Zdun, U., and Gall, H.C. "We're Doing It Live: A Multi-Method Empirical Study on Continuous Experimentation." Information and Software Technology, Vol. 99, 2018.
Burns, B., Grant, B., Oppenheimer, D., Brewer, E., and Wilkes, J. "Borg, Omega, and Kubernetes." ACM Queue, Vol. 14, No. 1, 2016.
Sato, D. "CanaryRelease." Martin Fowler's Bliki, 2014. https://martinfowler.com/bliki/CanaryRelease.html