Chaos Engineering
Progressive delivery made your own changes safe to ship — small slices, automatic rollback, kill switches. But most outages aren’t caused by a deploy you controlled. They’re caused by the things you didn’t do: a node dies, a dependency times out, a network link drops, a cloud zone goes dark. Your system is supposed to survive these — you built retries, you run multiple replicas, you have a multi-region plan. But “supposed to” is a hypothesis, not a fact. The uncomfortable truth at the center of this page is simple: you do not actually know your system is resilient until you make it fail and watch what happens.
The resilience features you can’t see working are the most dangerous, because they fail silently — the failover that was misconfigured, the retry that amplifies load instead of absorbing it, the “redundant” component that shared a hidden single point of failure. These flaws are invisible right up until the real incident exposes them, at the worst possible time, with no rehearsal. Chaos engineering is the practice of finding them on your schedule instead.
Resilience is a claim; experiments make it knowledge
Section titled “Resilience is a claim; experiments make it knowledge”Every resilient design is an implicit hypothesis about how the system behaves under stress: “if one replica dies, the load balancer routes around it and users see nothing.” You believe it. But belief built from architecture diagrams is exactly the belief most likely to be wrong, because the diagram shows the intended behavior, not the actual one. Chaos engineering replaces belief with evidence by running the experiment for real:
THE EXPERIMENT LOOP ─────────────────── 1. define STEADY STATE ── a measurable "the system is healthy" signal │ (e.g. checkout success rate ≥ 99.5%) ▼ 2. form a HYPOTHESIS ── "killing one payments replica won't move it" │ ▼ 3. inject FAILURE ── kill the replica ◄── blast radius LIMITED │ (one service, small % of traffic, ready to abort) ▼ 4. OBSERVE steady state ── did the signal hold? │ ├─ held → hypothesis confirmed: this resilience really works └─ broke → you found a real weakness, safely → fix itThe framing is borrowed from science on purpose. You’re not “randomly breaking things” — that’s just sabotage. You’re stating what you expect, breaking one thing in a bounded way, and checking whether reality matched your expectation. A confirmed hypothesis turns a hope into knowledge. A broken one is the prize: you found a real flaw in a controlled experiment, with engineers watching, instead of in a 3 a.m. incident.
Limiting the blast radius — the discipline that makes it safe
Section titled “Limiting the blast radius — the discipline that makes it safe”Chaos engineering is not recklessness; the entire discipline is built around controlling the damage. “Break it on purpose” only works because the break is bounded and reversible. The guardrails:
- Start in non-production. Run early experiments in staging, where a wrong hypothesis costs nothing. Production experiments come later, when you’ve earned confidence in the experiment itself.
- Smallest possible injection. Kill one replica, not the whole service. Add latency to one dependency. Test the hypothesis with the least failure that can falsify it.
- Limit the affected slice. Inject failure for a small percentage of traffic or one cell/zone, the same blast-radius logic as a canary.
- An abort button. Always have a way to stop the experiment instantly and return to normal. If the steady-state metric drops past a threshold, you halt — you do not “see how bad it gets.”
RECKLESS CHAOS ENGINEERING ──────── ───────────────── break things randomly one fault, stated hypothesis in prod, no plan bounded slice, in staging first "let's see what happens" steady-state metric watched live no way to stop abort the instant the metric dips = an outage = a controlled experimentGame days: rehearsing the response, not just the system
Section titled “Game days: rehearsing the response, not just the system”A game day is a scheduled, often larger-scale chaos exercise where a team comes together to inject a significant failure — a whole zone outage, a critical dependency going down — and works the response as if it were real. The point is broader than the system: it tests the humans and the process too.
Because the failure is rehearsed, a game day surfaces the things that only show up under real pressure: the runbook step that’s out of date, the dashboard that doesn’t exist, the on-call who doesn’t have the right access, the alert that never fires. These are exactly the gaps that turn a survivable incident into a long one — and they’re nearly impossible to find any way except rehearsal.
This is the direct tie to disaster recovery. A DR plan that has never been exercised is a document, not a capability. The failover you’ve never actually triggered is the one that won’t work when you need it — the backup that never restored, the secondary region missing a dependency, the DNS change nobody has rights to make. A game day that forces a real failover is the only way to convert the plan from a hope into a tested, rehearsed procedure. Chaos engineering is, at bottom, the practice of rehearsing failure so the real thing is boring.
The thread
Section titled “The thread”The manual, error-prone step chaos engineering removes is discovering your resilience flaws during the real incident — finding out that the failover was misconfigured, the retry amplified load, or the “redundant” path shared a hidden dependency, at the exact moment you can least afford to. It moves that discovery forward in time, into a controlled experiment with a bounded blast radius, an abort button, and engineers watching a steady-state metric. Production gets safer not because nothing ever fails, but because the failure modes that would have surprised you have already been found and fixed on your terms. You trade a small, deliberate, rehearsed failure now for the much larger, unrehearsed one you’d otherwise meet later.
The cost is real discipline: you need solid observability to define a steady-state metric, the maturity to bound a blast radius and actually abort, and organizational nerve to break things on purpose. Done carelessly it’s just an outage you caused — which is why the guardrails are the discipline. The next page returns to building: how to take operational knowledge like “how to safely fail over this database” and encode it into software, with a custom controller — a Kubernetes operator.
The architect’s lens
Section titled “The architect’s lens”Five questions before you break things on purpose:
- Why does it exist? Because resilience is a hypothesis — “if a replica dies, the load balancer routes around it” is what the diagram claims, not verified fact — and unverified resilience features fail silently until the real incident.
- What problem does it solve? Discovering your resilience flaws during the 3 a.m. outage: a bounded, hypothesis-driven experiment (define a steady-state metric → inject one fault → observe → fix) moves that discovery forward into a controlled setting with engineers watching.
- What are the trade-offs? Done without guardrails it simply is an outage — so it demands a defined blast radius, a live steady-state metric, and an abort button, plus solid observability and the organizational nerve to break production on purpose.
- When should I avoid it? In production before you’ve proven the experiment in staging, or without a crisp steady-state metric and an abort — you can’t distinguish a successful experiment from a self-inflicted incident.
- What breaks if I remove it? Resilience stays a claim — the misconfigured failover, the load-amplifying retry, the hidden shared single point of failure all surface for the first time during the real disaster, unrehearsed.
Check your understanding
Section titled “Check your understanding”- Why is “we have retries and replicas, so we’re resilient” a hypothesis rather than a fact? What makes unverified resilience features especially dangerous?
- List the steps of a chaos experiment. Why is the framing borrowed from the scientific method, and why is a broken hypothesis a good outcome?
- What is the steady-state metric, and why can’t you run a meaningful experiment without one? How does it relate to SLOs?
- Name three controls that limit a chaos experiment’s blast radius. What distinguishes a chaos experiment from simply causing an outage?
- What does a game day test that an automated single-fault experiment doesn’t, and why is it the only honest test of a disaster-recovery plan?
Show answers
- The resilience is the intended behavior on a diagram, not the verified actual behavior — failovers can be misconfigured, retries can amplify load, “redundant” paths can share a hidden single point of failure. Unverified features are dangerous because they fail silently until the real incident, at the worst possible moment, with no rehearsal.
- Define a steady-state metric → form a hypothesis → inject a bounded failure → observe whether the metric held. The scientific framing keeps it from being random sabotage — you state an expectation and test it. A broken hypothesis is the prize: you found a real flaw safely, with engineers watching, instead of in a 3 a.m. incident.
- It’s a measurable, usually business-level “the system is healthy” signal (e.g. checkout success rate). Without it you can’t distinguish a successful experiment from an outage you just caused. It’s the same SLO thinking aimed at a fault injection.
- Start in non-production, inject the smallest possible failure, limit the affected slice (a small % of traffic or one zone) — plus always have an abort. What distinguishes it from an outage is exactly those controls: a pre-decided blast radius, a live steady-state metric, and an abort that returns to normal.
- A game day tests the humans and the process — runbooks, dashboards, access, alerts — under real pressure, not just the system. It’s the only honest DR test because an unexercised failover is a document, not a capability; forcing a real failover is the only way to learn it actually works.