Shadow Traffic & Dual-Run - Prove It Before Cutover

Reversibility (Lesson #18): design the exit before the entry.

Idempotency (Lesson #19): make retries and replays safe.

Backpressure (Lesson #20): keep the core path alive under stress.

SLOs & Error Budgets (Lesson #21): ship with guardrails.

From “staging truth” → to “production truth.”

From “correctness on paper” → to “behavior parity under reality.”

From “we think it’s faster” → to “we measured it against the SLO you care about.”

Mindset Shift - From task finisher to system shaper

Design for Change - Build for today, adapt for tomorrow

Tradeoff Thinking - Decide with context, not dogma

Architecture = Communication - Align minds, not just modules

Lead Without the Title - Influence decisions before you’re promoted

Success criteria: What must be true to cut over? (e.g., ≤0.5% output deviation on core scenarios; p95 latency ≤ old system + 10%; availability ≥ SLO.)

Scope: Which endpoints, tenants, or flows are in scope? Start narrow.

Edge/gateway tee: Mirror requests at the gateway to the new system. Good for HTTP APIs.

Producer tee: Publish the same events to both old and new consumers (Kafka/Kinesis fan-out).

Span/sidecar tee: Service-mesh/agent duplicates calls without code changes.

Sampling: Start at 1–5% of total traffic; grow gradually.

Stickiness: Keep related requests for a session or entity consistent (same user → same cohort) to avoid bias.

Exclusions: Remove obviously risky tenants or VIPs initially.

Block writes to external systems (email, payments) from the shadow path.

Sandbox third-party calls (or stub them).

Route side effects to a black-hole sink or a safe audit topic.

Mask or tokenize PII in the mirrored stream where lawful.

Partition logs/metrics for shadow traffic.

Access control: Observability for shadows follows least-privilege.

Exact match (binary): IDs, status codes, flags, deterministic decisions.

Tolerance window (numeric): scores, prices, totals (e.g., within ±0.1).

Semantic parity (ranking/top-K): overlap %, Kendall tau, business KPI equivalence.

Error parity: % mismatches by category (schema, validation, 4xx/5xx).

Latency parity: p50/p95/p99 deltas for the new path vs old.

Throughput headroom: CPU/mem/GC; connection pools; queue depth.

Business KPIs: conversion, fraud, authorization rate, in shadow only as simulated metrics.

Golden set: Curated, nasty cases (edge locales, Unicode, leap days, max payloads, hot SKUs).

Real-time: Live stream exposes unknowns (seasonality, tenant quirks, traffic spikes).
Cut only after the new path passes both.

Toggle location: feature flag, routing rule, DNS/LB weight, or consumer offset switch.

Blast radius plan: 1% → 5% → 25% → 100% with hold times and health checks at each step.

Rollback: exact command + condition (breach of SLO/latency/diff). Practice once.

Retire the tee and shadow observers after stability.

Archive diffs for a postmortem doc (“what surprised us”).

Remove flags and dead configs to keep the system simple.

Correlation IDs everywhere. Thread a single ID through teeing, new path, and diff store so analysis isn’t guesswork.

Seed determinism. Fix random seeds for tests; freeze time for golden replays.

Clock sanity. NTP skew makes TTLs and signatures fail; verify time alignment.

Eventual consistency-aware diffs. Compare after the same stabilization window on both sides.

Cost controls. Shadowing can be expensive; sample aggressively and auto-pause off-peak.

Business guardrails. If a new path is cheaper but subtly shifts a KPI (e.g., authorization rate vs. fraud), instrument that as a parity metric too.

Decision: Move from Provider A → Provider B.

Tee point: At the payments gateway, mirror authorize and capture calls to Provider B (sandbox).

Read-only: B’s real money calls are replaced with sandbox + audit log; no real charges.

Diffing: Compare auth outcomes (approve/decline), reason codes, and expected fees within tolerance.

SLO: Authorization success rate ≥ A; p95 latency within +10%.

Cutover: 1% of tenants with low–medium volume → hold 24h → 5% → 25% → 100%.

Rollback: Single feature flag; auto-rollback if auth success dips >0.5% for 15 minutes.

Decision: New search ranking model.

Tee: Mirror top-X queries to the new model.

Diff: Measure rank correlation, top-3 overlap, and simulated business click-through.

Guardrails: If semantic parity stalls below the threshold for key categories, don’t cut.

Cutover: Canary on low-risk categories; measure live CTR lift; expand gradually.

Pitfall: Shadow path accidentally sends emails/charges.
Fix: Hard block egress to production side-effect systems; route to sink or sandbox.

Pitfall: Sampling bias hides the scary cases.
Fix: Combine random sampling with targeted golden sets (tenants, locales, big payloads).

Pitfall: Chasing bit-for-bit parity on non-deterministic outputs.
Fix: Use tolerance or semantic diffs; document accepted variance.

Pitfall: Declaring victory after a day.
Fix: Run across peak cycles (day of week, month-end) and partner outages.

Pitfall: Diff store without privacy controls.
Fix: Mask PII; access-scope shadow logs.

Pitfall: No owner for go/no-go.
Fix: Name a DRI and set objective thresholds before you start.

Identify one risky change on your roadmap (provider swap, data-store move, algorithm change).

Run the Dual-Run Checklist end-to-end with a narrow scope.

Schedule a cut rehearsal (toggle + rollback) in staging.

Put the go/no-go thresholds into your team’s runbook and pin the parity dashboard.

Mirror real inputs.

Compare outputs with the right parity metric.

Watch SLO-aligned deltas.

Cut over gradually with rollback rehearsed.