Operational Resilience
Chaos engineering, disaster recovery, backups, runbooks, and practices for keeping the system running in the face of failures.
What is operational resilience?
Operational resilience is a system’s ability to keep running (or recover quickly) in the face of failures, errors, and unexpected situations. It’s not about preventing failures — in distributed systems, failures are inevitable — but about designing the system to tolerate them.
Operational resilience covers:
- Failure prevention through robust design
- Rapid problem detection
- Automatic or assisted recovery
- Continuous learning from incidents
Chaos engineering
Chaos engineering is the practice of deliberately injecting failures into the system to verify that it can handle them. The premise is simple: if you don’t test for failures in a controlled environment, you’ll discover them in production.
Principles
- Define the steady state: what does the system look like when it’s working well? (metrics, latency, error rate)
- Formulate a hypothesis: “If service X fails, the system should degrade gracefully”
- Inject the failure: simulate the failure condition
- Observe the impact: did the system behave as we expected?
- Learn and improve: document findings and fix weaknesses
Types of experiments
- Terminating instances: what happens if a pod dies suddenly?
- Injecting latency: what happens if a downstream service responds slowly?
- Simulating network errors: what happens if the connection between services is lost?
- Filling up the disk: what happens if storage runs out?
- Saturating CPU/memory: what happens under extreme resource pressure?
Tools
- Chaos Monkey (Netflix): randomly terminates instances in production
- Litmus Chaos: chaos engineering framework for Kubernetes
- Gremlin: commercial chaos engineering platform
- Chaos Mesh: open source tool for Kubernetes
- Toxiproxy: proxy for simulating adverse network conditions
Best practices
- Start in staging environments before production
- Begin with small, controlled experiments
- Always have a rollback plan
- Involve the team — chaos engineering is a team exercise
- Document every experiment and its results
Disaster recovery
Disaster recovery (DR) is the plan for recovering the system after a catastrophic failure: loss of a datacenter, massive data corruption, or a security attack.
Key metrics
- RTO (Recovery Time Objective): maximum acceptable time to restore service
- RPO (Recovery Point Objective): maximum amount of data that can be lost (measured in time)
| Level | RTO | RPO | Strategy |
|---|---|---|---|
| Basic | 24h | 24h | Daily backups, manual restore |
| Intermediate | 4h | 1h | Frequent backups, pre-configured infrastructure |
| High | 15min | 5min | Multi-region active-passive, continuous replication |
| Critical | ~0 | ~0 | Multi-region active-active, synchronous replication |
Disaster recovery plan
- Identify critical systems: which services are essential to the business?
- Define RTO and RPO: for each critical system
- Design the strategy: backups, replication, multi-region
- Document the process: step by step for recovery
- Test regularly: an untested plan is a plan that doesn’t work
- Update the plan: every change in the architecture can affect DR
Backups
Backups are the last line of defense against data loss.
Types of backup
- Full backup: complete copy of all data
- Incremental backup: only the data that changed since the last backup
- Differential backup: the data that changed since the last full backup
3-2-1 rule
- 3 copies of the data
- 2 different storage types
- 1 offsite copy (in another geographic location)
Best practices
- Automate: manual backups get forgotten
- Verify: regularly test that backups can be restored
- Encrypt: backups contain sensitive data
- Retention: define clear policies for how long they’re kept
- Monitor: alert if a backup fails
Example backup policy
Primary database:
- Full backup: daily at 02:00 UTC
- Incremental: every 1 hour
- Retention: 30 days for daily, 7 days for incremental
- Storage: S3 with cross-region replication
- Verification: automatic weekly restore in test environment
Runbooks
A runbook is a document that describes step by step how to respond to an incident or perform an operation. It’s the difference between a chaotic response and an orderly one.
Structure of a runbook
- Title and description: which incident or operation it covers
- Symptoms: how the problem is detected (alerts, metrics, logs)
- Impact: what is affected and how serious it is
- Diagnosis: steps to confirm the root cause
- Resolution: exact steps to resolve the problem
- Verification: how to confirm the problem is resolved
- Post-mortem: what to document after the incident
Example: runbook for high API latency
## High latency in API Gateway
### Symptoms
- Alert: p99 latency > 2s for 5 minutes
- Dashboard: latency chart in red
### Diagnosis
1. Check CPU/memory metrics of the pods
2. Review recent error logs
3. Check latency of downstream services
4. Check database connections
### Resolution
If CPU > 90%:
→ Scale horizontally: kubectl scale deployment api --replicas=X
If DB connections saturated:
→ Check connection pool settings
→ Restart pods if there are connection leaks
If downstream service slow:
→ Check the service's health
→ Activate circuit breaker if necessary
### Verification
- Confirm that p99 latency < 500ms
- Verify that error rate < 0.1%
- Monitor for 15 minutes
Incident management
Incident response process
- Detection: automatic alerts or manual report
- Triage: assess severity and impact
- Communication: notify stakeholders
- Investigation: diagnose the root cause
- Mitigation: restore service as soon as possible
- Resolution: apply the definitive fix
- Post-mortem: document what happened, why, and how to prevent it
Severity levels
| Level | Description | Response |
|---|---|---|
| SEV1 | System down, all users affected | Immediate response, war room |
| SEV2 | Critical functionality degraded | Response within 30 minutes |
| SEV3 | Non-critical functionality affected | Response within 4 hours |
| SEV4 | Minor issue, workaround available | Next business day |
Blameless post-mortem
After every significant incident, conduct a blameless post-mortem:
- What happened: detailed timeline of the incident
- Why it happened: root cause analysis (5 whys)
- What we did well: what worked in the response
- What we can improve: concrete actions to prevent recurrence
- Action items: assigned tasks with owners and dates
Summary
Operational resilience is not optional in distributed systems. Chaos engineering validates that the system tolerates failures, disaster recovery prepares for the worst, backups protect the data, runbooks guide incident response, and incident management organizes recovery. The key is to practice, document, and continuously improve.