Canary Release
Progressive rollout: the new version first gets 1%, then 10%, then 50% of traffic, monitored at each step. The pattern that turns a risky deployment into a series of controlled micro-validations.
Problem
A pure Blue-Green is all-or-nothing: 0% or 100% of traffic on the new version. For a critical EDI mapping or AS2 gateway, the 100% switch exposes all traffic to the regression risk simultaneously. If the new version has a sub-1% bug (poorly-covered edge case), many messages are needed to notice: in the meantime, thousands of transactions have already been processed with the bug.
Forces
- Risk must be capped: when the regression is discovered, only X% of traffic has been affected.
- SLOs must be measurable in real time: the rollout depends on live metrics (latency, error rate, ack rate).
- Distribution must be deterministic: a given partner/message should not alternate between v1 and v2 on successive calls.
- Increment must be configurable: the sequence 1% / 10% / 50% / 100% or 5% / 25% / 100% per criticality.
- Rollback must be automatable: if SLOs degrade, automatic return to the previous step without human action.
Solution
Deploy the new version as a canary (reference to the historical use of canaries in mines). At step 1, 1% of traffic is routed to v2.0 — this is the canary, which "dies" if something goes wrong. SLOs are monitored (latency, error rate, ack rate) on this traffic fraction. If OK, move to the next step (10%, 50%, 100%) with validation at each tier. Distribution is typically done by hash of message ID or partner ID, to guarantee stability. Rollback is automatic on threshold breach. Tools: Flagger (CNCF, based on Istio/Linkerd), Argo Rollouts (Kubernetes), AWS AppMesh, Google Cloud Deploy.
Progressive rollout with SLO monitoring:
Step 0: 100% v1.0 (baseline)
▼
Step 1: 1% v2.0 + 99% v1.0 ─ 1h monitoring
▼ (SLO OK?)
Step 2: 5% v2.0 + 95% v1.0 ─ 2h
▼
Step 3: 10% v2.0 + 90% v1.0 ─ 4h
▼
Step 4: 25% v2.0 + 75% v1.0 ─ 8h
▼
Step 5: 50% v2.0 + 50% v1.0 ─ 12h
▼
Step 6: 100% v2.0 ─ stable, v1.0 cleanup
At each step: if SLO degraded (error rate ↗, latency ↗):
- immediate rollback to previous step
- investigation
- re-promote at lower % or abandon
EDI implementation
Concrete case: deployment of a new EN 16931 validator with refined
2025 rules. Without Canary: 100% switch, if a rule is too strict
and rejects legitimate invoices, mass rejection detected after
2-3h, major business impact. With Canary: step 1 at 1% for 1h,
monitoring rejection rates. If baseline rejection rate = 0.2% and
v2.0 climbs to 2%, alert → automatic rollback → investigation. If
OK, ramp to 5%, 10%, etc. The router is an Istio VirtualService
with weights:
http: [{ route: [{ destination: { host: validator, subset: v1 }, weight: 90 }, { destination: { host: validator, subset: v2 }, weight: 10 }] }].
The Flagger controller automates progressive promotion based on
Prometheus SLOs. Interesting variant: per-partner canary — v2 is
first activated on 1 cooperative pilot partner, then expanded.
Anti-patterns
- Canary without observability: ramping to 50% without monitoring SLOs = blind canary = no benefit vs Blue-Green all-or-nothing.
- Non-deterministic distribution: a single partner alternates v1 and v2 → inconsistent mappings, impossible audit.
- No explicit promotion criterion: the decision to move to the next step is left to ops eye → errors.
- Canary that takes days: tiers are too spaced, exposure window long, two partners use v1 and v2 in parallel over long durations (consistency problems).
- No automatic rollback: depending on human on-call for rollback negates the benefit of fast reaction.
- Infinite canary: staying at 25% "to see" for months — decision indefinitely deferred.
Related patterns
- Feature Flag — the application brick that drives distribution.
- Blue-Green Deployment — all-or-nothing version, complementary to Canary.
- Dark Launch — variant where traffic is duplicated without user-facing return.
- Circuit Breaker — independent runtime protection.
- Chaos Engineering — stress-testing prior to Canary to validate resilience.
Sources
- Sato D. — CanaryRelease (martinfowler.com, 2014). Canonical definition of the pattern. martinfowler.com — CanaryRelease
- Beyer B., Jones C., Petoff J., Murphy N. — Site Reliability Engineering, O'Reilly 2016. Chapter 16 on tracking changes in production. sre.google/sre-book
- Argo Rollouts — Official documentation of the Kubernetes controller for canary and blue-green. argoproj.github.io — argo-rollouts
- Flagger (CNCF) — Documentation of the progressive delivery operator for Istio, Linkerd, NGINX. flagger.app
- Kim G., Humble J., Debois P., Willis J. — The DevOps Handbook, IT Revolution Press 2016 (2nd ed. 2021). Progressive deployment patterns.
- Beda K., Burns B., Hightower K. — Kubernetes Up & Running, O'Reilly 2022. Chapter on progressive deployment with Argo and Flagger.