All posts

Canary Releases Without the Infrastructure: A Ring-Based Rollout Strategy for Growing Teams

·6 min read·
progressive deliverycanary deploymentsfeature flags

Canary deployments show up in every engineering blog post about safe production releases, every SRE handbook, every conference talk about progressive delivery. They are also quietly not done by the vast majority of teams under two hundred engineers. Not because those teams don't want safer releases. Because the standard implementation assumes infrastructure investment most growing teams haven't made and can't justify yet.

The canonical canary setup — route 5% of traffic to the new version at the load balancer, watch your service mesh telemetry, roll back by adjusting the traffic split — requires Kubernetes, something like Argo Rollouts or Flagger, and ideally a service mesh. It requires dedicated platform engineering to set up and maintain. For a fifty-person team with one or two platform engineers and a hundred competing priorities, that's a real ask.

So teams don't do it. They ship to production all at once, watch dashboards manually for twenty minutes, and call that a progressive rollout. Or they build a release train with deployment windows, batching changes together until someone senior is available to supervise. Neither is what the people who wrote the SRE books meant.

Here's what most of those books skip: infrastructure-level traffic splitting is not the only way to implement a canary deployment strategy. Feature flags are an application-layer alternative that work on any stack, require no platform infrastructure to adopt, and in several dimensions are more capable than infrastructure-based approaches.

Progressive Delivery vs. Blue-Green: The Tradeoff Worth Being Honest About

Before getting into mechanics, it's worth being precise about when progressive delivery is the right choice and when it isn't.

Blue-green deployment is optimized for confidence. You stand up the new version alongside the old, test it in a production-equivalent environment, then cut all traffic in a single step. Rollback is instant: flip the load balancer back. The model assumes you've validated the change thoroughly before users touch it, and it protects you by making that validation rigorous rather than by limiting exposure.

Progressive delivery is optimized for uncertainty. You don't fully know how users will interact with a new behavior until they interact with it. Formal testing catches bugs, but it can't catch every emergent property of real production traffic — edge cases in your data, usage patterns your test suite didn't model, third-party integrations that behave differently under real load. A gradual feature rollout gives you production signal with limited blast radius.

The tradeoff is concrete. Blue-green requires confidence before the switch; progressive delivery accepts uncertainty and manages it through gradual exposure. Auth system changes often call for blue-green — the failure mode is severe and you can test exhaustively. New product features touching complex user flows call for progressive delivery — real user behavior is the only full validator.

Both patterns are legitimate. The mistake is defaulting to blue-green for everything because progressive delivery sounds like it requires a service mesh.

Rings as Application-Layer Infrastructure

A ring-based deployment strategy divides your users into progressively larger groups, each representing higher risk tolerance. In Kubernetes-native environments, rings often map to node pools or cluster segments. In an application-layer model, they map to feature flag evaluation rules. Same concept, different layer.

A practical ring structure for a SaaS product looks like this:

Ring 0: Internal. Your own employees. New behavior is on for everyone on your team's email domain. This catches obvious regressions before any customers see them and sets a cultural expectation that your team dog-foods everything first.

Ring 1: Beta users. Customers who've opted into early access — typically your most engaged users, with higher tolerance for rough edges and a stronger feedback loop back to you. Useful for getting real usage signal before general availability without the full blast radius.

Ring 2: Canary cohort. A percentage rollout strategy that samples randomly from your full user base — typically 5-10%. This is your signal ring. Its health determines whether you proceed.

Ring 3: General availability. 100%.

Each ring is a flag evaluation rule. Ring 0 is a user attribute filter. Ring 1 is a segment membership check. Ring 2 is a percentage hash: the flag system hashes the user ID against the flag key and evaluates whether it falls below the threshold. None of this requires your infrastructure to know anything about it. The logic lives in the application.

This is also where application-layer canaries outperform infrastructure-level traffic splitting in a meaningful dimension: request-level traffic splitting is random by request, not by user. The same user might see both code paths across sessions, which creates inconsistency and makes metrics noisier. User-level percentage rollout gives each user a consistent experience throughout the rollout, which makes your signals more interpretable and your A/B-style analysis cleaner.

Validating a Canary: The Question Teams Get Wrong

How to validate a canary release before full rollout is where most implementations fall short. Teams set up rings, then watch a single number — usually error rate — and call it done.

Error rates catch bugs. They don't catch behavioral regressions that don't manifest as exceptions. A change that reduces 404 errors but quietly doubles p99 latency on the checkout page might never trip an error threshold. A rendering inconsistency on a specific browser version produces no server-side errors at all. A subtle change to recommendation ranking that hurts click-through rate looks fine in your error dashboards.

The right framing is: for this specific change, what would a regression look like, and which metrics would surface it first? A checkout flow change should be watched against conversion rate alongside error rate. A performance-adjacent change needs p99 latency distributions, not just means. A search algorithm change needs engagement metrics downstream from the changed code.

Good rollout abort criteria are defined per-deployment, not globally. They're defined before the rollout starts, while you still have the context to think clearly about failure modes. And they need to be encoded in the system — not in a mental checklist — so they can be evaluated continuously against incoming telemetry without a human in the critical path making judgment calls.

The Manual Version Is a Trap

What I've described so far is achievable without specialized tooling. You can implement rings in an existing flag system, define thresholds in an existing metrics platform, and write a runbook for advancing through the rings. Teams do this. It mostly works.

The problem is that the manual version recreates the exact bottleneck that makes deployment windows persist. Someone has to watch the metrics. Someone has to decide when Ring 2 has been stable long enough to advance. Someone has to change the flag percentage and verify the change propagated. At 3 PM on a Thursday, that person exists and is paying attention. On a Monday morning after a long weekend, when a change has been sitting at Ring 2 for seventy-two hours because nobody remembered to advance it, the gradual rollout process has quietly become a deployment hold.

The automated version closes this loop. The system encodes abort criteria upfront, monitors them against live telemetry, advances the rollout when signals are healthy, and halts or reverses when they're not. Engineers are in the loop as designers — they set the criteria, they review advancement decisions, they investigate halts — but they're not required to be watching dashboards in real time for the routine cases.

That's the shift that makes canary deployment without kubernetes actually practical rather than aspirational. The infrastructure dependency was never the hard part. The monitoring and advancement logic was the hard part. And that logic lives in software, not in cluster configuration. You can implement it on a stack that's never seen a Kubernetes manifest, for a team that hasn't hired a dedicated platform engineer yet.

Progressive delivery tools have historically been marketed at the infrastructure layer because that's where the load balancer is. But the load balancer doesn't know who your users are. It doesn't know which customers are on your beta program, which user IDs hashed into the canary cohort, or which enterprise account you definitely don't want to hit with an untested change. Application-layer progressive delivery knows all of that, because the application knows its own users.

DeployRamp is built on this model — rings defined at the flag level, monitoring feeding directly into rollout progression, abort criteria encoded at rollout start rather than evaluated manually during it. The goal isn't to replicate what Argo Rollouts does at the infrastructure layer. It's to give any team, on any stack, the ability to ship gradually and safely without adding to their infrastructure footprint. The ring-based deployment strategy doesn't require a service mesh. It requires a flag system with user-level percentage rollout and an automated feedback loop between what the system observes and what the rollout does next.

Let DeployRamp handle the flags

Install the GitHub App, drop in the SDK, and ship a flagged PR in minutes. Free for up to 3 devs.

Get started freeMore posts

We use cookies to analyze site usage and improve your experience.