NovVista Tech Brief

Global tech intelligence, tools, and practical AI workflows.

Security & Infrastructure

Zero-Downtime Deployments: Blue-Green, Canary, and Rolling Updates Explained

ByMichael Sun

Mar 26, 2026

Every Minute of Downtime Has a Price Tag

Gartner’s often-cited figure of $5,600 per minute of downtime is from 2014. Adjusted for inflation and the degree to which businesses now depend on always-on services, the real number for most mid-market SaaS companies sits somewhere between $8,000 and $15,000 per minute. But the cost that nobody puts on a spreadsheet is the one that actually hurts: user trust. A customer who hits a 502 during checkout does not file a support ticket. They leave.

The good news is that zero-downtime deployment strategies are no longer the exclusive domain of companies with dedicated platform engineering teams. The tooling has matured. The patterns are well-documented. And for most workloads, you can get there with an afternoon of focused work.

The bad news is that the term “zero-downtime” has become marketing language as much as engineering practice. There are trade-offs, failure modes, and edge cases that the glossy overview posts tend to skip. This piece covers the three dominant approaches, the database migration problem that lurks beneath all of them, and a frank assessment of when you should bother at all.

Blue-Green Deployments: The Conceptual Starting Point

Blue-green is the oldest and most intuitive of the zero-downtime deployment strategies. You maintain two identical production environments. One (blue) serves live traffic. The other (green) sits idle or runs the new version. When the new version passes validation, you switch the load balancer to point at green. Blue becomes the fallback.

How It Actually Works with Nginx

The switch itself is trivial. Here is a minimal Nginx upstream configuration that demonstrates the mechanism:

# /etc/nginx/conf.d/upstream.conf

upstream app_backend {
    # Blue environment (currently live)
    server 10.0.1.10:8080;
    # server 10.0.1.20:8080;  # Green environment (standby)
}

# To switch: comment blue, uncomment green, then reload
# nginx -s reload triggers a graceful handoff — no dropped connections

With HAProxy, the pattern is similar but you get more sophisticated health checking out of the box:

backend app_servers
    option httpchk GET /health
    http-check expect status 200

    # Blue (active)
    server blue 10.0.1.10:8080 check
    # Green (standby — disabled until cutover)
    server green 10.0.1.20:8080 check disabled

To switch traffic to green, you enable the green server and disable blue through HAProxy’s runtime API or stats socket. No config file editing, no reload required.

The Strengths and Weaknesses

Blue-green gives you the cleanest rollback story of any deployment strategy. Something goes wrong? Switch back. The old version is still running, warm, and ready. You are not rebuilding anything.

The cost is infrastructure. You need double the compute capacity sitting around at all times. For a small stateless API, this is negligible. For a workload with 16 application servers and dedicated worker queues, it gets expensive fast. Some teams mitigate this by using the idle environment for staging or batch processing, but that introduces its own complexity.

The other underappreciated problem is session state. If your application stores sessions in memory (which it should not, but many do), the switchover drops every active session. Sticky sessions, Redis-backed session stores, or JWT-based authentication eliminate this issue, but you need to address it before the first deployment, not during.

Canary Releases: Trust, But Verify

Canary deployments take a more cautious approach. Instead of switching all traffic at once, you route a small percentage to the new version and watch what happens. If error rates stay flat and latency does not spike, you gradually increase the percentage until the new version handles everything.

This is the strategy that large-scale operators like Google and Netflix have championed, and for good reason. It catches problems that no amount of staging-environment testing will find: subtle performance regressions under real load, edge cases in user data that your fixtures do not cover, and interaction effects between services.

Traffic Splitting in Practice

Nginx supports weight-based upstream distribution natively:

upstream app_backend {
    server 10.0.1.10:8080 weight=95;  # Stable version
    server 10.0.1.20:8080 weight=5;   # Canary version
}

For more granular control, Nginx Plus or Envoy give you percentage-based routing and the ability to pin specific users or request paths to the canary. Istio, if you are already running it, makes canary routing a first-class concept through VirtualService resources.

What Metrics to Watch

The whole point of a canary is that you are making a data-driven decision about whether to proceed. The metrics that matter are:

  • Error rate (5xx responses) — the most obvious signal. Compare canary error rate against the baseline, not against zero. A 0.1% error rate on both is fine. A 0.1% baseline and 0.8% canary is a problem.
  • P95 and P99 latency — averages hide problems. If the canary’s median latency is identical but P99 doubled, you have a regression that affects your most complex requests.
  • Business metrics — conversion rate, checkout completion, API call success rate. These catch bugs that do not throw errors but produce wrong results.
  • Resource consumption — CPU and memory on the canary instances. A memory leak will not show up in a five-minute smoke test, but it will show up after thirty minutes of real traffic.

Automated canary analysis tools like Kayenta (from Netflix/Google) or Flagger (for Kubernetes) can compare these metrics between canary and baseline and automatically promote or roll back. For smaller teams, a Grafana dashboard and a human making the call works perfectly well.

Rolling Updates: The Kubernetes Default

Rolling updates replace instances of the old version with the new version one at a time (or in small batches). At any given moment during the deployment, some instances run the old code and some run the new code. Once all instances are replaced, the deployment is complete.

This is the default strategy in Kubernetes and Docker Swarm, which means many teams are already using it without having made a deliberate choice.

Kubernetes Rolling Update Configuration

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 4
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1    # At most 1 pod down during update
      maxSurge: 1          # At most 1 extra pod during update
  template:
    spec:
      containers:
      - name: app
        image: registry.example.com/app:2.1.0
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10

The readinessProbe is critical. Without it, Kubernetes will send traffic to pods that are still starting up. The maxUnavailable and maxSurge parameters control how aggressive the rollout is. Setting maxUnavailable: 0 and maxSurge: 1 ensures you always have full capacity during the update, at the cost of temporarily running one extra pod.

Docker Swarm Equivalent

docker service update \
  --image registry.example.com/app:2.1.0 \
  --update-parallelism 1 \
  --update-delay 30s \
  --update-failure-action rollback \
  web-app

The --update-delay flag is something Kubernetes does not have a direct equivalent for. It forces a pause between each instance update, giving you time to spot problems before the next instance rolls over.

The Mixed-Version Problem

Rolling updates have a fundamental property that blue-green and canary deployments share in a more controlled way: for some period, old code and new code serve traffic simultaneously. If the new version changes an API response format, both formats will be in play. If the new version writes data in a different shape, both shapes will coexist in your database.

This is manageable, but only if you design for it. Backward-compatible changes are a requirement, not a nice-to-have.

Comparison: Choosing the Right Strategy

Factor Blue-Green Canary Rolling Update
Rollback speed Instant (switch LB) Fast (stop canary traffic) Moderate (redeploy old version)
Infrastructure overhead High (2x capacity) Low-moderate Low (1 extra instance)
Mixed-version duration None (atomic switch) Controlled Throughout rollout
Complexity Low High (metrics pipeline) Low (built into orchestrators)
Best for Critical apps, small fleets High-traffic, risk-sensitive Stateless services, Kubernetes-native
Database migration risk Moderate High (two versions read/write) High (two versions read/write)

The Database Problem Nobody Wants to Talk About

Every zero-downtime deployment strategy runs into the same wall: the database. You can swap application servers all day long, but a schema migration that adds a NOT NULL column without a default value will break the old application code that is still running.

The expand-contract pattern (sometimes called parallel change) is the standard solution. It works in three phases:

  • Expand: Add the new column as nullable or with a default. Deploy code that writes to both old and new columns. Old code continues to work because it ignores the new column.
  • Migrate: Backfill existing rows. This can run as a background job. No downtime, no locking (if you batch properly).
  • Contract: Once all rows are populated and the old code is fully retired, drop the old column and remove the dual-write logic. Add the NOT NULL constraint if needed.

This turns one migration into three deployments. It is slower. It requires discipline. It is also the only approach that actually works for zero-downtime deployment strategies when your schema needs to change.

Tools like gh-ost (for MySQL) and pgroll (for PostgreSQL) automate parts of this by performing online schema changes that do not lock tables. They are worth evaluating if you run migrations more than a few times a month.

Feature Flags: Decoupling Deployment from Release

The most powerful shift in deployment practice over the past decade is the separation of deployment (putting code on servers) from release (making features available to users). Feature flags make this separation concrete.

With feature flags, you deploy code that includes the new feature behind a conditional check. The feature is off by default. Once the deployment is stable, you toggle the flag to enable it. If the feature causes problems, you toggle it off without redeploying anything.

The safest deployment is one where nothing changes from the user’s perspective. Feature flags make that the default state.

You do not need a commercial feature flag service for this. A simple implementation backed by a database table or environment variable works for most teams. LaunchDarkly, Unleash (open-source), and Flipt are worth considering once you have more than a handful of flags and need audit trails or gradual rollouts.

The discipline required is cleanup. Feature flags that live forever become technical debt. Every flag should have an expiration date or a ticket to remove it once the feature is confirmed stable. Teams that skip this step end up with codebases full of dead branches and flags that nobody is sure whether they can remove.

Practical Implementation for Small Teams

If you are a team of one to five engineers running a handful of services, here is an honest recommendation: start with rolling updates on whatever orchestrator you already use, add health checks, and call it done. That covers 80% of what you need.

The specific steps:

  • Implement a /health endpoint that checks database connectivity and returns 200 when the app is ready to serve traffic. Not before.
  • Configure your orchestrator to use that endpoint as a readiness check. Kubernetes does this natively. Docker Swarm supports health checks. Even a simple systemd service behind Nginx can do this with periodic health polling.
  • Set your deployment to replace one instance at a time with at least a 30-second delay between replacements.
  • Ensure your database migrations are backward-compatible. If a migration is not backward-compatible, split it into two: one that is, and one that cleans up after the old code is gone.

Add canary analysis later, if and when you have the traffic volume and observability stack to make it meaningful. Running a canary against 50 requests per minute does not tell you much. Running it against 5,000 does.

When “Just Restart” Is Perfectly Fine

Not every service needs zero-downtime deployments. A controversial opinion, maybe, but a pragmatic one.

If your service is an internal tool used during business hours by a team of 20 people, a 10-second restart during a maintenance window at 2 AM is not a problem worth engineering around. The cost of downtime is literally zero, because nobody is using it.

Similarly, if your service processes asynchronous jobs from a queue, restarting it causes a brief pause in processing, not data loss. The queue buffers. The jobs get picked up when the service comes back. For many background workers, systemctl restart app is a perfectly valid deployment strategy.

The services that genuinely need zero-downtime deployment share these characteristics:

  • They serve synchronous requests from users or other services that cannot retry transparently.
  • They handle traffic volumes where even a few seconds of downtime means thousands of failed requests.
  • They operate in environments where maintenance windows are not an option (global user base, SLA commitments, real-time data processing).

If none of those apply, invest your engineering time elsewhere. Premature optimization of deployment pipelines is just as real as premature optimization of code.

The Path Forward

Zero-downtime deployment strategies are a spectrum, not a binary. You do not go from “restart and pray” to full canary analysis with automated rollback in one step. The progression for most teams looks like this:

  • Stage 1: Health checks and graceful shutdown. Your app drains connections before stopping. Your load balancer knows when an instance is not ready.
  • Stage 2: Rolling updates with readiness gating. New instances must pass health checks before receiving traffic.
  • Stage 3: Feature flags for high-risk changes. The deployment itself changes nothing user-facing. The release is a separate, reversible action.
  • Stage 4: Canary analysis for services where the traffic volume and business criticality justify the observability investment.

Most teams will find that stages 1 and 2 eliminate the vast majority of deployment-related incidents. Stages 3 and 4 are for when you have the scale, the team, and the operational maturity to make them worthwhile. Get the fundamentals right first. The sophisticated tooling means nothing without solid health checks, backward-compatible migrations, and graceful shutdown handling.

By Michael Sun

Founder and Editor-in-Chief of NovVista. Software engineer with hands-on experience in cloud infrastructure, full-stack development, and DevOps. Writes about AI tools, developer workflows, server architecture, and the practical side of technology. Based in China.

Related Post

Security & Infrastructure

Infrastructure as Code for Solo Developers: Terraform, Pulumi, and When a Shell Script Is Enough

Mar 26, 2026 Michael Sun
Security & Infrastructure

Understanding OAuth 2.0 and OpenID Connect: A Developer’s Implementation Guide

Mar 26, 2026 Michael Sun
Security & Infrastructure

Linux Process Management: systemd, Supervisor, and PM2 Compared

Mar 26, 2026 Michael Sun

Leave a Reply

Your email address will not be published. Required fields are marked *

You missed

Security & Infrastructure

Zero-Downtime Deployments: Blue-Green, Canary, and Rolling Updates Explained

March 26, 2026 Michael Sun
Creator Tools

Building Accessible Web Applications: Beyond Checkbox Compliance

March 26, 2026 Michael Sun
Security & Infrastructure

Infrastructure as Code for Solo Developers: Terraform, Pulumi, and When a Shell Script Is Enough

March 26, 2026 Michael Sun
Developer Tools

SQLite in Production: When the Simplest Database Is the Right One

March 26, 2026 Michael Sun