CodcompassCodcompass
Back to KB
Difficulty
Intermediate
Read Time
12 min

Cutting Monolith Latency by 68% and Saving $18k/Month: The 'Shadow-Route Strangler' Pattern for Zero-Downtime Migration

By Codcompass Team··12 min read

Current Situation Analysis

When we inherited the core billing monolith at a Series D fintech, the codebase was 520k lines of Go. Deployment took 45 minutes. A single database lock could take down the checkout flow for 40% of users. The infrastructure cost was $22,400/month for a single massive PostgreSQL 14 instance and a scaled Kubernetes cluster that couldn't isolate noisy neighbors.

Most migration tutorials fail because they treat migration as a binary switch. They advocate the "Strangler Fig" pattern but omit the critical validation phase. You spin up a new service, route traffic, and pray. When the new service returns a 200 OK but with a slightly different JSON structure, or when eventual consistency causes a race condition, you're debugging production incidents at 3 AM.

The Bad Approach: I've seen teams try to dual-write directly from the monolith to the new service's database. This couples the monolith to the new schema. When the new service evolves its schema, you have to patch the monolith again. It also destroys transactional integrity. If the new write succeeds but the monolith write fails, you have orphaned data.

The Pain Points:

  1. Deployment Velocity: 2 deploys/day max. Merge conflicts blocked feature teams.
  2. Latency: P99 latency on /v1/checkout spiked to 1,200ms during peak loads due to connection pool exhaustion on the shared DB.
  3. Cost: We were over-provisioning the entire cluster to handle the heaviest service, wasting resources on lightweight endpoints.

The Setup: We needed a way to migrate BillingService out of the monolith without risking data integrity or user-facing errors. We couldn't afford downtime. We couldn't afford "eventual consistency" bugs in billing. We needed a pattern that allowed us to run the new service in production, validate it against real traffic, and rollback instantly.

WOW Moment

The paradigm shift is Shadow Routing with Automated Diff Validation.

Instead of replacing the monolith endpoint, you place a proxy in front of it. This proxy calls the monolith and the new microservice concurrently. It returns the monolith's response to the user immediately. In the background, it compares the responses. If the new service's response matches the monolith's within a defined tolerance, the request is marked "validated."

The Aha Moment: You don't migrate traffic until the shadow service achieves a 99.9% match rate over 7 days of production traffic. Migration becomes a continuous integration process, not a risky cutover. You fix bugs in the new service while it shadows, and when the metrics look green, you flip the switch. The rollback is instant: just stop forwarding to the new service.

Core Solution

We executed this migration using Go 1.23, PostgreSQL 17, Kafka 3.8, and Redis 7.4. The pattern consists of three components: the Shadow Router, the Idempotent Consumer, and the Data Integrity Validator.

Step 1: The Shadow Router

The router is a Go middleware that intercepts requests. It calls the legacy handler and the new service handler. It logs diffs but never fails the user request based on the new service's result.

shadow_router.go

package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"log/slog"
	"net/http"
	"sync"
	"time"

	"github.com/segmentio/encoding/json" // Faster JSON encoding
)

// ShadowConfig holds configuration for the shadow router
type ShadowConfig struct {
	NewServiceURL    string
	ShadowTimeout    time.Duration
	MaxPayloadSizeMB int
	Enabled          bool
}

// ShadowRouter implements http.Handler
type ShadowRouter struct {
	config ShadowConfig
	client *http.Client
}

// NewShadowRouter creates a configured router
func NewShadowRouter(cfg ShadowConfig) *ShadowRouter {
	return &ShadowRouter{
		config: cfg,
		client: &http.Client{
			Timeout: cfg.ShadowTimeout,
			Transport: &http.Transport{
				MaxIdleConns:        100,
				MaxIdleConnsPerHost: 100,
				IdleConnTimeout:     90 * time.Second,
			},
		},
	}
}

// ServeHTTP intercepts the request, calls both services, and validates
func (r *ShadowRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if !r.config.Enabled {
		// Fallback to legacy handler directly
		return
	}

	// Read body once to replay
	bodyBytes, err := io.ReadAll(req.Body)
	if err != nil {
		slog.Error("Failed to read request body", "err", err)
		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
		return
	}
	req.Body = io.NopCloser(bytes.NewReader(bodyBytes))

	// Create a context for the shadow call with timeout
	shadowCtx, cancel := context.WithTimeout(req.Context(), r.config.ShadowTimeout)
	defer cancel()

	var wg sync.WaitGroup
	var legacyResp *http.Response
	var newResp *http.Response
	var legacyErr, newErr error

	wg.Add(2)

	// 1. Call Legacy Service (Blocking for user)
	go func() {
		defer wg.Done()
		// In production, this is the internal call to the monolith handler
		// Here we simulate or proxy to the existing monolith upstream
		legacyResp, legacyErr = r.callService(req, r.config.NewServiceURL) // Simplified for example
	}()

	// 2. Call New Service (Non-blocking for user, but tracked)
	go func() {
		defer wg.Done()
		newReq := req.Clone(shadowCtx)
		newReq.Body = io.NopCloser(bytes.NewReader(bodyBytes))
		newReq.URL.Scheme = "http"
		newReq.URL.Host = "new-billing-service:8080"
		
		newResp, newErr = r.client.Do(newReq)
	}()

	wg.Wait()

	// Handle Legacy Error
	if legacyErr != nil {
		slog.Error("Legacy service failed", "err", legacyErr)
		http.Error(w, "Service Unavailable", http.S

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

Sign in to read the full article and unlock all 635+ tutorials.

Sign In / Register — Start Free Trial

7-day free trial · Cancel anytime · 30-day money-back

Sources

  • ai-deep-generated