All posts

Blue-Green Deployment Solves the Wrong Half of the Release Problem

·5 min read·
progressive deliveryblue-green deploymentdeployment risk

Every few months an engineering leader asks me some version of the same question: should we invest in blue-green deployment, or in progressive delivery tools? The framing assumes these are two points on a single spectrum, with blue-green as the simpler, more mature choice and progressive delivery as the ambitious, complex one you graduate into. That mental model is wrong, and it leads teams to spend a quarter standing up duplicate environments to solve a problem they don't actually have — while leaving the problem they do have completely untouched.

Blue-green and progressive delivery are not two implementations of the same idea. They operate at different layers, and they optimize for different things. Understanding the real tradeoff starts with being precise about what each one actually does.

What blue-green actually optimizes

Blue-green deployment is an infrastructure pattern. You run two identical production environments. One serves traffic, one sits idle. You deploy the new version to the idle environment, warm it up, run smoke tests, and then flip the load balancer so all traffic moves to the new version at once. If something breaks, you flip back. The whole appeal is the rollback: reverting is a routing change, not a redeploy, so it's fast and it's clean.

Notice what blue-green treats as the unit of risk: the deployment. The entire release is atomic. Every code change that shipped in that build goes live together, to everyone, in a single instant. Blue-green makes that atomic switch cheap to reverse, and that's genuinely valuable — but it says nothing about what is in the build or who is exposed to it. It's a binary. Blue, or green. All users on the old version, or all users on the new one.

That binary was a fine model when deployments were rare, large, and carefully coordinated. If you ship once every two weeks and a release is a curated batch of tested changes, then making the whole batch reversible in seconds is exactly the safety property you want. Blue-green is the right answer to "how do I undo a scary, infrequent, all-or-nothing release quickly."

But the deploy stopped being the unit of risk

Here's the thing that broke the model: most teams don't ship that way anymore. If you're doing trunk-based development and continuous deployment — and most organizations between twenty and two hundred engineers are at least trying to — a single deploy contains changes from six different people touching four different features. The deploy is no longer a curated, coherent unit. It's just whatever merged since the last one.

And that turns blue-green's atomicity from a feature into a liability. When one feature in that build misbehaves, your only rollback lever reverts the entire environment — including the five good changes that shipped alongside the bad one. You've coupled the fate of every change in the build to the worst change in the build. The more often you deploy, the more changes each rollback drags down with it, and the more your "fast, clean" rollback becomes a blunt instrument that punishes everyone for one person's regression.

This is where the actual tradeoff lives, and it has nothing to do with complexity. Blue-green controls risk at the infrastructure layer. Progressive delivery controls risk at the change layer. Blue-green asks "which version of the whole system is live?" Progressive delivery asks "which users see this specific change, and should we keep going?" Those are different questions, and for a team shipping many independent changes per day, the second one is the one that actually matters.

What progressive delivery does instead

Progressive delivery — canary deployment strategy, gradual feature rollout, percentage rollout strategy for SaaS features, whatever label you reach for — decouples deploying code from releasing behavior. The code ships to everyone. The behavior is gated, and you turn it on for one percent, then five, then twenty-five, watching error rates and latency at each step before you widen exposure. If it goes wrong, you don't roll back the deployment. You turn off one behavior for the fraction of users who had it, and every other change in that build stays exactly where it is.

The blast radius is the whole point. Blue-green's blast radius for a bad change is one hundred percent of users the instant you flip. Progressive delivery's blast radius is whatever percentage you'd ramped to when the problem surfaced — and if your abort criteria are any good, that's a single-digit number. You're not trading away rollback speed to get this; a flag flip is just as fast as a load-balancer flip. You're getting finer-grained rollback, per-change instead of per-deploy, without paying for a second full copy of production.

That last point matters more than people admit. The unspoken cost of blue-green is that you're running two production environments, which roughly doubles the infrastructure footprint of your serving tier and adds real operational surface: data synchronization, session draining, migrations that have to be compatible with both environments at once. Progressive delivery through feature flags needs none of that. It's a decision made in the request path, not a duplicated fleet.

Where blue-green still wins — and where neither one saves you

I'm not arguing blue-green is obsolete. For a monolithic release where the whole build genuinely is the unit — a runtime upgrade, a framework bump, a change that touches the entire process — atomic environment swapping is still the cleanest tool, because there's nothing finer-grained to gate. And progressive delivery has a real cost of its own: it pushes risk management into application code, which means someone has to own the flags and clean them up, or you trade deployment debt for flag debt.

But here's what neither pattern handles on its own, and where the "which should we buy" question usually goes wrong: the stateful changes. Blue-green can't flip a schema migration back once the new environment has written data in the new shape. Progressive delivery gates the code path but not the backfill. The hardest release risk lives below both abstractions, in the data layer, and choosing between blue and green doesn't touch it.

So the honest version of the tradeoff is this: blue-green gives you cheap reversal of an entire deployment, which is worth a lot when the deployment is your unit of risk and worth progressively less as you ship more often. Progressive delivery gives you per-change control and small blast radius, which is what continuous delivery actually needs — at the cost of managing the flags that make it work.

That last cost is the one worth engineering away, and it's the bet DeployRamp is built on. Progressive delivery only beats blue-green if the flags are cheap to create, safe to ramp, and don't rot into technical debt. So we put the flag in the pull request automatically, wire it to error-rate and latency monitoring so the rollout aborts itself before the blast radius grows, and open the cleanup PR once the change is fully rolled out. The goal isn't to sell you a third deployment strategy. It's to make change-layer risk control cheap enough that you stop paying for a second copy of production to get safety you can have in the request path.

Let DeployRamp handle the flags

Install the GitHub App, drop in the SDK, and ship a flagged PR in minutes. Book a demo and we'll show you how.

We use cookies to analyze site usage and improve your experience.