Overview
In the wake of global outages on November 18, 2025, and December 5, 2025, Cloudflare launched an intensive engineering initiative internally codenamed 'Code Orange: Fail Small'. The goal was to make the network more resilient, secure, and reliable for every customer. This guide walks through the key principles and practical steps that Cloudflare teams adopted—centered on health-mediated deployment, the new Snapstone system, and improved incident response procedures. By the end, you'll understand how to apply these concepts to your own network configuration management to minimize blast radius and recover rapidly.
Prerequisites
Before diving into the implementation details, ensure you have:
- A basic understanding of configuration management systems (e.g., Ansible, Puppet, or custom pipelines).
- Familiarity with CI/CD concepts (progressive rollout, canary deploys, automated rollback).
- Access to observability tools (metrics, logs, health checks) for real-time monitoring.
- If you're a Cloudflare customer, you'll benefit from understanding how the network processes traffic and receives configuration updates.
No coding experience is required, but we'll include conceptual examples using YAML to illustrate Snapstone configuration packages.
Step-by-Step Instructions
1. Identify High-Risk Configuration Pipelines
The first step is to map all configuration changes that affect customer traffic. In Cloudflare's case, the November 18 outage was caused by a data file; the December 5 outage by a control flag. Audit your configuration pipelines to find those with the highest blast radius. Prioritize pipelines that can instantly alter routing, security policies, or global settings.
2. Implement Health-Mediated Deployment
Instead of pushing changes globally in one shot, adopt a progressive rollout with health monitoring. Create a deployment workflow that:
- Bundles the configuration change into a versioned package.
- Rolls out to a small subset of nodes (e.g., 5% of edge servers).
- Runs health checks on those nodes for a defined period (e.g., 5 minutes).
- Automatically halts and reverts if metrics exceed thresholds (error rate, latency, etc.).
Example health criteria: CPU usage < 80%, error rate < 0.1%, latency increase < 10%.
3. Use Snapstone for Unified Configuration Deployment
Cloudflare built Snapstone to bring health-mediated deployment to all configuration changes. Snapstone allows teams to define any unit of configuration as a deployable artifact. Below is a simplified conceptual YAML example:
configuration_package:
name: rate_limit_rule_update
version: 1.2.0
target: global_config_system
rollout:
strategy: canary
initial_percentage: 10
increment: 10
interval_minutes: 5
health_check:
metric_source: prometheus
queries:
- error_rate < 0.05
- p99_latency < 200ms
failure_threshold: 2
auto_rollback: trueThis package would roll out to 10% of nodes, check health, then increase by 10% each interval until 100%, or roll back if two consecutive checks fail.
4. Automate Rollback and Drift Prevention
Snapstone's auto-rollback is key, but you also need to prevent configuration drift over time. Use version control for every configuration package, and enforce that the network state must match the declared state. Cloudflare added measures to ensure regressions are caught pre-deployment by running synthetic tests against the new configuration.
- Store all configuration packages in a Git repository.
- Run a diff check before any deployment to verify no unintended changes.
- Schedule recurring audits that compare live configuration to the last known good state.
5. Enhance Incident Communication
During an outage, timely communication is critical. Cloudflare strengthened its internal escalation processes and external customer updates. For your own network:
- Set up automated alerts that trigger status page updates when incidents are declared.
- Define templated messages for common failure scenarios.
- Train teams on the 'break glass' procedures for emergency configuration changes (which are still needed but now have guardrails).
6. Iterate and Learn
After each deployment or incident, conduct a post-mortem. Update your health check criteria and rollout strategies. The 'Fail Small' mindset means constantly improving the mean time to recovery (MTTR) and reducing the scope of each failure.
Common Mistakes to Avoid
- Deploying Configuration Changes Instantly – The old approach. Even if you trust your change, a single typo can cascade globally. Always use progressive rollout, even for 'emergency' changes, unless you have a dedicated override with stricter controls.
- Neglecting Health Checks – Without real-time monitoring, you're flying blind. Define specific, measurable health criteria for each configuration type. Don't rely solely on system-wide indicators.
- Ignoring Configuration Drift – Over time, manual fixes can cause the network state to diverge from the intended configuration. Automate reconciliation and perform regular audits.
- Allowing Team-Specific Implementations – Before Snapstone, each team handled health mediation differently, leading to gaps. Use a unified system to enforce consistency across all configuration pipelines.
- Inadequate Incident Communication – Silence during an outage erodes trust. Establish clear channels for customer updates and internal coordination before you need them.
Summary
Cloudflare's 'Code Orange: Fail Small' project transformed configuration management from a high-risk, all-or-nothing operation into a systematic, health-mediated process. By adopting Snapstone, enforcing progressive rollouts, and automating rollbacks, the network became significantly more resilient. The key takeaway for any organization: treat configuration changes like software deployments, complete with canary testing, monitoring, and automated recovery. With these principles in place, you can reduce the blast radius of failures and keep your services reliable for users.