All posts

Observability Without Control Is Just Expensive Alerting

·5 min read·
rolloutsobservabilityreliability

The engineering industry has spent a decade building increasingly sophisticated observability stacks. We instrument everything. Dashboards multiply. Alert configs sprawl. And yet mean time to recovery for a bad deployment hasn't improved at the pace those investments promised.

The reason is architectural: observability and deployment control live in separate systems, connected by a human. Someone watches the dashboard. Someone decides the error rate is high enough to matter. Someone opens the terminal to roll back. That gap — from detection to action — is where most of the pain lives.

Here's the specific argument I want to make: for teams doing progressive rollouts, observability that can't directly control the rollout percentage isn't observability. It's expensive alerting.

The False Comfort of "We Have Monitoring"

When engineering teams describe their progressive rollout process, it usually goes like this: deploy behind a feature flag, ramp from 1% to 5% to 20% manually, watch the dashboards, and roll back if something looks wrong. They feel good about this because they have Datadog or Grafana open in a tab. They have alerts configured. They have a runbook.

What they don't have is a closed loop. Their observability system can emit a signal — PagerDuty fires, Slack lights up — but acting on that signal requires a human to wake up, assess it, and do something. At 3am, that's a 15-minute minimum. At 2% traffic on a Friday afternoon when the on-call engineer is in a meeting, it might be 45 minutes.

For rollout error monitoring during a gradual feature rollout to actually protect you, the monitoring needs to be coupled to the control plane. The system that detects an anomaly needs to be the same system — or deeply integrated with the system — that adjusts the traffic percentage. Anything less is a pager that wakes someone up to do a job a machine should be doing.

What Abort Criteria Actually Mean

"How to set rollout abort criteria before deployment" is a question most teams handle wrong. They pick a single threshold — error rate above 2%, alert fires — and treat that as protection. But a hard threshold is almost always wrong.

At 1% traffic, your error rate denominator is tiny. A handful of unusual requests can spike your rate to 5% without indicating anything real. At 50% traffic, a 0.3% error rate increase might represent thousands of users experiencing failures. The same number means something completely different at different traffic volumes.

Good abort criteria are statistical, not absolute. They account for baseline variance, traffic volume, and the specific risk profile of the change. A payment flow change deserves tighter thresholds than a UI color tweak. A migration touching a core entity needs different monitoring than a new opt-in feature flag for a settings panel.

And critically: abort criteria shouldn't require a human to evaluate them in real time. The right architecture is one where those criteria are encoded upfront — before the rollout starts — and the system evaluates them continuously against incoming telemetry. When a criterion trips, the system acts. Not a person who may or may not be paying attention.

Observability-Driven Rollout in Microservice Architectures

This gets harder in microservice architectures, and that's where most deployment observability tools fall short. A single feature might touch three services. Latency regressions might not appear on the service where the flag is evaluated — they manifest downstream, two hops away. You're looking for signals across a distributed system, trying to attribute them to a specific code change at a specific traffic percentage.

This is where alerting-based approaches collapse. Your rollout error monitoring needs to understand causality: not just "p99 latency went up," but "p99 latency went up in the recommendations service, starting at the same time we ramped feature flag X from 5% to 15%, and the affected requests all share the flag evaluation context." Anomaly detection during a canary release requires attributing anomalies to the right cause — not pattern-matching on metrics in isolation.

The practical implication: feature flag context needs to propagate through your request traces. If you're using distributed tracing — OpenTelemetry, Jaeger, whatever — the flag evaluation result should be a span attribute. When you're investigating a latency spike, you can filter by flag value and immediately see whether the regression is correlated with the new code path. Alerting on p99 latency regression during progressive rollout is only actionable if you can tie the regression to the specific rollout. Otherwise you're watching the metric go up and guessing.

The Coupling Problem Nobody Talks About

Here's the architectural gap most teams eventually hit: their tracing and metrics infrastructure is separate from their feature flag system, which is separate from their deployment tooling. Integrating them requires custom plumbing. Someone writes a webhook that reads a Datadog monitor alarm and calls the LaunchDarkly API to set a flag to 0%. Someone maintains that webhook. Someone tests it. When the LaunchDarkly API changes, someone updates it.

This is the toil that doesn't appear in incident retrospectives but quietly kills engineering velocity. Senior engineers spend time on rollout plumbing instead of product work. The plumbing is fragile — validated in staging but not under real incident pressure, dependent on API credentials that expire, failing in edge cases nobody anticipated.

An observability-driven rollout strategy only works if the observability and rollout control are deeply integrated, not duct-taped together. The engine that decides what percentage of requests gets the new code path needs to consume rollout signals natively — not through a chain of webhooks with three potential failure modes.

What a Closed Loop Actually Looks Like

A team with a genuinely closed loop between observability and deployment control operates differently. Before a rollout starts, they define the metrics that matter — error rate, p99 latency, business-level conversion events — and the thresholds that would indicate a problem, calibrated for expected traffic volume. The rollout system starts at 1%, samples metrics against those thresholds, and advances automatically if everything looks healthy. If something trips, the system halts or reverses without a human decision in the critical path.

The humans in this scenario have a different job. They're not watching dashboards waiting to intervene during the rollout window. They're designing criteria upfront and reviewing automated decisions afterward. Engineering time goes to policy, not execution.

This is the shift progressive delivery actually promised — not just giving teams a dial to turn, but making the dial turn itself based on observed system behavior. The monitoring isn't a dashboard someone watches. It's an input to the control system.

DeployRamp is built around this closed loop. The rollout scheduler that advances traffic percentages and the error monitoring that can halt or reverse a rollout are the same system — not separate tools bridged by webhooks. When you define abort criteria before a rollout, those criteria are evaluated against live telemetry on every advancement decision. The goal isn't to page an engineer faster. It's to make the pager unnecessary for the routine cases so engineers can focus on the failures that actually require judgment.

Let DeployRamp handle the flags

Install the GitHub App, drop in the SDK, and ship a flagged PR in minutes. Free for up to 3 devs.

Get started freeMore posts

We use cookies to analyze site usage and improve your experience.