⚡ Engineering War Stories from the Trenches

When Big Tech Breaks
& How They Fix It

The postmortems they published. The outages they survived. The fixes that saved millions of users. Read the real story — not the press release.

Case Studies

Companies

∞

Things Broke

100%

No Fiction

Netflix Chaos Engineering

Netflix Unleashed a Monkey With a Weapon in Its Own Data Center — On Purpose

It was 2011 and Netflix had just migrated hundreds of microservices to AWS. Their architecture was distributed, horizontally scaled, and theoretically fault-tolerant. But theory and production are different things. The only way to know if a system could survive failures was to cause failures — constantly, deliberately, during business hours, and in production. So they built a monkey.

July 19 2011 blog published Business-hours instance killing 10 Simian Army members +3

Read full story →

Hotstar Live Streaming

When MS Dhoni Got Out: How Hotstar Survived 25 Million Concurrent Users

July 9th, 2019. India vs New Zealand, Cricket World Cup semi-final. MS Dhoni walks to the crease and 1.1 million new viewers join Hotstar every single minute. Then he gets run out — and 24 million people hit the back button almost simultaneously.

25.3M peak concurrent 1.1M users/min growth 5.7 Tbps bandwidth +3

Read full story →

GitHub Databases

How GitHub Upgraded 1200 MySQL Hosts Without Dropping a Single Query

MySQL 5.7 was hitting end-of-life, and GitHub's production database fleet spanned 1,200 hosts, 300 terabytes of data, and 5.5 million queries every second. Getting from here to MySQL 8.0 without disrupting 100 million developers was going to take more than a weekend.

1,200+ MySQL hosts upgraded 300+ TB data migrated 5.5M queries/sec maintained +3

Read full story →

Slack Reliability

Slack Built a Big Red Button to Drain an Entire Data Center in Five Minutes

On June 30, 2021, a network link connecting one AWS availability zone failed — and Slack users felt it, despite Slack running in multiple availability zones. The postmortem question was brutal: why did a single AZ failure affect users at all? The answer drove 18 months of architecture work.

2021-06-30 AZ outage trigger 1.5 years migration time AZ drain in <5 minutes +3

Read full story →

Cloudflare Reliability

Cloudflare Fixed a React Security Vulnerability and Broke the Entire Network

In late 2025, Cloudflare was rolling out a fix for a React security vulnerability. To do so, they needed to disable an internal testing tool with a global killswitch. The killswitch, unexpectedly, triggered a bug that sent HTTP 500 errors across Cloudflare's entire global network. This was the third major configuration-related global outage in two years.

Dec 2025 global outage React CVE fix triggered outage Global killswitch bug +3

Read full story →

LinkedIn Messaging

LinkedIn Needed a Message Queue. They Built the One the Entire Internet Runs On.

In 2010, LinkedIn was drowning in data it couldn't move. Every ML model, every recommendation engine, every real-time feature was starving because there was no reliable way to get activity data from the website into the systems that needed it. Jay Kreps, Jun Rao, and Neha Narkhede spent a year building a fix. They named it after Franz Kafka. The rest of the internet adopted it.

1B events/day at launch (2011) 1T messages/day by 2015 7T messages/day by 2019 +3

Read full story →

Discord Databases

How Discord Migrated Trillions of Messages and Fired Their Garbage Collector

It is 2022 and Discord's on-call engineers are babysitting a 177-node database cluster, manually rebooting nodes after Java GC pauses spiral out of control. The system holding every message ever sent is becoming the thing everyone fears touching most.

177 → 72 nodes p99 latency 15ms (was 40–125ms) 9-day migration (was 3-month est.) +3

Read full story →

Discord Reliability

Discord Killed the MacBook Dev Environment and Never Looked Back

Discord's engineering team had tripled in size and was drowning in a swamp of 'works on my machine' bugs — some engineers running macOS, some Ubuntu, all of them slowly. The solution was radical: no one gets a local dev environment anymore.

3x engineering org growth Mac→V1→V2 (two migrations) Began 2020, V2 done 2023 +3

Read full story →

Netflix Distributed Systems

Netflix Hit the AWS Instance Ceiling and Built a Workflow Engine That Scales Forever

Netflix's Meson orchestrator was handling hundreds of thousands of daily data and ML jobs — and running out of machine. Vertically scaling on AWS had a hard ceiling, and the workflows were doubling in size every year. The only way out was a complete architectural rethink.

2M+ jobs/day at peak Hundreds of thousands of workflows Meson → Maestro 2020 +3

Read full story →

Slack Reliability

Slack's Worst Day: When a Better Cache Manager Made Everything Worse

On February 22, 2022, Slack went down for many users — including the engineer designated as Incident Commander, who was authoring the postmortem from a position of personal experience. The culprit was a new component that worked exactly as designed.

Feb 22 2022 outage Consul rollout to 75% of fleet Cache hit rate collapsed +3

Read full story →

Stripe Databases

How Stripe Moves Petabytes Between Database Shards Without Stopping the Money

Stripe processed over $1 trillion in payment volume in 2023 while maintaining 99.999% uptime — five nines, fewer than 6 minutes of downtime all year. The infrastructure secret is a database platform called DocDB and a migration engine that moves petabytes of financial data between shards without any application knowing it happened.

$1T+ payment volume 2023 99.999% uptime achieved 5M database queries/sec +3

Read full story →

Slack Distributed Systems

Slack Rewrote Its Core Architecture for Enterprise — Because the Old One Was a Lie

Slack was built for teams in single workspaces. Enterprise customers were using it across dozens of workspaces simultaneously — and the architecture had never been designed for that. Every major enterprise feature was a workaround on top of a foundation that assumed one workspace per person. Slack spent two years rebuilding the foundation.

2 years development time Workspace-centric → org-wide Thousands of APIs refactored +3

Read full story →

Slack Reliability

Slack Cut Deploy-Related Customer Impact by 90% in Eighteen Months

73% of Slack's customer-facing incidents were being triggered by Slack itself — by its own code deploys. The team stopped treating each outage as a one-off and started treating deploy safety as a program, with metrics, milestones, and automated rollbacks. Eighteen months later, customer impact hours were down 90%.

73% incidents from own deploys 90% reduction in impact hours Manual → automatic rollbacks +3

Read full story →

Atlassian Reliability

How a Two-Line Script Silently Deleted 883 Customer Cloud Sites

At 07:38 UTC on April 5th, 2022, a maintenance script begins its run — methodical, peer-reviewed, totally routine. Twenty-three minutes later, 883 Atlassian Cloud sites have been permanently deleted, and the company's own incident management tool, Opsgenie, is one of the casualties.

883 sites deleted 14 days max outage 775 customers affected +3

Read full story →

Netflix Live Streaming

65 Million Streams: How Netflix Rebuilt Its Guts for Live

November 15, 2024: 65 million people log on to watch Mike Tyson fight Jake Paul, the largest live sports stream in history. Behind the scenes, Netflix engineers are white-knuckling a system they built from scratch — one where a single bad video segment, a CDN request storm, or a missed 2-second write deadline means millions of viewers see a black screen.

65M concurrent streams 113ms → 25ms p50 latency 200Gbps+ read throughput +3

Read full story →

Stripe Performance

Stripe Converted 3.7 Million Lines of JavaScript in One Pull Request on a Sunday

On Sunday, March 6, 2022, Stripe merged a single pull request that converted their entire largest JavaScript codebase from Flow to TypeScript. 3.7 million lines of code. Hundreds of engineers arrived Monday morning to start writing TypeScript. The migration had been invisible until it wasn't.

3.7M lines converted in 1 PR Single Sunday deploy Largest JS codebase at Stripe +3

Read full story →

GitHub Reliability

The Test That Broke GitHub: A Failover Drill Goes Live

June 29, 2023, 17:39 UTC: GitHub engineers initiate a planned live failover test of their brand-new second Internet edge facility — six months of infrastructure work designed to eliminate a single point of failure. Within seconds, instead of validating their redundancy, they've created an outage that takes GitHub offline for millions of developers across North America and South America.

32-minute outage 2-min detect-to-revert US East + South America +3

Read full story →

Shopify Databases

Shopify Sharded a Rails Database With Vitess and the App Never Knew It Happened

The Shop app was growing exponentially. Its single MySQL database was approaching vertical scaling limits. Shopify needed horizontal sharding — but they had a Rails monolith that expected a single database, and a system that couldn't have downtime during a commerce platform used by millions daily.

KateSQL → Vitess migration user_id as sharding key VTGate transparent to app +3

Read full story →

Shopify Databases

Shopify's Engineers Hunted Deadlocks at 19 Million Queries per Second

During Black Friday and Cyber Monday 2023, Shopify's MySQL fleet was handling 19 million queries per second. At that scale, even rare deadlock patterns become common enough to cause real incidents. The engineering team published a detailed playbook for diagnosing and eliminating MySQL deadlocks in high-concurrency production environments.

19M MySQL QPS at BFCM peak 58M requests/min app servers 99.999%+ uptime maintained +3

Read full story →

Cloudflare Reliability

Cloudflare's Datacenter Partner Failed and the Control Plane Went Dark for 40 Hours

On November 2, 2023, Cloudflare's primary datacenter partner experienced a power failure. The control plane — the system that lets customers configure DNS, firewall rules, and every Cloudflare service — went dark. It stayed dark, in various forms, for nearly 40 hours. The postmortem introduced a concept Cloudflare hadn't had before: Code Orange.

Nov 2–4 2023 outage ~40 hours control plane down Flexential datacenter failure +3

Read full story →

Cloudflare Reliability

A Database Permission Change in ClickHouse Took Down 28% of Cloudflare's HTTP Traffic

On November 2, 2023 — the same day as the control plane datacenter failure — Cloudflare also experienced a separate six-hour global outage. The cause: a database permission change in ClickHouse generated a corrupt configuration file that was silently propagated to every server in Cloudflare's Bot Management system, crashing it globally.

Nov 2 2023 outage 28% HTTP traffic impacted 6 hours total duration +3

Read full story →

Netflix Performance

Netflix Made Their Workflow Orchestrator 100x Faster by Rewriting the Engine Nobody Thought Was Slow

Maestro had been running Netflix's data and ML workflows successfully for two and a half years. Then Live, Ads, and Games drove sub-hourly scheduling requirements that revealed the orchestrator's overhead — not in crashes or alerts, but in slow step launches that nobody had measured. The fix was a complete engine rewrite that delivered 100x throughput improvement.

100x throughput improvement 2.5 years before overhead visible Sub-hourly scheduling trigger +3

Read full story →

Netflix Performance

Netflix's Containers Were Fighting Their Own CPUs — and Losing

Netflix ran millions of containers per day on modern multi-core CPUs. The containers performed well on benchmarks. In production, under certain workloads, they were mysteriously slower than expected — slower than the hardware should have allowed. The culprit was CPU topology: the operating system was scheduling container workloads in ways that violated modern CPU cache architecture. They called the investigation 'Mount Mayhem.'

Mount Mayhem investigation Modern multi-core CPU topology NUMA and cache locality +3

Read full story →

Netflix Reliability

Netflix Streamed Live Sports for Millions — and the Hard Part Wasn't the Video

When Netflix began streaming live events — boxing, NFL games, comedy specials — the engineering challenge wasn't encoding or delivery. It was building the human infrastructure: the operations team, the escalation paths, the real-time decision systems, and the runbooks that let engineers respond to live event failures in seconds, not minutes.

Live events at Netflix scale Sub-second escalation paths NFL Christmas Day 2023 +3

Read full story →

Figma Databases

Figma's Database Grew 100x in Four Years — Here's How a Small Team Kept It From Toppling

In 2020, Figma ran on a single Postgres instance on AWS's largest available machine. Four years later, that database had grown nearly 100x. Some tables had swelled to several terabytes and billions of rows. The Postgres vacuum process — the background job that keeps Postgres alive — was causing reliability incidents. They had months of runway left before hitting the IOPS ceiling. A small databases team had nine months to fix it.

100x DB growth since 2020 Single instance → horizontal shards 9-month migration +3

Read full story →

Datadog Reliability

Datadog Went Dark for 24 Hours and Came Back With a Different Philosophy

On March 8, 2023, Datadog — the platform engineers use to know when their own infrastructure is broken — broke. For more than 24 hours, across five regions on three cloud providers, metrics stopped arriving, logs disappeared, and dashboards showed nothing. The people whose job was to fix it couldn't see what was happening. It cost $5 million. It changed how Datadog thinks about building software.

24h+ global outage $5M revenue loss 50–60% Kubernetes nodes lost +3

Read full story →

OpenAI Databases

OpenAI Runs ChatGPT for 800 Million Users on One PostgreSQL Instance — and It Works

ChatGPT has 800 million users. It handles millions of database queries per second. And it runs on a single primary PostgreSQL instance on Azure — one writer, backed by about fifty read replicas. No sharding. No distributed SQL. Just Postgres, pushed further than almost anyone thought possible through obsessive optimization and ruthless operational discipline.

800M users, 1 primary PG instance ~50 read replicas globally Millions of QPS, p99 <20ms +3

Read full story →

Uber Security

Uber Had 150,000 Secrets Scattered Across 25 Vaults — So They Built One Platform to Rule Them

150,000 secrets. 25 separate vaults. Hundreds of teams managing their own credentials in their own ways, some in plain text in version control. At Uber's scale — 5,000 microservices, 5,000 databases, 500,000 analytical jobs per day — secrets sprawl is not a compliance problem. It is an incident waiting to happen. A team of ten engineers decided to fix it.

150,000 secrets managed 25 vaults → 6 managed vaults 5,000 microservices secured +3

Read full story →

Shopify Reliability

The 80% Problem: Why Getting an LLM System to 'Works in Demo' Is 20% of the Work

Every team building with LLMs discovers the same brutal truth: 80% quality arrives in a few weeks. The final 15% — the gap between 'impressive demo' and 'product I'd trust with my customers' — takes the rest of the time. Shopify's Flow agent and Sidekick teams lived this curve and came back with a systematic playbook. It is mostly about measurement.

LLM judge: 0.02 → 0.61 Kappa 300-example hand-crafted benchmark Production mirroring closes gap in 2 weeks +3

Read full story →

GitHub · Reliability

The Test That Broke GitHub: A Failover Drill Goes Live

The Story

32 min

Duration of the June 29 outage, caused not by an external attack or software bug but by GitHub's own validation test of infrastructure designed to prevent exactly this kind of outage

2 min

Time from alert firing to engineers reverting the failover and bringing the primary edge facility back online — fast human response, but the damage was done the moment the test ran

6 months

Approximate age of GitHub's second Internet edge facility when the test ran — built in January 2023 and actively routing production traffic since then, yet the configuration flaw was never discovered

55 min

Maximum delay GitHub Actions workflows experienced during the June 7 incident — a separate but equally instructive outage where one customer's pathological repository data starved the entire Git push queue

GitHub is the infrastructure underpinning virtually all software development on Earth. Over 100 million developers use it to store code, run CI/CD pipelines via , and collaborate on projects ranging from weekend hobby projects to the world's most critical open-source software. When GitHub goes down, the entire software industry's ability to ship code grinds to a halt. This is not a theoretical concern — it is the reality GitHub's infrastructure team lives with every day. For years, the team had known about a in their network architecture at the Internet edge. The fix was a second Internet edge facility, completed in January 2023.

The second edge facility had been routing live production traffic since January, operating alongside the primary in a architecture. Six months of real traffic without incident. The team's next step was logical and responsible: perform a live failover test — deliberately route all traffic to the secondary, as if the primary had failed — to verify the redundancy actually worked. June 29, 2023. The test began. The secondary facility could not function as a primary. GitHub went down.

Unfortunately, during this failover test we inadvertently caused a production outage. The test exposed a network pathing configuration issue in the secondary side that prevented it from properly functioning as the primary facility.

— GitHub Status Page — Incident gqx5l06jjxhp, June 29, 2023

The Hidden Configuration Flaw

The root cause was a network path configuration issue in the secondary Internet edge facility. The secondary had been designed to route traffic alongside the primary in a shared , but its specific network routing configuration was never validated for the scenario where it had to handle all traffic alone. This is the subtle trap of active-active HA: a facility can route 50% of traffic flawlessly for six months and still fail when asked to route 100%, because some of its internal network paths — in particular — were only configured to work in the context of the primary being present. The facility was a co-pilot that had never practiced landing the plane alone.

Problem

Failover Test Initiated

At 17:39 UTC on June 29, 2023, GitHub engineers begin a planned live validation of the secondary Internet edge facility by shifting all traffic away from the primary. Within seconds, parts of North America (especially the US East Coast) and South America begin experiencing connectivity failures to GitHub.

Cause

Secondary Cannot Function as Primary

The secondary facility has a network path configuration issue that was invisible while it shared load with the primary but becomes critical when it must handle all traffic alone. cannot happen correctly because the secondary's own configuration is broken.

Solution

Revert in 2 Minutes

GitHub's monitoring fires immediately. Within two minutes of being alerted, engineers revert the failover change and bring the primary facility back online. The revert itself is fast — but once online, border routers across the internet need time to reconverge, meaning GitHub service is not instantly restored even after the primary is running.

Result

Fixed, Then Tested Better

The network path configuration issue in the secondary is corrected. GitHub commits to improved failover testing procedures that minimize customer impact — specifically, scheduling future tests in a way that reduces blast radius. The test that caused the outage was ironically the most valuable test the team ever ran: it found the flaw that would have caused a much longer, unplanned outage during a real emergency.

The Reconvergence Penalty

Even after GitHub reverted the failover and the primary came back online, users could not immediately reach GitHub. The internet's needed time to reconverge — to undo the routing changes that the failover had caused. This is the hidden cost of network-level failures: the fix is fast, the recovery is slow.

The June 7 Incident: A Different Kind of Queue Starvation

Three weeks before the failover outage, GitHub experienced a completely separate but equally instructive incident. On June 7 at 16:11 UTC, GitHub's internal job queue for processing Git pushes began experiencing increasing delays. The monitoring system alerted engineers after 19 minutes. Customers experienced GitHub Actions workflow delays of up to 55 minutes and pull requests that failed to reflect new commits. The root cause was a single customer pushing to a repository with a specific, unusual data shape — a shape that caused the Git backend to throttle the processing jobs, making them slow. These slow jobs that served all other users. One customer's pathological repository data silently starved the global Git push queue for nearly two and a half hours.

Tenant Isolation in Shared Queues

The June 7 incident is a textbook case of in a shared job queue. GitHub's fix — making the Git backend throttle behavior fail faster and reducing the Git client timeout — prevents any single customer's workload from holding a worker slot indefinitely. The principle applies anywhere a shared queue serves diverse workloads.

GitHub spent six months routing real traffic through a backup facility, and it took a deliberate test to discover the backup couldn't actually back anything up — which is the whole point of testing, just not quite how they planned.TechLogStack — built at scale, broken in public, rebuilt by engineers

The Fix

Fixing the Failover Test Outage

The immediate fix for the June 29 outage was surgical and fast: engineers identified the network path configuration issue exposed by the failover test and corrected it in the secondary edge facility. But the more important fix was procedural — changing how future failover tests are designed and scheduled. A live failover test that takes GitHub fully offline for users in two continents is not a sustainable validation strategy. GitHub committed to scheduling tests in ways that minimize customer impact, likely through phased traffic migration (moving a small percentage of traffic first), to identify configuration gaps before they cause outages, and off-peak timing to reduce the blast radius if something goes wrong. The secondary facility was fixed and is now genuinely capable of functioning as a primary.

python

# Simplified model of a safer failover test strategy
# Instead of "flip all traffic to secondary", use staged validation

def run_failover_validation(primary: EdgeFacility, secondary: EdgeFacility):
    """
    Safe failover validation: verify the secondary can function as primary
    without causing a production outage.
    """

    # Step 1: Shadow test — route 0% of real traffic, compare responses
    # Checks routing and config WITHOUT touching user requests
    shadow_result = shadow_test(secondary, sample_requests=SYNTHETIC_TRAFFIC)
    if not shadow_result.routes_correctly:
        # ✅ Caught here — no user impact
        alert_team("Secondary cannot route independently — config issue found")
        return FailoverResult.ABORTED

    # Step 2: Canary — shift 1% of traffic to secondary, monitor error rates
    with traffic_shift(secondary, percentage=1):
        if error_rate() > ACCEPTABLE_THRESHOLD:
            rollback()  # Instant revert, only 1% of users briefly affected
            return FailoverResult.ABORTED

    # Step 3: Gradual ramp — 10% → 25% → 50% → 100%
    # At each stage, verify secondary handles the load correctly
    for percentage in [10, 25, 50, 100]:
        with traffic_shift(secondary, percentage=percentage):
            # Monitor BGP convergence, latency, error rates
            health = monitor(duration_seconds=300)
            if not health.acceptable:
                rollback()  # Revert to last good state
                return FailoverResult.ABORTED

    # Step 4: Full failover validated — secondary proved capable
    return FailoverResult.SUCCESS


# The June 29 incident used the equivalent of jumping straight to step 4.
# A broken secondary had no chance to be caught before users felt it.

The BGP Reconvergence Reality

When GitHub's primary facility came back online after the revert, engineers could not simply flip a switch and restore service. Border routers across the internet needed time to reconverge — each network that had learned the (broken) route to GitHub's secondary needed to update its routing tables back to the primary. This is unavoidable, which is why the outage lasted 32 minutes even though the fix itself took under 2 minutes.

The June 7 Git push queue fix was more technically nuanced. The Git backend's throttling behavior was changed to fail faster — instead of a throttled job slowly consuming a worker slot while retrying indefinitely, it now returns a failure quickly so the slot is released for another repository's work. The Git client timeout within the job was also reduced, preventing a hung upstream connection from holding a worker open. These two changes together mean a pathological repository data shape can no longer starve the shared worker pool. Additional improvements were added to reduce detection and diagnosis time for future incidents of this type.

The Outage That Validated the Investment

GitHub's engineering team noted a pointed irony: the test that caused the outage was exactly the right test to run. Without it, the hidden configuration flaw would have remained undetected until a real infrastructure failure — at which point the outage would have been unplanned, potentially longer, and without the fast human revert that limited the June 29 impact to 32 minutes. A self-inflicted outage you can control is always better than a real one you cannot.

TWO INCIDENTS, ONE JUNE

June 2023 gave GitHub two distinct outage patterns in a single month. The June 7 incident (2h28m) was caused by a shared resource exhaustion — one customer's data starving a global queue. The June 29 incident (32 min) was caused by untested redundancy — infrastructure built for resilience that had never been validated as a solo primary. Both share a root: assumptions that were never tested in production conditions.

The Hidden Cost of Active-Active HA

The secondary facility had routed live production traffic for six months without incident — because it was always operating alongside the primary, not instead of it. Active-active HA gives you a false signal of readiness. A facility that handles 50% of traffic when the primary is healthy has never been proven to handle 100% of traffic when the primary is gone. Failover capability must be explicitly validated at full load, not inferred from shared-load health.

The most important long-term fix was cultural: GitHub's team committed to making failover testing a regular practice, not a one-time event. Regular failover tests — scheduled with appropriate notice, designed to minimize blast radius, and run at off-peak times — are the only way to keep redundancy validated over time. Infrastructure drifts: routers get reconfigured, network policies change, and a facility that was a fully functional backup six months ago may not be today. Untested redundancy is not redundancy. It is the comforting fiction that your system is more resilient than it actually is.

Architecture

GitHub's Internet edge architecture is the layer that connects the global internet to GitHub's internal infrastructure. Every request from every developer in the world — whether pushing code, pulling a repository, or triggering a GitHub Action — flows through an Internet edge facility. For years, this was a single point of failure: one facility, one set of , and one path in from the internet. The second facility, completed in January 2023, was designed to eliminate this vulnerability. What the architecture diagrams did not capture was the specific network path configuration that would only become a problem when the secondary had to stand alone.

Before: Single Point of Failure at the Internet Edge

flowchart TD internet["Global Internet"] -->|"All traffic"| edge_primary["Primary Edge Facility"] edge_primary --> bgp_primary["Border Routers (Primary)"] bgp_primary --> lb["Load Balancer"] lb --> github_rails["GitHub Rails Monolith"] lb --> actions["GitHub Actions"] lb --> git_backend["Git Storage Backend"] lb --> api["GitHub API"] note_spof["⚠️ Single edge facility = single point of failure\nAny failure here = total internet-to-GitHub disruption"] style edge_primary fill:#ef4444,color:#fff style note_spof fill:#fef3c7,color:#92400e

After: HA Architecture with Secondary Edge — and the Hidden Flaw

flowchart TD internet["Global Internet"] internet -->|"50% of traffic"| edge_primary["Primary Edge Facility"] internet -->|"50% of traffic"| edge_secondary["Secondary Edge Facility (Jan 2023)"] edge_primary --> bgp_p["Border Routers (Primary)"] edge_secondary --> bgp_s["Border Routers (Secondary)"] bgp_p --> lb["Internal Load Balancer"] bgp_s --> lb lb --> github_rails["GitHub Rails Monolith"] lb --> actions["GitHub Actions"] lb --> git_backend["Git Storage Backend"] lb --> api["GitHub API"] subgraph failover_test["June 29 Failover Test"] test_trigger["Shift all traffic to Secondary"] test_trigger -->|"Exposes hidden flaw"| broken_path["Secondary cannot route as primary"] broken_path --> outage["32-minute outage"] end style edge_secondary fill:#f59e0b,color:#000 style broken_path fill:#ef4444,color:#fff style outage fill:#ef4444,color:#fff

The architecture diagram shows the deceptive appearance of redundancy. Two edge facilities, both actively routing traffic, both connected to the same internal load balancer — it looks bulletproof. But the diagram does not show the network path configuration inside the secondary: the specific that tell the global internet how to reach GitHub, and the internal routing rules that control traffic flow within the facility. When the secondary was asked to function as the primary during the failover test, those configurations were incorrect for the solo-primary role. The redundancy was a drawing on paper, not a tested fact.

Border Router Reconvergence: The Delay Nobody Talks About

When GitHub's primary facility came back online, the recovery was not instant. Every network on the internet that had updated its to route via the broken secondary had to learn the new path to the primary. This propagation delay is inherent to how the internet works and is unavoidable once a failover has been initiated. It is one more reason to avoid unnecessary failover events — even a 2-minute fix can result in 30 minutes of degraded service.

June 2023 GitHub incidents — two outages, two root causes, one shared theme

Incident	Date	Duration	Root Cause	Fix
Git Push Queue Starvation	June 7	2h 28m	Single customer's pathological data shape throttled jobs, exhausting the shared worker pool	Fail-faster throttling, reduced Git client timeout
Failover Test Outage	June 29	32 min	Secondary edge facility had hidden network path config flaw that only manifested when operating solo	Fixed secondary config; improved failover test procedures
Common thread	Both	—	Assumptions about system behavior that were never validated under the actual failure conditions	Testing at the real failure boundary, not the assumed one

Lessons

June 2023 gave GitHub — and the industry — two clean case studies in the same month. Neither outage was caused by a novel bug or an obscure race condition. Both were caused by things that look like good engineering on paper but hadn't been tested at the right failure boundary. These lessons apply to any team operating infrastructure with redundancy assumptions they have never validated.

Untested redundancy is not redundancy — it is a liability. GitHub's secondary edge facility routed 50% of live production traffic for six months without revealing the flaw that prevented it from functioning as a primary. does not validate failover capability; it validates shared-load operation. Test your redundancy by actually removing the primary, not by observing the secondary under normal conditions.

Failover tests should be staged, not binary. Shifting 100% of traffic to an untested secondary in a single step is a high-stakes gamble with no abort option. Canary failovers — shifting 1%, then 10%, then 25%, validating at each stage before proceeding — expose configuration issues before they cause full outages. The extra complexity of staged testing is trivially small compared to the cost of a production outage discovered mid-test.

Reverting fast does not mean recovering fast. GitHub reverted the failover change in under 2 minutes, but the outage lasted 32 minutes because takes time that no amount of engineering can compress. Build your incident response timelines around recovery time, not just fix time.

Shared queues need tenant isolation to prevent noisy neighbor failures. The June 7 incident is a canonical example of one tenant's unusual workload consuming all of a shared resource. Design queue systems with per-tenant rate limits and fast-fail timeouts so that a single job never holds a worker slot long enough to starve the entire pool. The fix — making the Git backend throttle faster — is a one-line change that protects millions of users from one user's edge case.

The test that breaks production is the most valuable test you ever run. GitHub's team made a pointed admission: without the June 29 failover test, the network path flaw would have remained hidden until a real infrastructure emergency forced a failover under far worse conditions — with no time to prepare, no clean revert path, and no certainty about what was broken. Deliberately probing your redundancy in a controlled environment, even at the cost of a brief outage, is the engineering equivalent of a fire drill: painful in the moment, essential in the long run.

THE IRONY THEOREM

The infrastructure designed to prevent an outage caused the outage. The test designed to validate resilience proved the resilience didn't exist. And the 32-minute disruption designed to be the worst case turned out to be far better than the real-emergency case it prevented. Sometimes the most constructive thing you can do for your reliability is schedule an outage before the universe schedules one for you.

Document Your Assumptions Before You Test Them

A pre-test checklist should include: what does the secondary need to do independently? Not just what load it handles, but what configuration it needs — BGP route advertisements, internal routing policies, health check endpoints, TLS certificates. Every assumption about how the secondary behaves when the primary is absent should be written down and verified before the test runs, not discovered by watching production users experience an outage.

GitHub built a backup facility, routed real traffic through it for six months, and then discovered it was a backup that couldn't actually back anything up — all of which was fine, because they found out during a test instead of a Thursday morning at 3am.TechLogStack — built at scale, broken in public, rebuilt by engineers