The latest articles on DEV Community by InstaDevOps (@instadevops). https://dev.to/instadevops https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2952358%2F474aa7f4-09cf-409d-891e-cfc4f071d18a.png https://dev.to/instadevops en InstaDevOps Sat, 09 May 2026 13:48:13 +0000 https://dev.to/instadevops/chaos-engineering-building-resilient-systems-in-production-2l33 https://dev.to/instadevops/chaos-engineering-building-resilient-systems-in-production-2l33 <h2> Chaos Engineering: Building Resilient Systems with Litmus, Gremlin, and Chaos Monkey </h2> <p>Chaos engineering is the discipline of experimenting on a system to build confidence in its ability to withstand turbulent conditions in production. It is not about breaking things randomly - it is a scientific method where you form a hypothesis about how your system handles failure, inject a controlled fault, observe the behavior, and improve based on what you learn. The alternative is waiting for production to surprise you at 3 AM.</p> <p>The practice starts with steady-state definition: what does normal look like for your system? Define it with metrics - request success rate above 99.9%, P95 latency below 200ms, error rate below 0.1%. Then design experiments: what happens when a database replica fails, when network latency increases by 100ms between two services, or when a pod's CPU is throttled to 50%? Tools like Litmus (Kubernetes-native, open source), Gremlin (SaaS with enterprise features), and Chaos Monkey (Netflix's original tool for random instance termination) let you inject these faults in a controlled manner.</p> <p>Start small and expand. Your first chaos experiment should be killing a single pod of a replicated service - if your system cannot handle that, you have bigger problems than chaos engineering can solve. Graduate to network partitions between services, DNS failures, and disk pressure. Run game days where the team practices incident response with injected failures. The goal is not to find every possible failure mode but to build muscle memory for responding to the unexpected and to systematically eliminate single points of failure.</p> <p><strong>Want to build more resilient infrastructure?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> helps teams implement chaos engineering practices and improve system reliability. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a>.</p> chaos reliability sre devops InstaDevOps Fri, 08 May 2026 13:48:10 +0000 https://dev.to/instadevops/linux-performance-tuning-for-devops-engineers-2mk4 https://dev.to/instadevops/linux-performance-tuning-for-devops-engineers-2mk4 <h2> Linux Performance Tuning for DevOps: CPU, Memory, I/O, and Network Optimization </h2> <p>Linux performance tuning is a skill that separates good DevOps engineers from great ones. Default kernel parameters are optimized for general-purpose workloads, but production servers running databases, web applications, or container orchestrators need targeted tuning. The difference between default settings and properly tuned parameters can be 2-5x throughput improvement without any hardware changes.</p> <p>Start with understanding your bottleneck. Use <code>top</code>, <code>htop</code>, and <code>mpstat</code> for CPU analysis - look at user vs system time, I/O wait, and per-core utilization. For memory, <code>free -h</code>, <code>vmstat</code>, and <code>/proc/meminfo</code> reveal swap usage, page faults, and buffer/cache behavior. Disk I/O diagnostics use <code>iostat</code>, <code>iotop</code>, and <code>blktrace</code> to identify whether you are IOPS-limited or throughput-limited. Network performance requires <code>ss</code>, <code>netstat</code>, and <code>iperf3</code> to find connection bottlenecks, dropped packets, and bandwidth limits.</p> <p>The most impactful sysctl tunings for web-facing servers include increasing <code>net.core.somaxconn</code> and <code>net.ipv4.tcp_max_syn_backlog</code> for connection handling, tuning <code>vm.swappiness</code> to 10 for application servers (keeping data in RAM), adjusting <code>vm.dirty_ratio</code> and <code>vm.dirty_background_ratio</code> for write-heavy workloads, and enabling <code>net.ipv4.tcp_fastopen</code> for reduced latency. For containerized workloads, file descriptor limits (<code>fs.file-max</code>), inotify watches (<code>fs.inotify.max_user_watches</code>), and PID limits need attention. Always benchmark before and after changes - tuning without measurement is just guessing.</p> <p><strong>Need help optimizing your infrastructure?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> tunes production Linux servers for maximum performance. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a>.</p> linux performance sre devops InstaDevOps Thu, 07 May 2026 13:48:06 +0000 https://dev.to/instadevops/opentelemetry-the-future-of-cloud-native-observability-2323 https://dev.to/instadevops/opentelemetry-the-future-of-cloud-native-observability-2323 <h2> OpenTelemetry in Practice: Unified Traces, Metrics, and Logs for Microservices </h2> <p>OpenTelemetry has become the industry standard for instrumenting applications, but most teams struggle with the gap between understanding the concept and running it in production. The documentation covers individual components well, but the real challenge is wiring everything together - auto-instrumentation, the OTel Collector pipeline, sampling strategies, and connecting traces to logs to metrics in a way that actually speeds up debugging.</p> <p>Start with auto-instrumentation. For Node.js, the <code>@opentelemetry/auto-instrumentations-node</code> package automatically traces HTTP requests, database queries, gRPC calls, and message queue operations without changing application code. For Python, <code>opentelemetry-instrumentation</code> does the same. Deploy the OpenTelemetry Collector as a sidecar or DaemonSet - it receives telemetry via OTLP, processes it (batching, filtering, adding resource attributes), and exports to your backends. The Collector is where you implement tail-based sampling: keep 100% of error traces and slow requests, sample 10% of successful fast requests.</p> <p>The real power of OpenTelemetry is correlation. When a trace ID propagates through every service, you can click from a Grafana dashboard showing elevated P99 latency directly to the specific trace causing it, then pivot to the structured logs for that trace ID. Configure your logging library to inject trace and span IDs into every log entry. Use exemplars to link metrics to traces. This workflow - alert fires, check dashboard, find trace, read logs - should take minutes, not hours.</p> <p><strong>Need help implementing observability?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> deploys production OpenTelemetry stacks with Grafana, Tempo, Loki, and Prometheus. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a>.</p> opentelemetry observability monitoring devops InstaDevOps Wed, 06 May 2026 13:48:03 +0000 https://dev.to/instadevops/aws-vpc-networking-transit-gateway-peering-privatelink-775 https://dev.to/instadevops/aws-vpc-networking-transit-gateway-peering-privatelink-775 <h2> AWS VPC Networking: Subnets, NAT Gateways, Transit Gateway, and PrivateLink </h2> <p>AWS networking is the foundation that everything else sits on, yet it is the area where most teams accumulate the most technical debt. A poorly designed VPC leads to security gaps, connectivity issues, and painful migrations later. Getting your network architecture right from the start - proper CIDR planning, subnet tiers, and connectivity patterns - saves enormous headaches as you scale.</p> <p>Every production VPC should have three subnet tiers across multiple availability zones: public subnets for load balancers and bastion hosts, private subnets for application workloads, and isolated subnets for databases with no internet access. NAT Gateways provide outbound internet access for private subnets - deploy one per AZ for high availability, but be aware they are one of the most expensive networking components. Use VPC endpoints (Gateway endpoints for S3/DynamoDB, Interface endpoints for other services) to keep traffic on the AWS backbone and reduce NAT Gateway costs.</p> <p>For multi-VPC architectures, Transit Gateway replaces the mesh of VPC peering connections that becomes unmanageable beyond 3-4 VPCs. Transit Gateway acts as a hub that all VPCs connect to, with route tables controlling which VPCs can communicate. PrivateLink exposes services across VPCs or to customers without traversing the public internet - essential for SaaS architectures and shared services platforms. Plan your CIDR ranges carefully to avoid overlaps, and use AWS RAM to share subnets across accounts in an AWS Organizations setup.</p> <p><strong>Need help designing your AWS network?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> architects production-grade VPC layouts for startups and scale-ups. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a>.</p> aws networking vpc devops InstaDevOps Tue, 05 May 2026 13:47:55 +0000 https://dev.to/instadevops/terraform-state-management-remote-backends-locking-recovery-3ofe https://dev.to/instadevops/terraform-state-management-remote-backends-locking-recovery-3ofe <h2> Terraform State Management: Remote Backends, Locking, and State Surgery </h2> <p>Terraform state is the single most critical file in your infrastructure-as-code workflow. It maps your Terraform configuration to real-world resources, and corrupting or losing it means Terraform loses track of everything it manages. Yet many teams start with local state files, no locking, and no backup strategy - a recipe for disaster the moment two people run terraform apply simultaneously.</p> <p>Remote backends solve the fundamentals: store state in S3 with DynamoDB locking, or use Terraform Cloud for managed state with built-in versioning. Every remote backend should have encryption at rest, versioning enabled for rollback, and a DynamoDB table for state locking to prevent concurrent modifications. Structure your state files by environment and component - a single monolithic state file for your entire infrastructure creates blast radius problems and slows down every plan and apply.</p> <p>State surgery is the skill you need when things go wrong. <code>terraform state mv</code> renames resources without destroying them. <code>terraform state rm</code> removes resources from state without deleting them from your cloud provider. <code>terraform import</code> brings existing infrastructure under Terraform management. These commands are dangerous - always back up your state file before running them. For large-scale refactoring, <code>terraform state pull</code> and <code>terraform state push</code> let you manipulate state as JSON, but treat this as a last resort.</p> <p><strong>Need help with your Terraform setup?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> specializes in production-grade infrastructure as code. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a> to discuss your IaC strategy.</p> terraform iac devops cloud InstaDevOps Mon, 04 May 2026 13:47:52 +0000 https://dev.to/instadevops/kubernetes-autoscaling-hpa-vpa-and-keda-deep-dive-32g7 https://dev.to/instadevops/kubernetes-autoscaling-hpa-vpa-and-keda-deep-dive-32g7 <h2> Kubernetes Autoscaling Deep Dive: HPA, VPA, KEDA, and Cluster Autoscaler </h2> <p>Kubernetes autoscaling is not a single feature - it is a layered system where four components work together to match your infrastructure to actual demand. Getting autoscaling wrong means either wasting money on idle resources or dropping traffic during load spikes. Understanding how HPA, VPA, KEDA, and the Cluster Autoscaler interact is essential for any production Kubernetes deployment.</p> <p>The Horizontal Pod Autoscaler (HPA) scales the number of pod replicas based on CPU, memory, or custom metrics. The Vertical Pod Autoscaler (VPA) adjusts resource requests and limits for individual containers based on observed usage - critical for right-sizing workloads you have not profiled yet. KEDA (Kubernetes Event-Driven Autoscaling) extends HPA with scalers for external event sources like SQS queue depth, Kafka consumer lag, or Prometheus queries, enabling scale-to-zero for workloads that do not need to run continuously. The Cluster Autoscaler adds or removes nodes when pods cannot be scheduled due to insufficient cluster capacity.</p> <p>The key to effective autoscaling is layering these components correctly. Run VPA in recommendation mode first to establish baseline resource requests. Configure HPA with appropriate metrics and thresholds - CPU utilization of 60-70% is a good starting point. Use KEDA for event-driven workloads like queue processors. And ensure Cluster Autoscaler is configured with appropriate node groups and scale-down policies to avoid unnecessary churn.</p> <p><strong>Struggling with Kubernetes scaling?</strong> <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a> helps teams implement autoscaling strategies that balance performance and cost. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a>.</p> kubernetes autoscaling keda devops InstaDevOps Sun, 03 May 2026 13:47:49 +0000 https://dev.to/instadevops/hashicorp-vault-production-secrets-management-guide-387p https://dev.to/instadevops/hashicorp-vault-production-secrets-management-guide-387p <h2> HashiCorp Vault for DevOps: Dynamic Secrets, PKI, and Zero-Trust Infrastructure </h2> <p>Static secrets are a ticking time bomb. Hardcoded API keys, long-lived database passwords stored in environment variables, and shared credentials passed around in Slack channels - these are the security gaps that attackers exploit every day. HashiCorp Vault solves this by providing a centralized secrets management platform that generates short-lived, dynamic credentials on demand.</p> <p>Vault's power lies in its secrets engines. The database secrets engine generates unique credentials for each application instance with automatic expiration. The PKI engine issues TLS certificates programmatically, eliminating manual certificate management. The AWS engine creates temporary IAM credentials scoped to exactly the permissions each service needs. Combined with Vault Agent for automatic secret injection and renewal, you can build infrastructure where no secret lives longer than it needs to.</p> <p>Implementing zero-trust with Vault means every service authenticates independently - whether through Kubernetes service accounts, AWS IAM roles, or AppRole for CI/CD pipelines. Vault's audit log tracks every secret access, giving you a complete trail for compliance. The transit engine handles encryption-as-a-service without exposing keys to applications. For teams running Kubernetes, the Vault CSI provider and sidecar injector make integration seamless.</p> <p><strong>Need help securing your infrastructure?</strong> At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we implement production-grade secrets management with HashiCorp Vault. <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free consultation</a> to discuss your security posture.</p> vault security secrets devops InstaDevOps Sat, 02 May 2026 13:47:45 +0000 https://dev.to/instadevops/microservices-communication-grpc-vs-rest-message-queues-and-sagas-337b https://dev.to/instadevops/microservices-communication-grpc-vs-rest-message-queues-and-sagas-337b <h2> Introduction </h2> <p>The moment you split a monolith into microservices, communication becomes your biggest challenge. In a monolith, a function call is nanoseconds, type-safe, and transactional. In microservices, every interaction is a network call that can fail, timeout, arrive out of order, or silently duplicate. The communication patterns you choose determine your system's reliability, latency, and operational complexity.</p> <p>This guide covers the practical decisions you face when designing microservice communication: synchronous vs asynchronous, gRPC vs REST, choosing the right message broker, implementing the saga pattern for distributed transactions, and building circuit breakers to prevent cascade failures.</p> <h2> Synchronous vs Asynchronous Communication </h2> <p>The first architectural decision is whether services communicate synchronously (request-response) or asynchronously (event-driven). Most systems need both.</p> <p><strong>Synchronous (request-response):</strong> Service A sends a request to Service B and waits for a response. Use for operations where the caller needs an immediate answer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User → API Gateway → Order Service → Inventory Service (check stock) ← stock confirmed ← order created ← 201 Created </code></pre> </div> <p><strong>Asynchronous (event-driven):</strong> Service A publishes an event and moves on. Other services consume the event whenever they are ready. Use for operations where the caller does not need an immediate answer, or when you want to decouple services.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Order Service → publishes "OrderCreated" event → Message Queue ├→ Payment Service (processes payment) ├→ Notification Service (sends email) └→ Analytics Service (records metric) </code></pre> </div> <p><strong>When to use synchronous:</strong></p> <ul> <li>User-facing requests that need an immediate response</li> <li>Data reads where you need the latest state</li> <li>Simple request-response queries between two services</li> </ul> <p><strong>When to use asynchronous:</strong></p> <ul> <li>Operations that can happen in the background (email, analytics, audit logs)</li> <li>When you need to fan out to multiple consumers</li> <li>When services have different availability requirements</li> <li>When you need to handle traffic spikes (the queue acts as a buffer)</li> </ul> <p>The biggest mistake teams make is going 100% synchronous. If your order service synchronously calls payment, inventory, notification, and analytics services in sequence, a slowdown in any one of them degrades the entire order flow. Move non-critical steps to async processing.</p> <h2> gRPC vs REST </h2> <p>For synchronous service-to-service communication, you are choosing between REST (HTTP/JSON) and gRPC (HTTP/2, Protocol Buffers).</p> <p><strong>REST</strong> is the default because it is simple, well-understood, and debuggable with curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Express.js REST endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/inventory/:productId</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stock</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT quantity FROM inventory WHERE product_id = $1</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">productId</span><span class="p">]</span> <span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">productId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">productId</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="nx">stock</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">quantity</span> <span class="o">||</span> <span class="mi">0</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Calling it from another service</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://inventory-service:3000/api/inventory/SKU-123</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> </code></pre> </div> <p><strong>gRPC</strong> uses Protocol Buffers for serialization and HTTP/2 for transport, giving you strong typing, smaller payloads, and bidirectional streaming:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="c1">// inventory.proto</span> <span class="na">syntax</span> <span class="o">=</span> <span class="s">"proto3"</span><span class="p">;</span> <span class="kn">package</span> <span class="nn">inventory</span><span class="p">;</span> <span class="kd">service</span> <span class="n">InventoryService</span> <span class="p">{</span> <span class="k">rpc</span> <span class="n">CheckStock</span> <span class="p">(</span><span class="n">StockRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">StockResponse</span><span class="p">);</span> <span class="k">rpc</span> <span class="n">WatchStock</span> <span class="p">(</span><span class="n">StockRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">stream</span> <span class="n">StockUpdate</span><span class="p">);</span> <span class="c1">// Server streaming</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">StockRequest</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">product_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">StockResponse</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">product_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kt">int32</span> <span class="na">quantity</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="kt">bool</span> <span class="na">in_stock</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">StockUpdate</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">product_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kt">int32</span> <span class="na">quantity</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="kt">string</span> <span class="na">timestamp</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// gRPC server (Node.js)</span> <span class="kd">const</span> <span class="nx">grpc</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@grpc/grpc-js</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">protoLoader</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@grpc/proto-loader</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">packageDef</span> <span class="o">=</span> <span class="nx">protoLoader</span><span class="p">.</span><span class="nf">loadSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">inventory.proto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">proto</span> <span class="o">=</span> <span class="nx">grpc</span><span class="p">.</span><span class="nf">loadPackageDefinition</span><span class="p">(</span><span class="nx">packageDef</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">grpc</span><span class="p">.</span><span class="nc">Server</span><span class="p">();</span> <span class="nx">server</span><span class="p">.</span><span class="nf">addService</span><span class="p">(</span><span class="nx">proto</span><span class="p">.</span><span class="nx">inventory</span><span class="p">.</span><span class="nx">InventoryService</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="p">{</span> <span class="na">checkStock</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">call</span><span class="p">,</span> <span class="nx">callback</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stock</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT quantity FROM inventory WHERE product_id = $1</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">call</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">product_id</span><span class="p">]</span> <span class="p">);</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="p">{</span> <span class="na">product_id</span><span class="p">:</span> <span class="nx">call</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">product_id</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="nx">stock</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">quantity</span> <span class="o">||</span> <span class="mi">0</span><span class="p">,</span> <span class="na">in_stock</span><span class="p">:</span> <span class="p">(</span><span class="nx">stock</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">quantity</span> <span class="o">||</span> <span class="mi">0</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">bindAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">0.0.0.0:50051</span><span class="dl">'</span><span class="p">,</span> <span class="nx">grpc</span><span class="p">.</span><span class="nx">ServerCredentials</span><span class="p">.</span><span class="nf">createInsecure</span><span class="p">(),</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">gRPC server running on port 50051</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>Choose REST when:</strong></p> <ul> <li>External-facing APIs (browsers, mobile apps, third parties)</li> <li>Simple CRUD operations</li> <li>You want maximum debuggability</li> <li>Team is not familiar with protobuf</li> </ul> <p><strong>Choose gRPC when:</strong></p> <ul> <li>Internal service-to-service communication with high call volume</li> <li>You need streaming (real-time feeds, file uploads)</li> <li>Latency-sensitive paths where the ~30% serialization speedup matters</li> <li>You want strict API contracts enforced at compile time</li> </ul> <p>In practice, many teams use REST for their public API and gRPC for internal service mesh communication.</p> <h2> Choosing a Message Broker </h2> <p>For asynchronous communication, you need a message broker. The three most common choices are SQS, RabbitMQ, and Kafka, and they serve different use cases.</p> <p><strong>Amazon SQS</strong> - Managed queue, simplest to operate, no infrastructure to manage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">SQSClient</span><span class="p">,</span> <span class="nx">SendMessageCommand</span><span class="p">,</span> <span class="nx">ReceiveMessageCommand</span><span class="p">,</span> <span class="nx">DeleteMessageCommand</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@aws-sdk/client-sqs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sqs</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SQSClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">QUEUE_URL</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://sqs.us-east-1.amazonaws.com/123456789/order-events</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Producer: publish event</span> <span class="k">await</span> <span class="nx">sqs</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">SendMessageCommand</span><span class="p">({</span> <span class="na">QueueUrl</span><span class="p">:</span> <span class="nx">QUEUE_URL</span><span class="p">,</span> <span class="na">MessageBody</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">eventType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OrderCreated</span><span class="dl">'</span><span class="p">,</span> <span class="na">orderId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ord_abc123</span><span class="dl">'</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usr_456</span><span class="dl">'</span><span class="p">,</span> <span class="na">total</span><span class="p">:</span> <span class="mf">99.99</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}),</span> <span class="na">MessageGroupId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ord_abc123</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// FIFO queue: ensures ordering per order</span> <span class="na">MessageDeduplicationId</span><span class="p">:</span> <span class="s2">`order-created-ord_abc123`</span><span class="p">,</span> <span class="c1">// Prevents duplicates</span> <span class="p">}));</span> <span class="c1">// Consumer: poll for events</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">pollMessages</span><span class="p">()</span> <span class="p">{</span> <span class="k">while </span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sqs</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">ReceiveMessageCommand</span><span class="p">({</span> <span class="na">QueueUrl</span><span class="p">:</span> <span class="nx">QUEUE_URL</span><span class="p">,</span> <span class="na">MaxNumberOfMessages</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">WaitTimeSeconds</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="c1">// Long polling</span> <span class="na">VisibilityTimeout</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="p">}));</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">message</span> <span class="k">of</span> <span class="nx">response</span><span class="p">.</span><span class="nx">Messages</span> <span class="o">||</span> <span class="p">[])</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">event</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nx">Body</span><span class="p">);</span> <span class="k">await</span> <span class="nf">processEvent</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="k">await</span> <span class="nx">sqs</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">DeleteMessageCommand</span><span class="p">({</span> <span class="na">QueueUrl</span><span class="p">:</span> <span class="nx">QUEUE_URL</span><span class="p">,</span> <span class="na">ReceiptHandle</span><span class="p">:</span> <span class="nx">message</span><span class="p">.</span><span class="nx">ReceiptHandle</span><span class="p">,</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>RabbitMQ</strong> - Feature-rich broker with flexible routing (exchanges, bindings, dead letter queues):</p> <p>Best when you need complex routing patterns (topic-based, headers-based), priority queues, or delayed messages. More operational overhead than SQS since you manage the broker yourself.</p> <p><strong>Apache Kafka</strong> - Distributed log for high-throughput event streaming:</p> <p>Best when you need event replay (consumers can re-read history), very high throughput (millions of events/second), or multiple consumer groups reading the same stream independently. Most complex to operate.</p> <p><strong>Decision matrix:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Requirement</th> <th>SQS</th> <th>RabbitMQ</th> <th>Kafka</th> </tr> </thead> <tbody> <tr> <td>Zero ops overhead</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>Message ordering</td> <td>FIFO queues</td> <td>Per queue</td> <td>Per partition</td> </tr> <tr> <td>Event replay</td> <td>No</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Complex routing</td> <td>No</td> <td>Yes</td> <td>No (use streams)</td> </tr> <tr> <td>Throughput</td> <td>High</td> <td>Medium</td> <td>Very high</td> </tr> <tr> <td>Latency</td> <td>~20ms</td> <td>~1ms</td> <td>~5ms</td> </tr> <tr> <td>Cost at low volume</td> <td>Cheapest</td> <td>Moderate</td> <td>Expensive</td> </tr> </tbody> </table></div> <p>For most startups: <strong>start with SQS</strong>. You can always migrate to Kafka later when you actually need event replay or million-message-per-second throughput.</p> <h2> The Saga Pattern for Distributed Transactions </h2> <p>In a monolith, creating an order means a single database transaction: deduct inventory, charge payment, create order - all or nothing. In microservices, each step is a different service with its own database. You cannot use a distributed transaction (2PC) because it does not scale and couples all services together.</p> <p>The saga pattern breaks a distributed transaction into a sequence of local transactions, each publishing an event that triggers the next step. If any step fails, compensating transactions undo the previous steps.</p> <p><strong>Choreography-based saga</strong> (each service reacts to events):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>OrderService PaymentService InventoryService │ │ │ ├─ Create order (PENDING) │ │ ├─ Publish "OrderCreated" ──►│ │ │ ├─ Charge payment │ │ ├─ Publish "PaymentCharged" ─►│ │ │ ├─ Reserve stock │ │ ├─ Publish "StockReserved" │◄───────────────────────────┼────────────────────────────┤ ├─ Update order → CONFIRMED │ │ │ │ │ │ --- If payment fails --- │ │ │ ├─ Publish "PaymentFailed" ──►│ │◄───────────────────────────┤ ├─ Release stock ├─ Update order → CANCELLED │ │ </code></pre> </div> <p><strong>Orchestration-based saga</strong> (a central coordinator manages the flow):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// saga-orchestrator.js</span> <span class="kd">class</span> <span class="nc">CreateOrderSaga</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">orderService</span><span class="p">,</span> <span class="nx">paymentService</span><span class="p">,</span> <span class="nx">inventoryService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">steps</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">execute</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">inventoryService</span><span class="p">.</span><span class="nf">reserveStock</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">items</span><span class="p">),</span> <span class="na">compensate</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">inventoryService</span><span class="p">.</span><span class="nf">releaseStock</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">items</span><span class="p">),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">execute</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">paymentService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">total</span><span class="p">),</span> <span class="na">compensate</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">paymentService</span><span class="p">.</span><span class="nf">refund</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">paymentId</span><span class="p">),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">execute</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">orderService</span><span class="p">.</span><span class="nf">confirmOrder</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">orderId</span><span class="p">),</span> <span class="na">compensate</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">orderService</span><span class="p">.</span><span class="nf">cancelOrder</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">orderId</span><span class="p">),</span> <span class="p">},</span> <span class="p">];</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">execute</span><span class="p">(</span><span class="nx">orderData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">completedSteps</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">step</span> <span class="k">of</span> <span class="k">this</span><span class="p">.</span><span class="nx">steps</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">step</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">orderData</span><span class="p">);</span> <span class="nx">orderData</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">orderData</span><span class="p">,</span> <span class="p">...</span><span class="nx">result</span> <span class="p">};</span> <span class="nx">completedSteps</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">step</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Saga step failed: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">. Compensating...`</span><span class="p">);</span> <span class="c1">// Compensate in reverse order</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">completed</span> <span class="k">of</span> <span class="nx">completedSteps</span><span class="p">.</span><span class="nf">reverse</span><span class="p">())</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">completed</span><span class="p">.</span><span class="nf">compensate</span><span class="p">(</span><span class="nx">orderData</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">compError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Compensation failed: </span><span class="p">${</span><span class="nx">compError</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Alert on-call - manual intervention needed</span> <span class="p">}</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Order saga failed: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">orderData</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Choreography vs orchestration:</strong> Use choreography when you have 2-3 services in the saga and the flow is simple. Use orchestration when you have 4+ services or complex branching logic. Orchestration is easier to understand, debug, and monitor.</p> <h2> Circuit Breakers </h2> <p>When a downstream service is failing, you do not want every request to wait for a timeout. A circuit breaker detects failures and short-circuits requests to the failing service, returning an error immediately or falling back to a cached response.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// circuit-breaker.js</span> <span class="kd">class</span> <span class="nc">CircuitBreaker</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">options</span> <span class="o">=</span> <span class="p">{})</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureThreshold</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">failureThreshold</span> <span class="o">||</span> <span class="mi">5</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">resetTimeout</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">resetTimeout</span> <span class="o">||</span> <span class="mi">30000</span><span class="p">;</span> <span class="c1">// 30 seconds</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastFailureTime</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">CLOSED</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// CLOSED = normal, OPEN = failing, HALF_OPEN = testing</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">execute</span><span class="p">(</span><span class="nx">fn</span><span class="p">,</span> <span class="nx">fallback</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPEN</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastFailureTime</span> <span class="o">&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nx">resetTimeout</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">HALF_OPEN</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">fallback</span><span class="p">)</span> <span class="k">return</span> <span class="nf">fallback</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Circuit breaker is OPEN</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fn</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">HALF_OPEN</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">CLOSED</span><span class="dl">'</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span><span class="o">++</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastFailureTime</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">failureCount</span> <span class="o">&gt;=</span> <span class="k">this</span><span class="p">.</span><span class="nx">failureThreshold</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">OPEN</span><span class="dl">'</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Circuit breaker tripped to OPEN</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">fallback</span><span class="p">)</span> <span class="k">return</span> <span class="nf">fallback</span><span class="p">();</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="kd">const</span> <span class="nx">inventoryBreaker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CircuitBreaker</span><span class="p">({</span> <span class="na">failureThreshold</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">resetTimeout</span><span class="p">:</span> <span class="mi">15000</span><span class="p">,</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">checkStock</span><span class="p">(</span><span class="nx">productId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">inventoryBreaker</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="c1">// Primary: call inventory service</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`http://inventory-service:3000/api/stock/</span><span class="p">${</span><span class="nx">productId</span><span class="p">}</span><span class="s2">`</span><span class="p">).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">r</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Inventory service returned </span><span class="p">${</span><span class="nx">r</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}),</span> <span class="c1">// Fallback: return cached/default value</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="nx">productId</span><span class="p">,</span> <span class="na">quantity</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">in_stock</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">source</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fallback</span><span class="dl">'</span> <span class="p">})</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>In production, use a library like <a href="https://github.com/nodeshift/opossum" rel="noopener noreferrer">opossum</a> for Node.js or rely on your service mesh (Istio, Linkerd) to handle circuit breaking at the infrastructure level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Istio DestinationRule with circuit breaking</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">inventory-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">inventory-service</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">100</span> <span class="na">http</span><span class="pi">:</span> <span class="na">h2UpgradePolicy</span><span class="pi">:</span> <span class="s">DEFAULT</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">50</span> <span class="na">http2MaxRequests</span><span class="pi">:</span> <span class="m">100</span> <span class="na">maxRequestsPerConnection</span><span class="pi">:</span> <span class="m">10</span> <span class="na">outlierDetection</span><span class="pi">:</span> <span class="na">consecutive5xxErrors</span><span class="pi">:</span> <span class="m">3</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">baseEjectionTime</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxEjectionPercent</span><span class="pi">:</span> <span class="m">50</span> </code></pre> </div> <h2> Observability for Distributed Communication </h2> <p>Debugging microservice communication without proper observability is like debugging a distributed system blindfolded. Implement these three pillars:</p> <p><strong>Distributed tracing</strong> - propagate trace IDs across service boundaries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Using OpenTelemetry</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">trace</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">propagation</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@opentelemetry/api</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// When making an outbound request, propagate context</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">callService</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{};</span> <span class="nx">propagation</span><span class="p">.</span><span class="nf">inject</span><span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nf">active</span><span class="p">(),</span> <span class="nx">headers</span><span class="p">);</span> <span class="k">return</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">headers</span><span class="p">,</span> <span class="c1">// Includes traceparent header</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">),</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Structured logging</strong> - include correlation IDs in every log line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Every log entry includes the trace/request ID</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Processing order</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">traceId</span><span class="p">:</span> <span class="nx">span</span><span class="p">.</span><span class="nf">spanContext</span><span class="p">().</span><span class="nx">traceId</span><span class="p">,</span> <span class="na">orderId</span><span class="p">:</span> <span class="nx">order</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">order-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">create_order</span><span class="dl">'</span><span class="p">,</span> <span class="na">duration_ms</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">startTime</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p><strong>Metrics</strong> - track request rate, error rate, and latency (the RED method):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Prometheus metrics</span> <span class="kd">const</span> <span class="nx">httpRequestDuration</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">promClient</span><span class="p">.</span><span class="nc">Histogram</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http_request_duration_seconds</span><span class="dl">'</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Duration of HTTP requests</span><span class="dl">'</span><span class="p">,</span> <span class="na">labelNames</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">target_service</span><span class="dl">'</span><span class="p">],</span> <span class="na">buckets</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">5</span><span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Designing and implementing microservices communication patterns - from choosing the right broker to implementing sagas and circuit breakers - requires deep infrastructure expertise. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs build reliable, scalable microservice architectures - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your microservices architecture and communication challenges.</p> microservices architecture devops grpc InstaDevOps Fri, 01 May 2026 13:47:40 +0000 https://dev.to/instadevops/backup-and-disaster-recovery-rtorpo-planning-and-aws-backup-41hn https://dev.to/instadevops/backup-and-disaster-recovery-rtorpo-planning-and-aws-backup-41hn <h2> Introduction </h2> <p>Every startup says they have backups. Very few have actually tested restoring from them. Even fewer have a documented disaster recovery plan with defined recovery objectives. Then something goes wrong - a developer runs a destructive migration against production, a region goes down, ransomware encrypts your EBS volumes - and the team discovers their "backup strategy" was an untested assumption.</p> <p>Disaster recovery does not have to be complicated or expensive, especially on AWS. But it does have to be intentional. This guide walks through building a real DR strategy: defining your recovery objectives, implementing the 3-2-1 backup rule, configuring AWS Backup, setting up cross-region replication, and most importantly, testing that everything actually works.</p> <h2> Understanding RTO and RPO </h2> <p>Before you configure a single backup, you need two numbers:</p> <p><strong>Recovery Point Objective (RPO):</strong> How much data can you afford to lose? If your RPO is 1 hour, you need backups at least every hour. If your RPO is zero, you need synchronous replication.</p> <p><strong>Recovery Time Objective (RTO):</strong> How long can your service be down before the business impact becomes unacceptable? If your RTO is 4 hours, you need a recovery process that can restore full service within 4 hours.</p> <p>These numbers vary by system. Here is a realistic example for a SaaS startup:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>System</th> <th>RPO</th> <th>RTO</th> <th>Strategy</th> </tr> </thead> <tbody> <tr> <td>Primary database (PostgreSQL)</td> <td>5 minutes</td> <td>30 minutes</td> <td>Continuous WAL archiving + read replica</td> </tr> <tr> <td>User uploads (S3)</td> <td>0 (no loss)</td> <td>1 hour</td> <td>Cross-region replication</td> </tr> <tr> <td>Application servers</td> <td>N/A (stateless)</td> <td>15 minutes</td> <td>Auto-scaling group, multi-AZ</td> </tr> <tr> <td>Redis cache</td> <td>1 hour</td> <td>15 minutes</td> <td>Rebuild from DB if needed</td> </tr> <tr> <td>Elasticsearch</td> <td>24 hours</td> <td>4 hours</td> <td>Nightly snapshots to S3</td> </tr> <tr> <td>Configuration/secrets</td> <td>0 (no loss)</td> <td>30 minutes</td> <td>Versioned in AWS Secrets Manager</td> </tr> </tbody> </table></div> <p>The key insight: not everything needs the same level of protection. Your production database needs 5-minute RPO. Your Elasticsearch cluster (which can be rebuilt from the database) can tolerate 24-hour RPO. Treating everything equally means overspending on DR for low-criticality systems.</p> <h2> The 3-2-1 Backup Rule </h2> <p>The 3-2-1 rule is decades old and still the best framework for backup strategy:</p> <ul> <li> <strong>3</strong> copies of your data</li> <li> <strong>2</strong> different storage media/types</li> <li> <strong>1</strong> copy offsite (different region or provider)</li> </ul> <p>In AWS terms:</p> <ol> <li> <strong>Copy 1:</strong> Production data (RDS instance, EBS volumes, S3 buckets)</li> <li> <strong>Copy 2:</strong> AWS Backup vault in the same region (different storage from production)</li> <li> <strong>Copy 3:</strong> Cross-region backup copy (different region entirely)</li> </ol> <p>For truly critical data, consider a fourth copy outside AWS entirely (GCP bucket, Azure blob, or even Backblaze B2). This protects against the unlikely but possible scenario of an AWS account compromise.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example: backup RDS snapshot to an external provider using pg_dump</span> pg_dump <span class="nt">-h</span> your-rds-endpoint.region.rds.amazonaws.com <span class="se">\</span> <span class="nt">-U</span> dbadmin <span class="nt">-d</span> production <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span>custom <span class="se">\</span> <span class="nt">--file</span><span class="o">=</span>production-<span class="si">$(</span><span class="nb">date</span> +%Y%m%d<span class="si">)</span>.dump <span class="c"># Encrypt and upload to external storage</span> gpg <span class="nt">--symmetric</span> <span class="nt">--cipher-algo</span> AES256 production-<span class="si">$(</span><span class="nb">date</span> +%Y%m%d<span class="si">)</span>.dump aws s3 <span class="nb">cp </span>production-<span class="si">$(</span><span class="nb">date</span> +%Y%m%d<span class="si">)</span>.dump.gpg s3://offsite-backups/ <span class="nt">--storage-class</span> GLACIER_IR </code></pre> </div> <h2> Configuring AWS Backup </h2> <p>AWS Backup provides a centralized service to manage backups across RDS, EBS, EFS, DynamoDB, S3, and more. Here is a production-ready configuration using Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Backup vault</span> <span class="nx">resource</span> <span class="s2">"aws_backup_vault"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-vault"</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">backup</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Cross-region vault for DR</span> <span class="nx">resource</span> <span class="s2">"aws_backup_vault"</span> <span class="s2">"dr"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">dr_region</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-vault-dr"</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">backup_dr</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Backup plan</span> <span class="nx">resource</span> <span class="s2">"aws_backup_plan"</span> <span class="s2">"production"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-backup-plan"</span> <span class="c1"># Hourly backups retained for 24 hours</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">rule_name</span> <span class="p">=</span> <span class="s2">"hourly"</span> <span class="nx">target_vault_name</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">schedule</span> <span class="p">=</span> <span class="s2">"cron(0 * * * ? *)"</span> <span class="nx">start_window</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">completion_window</span> <span class="p">=</span> <span class="mi">120</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">1</span> <span class="c1"># days</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Daily backups retained for 30 days</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">rule_name</span> <span class="p">=</span> <span class="s2">"daily"</span> <span class="nx">target_vault_name</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">schedule</span> <span class="p">=</span> <span class="s2">"cron(0 3 * * ? *)"</span> <span class="nx">start_window</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">completion_window</span> <span class="p">=</span> <span class="mi">180</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">cold_storage_after</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="c1"># Copy to DR region</span> <span class="nx">copy_action</span> <span class="p">{</span> <span class="nx">destination_vault_arn</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">dr</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Weekly backups retained for 1 year</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">rule_name</span> <span class="p">=</span> <span class="s2">"weekly"</span> <span class="nx">target_vault_name</span> <span class="p">=</span> <span class="nx">aws_backup_vault</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">schedule</span> <span class="p">=</span> <span class="s2">"cron(0 4 ? * SUN *)"</span> <span class="nx">start_window</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">completion_window</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">cold_storage_after</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">delete_after</span> <span class="p">=</span> <span class="mi">365</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Assign resources to backup plan</span> <span class="nx">resource</span> <span class="s2">"aws_backup_selection"</span> <span class="s2">"production"</span> <span class="p">{</span> <span class="nx">iam_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">backup</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-resources"</span> <span class="nx">plan_id</span> <span class="p">=</span> <span class="nx">aws_backup_plan</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># Backup everything tagged with Backup=true</span> <span class="nx">selection_tag</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STRINGEQUALS"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"Backup"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Tag your resources to include them in the backup plan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"production"</span> <span class="p">{</span> <span class="c1"># ... other config</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Backup</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ebs_volume"</span> <span class="s2">"data"</span> <span class="p">{</span> <span class="c1"># ... other config</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Backup</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Cross-Region Replication </h2> <p>For services where you need faster recovery than restoring from backups, set up active replication:</p> <p><strong>RDS Cross-Region Read Replica:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Primary in us-east-1</span> <span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"production-primary"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"16.2"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.xlarge"</span> <span class="nx">multi_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">backup_retention_period</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">backup_window</span> <span class="p">=</span> <span class="s2">"03:00-04:00"</span> <span class="p">}</span> <span class="c1"># Cross-region replica in us-west-2</span> <span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"dr_replica"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">dr_region</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"production-dr-replica"</span> <span class="nx">replicate_source_db</span> <span class="p">=</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.large"</span> <span class="c1"># Can be smaller to save cost</span> <span class="c1"># Can be promoted to primary during DR</span> <span class="nx">auto_minor_version_upgrade</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><strong>S3 Cross-Region Replication:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-uploads-primary"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="c1"># Required for replication</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_replication_configuration"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">replication</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"replicate-all"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">destination</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">dr</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD_IA"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>DynamoDB Global Tables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"sessions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sessions"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"session_id"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"session_id"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="nx">replica</span> <span class="p">{</span> <span class="nx">region_name</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Your DR Plan </h2> <p>This is where most organizations fail. A backup strategy without tested recovery procedures is not a strategy - it is a hope.</p> <p><strong>Quarterly DR drill checklist:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## DR Drill - Q2 2026</span> <span class="gu">### Pre-drill</span> <span class="p">-</span> [ ] Schedule 4-hour maintenance window <span class="p">-</span> [ ] Notify stakeholders <span class="p">-</span> [ ] Document current production state (record counts, latest transactions) <span class="gu">### Database Recovery</span> <span class="p">-</span> [ ] Restore RDS from latest cross-region snapshot <span class="p">-</span> [ ] Verify restore completed without errors <span class="p">-</span> [ ] Compare row counts against production <span class="p">-</span> [ ] Run application smoke tests against restored DB <span class="p">-</span> [ ] Record actual restore time: _____ minutes (RTO target: 30 min) <span class="p">-</span> [ ] Record data loss window: _____ minutes (RPO target: 5 min) <span class="gu">### Application Recovery</span> <span class="p">-</span> [ ] Deploy application stack in DR region using Terraform <span class="p">-</span> [ ] Verify DNS failover configuration works <span class="p">-</span> [ ] Run full integration test suite <span class="p">-</span> [ ] Record actual application recovery time: _____ minutes <span class="gu">### S3 Data Verification</span> <span class="p">-</span> [ ] Compare object counts between primary and DR bucket <span class="p">-</span> [ ] Download and verify random sample of objects <span class="p">-</span> [ ] Verify replication lag: _____ seconds <span class="gu">### Post-drill</span> <span class="p">-</span> [ ] Document any issues encountered <span class="p">-</span> [ ] Update runbooks based on findings <span class="p">-</span> [ ] File tickets for gaps identified <span class="p">-</span> [ ] Update RTO/RPO estimates based on actual times </code></pre> </div> <p>Automate what you can. This script verifies your RDS backup is restorable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># dr-test-rds-restore.sh</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nv">SNAPSHOT_ID</span><span class="o">=</span><span class="si">$(</span>aws rds describe-db-snapshots <span class="se">\</span> <span class="nt">--db-instance-identifier</span> production-primary <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'reverse(sort_by(DBSnapshots, &amp;SnapshotCreateTime))[0].DBSnapshotIdentifier'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Restoring from snapshot: </span><span class="nv">$SNAPSHOT_ID</span><span class="s2">"</span> aws rds restore-db-instance-from-db-snapshot <span class="se">\</span> <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="se">\</span> <span class="nt">--db-snapshot-identifier</span> <span class="s2">"</span><span class="nv">$SNAPSHOT_ID</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--db-instance-class</span> db.t3.medium <span class="se">\</span> <span class="nt">--no-multi-az</span> <span class="nb">echo</span> <span class="s2">"Waiting for instance to be available..."</span> aws rds <span class="nb">wait </span>db-instance-available <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="nb">echo</span> <span class="s2">"Running verification queries..."</span> <span class="nv">ENDPOINT</span><span class="o">=</span><span class="si">$(</span>aws rds describe-db-instances <span class="se">\</span> <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'DBInstances[0].Endpoint.Address'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="nv">RESTORED_COUNT</span><span class="o">=</span><span class="si">$(</span>psql <span class="nt">-h</span> <span class="s2">"</span><span class="nv">$ENDPOINT</span><span class="s2">"</span> <span class="nt">-U</span> dbadmin <span class="nt">-d</span> production <span class="nt">-tAc</span> <span class="s2">"SELECT count(*) FROM users"</span><span class="si">)</span> <span class="nv">PROD_COUNT</span><span class="o">=</span><span class="si">$(</span>psql <span class="nt">-h</span> prod-endpoint <span class="nt">-U</span> dbadmin <span class="nt">-d</span> production <span class="nt">-tAc</span> <span class="s2">"SELECT count(*) FROM users"</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Production users: </span><span class="nv">$PROD_COUNT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Restored users: </span><span class="nv">$RESTORED_COUNT</span><span class="s2">"</span> <span class="c"># Cleanup</span> aws rds delete-db-instance <span class="se">\</span> <span class="nt">--db-instance-identifier</span> dr-test-restore <span class="se">\</span> <span class="nt">--skip-final-snapshot</span> </code></pre> </div> <h2> Common DR Mistakes to Avoid </h2> <p><strong>1. Backing up data but not configuration.</strong> Your database backup is useless if you cannot recreate the VPC, security groups, IAM roles, and application configuration needed to run your service. Infrastructure as code (Terraform, CloudFormation) is a DR requirement, not a nice-to-have.</p> <p><strong>2. Not encrypting backups.</strong> Unencrypted backups in S3 are a security liability. Use KMS encryption on all backup vaults and S3 buckets.</p> <p><strong>3. Using the same KMS key for primary and DR.</strong> If your primary region's KMS key becomes unavailable, you cannot decrypt backups in the DR region. Use separate KMS keys in each region, or use multi-region KMS keys.</p> <p><strong>4. Ignoring DNS TTL.</strong> If you need to failover DNS to a DR region, a 24-hour TTL means clients will keep hitting the dead primary for up to 24 hours. Set TTLs to 60 seconds for any record that might need to change during DR.</p> <p><strong>5. No communication plan.</strong> When production goes down, people panic. Document who gets notified, how (Slack, PagerDuty, phone), and who has the authority to initiate DR procedures. Practice this too.</p> <h2> Need Help with Your DevOps? </h2> <p>Building a disaster recovery strategy that actually works when you need it requires planning, implementation, and regular testing. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs implement production-grade backup and DR infrastructure - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your backup and disaster recovery needs.</p> aws disasterrecovery devops backup InstaDevOps Thu, 30 Apr 2026 13:47:36 +0000 https://dev.to/instadevops/argocd-gitops-deployment-guide-app-of-apps-and-progressive-delivery-7c7 https://dev.to/instadevops/argocd-gitops-deployment-guide-app-of-apps-and-progressive-delivery-7c7 <h2> Introduction </h2> <p>GitOps is the practice of using Git as the single source of truth for your infrastructure and application configuration. ArgoCD is the most widely adopted GitOps operator for Kubernetes, and for good reason - it watches your Git repositories and automatically reconciles your cluster state to match what is defined in your manifests.</p> <p>But installing ArgoCD is the easy part. The hard part is structuring your repositories, managing multi-environment deployments, implementing progressive delivery, and setting up proper RBAC so your platform team does not become a bottleneck. This guide covers all of that with production-tested patterns.</p> <h2> Installing and Configuring ArgoCD </h2> <p>Start with a production-ready ArgoCD installation using the HA manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create namespace</span> kubectl create namespace argocd <span class="c"># Install ArgoCD HA (recommended for production)</span> kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/ha/install.yaml <span class="c"># Wait for all pods to be ready</span> kubectl <span class="nb">wait</span> <span class="nt">--for</span><span class="o">=</span><span class="nv">condition</span><span class="o">=</span>ready pod <span class="nt">-l</span> app.kubernetes.io/part-of<span class="o">=</span>argocd <span class="nt">-n</span> argocd <span class="nt">--timeout</span><span class="o">=</span>300s <span class="c"># Get initial admin password</span> kubectl <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.password}"</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>Expose ArgoCD via an Ingress (assuming you have an ingress controller and cert-manager):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-server</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/ssl-passthrough</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HTTPS"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.yourcompany.com</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">argocd-tls</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">argocd.yourcompany.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-server</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">443</span> </code></pre> </div> <p>Configure ArgoCD to connect to your Git repositories. For private repos, use SSH deploy keys:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd repo add git@github.com:yourorg/k8s-manifests.git <span class="se">\</span> <span class="nt">--ssh-private-key-path</span> ~/.ssh/argocd_deploy_key </code></pre> </div> <h2> The App-of-Apps Pattern </h2> <p>The app-of-apps pattern is the standard way to manage multiple ArgoCD applications declaratively. Instead of manually creating each Application resource through the UI or CLI, you define a single root Application that points to a directory of Application manifests.</p> <p>Repository structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s-manifests/ ├── apps/ # Root app-of-apps directory │ ├── api.yaml # Application manifest for API service │ ├── frontend.yaml # Application manifest for frontend │ ├── worker.yaml # Application manifest for worker │ ├── redis.yaml # Application manifest for Redis │ └── monitoring.yaml # Application manifest for monitoring stack ├── services/ │ ├── api/ │ │ ├── base/ │ │ │ ├── deployment.yaml │ │ │ ├── service.yaml │ │ │ └── kustomization.yaml │ │ └── overlays/ │ │ ├── staging/ │ │ │ └── kustomization.yaml │ │ └── production/ │ │ └── kustomization.yaml │ ├── frontend/ │ │ └── ... │ └── worker/ │ └── ... └── infrastructure/ ├── redis/ └── monitoring/ </code></pre> </div> <p>The root application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># root-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">root</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">git@github.com:yourorg/k8s-manifests.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>An individual app manifest within the <code>apps/</code> directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/api.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">finalizers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">resources-finalizer.argocd.argoproj.io</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">git@github.com:yourorg/k8s-manifests.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">services/api/overlays/production</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> </code></pre> </div> <p>When you add a new service, you just add a new YAML file to the <code>apps/</code> directory and push to Git. ArgoCD picks it up automatically.</p> <h2> Sync Waves and Resource Ordering </h2> <p>Sync waves control the order in which ArgoCD applies resources. This is critical when you have dependencies - you need namespaces before deployments, CRDs before custom resources, and databases before applications.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Wave -1: Namespaces and CRDs first</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">production</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="nn">---</span> <span class="c1"># Wave 0: Infrastructure (databases, caches)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># ... Redis application config</span> <span class="nn">---</span> <span class="c1"># Wave 1: Shared services (service mesh, secrets)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-secrets</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># ... External Secrets Operator config</span> <span class="nn">---</span> <span class="c1"># Wave 2: Application services</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># ... API application config</span> </code></pre> </div> <p>Combine sync waves with resource hooks for even finer control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Run database migration before deploying new version</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Job</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">db-migrate</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/hook</span><span class="pi">:</span> <span class="s">PreSync</span> <span class="na">argocd.argoproj.io/hook-delete-policy</span><span class="pi">:</span> <span class="s">BeforeHookCreation</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">migrate</span> <span class="na">image</span><span class="pi">:</span> <span class="s">yourorg/api:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">node"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">migrate.js"</span><span class="pi">]</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">backoffLimit</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <h2> Progressive Delivery with Argo Rollouts </h2> <p>ArgoCD handles syncing manifests to your cluster, but it does not manage how traffic shifts to new versions. That is where Argo Rollouts comes in. It replaces the standard Kubernetes Deployment with a Rollout resource that supports canary and blue-green deployment strategies.</p> <p>Install Argo Rollouts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace argo-rollouts kubectl apply <span class="nt">-n</span> argo-rollouts <span class="nt">-f</span> https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml </code></pre> </div> <p>A canary rollout with automated analysis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">yourorg/api:v2.1.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">250m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">canaryService</span><span class="pi">:</span> <span class="s">api-canary</span> <span class="na">stableService</span><span class="pi">:</span> <span class="s">api-stable</span> <span class="na">trafficRouting</span><span class="pi">:</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">stableIngress</span><span class="pi">:</span> <span class="s">api-ingress</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">analysis</span><span class="pi">:</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">30</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">analysis</span><span class="pi">:</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">60</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">duration</span><span class="pi">:</span> <span class="nv">5m</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">100</span> </code></pre> </div> <p>The analysis template that gates each promotion step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AnalysisTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">60s</span> <span class="na">count</span><span class="pi">:</span> <span class="m">5</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.99</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">2</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus.monitoring:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(rate(http_requests_total{app="api",status=~"2.."}[5m]))</span> <span class="s">/</span> <span class="s">sum(rate(http_requests_total{app="api"}[5m]))</span> </code></pre> </div> <p>If the success rate drops below 99% during any analysis phase, Argo Rollouts automatically rolls back to the stable version. No human intervention required at 3 AM.</p> <h2> RBAC and Multi-Tenancy </h2> <p>For teams with multiple projects or environments, ArgoCD's RBAC system controls who can see and sync what. Define projects to create boundaries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">team-payments</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Payments</span><span class="nv"> </span><span class="s">team</span><span class="nv"> </span><span class="s">applications"</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">git@github.com:yourorg/payments-*'</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">payments-*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Payments</span><span class="nv"> </span><span class="s">team</span><span class="nv"> </span><span class="s">developers"</span> <span class="na">policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">p, proj:team-payments:developer, applications, get, team-payments/*, allow</span> <span class="pi">-</span> <span class="s">p, proj:team-payments:developer, applications, sync, team-payments/*, allow</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">payments-team</span> <span class="c1"># Maps to SSO group</span> </code></pre> </div> <p>Configure SSO integration (Dex with GitHub example):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd-cm ConfigMap</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">data</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://argocd.yourcompany.com</span> <span class="na">dex.config</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">connectors:</span> <span class="s">- type: github</span> <span class="s">id: github</span> <span class="s">name: GitHub</span> <span class="s">config:</span> <span class="s">clientID: $dex.github.clientID</span> <span class="s">clientSecret: $dex.github.clientSecret</span> <span class="s">orgs:</span> <span class="s">- name: yourorg</span> </code></pre> </div> <h2> Repository Structure Best Practices </h2> <p>After working with dozens of ArgoCD deployments, here are the patterns that hold up:</p> <p><strong>Separate app manifests from app source code.</strong> Keep your Kubernetes manifests in a dedicated repository, not alongside your application code. This gives you independent versioning, cleaner git history, and prevents application CI from triggering ArgoCD syncs.</p> <p><strong>Use Kustomize overlays for environments.</strong> Do not duplicate manifests for staging and production. Use a base with overlays:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># services/api/overlays/production/kustomization.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">patch</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">- op: replace</span> <span class="s">path: /spec/replicas</span> <span class="s">value: 5</span> <span class="na">target</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yourorg/api</span> <span class="na">newTag</span><span class="pi">:</span> <span class="s">v2.1.0</span> <span class="c1"># Updated by CI pipeline</span> </code></pre> </div> <p><strong>Automate image tag updates.</strong> Your application CI pipeline should update the image tag in the manifests repo after a successful build. Use <code>kustomize edit set image</code> or a tool like ArgoCD Image Updater:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In your application CI pipeline (GitHub Actions example)</span> - name: Update manifest repo run: | git clone git@github.com:yourorg/k8s-manifests.git <span class="nb">cd </span>k8s-manifests/services/api/overlays/production kustomize edit <span class="nb">set </span>image yourorg/api<span class="o">=</span>yourorg/api:<span class="k">${</span><span class="p">{ github.sha </span><span class="k">}</span><span class="o">}</span> git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Update api image to </span><span class="k">${</span><span class="p">{ github.sha </span><span class="k">}</span><span class="s2">}"</span> git push </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Implementing GitOps with ArgoCD properly - from repository structure to progressive delivery to RBAC - takes experience and planning. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs set up production-grade Kubernetes infrastructure and deployment pipelines - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your Kubernetes and deployment challenges.</p> argocd gitops kubernetes devops InstaDevOps Wed, 29 Apr 2026 13:47:33 +0000 https://dev.to/instadevops/elasticsearch-operations-guide-cluster-sizing-and-performance-tuning-361j https://dev.to/instadevops/elasticsearch-operations-guide-cluster-sizing-and-performance-tuning-361j <h2> Introduction </h2> <p>Elasticsearch is one of those tools that is easy to set up but notoriously difficult to operate at scale. A basic single-node cluster handles your first million documents fine, then things start breaking: slow queries, disk pressure alerts, unbalanced shards, and the dreaded cluster yellow or red status at 3 AM.</p> <p>This guide covers the operational side of Elasticsearch - the things you learn after running it in production for years. We will go through cluster sizing, index lifecycle management (ILM), shard allocation strategies, snapshot and restore procedures, and performance tuning techniques that actually matter.</p> <h2> Cluster Sizing and Hardware Planning </h2> <p>The most common mistake in Elasticsearch sizing is starting with too few nodes and too little memory. Here are the numbers that matter:</p> <p><strong>Memory:</strong> Elasticsearch lives and dies by its JVM heap and filesystem cache. The rule of thumb: give Elasticsearch 50% of available RAM as JVM heap (capped at 31GB to stay under compressed oops threshold), and leave the other 50% for the OS filesystem cache.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># jvm.options</span> <span class="s">-Xms16g</span> <span class="s">-Xmx16g</span> <span class="c1"># Never set heap above 31g - you lose compressed ordinary object pointers</span> </code></pre> </div> <p><strong>For a production logging cluster handling ~100GB/day of logs:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Role</th> <th>Nodes</th> <th>CPU</th> <th>RAM</th> <th>Storage</th> </tr> </thead> <tbody> <tr> <td>Master-eligible</td> <td>3</td> <td>2 vCPU</td> <td>8 GB</td> <td>50 GB SSD</td> </tr> <tr> <td>Data (hot)</td> <td>3</td> <td>8 vCPU</td> <td>64 GB</td> <td>2 TB NVMe SSD</td> </tr> <tr> <td>Data (warm)</td> <td>2</td> <td>4 vCPU</td> <td>32 GB</td> <td>8 TB HDD</td> </tr> <tr> <td>Coordinating</td> <td>2</td> <td>4 vCPU</td> <td>16 GB</td> <td>100 GB SSD</td> </tr> </tbody> </table></div> <p><strong>Dedicated master nodes are non-negotiable</strong> for any production cluster. Master nodes handle cluster state, shard allocation, and index creation. If your master nodes are also serving queries and indexing data, cluster instability follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># elasticsearch.yml - dedicated master node</span> <span class="na">node.roles</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">master</span><span class="pi">]</span> <span class="na">cluster.name</span><span class="pi">:</span> <span class="s">production-logs</span> <span class="na">node.name</span><span class="pi">:</span> <span class="s">master-1</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># elasticsearch.yml - hot data node</span> <span class="na">node.roles</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">data_hot</span><span class="pi">,</span> <span class="nv">data_content</span><span class="pi">,</span> <span class="nv">ingest</span><span class="pi">]</span> <span class="na">node.attr.data_tier</span><span class="pi">:</span> <span class="s">hot</span> <span class="na">cluster.name</span><span class="pi">:</span> <span class="s">production-logs</span> <span class="na">node.name</span><span class="pi">:</span> <span class="s">hot-data-1</span> </code></pre> </div> <p><strong>AWS-specific sizing:</strong> On EC2, use <code>r6g</code> instances for data nodes (memory-optimized, Graviton for cost savings) and <code>m6g</code> for master/coordinating nodes. Use gp3 EBS volumes - they offer 3000 baseline IOPS regardless of volume size, which is more cost-effective than gp2 for most Elasticsearch workloads.</p> <h2> Index Lifecycle Management (ILM) </h2> <p>ILM automates the progression of indices through hot, warm, cold, and delete phases. Without ILM, you end up with hundreds of indices eating resources forever, or someone writes a fragile cron job to delete old indices.</p> <p>Here is a production ILM policy for application logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_ilm/policy/logs-lifecycle</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"policy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"phases"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"hot"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0ms"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rollover"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"max_primary_shard_size"</span><span class="p">:</span><span class="w"> </span><span class="s2">"50gb"</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1d"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"set_priority"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"warm"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"shrink"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"number_of_shards"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"forcemerge"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"max_num_segments"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"allocate"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"require"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"warm"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"set_priority"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"cold"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"30d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allocate"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"require"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cold"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"set_priority"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"delete"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"90d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"delete"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Apply the policy to an index template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_index_template/logs-template</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index_patterns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"logs-*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"template"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"number_of_shards"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"number_of_replicas"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.lifecycle.name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"logs-lifecycle"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.lifecycle.rollover_alias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"logs-write"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.routing.allocation.require.data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hot"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Key ILM tuning tips:</strong></p> <ul> <li>Rollover on shard size (50GB max primary shard) rather than document count - shard size is what affects performance</li> <li>Force merge to 1 segment in the warm phase to reclaim disk and improve query performance on read-only indices</li> <li>Shrink indices in warm phase if you started with multiple shards for write throughput but no longer need them</li> </ul> <h2> Shard Allocation and Rebalancing </h2> <p>Sharding is where most Elasticsearch performance problems originate. The guidelines are straightforward but frequently violated:</p> <p><strong>Rule 1: Keep shards between 10GB and 50GB.</strong> Shards under 1GB waste resources on overhead. Shards over 50GB make recovery slow and rebalancing painful.</p> <p><strong>Rule 2: Aim for fewer than 20 shards per GB of heap.</strong> A node with 16GB heap should host no more than ~300 shards. Each shard consumes memory for metadata, field data, and segment info regardless of whether it is being queried.</p> <p>Check your current shard distribution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Shard count per node</span> curl <span class="nt">-s</span> localhost:9200/_cat/allocation?v <span class="c"># Shards sorted by size</span> curl <span class="nt">-s</span> localhost:9200/_cat/shards?v<span class="se">\&amp;</span><span class="nv">s</span><span class="o">=</span>store:desc <span class="c"># Identify hot spots - nodes with too many shards</span> curl <span class="nt">-s</span> localhost:9200/_cat/nodes?v<span class="se">\&amp;</span><span class="nv">h</span><span class="o">=</span>name,heap.percent,disk.used_percent,shards </code></pre> </div> <p>When shards are unevenly distributed, you can adjust allocation awareness:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_cluster/settings</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"persistent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cluster.routing.allocation.awareness.attributes"</span><span class="p">:</span><span class="w"> </span><span class="s2">"zone"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cluster.routing.allocation.awareness.force.zone.values"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1a,us-east-1b,us-east-1c"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This ensures that primary and replica shards land in different availability zones, giving you zone-failure resilience.</p> <h2> Snapshot and Restore </h2> <p>Snapshots are your safety net. Without them, a bad mapping change, accidental index deletion, or cluster corruption means data loss. Set up automated snapshots to S3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_snapshot/s</span><span class="mi">3</span><span class="err">-backup</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"bucket"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-es-snapshots"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"base_path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_snapshot_bytes_per_sec"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200mb"</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_restore_bytes_per_sec"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200mb"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Create a snapshot lifecycle management (SLM) policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">_slm/policy/nightly-backup</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"schedule"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0 0 2 * * ?"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;nightly-snap-{now/d}&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"repository"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3-backup"</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"indices"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"logs-*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"metrics-*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"app-*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"ignore_unavailable"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"include_global_state"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"retention"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"expire_after"</span><span class="p">:</span><span class="w"> </span><span class="s2">"30d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"min_count"</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_count"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Test your restores regularly.</strong> A snapshot you have never restored is a backup you do not have. Schedule a quarterly restore drill:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Restore a specific index to verify backup integrity</span> curl <span class="nt">-X</span> POST <span class="s2">"localhost:9200/_snapshot/s3-backup/nightly-snap-2026.04.01/_restore"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/json'</span> <span class="nt">-d</span> <span class="s1">'{ "indices": "logs-2026.03.31", "rename_pattern": "(.+)", "rename_replacement": "restored-$1" }'</span> <span class="c"># Verify document count matches</span> curl <span class="nt">-s</span> <span class="s2">"localhost:9200/restored-logs-2026.03.31/_count"</span> curl <span class="nt">-s</span> <span class="s2">"localhost:9200/logs-2026.03.31/_count"</span> </code></pre> </div> <h2> Performance Tuning </h2> <p>Here are the performance levers that have the biggest real-world impact, ranked by effort-to-benefit ratio:</p> <p><strong>1. Use bulk indexing, always.</strong> Single-document indexing is orders of magnitude slower. Aim for bulk requests of 5-15MB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bad: indexing one document at a time</span> curl <span class="nt">-X</span> POST <span class="s2">"localhost:9200/logs/_doc"</span> <span class="nt">-d</span> <span class="s1">'{"message": "log entry"}'</span> <span class="c"># Good: bulk indexing</span> curl <span class="nt">-X</span> POST <span class="s2">"localhost:9200/_bulk"</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/x-ndjson'</span> <span class="nt">--data-binary</span> @bulk-data.ndjson </code></pre> </div> <p><strong>2. Tune refresh interval for write-heavy indices.</strong> The default 1-second refresh creates a new Lucene segment every second, which is expensive. For logging use cases where near-real-time search is not critical:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">logs-write/_settings</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"refresh_interval"</span><span class="p">:</span><span class="w"> </span><span class="s2">"30s"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>3. Use doc_values and avoid fielddata.</strong> For aggregations and sorting on text fields, use the <code>keyword</code> type or multi-field mapping. Never enable fielddata on analyzed text fields - it loads the entire inverted index into heap memory.</p> <p><strong>4. Profile slow queries.</strong> Enable slow log to catch queries that degrade cluster performance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">PUT</span><span class="w"> </span><span class="err">logs-*/_settings</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index.search.slowlog.threshold.query.warn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.search.slowlog.threshold.query.info"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index.search.slowlog.threshold.fetch.warn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1s"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>5. Disable swapping entirely.</strong> Swapped JVM heap is a death sentence for Elasticsearch performance. Configure this at the OS level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/sysctl.conf</span> vm.swappiness <span class="o">=</span> 1 <span class="c"># elasticsearch.yml</span> bootstrap.memory_lock: <span class="nb">true</span> </code></pre> </div> <h2> Monitoring and Alerting </h2> <p>At minimum, monitor these metrics (Prometheus with elasticsearch_exporter, Datadog, or Elastic's own monitoring):</p> <ul> <li> <strong>Cluster health</strong> - yellow means missing replicas, red means missing primaries</li> <li> <strong>JVM heap pressure</strong> - alert at 75%, panic at 85%</li> <li> <strong>Disk watermark</strong> - ES stops allocating at 85% (low), marks read-only at 95% (flood)</li> <li> <strong>Thread pool rejections</strong> - search, write, and bulk thread pool rejections indicate saturation</li> <li> <strong>GC pause time</strong> - young GC pauses over 100ms or old GC pauses over 1s are problems </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Quick health check script</span> curl <span class="nt">-s</span> localhost:9200/_cluster/health | jq <span class="s1">'{ status, number_of_nodes, active_primary_shards, relocating_shards, unassigned_shards }'</span> <span class="c"># Thread pool rejections</span> curl <span class="nt">-s</span> localhost:9200/_cat/thread_pool/search,write?v<span class="se">\&amp;</span><span class="nv">h</span><span class="o">=</span>node_name,name,active,rejected,completed </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Running Elasticsearch in production requires ongoing attention to cluster health, capacity planning, and performance optimization. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs manage complex infrastructure like Elasticsearch clusters without the cost of a full-time hire - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your Elasticsearch challenges.</p> elasticsearch devops performance operations InstaDevOps Tue, 28 Apr 2026 13:47:28 +0000 https://dev.to/instadevops/git-branching-strategies-trunk-based-vs-gitflow-vs-github-flow-4ejb https://dev.to/instadevops/git-branching-strategies-trunk-based-vs-gitflow-vs-github-flow-4ejb <h2> Introduction </h2> <p>Your Git branching strategy directly impacts how fast you ship code, how often deployments break, and how much time your team wastes on merge conflicts. Yet most teams pick a branching model once and never revisit it, even as their team size, deployment frequency, and product complexity change.</p> <p>In this guide, we will compare the three most popular branching strategies - trunk-based development, GitFlow, and GitHub Flow - with honest assessments of when each works and when each falls apart. We will also cover feature flags, release management, and monorepo-specific considerations that most branching guides skip entirely.</p> <h2> Trunk-Based Development </h2> <p>Trunk-based development (TBD) means everyone commits to a single branch (main/trunk), either directly or through very short-lived feature branches that last no more than a day or two. Google, Meta, and Netflix all practice trunk-based development at massive scale.</p> <p>The core rules are simple:</p> <ul> <li>The main branch is always deployable</li> <li>Feature branches live less than 24-48 hours</li> <li>Broken code is hidden behind feature flags, not long-lived branches</li> <li>CI runs on every commit and blocks merges on failure</li> </ul> <p>Here is a typical workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start work</span> git checkout main git pull origin main git checkout <span class="nt">-b</span> feature/add-retry-logic <span class="c"># Work for a few hours, then push</span> git add <span class="nt">-A</span> git commit <span class="nt">-m</span> <span class="s2">"Add exponential backoff to API client"</span> git push origin feature/add-retry-logic <span class="c"># Open PR, get review, merge same day</span> <span class="c"># Delete branch immediately after merge</span> </code></pre> </div> <p><strong>When it works:</strong> Teams with strong CI/CD pipelines, good test coverage (70%+ meaningful coverage), and engineers comfortable with feature flags. Ideal for continuous deployment where you ship multiple times per day.</p> <p><strong>When it breaks down:</strong> Teams without automated testing, regulated industries requiring formal release sign-off, or junior-heavy teams where code review bottlenecks cause branches to pile up.</p> <p>The biggest misconception about trunk-based development is that it means no code review. You absolutely still review code - you just review smaller, more frequent changes rather than massive PRs that touch 50 files.</p> <h2> GitFlow </h2> <p>GitFlow uses long-lived branches to manage releases: <code>main</code> holds production code, <code>develop</code> holds the next release, <code>feature/*</code> branches come off develop, <code>release/*</code> branches stabilize a release, and <code>hotfix/*</code> branches patch production emergencies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>main ───────────────────────────────────────────── │ ▲ ▲ │ │ │ └──▶ develop ────────────────────────────────── │ ▲ │ ▲ │ │ │ │ └── feature/x ──┘ └── feature/y ──┘ </code></pre> </div> <p>A typical GitFlow release cycle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start a feature</span> git checkout develop git checkout <span class="nt">-b</span> feature/new-dashboard <span class="c"># ... work for days/weeks ...</span> <span class="c"># Merge back to develop</span> git checkout develop git merge <span class="nt">--no-ff</span> feature/new-dashboard <span class="c"># Cut a release</span> git checkout <span class="nt">-b</span> release/2.4.0 develop <span class="c"># Stabilize (bug fixes only)</span> git commit <span class="nt">-m</span> <span class="s2">"Fix date formatting in dashboard"</span> <span class="c"># Finalize release</span> git checkout main git merge <span class="nt">--no-ff</span> release/2.4.0 git tag <span class="nt">-a</span> v2.4.0 <span class="nt">-m</span> <span class="s2">"Release 2.4.0"</span> git checkout develop git merge <span class="nt">--no-ff</span> release/2.4.0 </code></pre> </div> <p><strong>When it works:</strong> Teams shipping versioned software (desktop apps, mobile apps, SDKs, on-prem installations), teams with scheduled release cycles (bi-weekly, monthly), and teams that need to maintain multiple release versions simultaneously.</p> <p><strong>When it breaks down:</strong> Web applications deploying continuously, small teams (under 5 engineers) where the overhead is not justified, and teams that end up with feature branches living for weeks, creating merge hell.</p> <p>The honest truth about GitFlow in 2026: it was designed for a world where shipping software meant burning a CD. If you deploy a web application, GitFlow is almost certainly more process than you need.</p> <h2> GitHub Flow </h2> <p>GitHub Flow is the middle ground. You have one long-lived branch (main), create feature branches off it, open pull requests, and merge back to main after review. Main is always deployable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create feature branch from main</span> git checkout main git pull origin main git checkout <span class="nt">-b</span> add-health-check-endpoint <span class="c"># Work, commit, push</span> git add src/health.ts git commit <span class="nt">-m</span> <span class="s2">"Add /health endpoint with dependency checks"</span> git push origin add-health-check-endpoint <span class="c"># Open PR on GitHub</span> gh <span class="nb">pr </span>create <span class="nt">--title</span> <span class="s2">"Add health check endpoint"</span> <span class="se">\</span> <span class="nt">--body</span> <span class="s2">"Adds /health endpoint that checks DB and Redis connectivity"</span> <span class="c"># After review and CI passes, merge via GitHub UI</span> <span class="c"># Deploy automatically from main</span> </code></pre> </div> <p><strong>When it works:</strong> Most web application teams. It is simple enough for small teams, scales well to medium teams (5-30 engineers), and pairs naturally with CI/CD pipelines that deploy on every merge to main.</p> <p><strong>When it breaks down:</strong> When feature branches live too long (the same problem as GitFlow but less structured), or when you need to maintain multiple production versions.</p> <h2> Feature Flags as a Branching Strategy </h2> <p>Feature flags are not a replacement for branching - they are a complement that makes trunk-based development and GitHub Flow viable for complex features that take weeks to build.</p> <p>Here is a practical implementation using environment variables for simple flags and a feature flag service for anything more complex:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Simple approach: environment-based flags</span> <span class="c1"># docker-compose.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FEATURE_NEW_BILLING=false</span> <span class="pi">-</span> <span class="s">FEATURE_V2_SEARCH=true</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Application code</span> <span class="kd">function</span> <span class="nf">getSearchResults</span><span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FEATURE_V2_SEARCH</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">searchV2</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="c1">// New implementation</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">searchV1</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="c1">// Existing implementation</span> <span class="p">}</span> </code></pre> </div> <p>For production systems, use a proper feature flag service (LaunchDarkly, Unleash, Flagsmith, or even a simple Redis-backed solution):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Using Unleash (open source)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">initialize</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">unleash-client</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">unleash</span> <span class="o">=</span> <span class="nf">initialize</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://unleash.yourcompany.com/api</span><span class="dl">'</span><span class="p">,</span> <span class="na">appName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">customHeaders</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">UNLEASH_TOKEN</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">unleash</span><span class="p">.</span><span class="nf">isEnabled</span><span class="p">(</span><span class="dl">'</span><span class="s1">new-dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">}))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="k">await</span> <span class="nf">getNewDashboard</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="k">await</span> <span class="nf">getLegacyDashboard</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>The critical rule with feature flags: <strong>clean them up</strong>. Every flag should have an expiration date. Dead flags are technical debt that makes code harder to reason about. Set a calendar reminder to remove each flag within 2 weeks of full rollout.</p> <h2> Release Management Patterns </h2> <p>Regardless of your branching strategy, you need a release management approach. Here are three patterns ranked by deployment frequency:</p> <p><strong>Pattern 1: Continuous Deployment (trunk-based or GitHub Flow)</strong></p> <p>Every merge to main deploys to production automatically. Requires:</p> <ul> <li>Full automated tests</li> <li>Feature flags for incomplete work</li> <li>Canary or blue-green deployments</li> <li>Fast rollback capability </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions - deploy on every merge to main</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci &amp;&amp; npm test</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to production</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs update-service \</span> <span class="s">--cluster production \</span> <span class="s">--service api \</span> <span class="s">--force-new-deployment</span> </code></pre> </div> <p><strong>Pattern 2: Release Trains (GitHub Flow with scheduled deploys)</strong></p> <p>Merge to main anytime, but deploy on a schedule (daily, twice a week). Good for teams building confidence in their pipeline.</p> <p><strong>Pattern 3: Versioned Releases (GitFlow)</strong></p> <p>Cut release branches, stabilize, tag, and deploy. Necessary for software with multiple live versions.</p> <h2> Monorepo Branching Considerations </h2> <p>Monorepos add complexity to any branching strategy because a single branch may contain changes to multiple services. Key considerations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>monorepo/ ├── services/ │ ├── api/ │ ├── worker/ │ └── frontend/ ├── packages/ │ ├── shared-types/ │ └── utils/ └── infrastructure/ ├── terraform/ └── k8s/ </code></pre> </div> <p>Use path-based CI triggers so changes to one service do not trigger builds for unrelated services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions with path filters</span> <span class="na">name</span><span class="pi">:</span> <span class="s">API CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/shared-types/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/utils/**'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd services/api &amp;&amp; npm ci &amp;&amp; npm test</span> </code></pre> </div> <p>For monorepos, trunk-based development or GitHub Flow works far better than GitFlow. Long-lived feature branches in a monorepo are a recipe for merge conflicts across service boundaries.</p> <h2> Choosing the Right Strategy for Your Team </h2> <p>Here is a decision framework:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>Trunk-Based</th> <th>GitHub Flow</th> <th>GitFlow</th> </tr> </thead> <tbody> <tr> <td>Team size</td> <td>Any</td> <td>2-30</td> <td>5-50+</td> </tr> <tr> <td>Deploy frequency</td> <td>Multiple/day</td> <td>Daily-weekly</td> <td>Weekly-monthly</td> </tr> <tr> <td>Test coverage</td> <td>High (required)</td> <td>Medium-high</td> <td>Any</td> </tr> <tr> <td>Feature flag maturity</td> <td>High</td> <td>Low-medium</td> <td>Not needed</td> </tr> <tr> <td>Multiple live versions</td> <td>No</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Regulatory requirements</td> <td>Works with flags</td> <td>Works fine</td> <td>Natural fit</td> </tr> </tbody> </table></div> <p><strong>For most startups and SMBs deploying web applications:</strong> Start with GitHub Flow. It has the lowest overhead and the fewest ways to shoot yourself in the foot. Move to trunk-based development when your CI/CD pipeline and test coverage are mature enough to support it.</p> <p><strong>Avoid GitFlow unless</strong> you are shipping versioned software (mobile apps, SDKs, on-prem products) or you have regulatory requirements that demand formal release branches.</p> <h2> Need Help with Your DevOps? </h2> <p>Setting up the right branching strategy, CI/CD pipeline, and deployment workflow is just the beginning. At <a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a>, we help startups and SMBs build production-grade DevOps infrastructure at a fraction of the cost of a full-time hire - starting at $2,999/mo.</p> <p><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a> to discuss your team's workflow and deployment challenges.</p> git devops workflow cicd