Canary testing: What it is and how to implement it

Canary testing asks whether a release remains healthy under limited production exposure before the team expands its blast radius.
A canary test runs a candidate version or feature for a controlled slice of real production conditions. The team directs synthetic checks, selected users, or a small percentage of traffic to it, compares the results with the stable version, and decides whether to promote, pause, or roll back.
The practice catches problems that lower environments miss: production-scale traffic, real identity and permission combinations, live dependency behavior, regional routing, configuration drift, and long-tail data. Its safety comes from containment and fast reversal, not from a belief that a small audience cannot be harmed.
Canary testing works when the release has a well-defined boundary, the cohort is observable, health criteria are explicit, shared state remains compatible, and rollback is rehearsed. Without those pieces, the team has merely released to fewer users and started watching dashboards.
Canary testing versus canary deployment
The terms are closely related but describe different parts of the workflow.
- Canary deployment is the release mechanism: run stable and candidate versions together and route limited traffic to the candidate.
- Canary testing is the validation activity: execute checks, compare telemetry, evaluate guardrails, and make a promotion decision.
Google Cloud defines a canary deployment as a progressive traffic split between an existing and new version. Its phases and optional analysis provide the infrastructure on which canary tests run.
A canary can also be feature-level. The code is deployed broadly, but a feature flag exposes one behavior to employees, beta accounts, or a deterministic percentage. GrowthBook's guide to feature flags in CI/CD shows how deployment and feature release can be separate events.
Choose the layer that matches the risk:
| Change | Useful canary control |
|---|---|
| Runtime, container, dependency, or service revision | Weighted infrastructure traffic |
| Isolated product feature or model choice | Feature flag targeting |
| Region-specific infrastructure | Region or cluster ring |
| Database schema | Backward-compatible migration plus version canary |
| Mobile feature | Remote flag constrained by app version |
Teams often combine them. First canary the application revision for operational health, then canary a flag-gated feature for user and product behavior.
What canary testing can and cannot prove
A successful canary provides evidence that the candidate passed specified checks for the observed cohort and window. It does not guarantee the release will remain healthy at 100% traffic.
Canary tests are good at finding:
- Elevated errors and crashes.
- Latency regressions.
- Resource and connection pressure.
- Broken configuration and permissions.
- Dependency incompatibility.
- Common workflow defects.
- Obvious product guardrail degradation.
They can miss:
- Failures that appear only at full scale.
- Rare paths absent from the cohort.
- Long-running leaks or delayed jobs.
- Harm concentrated in an unrepresented segment.
- Shared-state corruption that affects stable users later.
- Small product effects requiring a powered experiment.
A canary answers "did this candidate violate our release-health criteria?" A controlled experiment asks whether a change caused a measurable product outcome. GrowthBook's guide to canary releases as experiments explains why the two questions should not be collapsed.
Build the canary test plan
1. Define the release boundary
List the artifacts and behavior being changed: image, service, dependency, flag, model, schema, configuration, or infrastructure. Map every downstream system and shared resource.
The traffic percentage is not the real blast radius when the canary writes to a common database, publishes messages consumed by stable services, warms shared caches, or consumes a global quota. Identify those paths before choosing exposure.
2. List failure modes
Write concrete release-specific risks:
- New parser rejects a legacy payload.
- Increased memory grows until a pod restarts.
- A query creates lock contention.
- A payment partner receives duplicate retries.
- An authorization change blocks one plan tier.
- A model increases latency or cost despite healthy HTTP status.
Each risk should map to a test, metric, or explicit limitation. Generic CPU and error dashboards will not catch a semantic data error unless the system emits a corresponding signal.
3. Choose the cohort
Start with the smallest cohort that can exercise the important paths:
- Synthetic test identities.
- Employees or internal accounts.
- Opt-in beta users.
- A low-risk region or tenant ring.
- A deterministic percentage of eligible traffic.
Representativeness matters. Employees may use administrator permissions and clean data. A low-volume region may not exercise production concurrency. Move from forgiving internal users to a real customer slice before broad promotion.
Use sticky routing by user or account when state and experience persist. Random request-level routing can alternate versions within one workflow and make diagnosis harder.
4. Establish the stable baseline
Compare canary and stable traffic concurrently. Baseline at least:
- Request and task success.
- Error and exception rates.
- Latency percentiles.
- CPU, memory, queues, pools, and saturation.
- Dependency calls and timeouts.
- Data-integrity checks.
- Change-specific business guardrails.
Instrument every signal with revision, environment, region, and cohort. The OpenTelemetry signal model connects metrics, logs, and traces; for canary testing, the essential requirement is that each can be filtered to the candidate.
5. Define promotion and rollback rules
Replace "looks healthy" with thresholds:
Minimum: 50,000 candidate requests and one peak-traffic window
Error: candidate <= stable + 0.10 percentage points
Latency: candidate p95 <= stable p95 * 1.10
Data integrity: zero reconciliation mismatches
Business guardrail: checkout success no more than 0.5 points below stableUse both relative and absolute rules. A candidate only slightly worse than an already unhealthy stable version may still violate the service objective.
Define who can override automation, why, and how the override is logged. An approval should not silently waive a data-integrity failure.
6. Rehearse rollback
Confirm the stable artifact remains available, routing can return traffic, flags can be disabled, and the on-call owner has permission. Test the path before exposing customers.
Rollback also needs state compatibility:
- Old code can read new writes.
- Migrations follow expand-and-contract sequencing.
- Queued jobs are safe if the producer reverts.
- Caches and sessions do not preserve broken behavior.
- External side effects have compensating actions.
If rollback takes 20 minutes, the canary size and stop threshold must account for 20 minutes of continued exposure.
Implement canary testing step by step
Stage 1: Validate the candidate artifact
Before production exposure, run unit, integration, security, contract, migration, and performance tests. Build one immutable artifact and promote it through environments rather than rebuilding for production.
Canary testing addresses residual production uncertainty. It should not replace defects the pipeline can find earlier and more cheaply.
Stage 2: Deploy dark or without user traffic
Start the candidate instances and confirm they become ready without routing customer requests. Check configuration, secrets access, health endpoints, dependency connectivity, migrations, logging, tracing, and metric labels.
In Kubernetes, a Deployment manages replicas and rolling state, while a service mesh or rollout controller may provide weighted routing. Readiness probes should indicate ability to serve; they are not substitutes for end-to-end tests.
Stage 3: Run synthetic smoke tests
Send known, non-destructive requests directly to the candidate. Cover:
- Authentication and authorization.
- One critical read and write path.
- Dependency calls.
- Schema compatibility.
- Expected error handling.
- Telemetry emission.
Use dedicated test accounts and idempotency keys. Do not create fake production transactions or customer-visible state without cleanup and approval.
Microsoft's Kubernetes canary pipeline example includes a load-testing job against the deployed sample application, illustrating how an explicit validation task can gate promotion.
Stage 4: Route limited real traffic
Begin with a small, stable cohort. Amazon ECS canary deployments use an initial traffic shift followed by a full shift after the canary phase succeeds. Other systems support several intermediate steps.
The right first percentage depends on volume and severity. One percent of a billion requests is large; one percent of 1,000 daily requests may never exercise a rare path. Define both percentage and minimum observations.
Stage 5: Hold for the relevant observation window
Time should follow the failure mode:
- Minutes for a high-volume error regression.
- A traffic peak for autoscaling or pool exhaustion.
- A scheduled cycle for a batch job.
- Hours or days for a memory leak.
- A mature outcome window for a business guardrail.
Do not promote merely because a timer expired. Require the minimum evidence and passing thresholds.
Stage 6: Expand progressively
An example sequence is:
synthetic -> internal -> 2% -> 10% -> 25% -> 50% -> 100%Re-evaluate at every stage. Nonlinear load failures may appear only after 25% or 50%. New cohorts may introduce permissions, devices, or data shapes absent earlier.
GrowthBook's guide to progressive delivery treats each expansion as an evidence-based release decision rather than one automatic countdown.
Stage 7: Complete and keep watching
At 100%, the concurrent stable comparison may disappear and the candidate handles full load. Retain the previous revision during a defined recovery window and continue monitoring.
Document the observed metrics, stage timings, alerts, manual actions, and final decision. A canary that rolled back quickly can be more successful than one that promoted with an undetected defect.
Feature-flag canary testing
A feature flag can test an isolated behavior without shifting an entire service revision. The implementation pattern is:
- Deploy both old and new code paths with the flag off.
- Verify the disabled path does not change behavior.
- Enable for test identities and QA each supported state.
- Target an eligible, sticky customer cohort.
- Monitor technical and business guardrails.
- Expand exposure or disable the flag.
- Remove the temporary flag after full rollout.
GrowthBook feature flags support targeting, ramp schedules, guardrails, and rollback controls. Log flag exposure with the user's outcome so canary behavior can be compared with the stable path.
Flag failure behavior matters. Decide what happens if configuration is stale or unavailable. A safe default depends on the feature: old behavior, disabled feature, cached value, or a local fallback. Test that path deliberately.
Automate without losing diagnostic quality
Automation can route traffic, execute smoke tests, query telemetry, and pause or roll back faster than a human. It should also preserve evidence.
Every automated decision should record:
- Release and artifact identifiers.
- Canary cohort and traffic level.
- Test results and raw metric links.
- Thresholds and observation window.
- Boundary crossed and action taken.
- Owner and any override.
Avoid a single opaque "canary score." Separate failure reasons so an engineer can see whether the issue is latency, errors, data integrity, or missing observations.
GrowthBook's release management practices emphasize approval, versioning, and auditability alongside progressive exposure.
Common canary testing mistakes
Testing only the happy path
Include permissions, malformed input, dependency failure, cancellation, retry, and rollback paths. Candidate behavior under failure is often the risk.
Using an unrepresentative cohort
Internal success does not validate customer scale or data. Plan a progression toward representative users.
Watching averages
Mean latency can hide a severe p99 regression. Aggregate success can hide one region or plan. Predefine a small set of important percentiles and segments.
Ignoring shared state
A 1% candidate can write data consumed by 100% of stable traffic. Treat schemas, messages, caches, and jobs as part of the blast radius.
Destructive synthetic tests
Synthetic traffic should use controlled identities, isolated resources where possible, idempotency, and cleanup. Never assume "test" labels make production side effects harmless.
Promoting on absence of alerts
No alert may mean no problem, insufficient traffic, broken telemetry, or thresholds that cannot fire. Require positive evidence that the canary was exercised.
Leaving the flag or second revision indefinitely
Temporary paths create operational and code complexity. Define cleanup and stable-version retirement as release tasks.
Canary testing checklist
Before exposure:
- Candidate and stable artifacts are identifiable.
- Failure modes map to checks and metrics.
- Cohort is contained, sticky, and increasingly representative.
- Shared-state compatibility is verified.
- Stable baseline and absolute service limits are recorded.
- Promotion, pause, and rollback thresholds are explicit.
- Synthetic tests are safe and observable.
- Rollback permissions and mechanics are rehearsed.
- Minimum traffic and observation window are defined.
- Full-load monitoring and cleanup have owners.
During and after exposure, record the evidence at each stage rather than only the final status.
Test the release, not merely the deployment command
Canary testing is the evidence layer around limited production exposure. The deployment mechanism creates a candidate cohort; tests and telemetry determine whether that cohort earns broader traffic.
Use lower-environment tests first. In production, validate configuration and smoke paths, then compare real candidate and stable traffic against explicit technical, data, and product guardrails. Expand in meaningful stages, keep rollback safe, and continue watching at full load.
To canary feature behavior with targeted exposure, guardrails, and controlled rollback, explore GrowthBook feature flags.
Related Articles
Ready to ship faster?
No credit card required. Start with feature flags, experimentation, and product analytics—free.

