Chaos Engineering & Resilience

The Chaos Method

18 min Lesson 2 of 27

The Chaos Method

Chaos engineering is often mistaken for "randomly breaking things and seeing what happens." That framing is dangerous — it describes sabotage, not science. The practice that Netflix, Google, AWS, and Microsoft run in production has a rigorous, repeatable structure. Every experiment follows the same loop: define the normal, form a hypothesis, constrain the blast radius, run the experiment with an abort condition, and learn. This lesson dissects each component of that loop and shows you how to implement it at production scale.

Steady State: The Baseline You Are Protecting

A chaos experiment does not start with failure injection. It starts with a precise definition of what normal looks like for the system under test. This is the steady state — a measurable, observable description of system behavior when nothing is wrong.

A good steady state is not "the service is up." That is unobservable and meaningless. A production-grade steady state is a set of quantified SLI readings taken over a representative time window (typically 30 minutes to 1 hour of traffic):

  • Request success rate: e.g., 99.97% of HTTP responses are 2xx over a 5-minute sliding window
  • Latency percentiles: p50 < 80 ms, p99 < 400 ms at current traffic load
  • Error budget consumption rate: e.g., burning < 0.5% of the 30-day error budget per hour
  • Queue depth or saturation: e.g., Kafka consumer lag < 10 000 messages per partition
  • Downstream health: dependent services reporting < 0.1% error rate to this service
Key idea: Steady state must be expressed in the same metrics your SLOs already track — because the experiment success criterion is "steady state was maintained despite the injected fault." If you cannot define steady state, you cannot conclude anything from the experiment. Capturing the baseline before every run is non-negotiable, even if the system has been stable for weeks.

In practice, you query Prometheus or Datadog at experiment start, record the values, and compare them during and after fault injection. Many chaos platforms (Gremlin, AWS Fault Injection Service) expose a "steady-state hypothesis check" hook that runs these queries automatically and halts the experiment if pre-conditions are not met.

# Example: capture steady-state baseline via Prometheus before an experiment. # Run this query 5 minutes before fault injection begins. # Success rate (last 10 minutes, gateway service) curl -sG 'http://prometheus:9090/api/v1/query' \ --data-urlencode 'query=sum(rate(http_requests_total{job="gateway",code=~"2.."}[10m])) / sum(rate(http_requests_total{job="gateway"}[10m]))' \ | jq '.data.result[0].value[1]' # p99 latency (last 10 minutes) curl -sG 'http://prometheus:9090/api/v1/query' \ --data-urlencode 'query=histogram_quantile(0.99, sum by(le) (rate(http_request_duration_seconds_bucket{job="gateway"}[10m])))' \ | jq '.data.result[0].value[1]' # Store values in experiment metadata. # Compare these exact values against readings taken during injection.

The Hypothesis: Falsifiable, Not Aspirational

With steady state defined, the next step is forming a hypothesis — a specific, falsifiable claim about how the system will behave when a particular failure condition is introduced. The hypothesis is the heart of the scientific method applied to infrastructure.

A hypothesis has three parts:

  1. The fault: a precise description of what you are injecting (e.g., "we kill 1 of 3 Cassandra nodes in us-east-1a")
  2. The expected behavior: a prediction grounded in your architecture and resilience patterns (e.g., "the read path will reroute to the surviving nodes; consistency level ONE will be maintained")
  3. The measurable outcome: steady-state metrics remain within SLO bounds (e.g., "success rate stays above 99.9% and p99 latency stays below 500 ms during the failure window")
Production pitfall — the aspirational hypothesis trap: Teams new to chaos engineering write hypotheses like "the system will be resilient." That is not a hypothesis; it is a wish. A real hypothesis must be falsifiable — there must be observable evidence that could prove it wrong. If your hypothesis cannot be disproven, your experiment cannot teach you anything. Write hypotheses your architecture might actually fail.

The hypothesis also forces you to articulate why you believe the system will hold. If you cannot explain the mechanism (circuit breaker trips, retry budget absorbs, replica takes over), you do not understand the system well enough to design the experiment safely. That gap itself is a finding.

Blast Radius: Constraining the Damage Envelope

Blast radius is the maximum scope of impact the experiment is permitted to cause — in terms of users affected, services disrupted, data at risk, and revenue exposed. Controlling blast radius is the engineering discipline that separates chaos engineering from reckless downtime.

Blast radius has two dimensions:

  • Spatial: which components, instances, regions, or user segments are in scope. An experiment targeting 1 replica out of 5 has a much smaller spatial blast radius than one targeting an entire availability zone.
  • Temporal: how long the fault persists. A 5-minute injection at 2 % traffic is a very different blast radius than a 30-minute injection at 100 % traffic.

Production best practice from Netflix and Google: start experiments at 1 % of traffic or 1 instance out of N, and expand the scope only after confirming the system behaves as hypothesized at small scale. The smallest blast radius that can generate a meaningful signal is the right starting point. Common blast radius controls include:

  • Feature flags / traffic shadows: inject faults only for a canary cohort (e.g., 1 % of users routed via LaunchDarkly flag)
  • Instance targeting: select a single pod or EC2 instance by label rather than a whole deployment
  • Time window: run only during low-traffic periods (e.g., 02:00–04:00 UTC on weekdays) to minimize user exposure
  • Rollback readiness: have a one-command revert ready before the experiment starts — e.g., kubectl rollout undo or a Terraform workspace restore
Pro practice: Document your blast radius in the experiment ticket before you run anything. A one-sentence statement like "this experiment affects at most 2 % of checkout traffic for at most 10 minutes in us-east-1" forces clarity and creates an audit trail. At regulated companies (SOC 2, PCI-DSS), this documentation is a compliance requirement — the change-advisory board needs it before approving the experiment window.

Abort Conditions: The Experiment's Safety Net

Abort conditions are pre-defined, automatically evaluated criteria that terminate the experiment immediately and trigger rollback if the system is diverging from steady state faster than expected. They are the most important safety mechanism in chaos engineering.

The distinction between the steady-state hypothesis and abort conditions is important:

  • The hypothesis defines what success looks like — metrics staying within SLO bounds despite the fault.
  • Abort conditions define what "this is getting out of hand" looks like — metrics crossing a hard threshold that indicates real user harm, not just interesting degradation.

Abort conditions are typically set at a threshold worse than the hypothesis but better than a full outage:

  • Success rate drops below 99.0 % (hypothesis: stays above 99.9 %; real SLO floor: 99.5 %)
  • p99 latency exceeds 2 000 ms (hypothesis: stays below 500 ms)
  • On-call pager fires (any PagerDuty alert escalation in the affected service during the window)
  • Error budget burn rate exceeds the fast-burn threshold (e.g., 14.4x rate that would exhaust the monthly budget in 1 hour)
  • A dependent service (payments, auth) reports elevated error rates — indicating blast radius has escaped its intended scope

The Chaos Experiment Loop (Diagrammed)

The four components — steady state, hypothesis, blast radius, and abort conditions — form a closed loop. The diagram below shows how they connect and how control flows during a live experiment.

Chaos Experiment Loop: Steady State, Hypothesis, Blast Radius, Abort Conditions 1. Steady State Measure baseline SLI / SLO values 2. Hypothesis Fault + expected behaviour + metric 3. Blast Radius Scope + duration + abort thresholds Inject Fault controlled failure Monitor SLIs continuous polling Abort Triggered? Stop + Rollback halt & restore YES Hypothesis Met? NO Learn & Expand widen blast radius YES Fix Weakness patch, re-run NO
The chaos experiment loop: steady state flows into hypothesis and blast radius definition, then fault injection with continuous monitoring. Abort conditions gate the path to rollback; a passed hypothesis leads to learning and scope expansion.

Abort Condition Implementation in Practice

Abort conditions must be automatically enforced, not relied on human vigilance. The engineer running the experiment may be watching 5 dashboards simultaneously; they will miss a spike. Modern chaos platforms evaluate abort conditions on a polling interval (typically 10–30 seconds) and halt injection automatically. If you are running experiments without a platform, wire the abort logic into your runbook as a scripted health check:

#!/usr/bin/env bash # abort-check.sh — run every 15 seconds during a chaos experiment. # If any abort condition fires, call the stop function and exit 1. PROMETHEUS="http://prometheus:9090" EXPERIMENT_ID="${1:?must pass experiment ID}" stop_experiment() { echo "ABORT: $1 — stopping fault injection" # Platform-specific stop command; replace with your tooling: # gremlin halt --experiment-id "$EXPERIMENT_ID" # aws fis stop-experiment --experiment-id "$EXPERIMENT_ID" exit 1 } # Abort condition 1: success rate below 99.0% SUCCESS_RATE=$(curl -sG "$PROMETHEUS/api/v1/query" \ --data-urlencode 'query=sum(rate(http_requests_total{job="gateway",code=~"2.."}[5m])) / sum(rate(http_requests_total{job="gateway"}[5m]))' \ | jq -r '.data.result[0].value[1]') if (( $(echo "$SUCCESS_RATE < 0.990" | bc -l) )); then stop_experiment "success rate ${SUCCESS_RATE} is below 0.990 abort threshold" fi # Abort condition 2: p99 latency above 2 000 ms P99=$(curl -sG "$PROMETHEUS/api/v1/query" \ --data-urlencode 'query=histogram_quantile(0.99,sum by(le)(rate(http_request_duration_seconds_bucket{job="gateway"}[5m]))) * 1000' \ | jq -r '.data.result[0].value[1]') if (( $(echo "$P99 > 2000" | bc -l) )); then stop_experiment "p99 latency ${P99}ms exceeds 2000ms abort threshold" fi echo "Abort check PASSED at $(date -u +%H:%M:%SZ) — success_rate=$SUCCESS_RATE p99=${P99}ms"
Pro practice — the "run book first" discipline: Before any experiment runs in production, write the full run book: the steady-state baseline values, the exact hypothesis statement, the blast radius bounds, the abort thresholds with their Prometheus queries, and the one-command rollback procedure. The run book is reviewed in a pre-experiment sync with the on-call engineer. At Google and Netflix, no chaos experiment runs without on-call awareness and a shared communication channel open during the window. This is not bureaucracy — it is the difference between a planned learning event and an unplanned outage.

Why the Loop Beats Intuition Every Time

The chaos method is not just process overhead — it is the mechanism that transforms gut feeling about system resilience into empirical evidence. Before the experiment, you believe your circuit breaker handles Cassandra node loss. After a properly structured experiment, you know — with a specific blast radius, under measured load, in the actual production environment — whether it does or does not. The gap between belief and knowledge is exactly the gap that chaos engineering closes.

At Google SRE scale, every hypothesis that is disproven is treated as a high-priority production finding. The failing experiment is a gift: it revealed a fragility that the architecture review, the load test, and the code review all missed. The cost of finding it in a controlled experiment is a fraction of the cost of finding it during an actual incident at 3 AM with customers affected and executives paging.

Previous Lesson Why Break Things on Purpose?
Next Lesson Failure Modes of Distributed Systems
Back to Course