What is a canary release and how to ship changes without jumping off a cliff

BasicsDevOpsDeploymentReliability

Canary release diagram: most traffic goes to the stable version while a smaller stream reaches the new version under monitoring

Hook

A canary release is a way to ship a change to a small part of users before everyone gets it. The idea is simple: if the new version behaves badly, it is better to learn that at 1% of production traffic than at 100%.

It is not a magic shield against bugs. It is release discipline: a small step, clear metrics, and a prepared decision to continue or roll back.

Problem / Context

A traditional release often feels abrupt: there was an old version, someone pressed a button, and now there is a new one. If everything works, the team exhales. If not, people suddenly need to understand why users see errors, why latency increased, and whether rollback is still calm and possible.

A canary release reduces blast radius. The new version reaches only a small part of the audience or one controlled segment. The team watches error rate, latency, logs, business metrics, and compares them with the stable version. If the signals are healthy, the traffic split grows. If not, the rollout stops.

This is part of the broader progressive delivery approach. Changes are not thrown into production all at once. They are exposed gradually: through traffic split, feature flag, selected regions, internal teams, or other controlled groups.

Why it matters

Users do not care how elegant the deploy pipeline looked. If checkout, login, or the main page breaks after the release, the problem is already real.

A canary release buys time. The team sees a signal earlier, while only a small group is affected. This is especially useful for changes where staging cannot fully mimic production: real traffic, different browsers, unusual data, integrations, queues, and caches.

It also reduces panic. When stop conditions are written down before the release, the team does not need to invent decisions under pressure. For example: if error rate in the canary version is twice as high as the stable version for 10 minutes, stop the rollout and roll back.

But a canary release only makes sense when you can actually compare the old and new versions. Without metrics, logs, and fast rollback, canary becomes a nicer name for an ordinary risky release.

How it works

Imagine an API service. The old version already handles all traffic. The new version passed staging and is ready for production. Instead of switching everyone at once, the team starts with a small traffic split:

stable version: 99% traffic
canary version: 1% traffic
watch time: 15 minutes

After that, the team watches concrete signals, not vibes:

  • error rate;
  • latency;
  • number of 5xx responses;
  • CPU and memory usage;
  • business events the release must not break;
  • logs from the canary version.

If the signals look healthy, the next step might be:

stable version: 90% traffic
canary version: 10% traffic
watch time: 30 minutes

Then traffic can move to 25%, 50%, 100%, or stop earlier. The exact numbers are not sacred. The steps should be small enough for the risk and large enough to reveal real signals.

How to do it

1. Choose a change that fits canary

A canary release works well for backend services, frontend versions behind a CDN, edge rules, workers, and features that can be enabled gradually. It works worse for irreversible database migrations, one-off scripts, or changes that immediately mutate shared state for everyone.

If the change includes a database migration, check compatibility between old and new code first. Canary will not save you if the new version rewrites data in a way the old version cannot handle.

2. Prepare routing

You need a mechanism that can really split traffic. It may be a load balancer, Kubernetes ingress, service mesh, CDN, edge platform, or a feature flag inside the application.

Do not start with fancy tooling. Start with the question: can I say exactly which part of users gets the new version, and can I quickly move them back?

3. Agree on metrics before the start

The worst time to choose metrics is after something is already burning. Before the release, write down what healthy means:

  • error rate is not higher than the stable version;
  • latency does not rise beyond the agreed threshold;
  • no new critical error type appears in logs;
  • key business events do not drop;
  • service resources do not hit the ceiling.

This is not bureaucracy. It prevents the argument where one person says “looks fine to me” and another says “absolutely not.”

4. Start with a small traffic split

For a risky change, start with 1% or even internal users only. For a simpler change, 5% or 10% can be reasonable. But do not make the first step large if rollback has not been verified.

After every step, wait long enough. If the service has peak hours, a short test during a quiet period may show almost nothing.

5. Keep rollback close

Rollback must be ready before the rollout starts, not after the first incident. The team should know:

  • which command or button to use;
  • who makes the decision;
  • how to verify that traffic returned to the stable version;
  • what to do with data already processed by the canary version.

If rollback takes an hour of manual magic, canary still reduces risk, but not as much as you want.

6. Write a release log

A short release log helps a lot. Record the start time, version, traffic split, metrics, decision, and finish time. When someone asks two weeks later why the rollout stopped at 25%, the answer will not live in one person’s memory.

Anti-patterns

  • calling a release canary while switching 50% of traffic immediately without a reason;
  • having no stop conditions and arguing about metrics during rollout;
  • watching only average latency and missing the tails;
  • starting canary without fast rollback;
  • shipping a change with an irreversible database migration and no compatibility plan;
  • using a feature flag but never removing old flags after stabilization;
  • treating staging as unnecessary because “canary will catch everything”;
  • not warning support or the on-call engineer about a risky rollout.

Conclusion / Action Plan

A canary release is not for pretty architecture diagrams. It is a practical way to reduce release risk. You ship in small steps, watch real signals, and keep the right to stop before a problem becomes widespread.

What to do next:

  1. choose a change that can be exposed gradually;
  2. confirm that staging and the deploy pipeline already work;
  3. prepare a traffic split or feature flag;
  4. write down metrics and stop conditions;
  5. verify rollback;
  6. start with a small percentage;
  7. keep a release log until full rollout or stop.

If the release sounds a little less heroic after this, that is a good sign. Production likes boring, repeatable steps.

Official sources:

Quick checklist

  • Confirm that the same version passed staging and is ready for production.
  • Define the first small traffic split and the next rollout steps.
  • Agree on metrics, stop conditions, and who makes the decision.
  • Make sure rollback is faster than the problem can spread.
  • Do not start a canary release without monitoring and a short release log.

Prompt Pack: plan a canary release

Help me plan a canary release for a service before a production rollout. Input data: - what is changing: frontend, API, worker, database, or infrastructure; - the current deploy pipeline and whether staging exists; - how traffic is currently routed between versions; - available metrics: error rate, latency, saturation, business events; - whether a feature flag exists; - how quickly rollback can happen. Return: 1. whether a canary release fits this change; 2. a safe traffic split plan by steps; 3. which metrics to watch at every step; 4. when to stop the rollout; 5. a rollback plan; 6. a short pre-start checklist. Response format: verdict, rollout plan, metrics, stop conditions, rollback, checklist.