
Using AWS Global Accelerator to achieve blue/green deployments

AWS Global Accelerator is a network layer service that directs traffic to optimal endpoints over the AWS global network, which improves the availability and performance of your internet applications. It provides two static anycast IP addresses that act as a fixed entry point to your application endpoints, such as your Application Load Balancers, Network Load Balancers, Elastic IP addresses or Amazon EC2 instances, in a single or in multiple AWS Regions.

Blue/green deployment is a technique for releasing applications by shifting traffic between two identical environments running different versions of the application: “blue” is the current running version and “green” the new version. This type of deployment gives you an opportunity to test features in the green environment without impacting the current running version of your application. When you’re satisfied that the green version is working properly, you can gradually reroute the traffic from the old blue environment to the new green environment. Blue/green deployments can mitigate common risks associated with deploying software, such as downtime and limited rollback capability.

AWS Global Accelerator uses endpoint weights to determine the proportion of traffic that is directed to endpoints in an endpoint group, and traffic dials to control the percentage of traffic that is directed to an endpoint group (an AWS region where your application is deployed). In this blog post you will learn about the advantages of using AWS Global Accelerator for blue/green deployments, and how to use the service to implement blue/green deployments for single and multi-region applications.

Many customers use DNS weighted routing to implement blue/green deployments. Once you bring the green environment up and validate the new version of the application, you start shifting traffic from the blue to the green environment. You can do that using Route 53 weighted routing. This feature allows you to route traffic to multiple resources in proportions that you specify, and is an easy way to push more traffic to the green environment or revert traffic back to the blue environment in case of issues.

While relying on the DNS service is a great option for blue/green deployments, it may not fit use-cases that require a fast and controlled transition of the traffic. Some client devices and internet resolvers cache DNS answers for long periods of time; this DNS feature improves the efficiency of the DNS service as it reduces the DNS traffic across the Internet, and serves as a resiliency technique by preventing authoritative name-server overloads. The downside of this in blue/green deployments is that you don’t know how long it will take before all of your users receive updated IP addresses when you update a record, change your routing preference or when there is an application failure.

With AWS Global Accelerator, you can shift traffic gradually or all at once between the blue and the green environment, and vice versa, without being subject to DNS caching on client devices and internet resolvers: changes to traffic dials and endpoint weights take effect within seconds. In addition, with AWS Global Accelerator, you get two static anycast IP addresses that provide a fixed entry point to your applications. This lets you easily move your infrastructure between Availability Zones or between AWS Regions, without having to update the DNS configuration or client-facing applications.

Depending on your use case, you can use Global Accelerator endpoint weights, traffic dials or a combination of the two features to implement a blue/green deployment. In both single-region and multi-region blue/green deployments, if you want to test the green environment before routing traffic to it, configure a test listener with a different port (or port range) and protocol, add an endpoint group to the listener, and add the endpoints that host the green environment to that endpoint group. Then use this accelerator endpoint to test the green environment.

Single-region blue/green deployment with AWS Global Accelerator

If you want to perform a blue/green deployment for an application implemented in a single AWS Region, use endpoint weights. An endpoint weight is a value that determines the proportion of traffic that Global Accelerator directs to an endpoint. Once you create the new version of your application, first add it as an endpoint to the accelerator endpoint group with an endpoint weight of 0.

When the new green endpoint is healthy, you have two options. You can shift the traffic all at once by updating the endpoint weight from 0 to 128 for the green endpoint and from 128 to 0 for the blue endpoint. Alternatively, you can gradually increase the endpoint weight for the green endpoint from 0 to 128 while gradually decreasing the endpoint weight for the blue endpoint from 128 to 0. The gradual approach provides the ability to perform canary analysis, where a small percentage of production traffic is introduced to the new environment. Global Accelerator calculates the sum of the weights for the endpoints in an endpoint group, and then directs traffic to the endpoints based on the ratio of each endpoint’s weight to the total. For more information, see how endpoint weights work in the documentation.

AWS Global Accelerator endpoint weights


If issues arise during the deployment, achieve rollback by updating the endpoint weights to 0 for the new green endpoint and to its original value for the blue environment.

Updating endpoint weights can be done via the AWS Global Accelerator console or the following CLI command:

$ aws globalaccelerator update-endpoint-group \
  --endpoint-group-arn arn:aws:globalaccelerator::123456789012:accelerator/1234abcd-abcd-1234-abcd-1234abcdefgh/listener/6789vxyz-vxyz-6789-vxyz-6789lmnopqrs/endpoint-group/ab88888example \
  --endpoint-configurations \
     EndpointId=arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/<ALB-Blue-Environment>/51d17e5a74de77fe,Weight=0 \
     EndpointId=arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/<ALB-Green-Environment>/bff20bb5a450f72e,Weight=128
Endpoint group in US-WEST-2 region with 2 endpoints having 128 and 0 as endpoint weights


Note: If your accelerator endpoints are Application Load Balancers, consider using the ALB weighted target groups feature for blue/green deployments. It does not rely on the DNS service, and you don’t need to create new ALBs for the green environment.
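
The gradual weight shift and rollback described in this section, scripted as an added example that is not part of the original post. `EG_ARN`, `BLUE_ID`, `GREEN_ID` and `ACCEL_URL` are placeholders, the 100-request sample, 10-second wait and 10-point tolerance are assumptions, and the check assumes each response body names its environment (BLUE or GREEN) as in the sample output later in this post.

```shell
#!/bin/sh
# Added example: stepped blue -> green weight shift with automatic rollback.
# The four values below are placeholders (assumptions); set your own.
EG_ARN="${EG_ARN:-ENDPOINT_GROUP_ARN}"
BLUE_ID="${BLUE_ID:-BLUE_ENDPOINT_ARN}"
GREEN_ID="${GREEN_ID:-GREEN_ENDPOINT_ARN}"
ACCEL_URL="${ACCEL_URL:-http://ACCELERATOR_DNS_NAME/}"

# Give green weight $1 and blue 128-$1: the total stays 128, so green's
# share of the endpoint group is $1/128.
set_green_weight() {
  aws globalaccelerator update-endpoint-group \
    --endpoint-group-arn "$EG_ARN" --endpoint-configurations \
    "EndpointId=$BLUE_ID,Weight=$((128 - $1))" \
    "EndpointId=$GREEN_ID,Weight=$1" >/dev/null
}

# Send $1 requests; one response body per line, "ERROR" on a failed request.
probe() {
  i=0
  while [ "$i" -lt "$1" ]; do
    curl --silent --max-time 5 "$ACCEL_URL" || echo "ERROR"
    i=$((i + 1))
  done
}

# Read response lines on stdin; print "<green percent> <unexpected lines>".
# Assumes each body names its environment (GREEN/BLUE) as in the page's output.
summarize() {
  awk '/GREEN/ { g++ } !/GREEN|BLUE/ { bad++ }
       END { printf "%d %d\n", (NR ? g * 100 / NR : 0), bad }'
}

# ramp W1 W2 ...: step green through the weights; after each step compare the
# observed split with W/128 and return blue to 128 if the step looks wrong.
ramp() {
  for w in "$@"; do
    set_green_weight "$w" || return 2
    sleep "${SETTLE:-10}"              # weight changes apply within seconds
    read -r share bad <<EOF
$(probe 100 | summarize)
EOF
    diff=$((share - w * 100 / 128))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    if [ "$bad" -gt 0 ] || [ "$diff" -gt "${TOL:-10}" ]; then
      echo "rollback at weight $w: green=${share}% unexpected=$bad" >&2
      set_green_weight 0
      return 1
    fi
  done
}
# Usage: ramp 13 32 64 128   (about 10%, 25%, 50%, 100% of the group's traffic)
```

Run the probe from a client that is routed to the endpoint group being changed, otherwise the observed split reflects another Region's endpoints.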

Multi-region blue/green deployment with AWS Global Accelerator

If you want to perform a blue/green deployment across different AWS Regions, use Global Accelerator traffic dials to dial up or down traffic to a specific AWS Region. For each AWS Region (or endpoint group), you set a traffic dial to control the percentage of traffic that is directed to that Region.

Once you create and test the new version of your application, first set the traffic dial to 0 to cut off traffic for the green Region; the next available Region will serve the traffic that was supposed to be served by the green Region. Remove the previous endpoints from the endpoint group (or set their endpoint weights to 0), then add the new version of the application as endpoints to the endpoint group.

When the new endpoints are healthy, shift the traffic all at once by updating the traffic dial from 0% to 100% for the green Region and from 100% to 0% for the blue Region, or gradually increase the traffic dial for the green Region from 0% to 100%, and gradually decrease the traffic dial from 100% to 0% for the blue Region. This provides the ability to perform canary analysis where a small percentage of production traffic is introduced to the new environment.

AWS Global Accelerator traffic dials


If issues arise during the deployment, achieve rollback by updating the traffic dial to 0 for the green Region, removing the new (green) endpoints, adding the previous (blue) endpoints or setting their endpoint weights back to the original values, and then updating the traffic dial to 100% for the green Region.

Updating traffic dials can be done via the AWS Global Accelerator console or the following CLI command:

$ aws globalaccelerator update-endpoint-group \
  --endpoint-group-arn arn:aws:globalaccelerator::123456789012:accelerator/1234abcd-abcd-1234-abcd-1234abcdefgh/listener/6789vxyz-vxyz-6789-vxyz-6789lmnopqrs/endpoint-group/ab88888example \
  --traffic-dial-percentage 0
Accelerator with endpoint groups in EU-WEST-1 and US-WEST-2 having 100% and 0% as traffic dials


Example of blue/green deployment for a multi-region application

I would like to implement a blue/green deployment for a multi-region application deployed in two AWS Regions: US-WEST-2 (Oregon) and EU-WEST-1 (Dublin). The application consists of an Application Load Balancer in each Region, acting as endpoints for our accelerator.

Accelerator with endpoint groups in US-WEST-2 and EU-WEST-1 regions


Before you continue, make sure that you understand the basic concepts of AWS Global Accelerator and know how to create an accelerator. For a step-by-step guide on how to create and configure an accelerator, see Getting started with AWS Global Accelerator in the documentation, or take the self-paced workshop on Introduction to AWS Global Accelerator.

In this example I execute the following Bash script, which uses cURL to send 100 requests to the accelerator DNS name and outputs a count of where each request was processed:

$ for ((i=0;i<100;i++)); do curl http://aebd116200e8c28ad.awsglobalaccelerator.com/ --silent >> output.txt; done; cat output.txt | sort | uniq -c ; rm output.txt;

For more information on how Global Accelerator routes client requests, see how AWS Global Accelerator works in the documentation.

Requests from a client who should be served by US-WEST-2 region:

$ for ((i=0;i<100;i++)); do curl http://aebd116200e8c28ad.awsglobalaccelerator.com/ --silent >> output.txt; done; cat output.txt | sort | uniq -c ; rm output.txt;
 100 requests processed in US-WEST-2 (BLUE Environment)

I would like to deploy the green environment in the US-WEST-2 Region. For this, I set the traffic dial to 0 for the endpoint group to cut off traffic for the green Region. This can be done via the Global Accelerator console or via APIs:

$ aws globalaccelerator update-endpoint-group \
  --endpoint-group-arn arn:aws:globalaccelerator::123456789012:accelerator/1234abcd-abcd-1234-abcd-1234abcdefgh/listener/6789vxyz-vxyz-6789-vxyz-6789lmnopqrs/endpoint-group/ab88888example \
  --traffic-dial-percentage 0
Traffic dials in EU-WEST-1 and US-WEST-2 regions are 100% and 0% respectively


Requests from a client who should be served by US-WEST-2 region:

$ for ((i=0;i<100;i++)); do curl http://aebd116200e8c28ad.awsglobalaccelerator.com/ --silent >> output.txt; done; cat output.txt | sort | uniq -c ; rm output.txt;
 100 requests processed in EU-WEST-1 (BLUE Environment)

All the new traffic is now served from the next available endpoint group, which is EU-WEST-1.

I’ve updated my application in the US-WEST-2 Region and would like to test it. I set its traffic dial to 10%, so the endpoint group should handle 10% of the traffic that is supposed to go to US-WEST-2.

Traffic dials in EU-WEST-1 and US-WEST-2 regions are 100% and 10% respectively


Requests from a client who should be served by US-WEST-2 region:

$ for ((i=0;i<100;i++)); do  curl http://aebd116200e8c28ad.awsglobalaccelerator.com/ --silent >> output.txt; done; cat output.txt | sort | uniq -c ; rm output.txt;
  90 requests processed in EU-WEST-1 (BLUE Environment)
  10 requests processed in US-WEST-2 (GREEN Environment)

10% of the new US-WEST-2 traffic is served from the green environment (US-WEST-2), and 90% from the blue environment (EU-WEST-1).

Note: Traffic dials control the percentage of traffic that is directed to the group. The percentage is applied only to traffic that is already directed to the endpoint group, not to all listener traffic. If, for example, you want the green environment to serve 10% of all your traffic, set its traffic dial to 10% and the one for the blue environment to 90%. For more information, see Adjusting traffic flow with traffic dials in the documentation.

Gradually increase the traffic dial to 100% for the green Region.

Traffic dials in EU-WEST-1 and US-WEST-2 regions are 100%


Requests from a client who should be served by US-WEST-2 region:

$ for ((i=0;i<100;i++)); do curl http://aebd116200e8c28ad.awsglobalaccelerator.com/ --silent >> output.txt; done; cat output.txt | sort | uniq -c ; rm output.txt;
 100 requests processed in US-WEST-2 (GREEN Environment)

Users that should be served from the US-WEST-2 Region are now all served by the green environment. Repeat the same process to update the application in the EU-WEST-1 Region. If issues arise during the deployment, achieve rollback by updating the traffic dial to 0 for the green Region, adding the previous blue environment back, and changing the traffic dial back to 100%.

Conclusion

By following this blog post, you can quickly implement blue/green and canary deployments for single or multi-region applications using AWS Global Accelerator. This solution is easy to implement, and does not rely on DNS, so you are not impacted by DNS caching and long DNS TTLs. Beyond traffic dials and endpoint groups, Global Accelerator also provides many other features such as failover, client affinity, health checking, and DDoS protection. To learn more about all of the Global Accelerator features, visit our website.

Jibril Touzi


Jibril Touzi is a Senior Edge Specialist Solutions Architect at AWS. Helping partners and customers to innovate using AWS Networking and Edge services is what keeps him motivated. Jibril is a passionate photographer; when he is not working, he enjoys spending time with family in outdoor activities.