⚡ Engineering War Stories from the Trenches

When Big Tech Breaks
& How They Fix It

The postmortems they published. The outages they survived. The fixes that saved millions of users. Read the real story — not the press release.

Case Studies

Companies

∞

Things Broke

100%

No Fiction

Netflix Chaos Engineering

Netflix Unleashed a Monkey With a Weapon in Its Own Data Center — On Purpose

It was 2011 and Netflix had just migrated hundreds of microservices to AWS. Their architecture was distributed, horizontally scaled, and theoretically fault-tolerant. But theory and production are different things. The only way to know if a system could survive failures was to cause failures — constantly, deliberately, during business hours, and in production. So they built a monkey.

July 19 2011 blog published Business-hours instance killing 10 Simian Army members +3

Read full story →

Hotstar Live Streaming

When MS Dhoni Got Out: How Hotstar Survived 25 Million Concurrent Users

July 9th, 2019. India vs New Zealand, Cricket World Cup semi-final. MS Dhoni walks to the crease and 1.1 million new viewers join Hotstar every single minute. Then he gets run out — and 24 million people hit the back button almost simultaneously.

25.3M peak concurrent 1.1M users/min growth 5.7 Tbps bandwidth +3

Read full story →

GitHub Databases

How GitHub Upgraded 1200 MySQL Hosts Without Dropping a Single Query

MySQL 5.7 was hitting end-of-life, and GitHub's production database fleet spanned 1,200 hosts, 300 terabytes of data, and 5.5 million queries every second. Getting from here to MySQL 8.0 without disrupting 100 million developers was going to take more than a weekend.

1,200+ MySQL hosts upgraded 300+ TB data migrated 5.5M queries/sec maintained +3

Read full story →

Slack Reliability

Slack Built a Big Red Button to Drain an Entire Data Center in Five Minutes

On June 30, 2021, a network link connecting one AWS availability zone failed — and Slack users felt it, despite Slack running in multiple availability zones. The postmortem question was brutal: why did a single AZ failure affect users at all? The answer drove 18 months of architecture work.

2021-06-30 AZ outage trigger 1.5 years migration time AZ drain in <5 minutes +3

Read full story →

Cloudflare Reliability

Cloudflare Fixed a React Security Vulnerability and Broke the Entire Network

In late 2025, Cloudflare was rolling out a fix for a React security vulnerability. To do so, they needed to disable an internal testing tool with a global killswitch. The killswitch, unexpectedly, triggered a bug that sent HTTP 500 errors across Cloudflare's entire global network. This was the third major configuration-related global outage in two years.

Dec 2025 global outage React CVE fix triggered outage Global killswitch bug +3

Read full story →

LinkedIn Messaging

LinkedIn Needed a Message Queue. They Built the One the Entire Internet Runs On.

In 2010, LinkedIn was drowning in data it couldn't move. Every ML model, every recommendation engine, every real-time feature was starving because there was no reliable way to get activity data from the website into the systems that needed it. Jay Kreps, Jun Rao, and Neha Narkhede spent a year building a fix. They named it after Franz Kafka. The rest of the internet adopted it.

1B events/day at launch (2011) 1T messages/day by 2015 7T messages/day by 2019 +3

Read full story →

Discord Databases

How Discord Migrated Trillions of Messages and Fired Their Garbage Collector

It is 2022 and Discord's on-call engineers are babysitting a 177-node database cluster, manually rebooting nodes after Java GC pauses spiral out of control. The system holding every message ever sent is becoming the thing everyone fears touching most.

177 → 72 nodes p99 latency 15ms (was 40–125ms) 9-day migration (was 3-month est.) +3

Read full story →

Discord Reliability

Discord Killed the MacBook Dev Environment and Never Looked Back

Discord's engineering team had tripled in size and was drowning in a swamp of 'works on my machine' bugs — some engineers running macOS, some Ubuntu, all of them slowly. The solution was radical: no one gets a local dev environment anymore.

3x engineering org growth Mac→V1→V2 (two migrations) Began 2020, V2 done 2023 +3

Read full story →

Netflix Distributed Systems

Netflix Hit the AWS Instance Ceiling and Built a Workflow Engine That Scales Forever

Netflix's Meson orchestrator was handling hundreds of thousands of daily data and ML jobs — and running out of machine. Vertically scaling on AWS had a hard ceiling, and the workflows were doubling in size every year. The only way out was a complete architectural rethink.

2M+ jobs/day at peak Hundreds of thousands of workflows Meson → Maestro 2020 +3

Read full story →

Slack Reliability

Slack's Worst Day: When a Better Cache Manager Made Everything Worse

On February 22, 2022, Slack went down for many users — including the engineer designated as Incident Commander, who was authoring the postmortem from a position of personal experience. The culprit was a new component that worked exactly as designed.

Feb 22 2022 outage Consul rollout to 75% of fleet Cache hit rate collapsed +3

Read full story →

Stripe Databases

How Stripe Moves Petabytes Between Database Shards Without Stopping the Money

Stripe processed over $1 trillion in payment volume in 2023 while maintaining 99.999% uptime — five nines, fewer than 6 minutes of downtime all year. The infrastructure secret is a database platform called DocDB and a migration engine that moves petabytes of financial data between shards without any application knowing it happened.

$1T+ payment volume 2023 99.999% uptime achieved 5M database queries/sec +3

Read full story →

Slack Distributed Systems

Slack Rewrote Its Core Architecture for Enterprise — Because the Old One Was a Lie

Slack was built for teams in single workspaces. Enterprise customers were using it across dozens of workspaces simultaneously — and the architecture had never been designed for that. Every major enterprise feature was a workaround on top of a foundation that assumed one workspace per person. Slack spent two years rebuilding the foundation.

2 years development time Workspace-centric → org-wide Thousands of APIs refactored +3

Read full story →

Slack Reliability

Slack Cut Deploy-Related Customer Impact by 90% in Eighteen Months

73% of Slack's customer-facing incidents were being triggered by Slack itself — by its own code deploys. The team stopped treating each outage as a one-off and started treating deploy safety as a program, with metrics, milestones, and automated rollbacks. Eighteen months later, customer impact hours were down 90%.

73% incidents from own deploys 90% reduction in impact hours Manual → automatic rollbacks +3

Read full story →

Atlassian Reliability

How a Two-Line Script Silently Deleted 883 Customer Cloud Sites

At 07:38 UTC on April 5th, 2022, a maintenance script begins its run — methodical, peer-reviewed, totally routine. Twenty-three minutes later, 883 Atlassian Cloud sites have been permanently deleted, and the company's own incident management tool, Opsgenie, is one of the casualties.

883 sites deleted 14 days max outage 775 customers affected +3

Read full story →

Netflix Live Streaming

65 Million Streams: How Netflix Rebuilt Its Guts for Live

November 15, 2024: 65 million people log on to watch Mike Tyson fight Jake Paul, the largest live sports stream in history. Behind the scenes, Netflix engineers are white-knuckling a system they built from scratch — one where a single bad video segment, a CDN request storm, or a missed 2-second write deadline means millions of viewers see a black screen.

65M concurrent streams 113ms → 25ms p50 latency 200Gbps+ read throughput +3

Read full story →

Stripe Performance

Stripe Converted 3.7 Million Lines of JavaScript in One Pull Request on a Sunday

On Sunday, March 6, 2022, Stripe merged a single pull request that converted their entire largest JavaScript codebase from Flow to TypeScript. 3.7 million lines of code. Hundreds of engineers arrived Monday morning to start writing TypeScript. The migration had been invisible until it wasn't.

3.7M lines converted in 1 PR Single Sunday deploy Largest JS codebase at Stripe +3

Read full story →

GitHub Reliability

The Test That Broke GitHub: A Failover Drill Goes Live

June 29, 2023, 17:39 UTC: GitHub engineers initiate a planned live failover test of their brand-new second Internet edge facility — six months of infrastructure work designed to eliminate a single point of failure. Within seconds, instead of validating their redundancy, they've created an outage that takes GitHub offline for millions of developers across North America and South America.

32-minute outage 2-min detect-to-revert US East + South America +3

Read full story →

Shopify Databases

Shopify Sharded a Rails Database With Vitess and the App Never Knew It Happened

The Shop app was growing exponentially. Its single MySQL database was approaching vertical scaling limits. Shopify needed horizontal sharding — but they had a Rails monolith that expected a single database, and a system that couldn't have downtime during a commerce platform used by millions daily.

KateSQL → Vitess migration user_id as sharding key VTGate transparent to app +3

Read full story →

Shopify Databases

Shopify's Engineers Hunted Deadlocks at 19 Million Queries per Second

During Black Friday and Cyber Monday 2023, Shopify's MySQL fleet was handling 19 million queries per second. At that scale, even rare deadlock patterns become common enough to cause real incidents. The engineering team published a detailed playbook for diagnosing and eliminating MySQL deadlocks in high-concurrency production environments.

19M MySQL QPS at BFCM peak 58M requests/min app servers 99.999%+ uptime maintained +3

Read full story →

Cloudflare Reliability

Cloudflare's Datacenter Partner Failed and the Control Plane Went Dark for 40 Hours

On November 2, 2023, Cloudflare's primary datacenter partner experienced a power failure. The control plane — the system that lets customers configure DNS, firewall rules, and every Cloudflare service — went dark. It stayed dark, in various forms, for nearly 40 hours. The postmortem introduced a concept Cloudflare hadn't had before: Code Orange.

Nov 2–4 2023 outage ~40 hours control plane down Flexential datacenter failure +3

Read full story →

Cloudflare Reliability

A Database Permission Change in ClickHouse Took Down 28% of Cloudflare's HTTP Traffic

On November 2, 2023 — the same day as the control plane datacenter failure — Cloudflare also experienced a separate six-hour global outage. The cause: a database permission change in ClickHouse generated a corrupt configuration file that was silently propagated to every server in Cloudflare's Bot Management system, crashing it globally.

Nov 2 2023 outage 28% HTTP traffic impacted 6 hours total duration +3

Read full story →

Netflix Performance

Netflix Made Their Workflow Orchestrator 100x Faster by Rewriting the Engine Nobody Thought Was Slow

Maestro had been running Netflix's data and ML workflows successfully for two and a half years. Then Live, Ads, and Games drove sub-hourly scheduling requirements that revealed the orchestrator's overhead — not in crashes or alerts, but in slow step launches that nobody had measured. The fix was a complete engine rewrite that delivered 100x throughput improvement.

100x throughput improvement 2.5 years before overhead visible Sub-hourly scheduling trigger +3

Read full story →

Netflix Performance

Netflix's Containers Were Fighting Their Own CPUs — and Losing

Netflix ran millions of containers per day on modern multi-core CPUs. The containers performed well on benchmarks. In production, under certain workloads, they were mysteriously slower than expected — slower than the hardware should have allowed. The culprit was CPU topology: the operating system was scheduling container workloads in ways that violated modern CPU cache architecture. They called the investigation 'Mount Mayhem.'

Mount Mayhem investigation Modern multi-core CPU topology NUMA and cache locality +3

Read full story →

Netflix Reliability

Netflix Streamed Live Sports for Millions — and the Hard Part Wasn't the Video

When Netflix began streaming live events — boxing, NFL games, comedy specials — the engineering challenge wasn't encoding or delivery. It was building the human infrastructure: the operations team, the escalation paths, the real-time decision systems, and the runbooks that let engineers respond to live event failures in seconds, not minutes.

Live events at Netflix scale Sub-second escalation paths NFL Christmas Day 2023 +3

Read full story →

Figma Databases

Figma's Database Grew 100x in Four Years — Here's How a Small Team Kept It From Toppling

In 2020, Figma ran on a single Postgres instance on AWS's largest available machine. Four years later, that database had grown nearly 100x. Some tables had swelled to several terabytes and billions of rows. The Postgres vacuum process — the background job that keeps Postgres alive — was causing reliability incidents. They had months of runway left before hitting the IOPS ceiling. A small databases team had nine months to fix it.

100x DB growth since 2020 Single instance → horizontal shards 9-month migration +3

Read full story →

Datadog Reliability

Datadog Went Dark for 24 Hours and Came Back With a Different Philosophy

On March 8, 2023, Datadog — the platform engineers use to know when their own infrastructure is broken — broke. For more than 24 hours, across five regions on three cloud providers, metrics stopped arriving, logs disappeared, and dashboards showed nothing. The people whose job was to fix it couldn't see what was happening. It cost $5 million. It changed how Datadog thinks about building software.

24h+ global outage $5M revenue loss 50–60% Kubernetes nodes lost +3

Read full story →

OpenAI Databases

OpenAI Runs ChatGPT for 800 Million Users on One PostgreSQL Instance — and It Works

ChatGPT has 800 million users. It handles millions of database queries per second. And it runs on a single primary PostgreSQL instance on Azure — one writer, backed by about fifty read replicas. No sharding. No distributed SQL. Just Postgres, pushed further than almost anyone thought possible through obsessive optimization and ruthless operational discipline.

800M users, 1 primary PG instance ~50 read replicas globally Millions of QPS, p99 <20ms +3

Read full story →

Uber Security

Uber Had 150,000 Secrets Scattered Across 25 Vaults — So They Built One Platform to Rule Them

150,000 secrets. 25 separate vaults. Hundreds of teams managing their own credentials in their own ways, some in plain text in version control. At Uber's scale — 5,000 microservices, 5,000 databases, 500,000 analytical jobs per day — secrets sprawl is not a compliance problem. It is an incident waiting to happen. A team of ten engineers decided to fix it.

150,000 secrets managed 25 vaults → 6 managed vaults 5,000 microservices secured +3

Read full story →

Shopify Reliability

The 80% Problem: Why Getting an LLM System to 'Works in Demo' Is 20% of the Work

Every team building with LLMs discovers the same brutal truth: 80% quality arrives in a few weeks. The final 15% — the gap between 'impressive demo' and 'product I'd trust with my customers' — takes the rest of the time. Shopify's Flow agent and Sidekick teams lived this curve and came back with a systematic playbook. It is mostly about measurement.

LLM judge: 0.02 → 0.61 Kappa 300-example hand-crafted benchmark Production mirroring closes gap in 2 weeks +3

Read full story →

Cloudflare · Reliability

Cloudflare's Datacenter Partner Failed and the Control Plane Went Dark for 40 Hours

The Story

We have not had such a process in the past, but it's clear today we need to implement a version of it ourselves: Code Orange.

— Cloudflare Engineering — via Post-Mortem on the Cloudflare Control Plane and Analytics Outage, November 2023

Cloudflare operates one of the world's largest content delivery and security networks, with hundreds of handling customer traffic across the globe. These PoPs operate largely autonomously from the control plane — once configurations are pushed, the network continues operating even if the control plane has issues. But when the control plane goes down, customers can't configure anything. They can't add DNS records, update firewall rules, change SSL settings, or deploy new Workers. The network keeps running, but it becomes effectively immutable. On November 2, 2023, at 11:43 UTC, that's exactly what happened.

The cause was a power failure at Flexential, Cloudflare's primary datacenter partner hosting the control plane infrastructure. Flexential is not a cloud provider — it's a colocation facility where Cloudflare runs its own physical servers. Power failures in colocation facilities, while rare, happen. What made this incident severe was that the control plane recovery was not automatic. Failover to Cloudflare's disaster recovery facility required manual orchestration, and some services — particularly raw log delivery — were not replicated to the DR facility and therefore couldn't be recovered until the primary datacenter came back. Services were still not fully restored 40 hours after the initial failure.

Cloudflare's control plane infrastructure ran in a colocation datacenter — physical servers in a facility owned by a third party, not in a public cloud. This architecture gives Cloudflare hardware control and cost efficiency but means datacenter-level failures require manual failover coordination rather than cloud provider automated region failover.

Problem

Flexential Power Failure at 11:43 UTC Nov 2

Cloudflare's primary datacenter partner experienced a power failure. The control plane — API, dashboard, analytics services — went offline. Edge traffic continued operating normally (PoPs are autonomous), but customers could not make any configuration changes. Internal monitoring and log analytics were also impacted.

Cause

Control Plane Not Designed for Autonomous Failover

Unlike Cloudflare's edge network, the control plane was not designed for automatic failover. Recovery required manual orchestration to bring services up at the DR facility. Some data — particularly raw log streams — was not replicated to DR, meaning certain services could not be restored until the primary facility recovered.

Solution

DR Failover + Manual Service Restoration

Control plane core functionality was restored at the DR facility at 17:57 UTC on Nov 2 — ~6 hours after the incident started. Many customers saw restored API access at this point. However, some services continued to experience issues until Nov 4 as teams worked through recovery of systems that had data in the primary datacenter only.

Result

Full Restoration Nov 4, Code Orange Invented

Services were fully restored at 04:25 UTC on November 4, nearly 40 hours after the initial failure. The incident prompted Cloudflare to create a new process — Code Orange — modeled on Google's Code Yellow/Red, for major incidents requiring all-hands engineering mobilization.

CODE ORANGE: A NEW INCIDENT PROCESS IS BORN

Google has a practice where significant crises trigger a Code Yellow or Code Red — most engineering resources are shifted to address the issue. Cloudflare had no equivalent process before this incident. The 40-hour outage demonstrated the need for a structured mechanism to mobilize engineering resources across all teams for critical incidents. Code Orange was created as Cloudflare's version of this concept. The process includes defined escalation paths, cross-team coordination protocols, and clear criteria for when to invoke it.

The log push service — Cloudflare's product that delivers raw access logs directly to customer storage buckets in real time — was unavailable for the majority of the outage duration. Unlike the control plane API, which could be brought up at the DR facility using replicated state, the log pipeline infrastructure was primarily hosted in the primary datacenter and not fully replicated to DR. Customers who relied on log push for security monitoring, compliance logging, or billing reconciliation had gaps in their log data that could not be recovered. Cloudflare's postmortem explicitly noted that some datasets which are not replicated in the EU would have persistent gaps — data that would never be recovered regardless of DR restoration success.

The 'Expect Entire Datacenters to Fail' Principle

The postmortem contained a striking engineering principle statement: we must expect that entire data centers may fail. This is a design requirement, not a risk acceptance. Any system that would be materially impaired by a single datacenter failure needs to be redesigned so that it either operates independently of any single datacenter or fails over automatically when one goes dark. The control plane architecture had not been held to this standard — and the 40-hour outage was the consequence.

Questions for Flexential Still Outstanding

As of the postmortem publication, Cloudflare stated it had a number of questions that needed to be answered from Flexential. A power failure of this duration at a major colocation facility raises questions about redundant power systems, UPS capacity, diesel generator performance, and facility operations procedures. The postmortem was transparent about this outstanding accountability — an unusual admission that the root cause investigation wasn't complete.

The Data Plane Continued Running

During the entire 40-hour control plane outage, Cloudflare's data plane continued operating normally — DDoS mitigation, CDN caching, SSL termination, and traffic routing were all functioning. Customers using Cloudflare for traffic performance and security saw no degradation. This is a testament to Cloudflare's edge-resilient architecture — PoPs operate autonomously from the control plane once configured. The outage was exclusively a management plane failure: you couldn't change anything, but what was already configured kept working.

Analytics and Dashboard Dark for Enterprise Customers

For Cloudflare's enterprise customers, the control plane outage had real operational consequences beyond configuration changes. Security dashboards showing live attack traffic, WAF logs, DNS analytics, and firewall event monitoring were all unavailable. During a 40-hour window when customers couldn't see what was happening on their infrastructure, security teams had reduced visibility precisely when they might have needed it most. The monitoring and analytics darkness was in some ways more operationally painful than the configuration lock.

THE CUSTOMER EXPERIENCE ASYMMETRY

Cloudflare's customer base experienced the outage very differently based on what they used Cloudflare for. Performance-focused customers (CDN, caching) saw nothing — their traffic ran fine. Security-focused customers (WAF, DDoS mitigation) had protection but lost visibility into attacks. Developer customers (Workers, Pages, DNS) were locked out of deploying changes for 40 hours. Analytics-dependent customers had data gaps that couldn't be recovered. Same outage, four different impact profiles.

The Fix

Post-Incident Architecture Changes

The November 2023 control plane outage forced Cloudflare to confront a fundamental architectural gap: the network edge (PoPs) was designed for resilience and independence, but the control plane was not. The fixes needed were architectural — not configuration tweaks. The postmortem identified several categories of required investment: automatic failover for control plane services, expanded data replication to DR, staged rollouts for configuration changes to prevent future single-change outages, and the Code Orange process for mobilizing resources during major incidents.

~40h

Total outage duration from power failure to full service restoration across all affected services — November 2–4, 2023

Time to partial restoration at DR facility — core API and dashboard functions restored at 17:57 UTC on November 2 after the 11:43 UTC failure

Data recovery possible for log push gaps — certain log streams not replicated to DR resulted in permanent data loss for the outage window

New process created: Code Orange — Cloudflare's all-hands engineering mobilization protocol for major incidents, modeled on Google's Code Yellow/Red

yaml

# Conceptual DR architecture requirements derived from the incident
# Every control plane service needs to meet these criteria:

control_plane_service:
  # Recovery requirements
  automatic_failover:
    enabled: true  # No manual orchestration needed
    rto: "< 30 minutes"  # Recovery Time Objective
    rpo: "< 5 minutes"   # Recovery Point Objective
  
  # Data replication requirements
  data_replication:
    primary_dc: "colo-us-east"
    dr_dc: "colo-us-west"    # replicated to DR
    replication_lag: "< 60s"  # data freshness at DR
    log_streams:              # ALL streams, not just some
      replicated: true        # persistent log gaps = customer data loss
  
  # Configuration safety
  config_rollout:
    staged: true             # NOT global instant propagation
    health_checks: true      # validate before wider rollout
    rollback_trigger: "auto" # revert on health check failure

THE CONFIGURATION ROLLOUT PROBLEM (FORESHADOWING)

In the postmortem, Cloudflare identified a specific action item: 'Hardening ingestion of Cloudflare-generated configuration files in the same way we would for user-generated input' — including staged rollouts rather than global instant propagation of configuration files. This action item would become prophetic: weeks after the November 2023 outage, a global configuration change for Bot Management caused another major outage. The staged rollout work hadn't been completed in time.

Code Orange: The All-Hands Protocol

Cloudflare's new Code Orange process, modeled on Google's Code Yellow/Red, provides a structured mechanism for major incidents. When Code Orange is declared, most or all engineering resources shift to the incident. The process defines: who has authority to declare Code Orange, how resources are mobilized, what communication protocols apply, and what the criteria are for declaring the incident resolved. Before Code Orange, major incidents relied on informal escalation — which is slower and less coordinated under pressure.

The Colocation Trade-Off

Cloudflare chose colocation over cloud hosting for the control plane for cost and hardware control reasons. This decision is defensible — cloud hosting at Cloudflare's scale would be extremely expensive. But it comes with a trade-off: manual failover instead of automated region failover. The November 2023 incident makes this trade-off concrete: 40 hours of control plane impact versus the cost of cloud hosting or of building proper automatic DR. Organizations must make this trade-off explicitly, not accidentally.

The DR Facility Limitation

Cloudflare's disaster recovery facility was able to handle core API and dashboard functionality after the 6-hour manual failover. But it could not handle everything. Services that stored state locally in the primary datacenter without replication — including the log push pipeline — could not be restored at DR. The architectural lesson: DR readiness is not a single binary state. Each service needs to be evaluated individually for DR completeness: which data is replicated, which processes can be restarted at DR, and what the residual capability is when the primary is down.

Questions for Flexential Still Open

Cloudflare's postmortem noted they had outstanding questions for Flexential about the power failure — specifically about the adequacy of redundant power systems, UPS performance, and datacenter operations. This transparency is notable: Cloudflare publicly acknowledged that they didn't yet have the full picture of why a colocation facility experienced a power failure significant enough to take down their control plane for 40 hours, and that accountability from the vendor was part of the recovery process.

Architecture

Cloudflare's architecture has a conceptual split: the data plane (PoPs, edge servers, traffic processing) and the control plane (API, dashboard, configuration management, analytics). The data plane is designed for resilience — distributed across 300+ locations, able to continue serving traffic even if the control plane is unavailable. The control plane was designed for correctness and consolidation — centralized, manageable, cost-efficient. The November 2023 incident exposed the asymmetry: data plane is nearly indestructible; control plane is a single point of failure.

Cloudflare's Architecture: Data Plane vs Control Plane

flowchart TD subgraph data_plane["DATA PLANE (resilient — continued during outage)"] pop1["PoP: Dallas"] pop2["PoP: London"] pop3["PoP: Singapore"] internet["Internet Traffic"] --> pop1 internet --> pop2 internet --> pop3 end subgraph control_plane["CONTROL PLANE (centralized — failed during outage)"] api["Cloudflare API"] dashboard["Dashboard"] analytics["Analytics"] log_push["Log Push Service"] flexential["Flexential Datacenter\n(power failed Nov 2)"] api --> flexential dashboard --> flexential analytics --> flexential log_push --> flexential end dr["DR Facility\n(partial recovery)"] -.->|"manual failover\n6h after failure"| api flexential -->|"⚠️ POWER FAILURE"| outage

After: Required Control Plane Architecture (DR + Replication)

THE EDGE IS RESILIENT. THE CENTER IS NOT.

Cloudflare's network architecture reflects a common pattern in distributed systems: the edges are designed for resilience; the center is designed for convenience. Edge nodes must work autonomously during control plane outages. Centralized control planes are often designed for operational simplicity rather than failure resilience — because failures at the center are rare and the cost of the engineering to harden them is high. The November 2023 incident makes the explicit argument that for systems managing global internet infrastructure, the center must be designed with the same resilience standards as the edges.

Log Data Persistence: A Gap in DR Planning

The log push service's inability to be restored at the DR facility reveals a gap in DR planning that is common in operational log pipelines: log data is often considered less critical than application data and receives less investment in replication and DR. But for Cloudflare's enterprise customers, raw access logs are security audit trails, compliance records, and billing evidence. A gap in log data can trigger regulatory issues, security investigations, and customer trust problems that persist long after service is restored.

Colocation vs Cloud: The Resilience Trade-Off Made Explicit

The Cloudflare control plane outage makes concrete a trade-off that every infrastructure team makes implicitly: colocation is cheaper and gives hardware control, but requires manual failover during datacenter failures. Public cloud providers offer automated region failover but at significantly higher cost. The November 2023 incident is the explicit data point for how expensive the colocation approach can be during a once-a-decade power failure: 40 hours of control plane impact, customer trust damage, and the engineering investment required to build DR parity that cloud providers offer by default.

Lessons

The November 2023 Cloudflare control plane outage is a master class in the asymmetry between designing edges and designing centers. The edge was fine. The center failed. The lesson is to apply the same resilience standards to both.

Expect entire data centers to fail. This is not a pessimistic assumption — it's a design requirement. Any system that cannot survive the loss of a single datacenter needs to be redesigned. Resilience is not about preventing failure; it's about maintaining operation through it.

versus manual failover is the difference between a 30-minute recovery and a 6-hour recovery. Colocation is cost-efficient, but if it requires manual failover orchestration, the cost of the efficiency is availability during rare but consequential failures.

Replicate all data to your DR facility, not just the most critical data. Log pipelines, analytics streams, and operational data that is not replicated to DR creates irrecoverable data gaps during primary datacenter failures. The cost of replication is fixed; the cost of data loss is unbounded.

Large incidents benefit from an explicit all-hands mobilization process. Google's Code Yellow/Red, Cloudflare's new Code Orange — these are mechanisms for concentrating engineering attention on critical problems without the usual resource negotiation overhead. If your organization doesn't have an equivalent, the first time you need one will be too late to create it.

Configuration changes to global infrastructure need staged rollouts, not global instant propagation. The November 2023 postmortem explicitly identified this as a required improvement. The subsequent December 2023 global outage from a Bot Management configuration change was a direct consequence of that improvement not yet being implemented. Infrastructure safety systems must be built before the next incident, not after.

The Staged Rollout Action Item and the December Outage

The November 2023 postmortem explicitly identified staged configuration rollouts as a required improvement. The December 2023 Bot Management outage happened because that work hadn't been completed yet — another global configuration change propagated instantly and caused a systemwide outage. This sequence is a stark illustration of why postmortem action items need urgency tracking: the cost of the follow-on incident exceeded the cost of the work that would have prevented it.

DATA REPLICATION IS NOT OPTIONAL FOR LOGS

The log push service's permanent data gaps during the outage elevated a truth that gets underinvested in: operational log data is customer data. For security audits, compliance requirements, billing reconciliation, and forensic investigation, log streams are as important as application data. Organizations that treat logs as ephemeral operational noise rather than durable customer data will find this assumption tested during major incidents.

Cloudflare routed traffic for half the internet the entire time their control plane was dark — which proves the edge works and proves the center matters, simultaneously.TechLogStack — built at scale, broken in public, rebuilt by engineers