<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Postmortem on Azarudeen.com</title><link>http://azarudeen.com/tags/postmortem/</link><description>Recent content in Postmortem on Azarudeen.com</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 01 Jul 2025 10:00:00 +0530</lastBuildDate><atom:link href="http://azarudeen.com/tags/postmortem/index.xml" rel="self" type="application/rss+xml"/><item><title>Agents On Call: DNS Races, Feature Files, and the AI-Assisted Postmortem</title><link>http://azarudeen.com/posts/11-jul-2025-to-present-agents-on-call/</link><pubDate>Tue, 01 Jul 2025 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/11-jul-2025-to-present-agents-on-call/</guid><description>&lt;h1 id="agents-on-call-jul-2025--jul-2026"&gt;Agents On Call (Jul 2025 – Jul 2026)&lt;/h1&gt;
&lt;p&gt;This window opened with a brutal autumn: within a month, AWS, Azure, and
Cloudflare each suffered a headline global outage, making &amp;ldquo;the internet is three
companies in a trench coat&amp;rdquo; a mainstream news take. Meanwhile the biggest
&lt;em&gt;practice&lt;/em&gt; shift since the SRE book has been underway — AI agents moving from
summarizing incidents to responding to them.&lt;/p&gt;
&lt;h2 id="the-incidents-defining-the-period-so-far"&gt;The incidents defining the period (so far)&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS us-east-1, October 20, 2025&lt;/strong&gt; — A &lt;strong&gt;latent race condition in DynamoDB&amp;rsquo;s
automated DNS management&lt;/strong&gt; produced an empty DNS record for the regional
endpoint; the automation couldn&amp;rsquo;t self-repair, and failures cascaded through
the many AWS services (and thousands of customer apps) that depend on DynamoDB
in us-east-1. Roughly 14–15 hours of disruption; Snapchat alone drew ~3 million
outage reports. The most consequential us-east-1 event since December 2021 —
and an &amp;ldquo;automation deadlock&amp;rdquo; case study: the fix required humans to disable
the automation that was supposed to prevent exactly this.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Front Door, October 29, 2025&lt;/strong&gt; — An inadvertent configuration change
broke Microsoft&amp;rsquo;s global edge/CDN layer for ~8 hours, taking down the Azure
portal, M365 entry points, and customer sites — days before earnings, a week
after AWS&amp;rsquo;s turn. A separate &lt;strong&gt;East US2 networking config outage lasting
roughly 50 hours&lt;/strong&gt; underlined that regional incidents can now outlast news
cycles.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloudflare, November 18, 2025&lt;/strong&gt; — A database permissions change caused the
Bot Management &lt;strong&gt;feature file to double in size&lt;/strong&gt;, exceeding a hard-coded
limit in the core proxy; processes crash-looped globally. X, ChatGPT, and
Canva threw 5xx errors for hours. Cloudflare&amp;rsquo;s same-week postmortem
(&lt;a href="https://blog.cloudflare.com/18-november-2025-outage/"&gt;blog.cloudflare.com&lt;/a&gt;)
echoed their 2019 regex writeup: an internally-generated &amp;ldquo;content&amp;rdquo; artifact,
globally propagated, hitting an untested limit.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloudflare, December 5, 2025 and February 20, 2026&lt;/strong&gt; — A ~25-minute traffic
outage, then a BGP withdrawal affecting Bring-Your-Own-IP customers — smaller
events, but notable for the now-routine speed and detail of disclosure.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;em&gt;(This is a living post, updated through July 2026.)&lt;/em&gt;&lt;/p&gt;</description></item><item><title>The CrowdStrike Reckoning: Third-Party Risk Becomes Everyone's Root Cause</title><link>http://azarudeen.com/posts/10-apr-2024-to-jun-2025-the-crowdstrike-reckoning/</link><pubDate>Mon, 01 Apr 2024 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/10-apr-2024-to-jun-2025-the-crowdstrike-reckoning/</guid><description>&lt;h1 id="the-crowdstrike-reckoning-apr-2024--jun-2025"&gt;The CrowdStrike Reckoning (Apr 2024 – Jun 2025)&lt;/h1&gt;
&lt;p&gt;One Friday in July 2024 produced the largest IT outage in history — and it
wasn&amp;rsquo;t a cloud provider. This window&amp;rsquo;s postmortems are dominated by &lt;em&gt;other
people&amp;rsquo;s software&lt;/em&gt; running inside your trust boundary: security agents in the
kernel, a dealer platform for an entire industry, a cloud vendor deleting a
customer, and a quota policy pushed worldwide.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud / UniSuper, May 2024&lt;/strong&gt; — A misconfiguration during provisioning
led Google Cloud to &lt;strong&gt;delete an entire customer&amp;rsquo;s private cloud subscription&lt;/strong&gt;
— a ~$125B pension fund — causing ~two weeks of disruption. Recovery leaned on
UniSuper&amp;rsquo;s own third-party backups. The joint apology statement was
unprecedented; &amp;ldquo;what if our cloud account itself is the failure domain?&amp;rdquo;
entered every DR review.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CDK Global, June 2024&lt;/strong&gt; — Ransomware took down the SaaS platform underpinning
~15,000 North American car dealerships for weeks. A whole industry discovered
it had a single point of failure it had never load-tested: its vendor.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CrowdStrike, July 19, 2024&lt;/strong&gt; — A faulty &lt;strong&gt;Rapid Response Content&lt;/strong&gt; update
(Channel File 291) hit an out-of-bounds read in the Falcon sensor running in
the Windows kernel: ~8.5 million machines blue-screened. Airlines, hospitals,
banks, 911 centers. Insured losses in the billions; Delta alone claimed ~$500M.
The RCA and Congressional testimony detailed the gap: sensor &lt;em&gt;code&lt;/em&gt; was staged
and tested; &lt;em&gt;content&lt;/em&gt; updates were validated by a checker with a bug and
deployed globally at once
(&lt;a href="https://www.crowdstrike.com/falcon-content-update-remedial-and-preventative-actions/"&gt;crowdstrike.com RCA&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Central US, July 30, 2024&lt;/strong&gt; — A DDoS defense misconfiguration amplified
rather than mitigated an attack, in a summer of repeated Microsoft incidents.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;OpenAI, December 11, 2024&lt;/strong&gt; — A new telemetry service overwhelmed Kubernetes
API servers across clusters; DNS caching masked the rollout risk, and engineers
were &lt;strong&gt;locked out of the control planes they needed to revert&lt;/strong&gt;. A modern
classic: observability tooling as the outage trigger, published with unusual
candor for an AI lab.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud, June 12, 2025&lt;/strong&gt; — A new Service Control policy feature with a
&lt;strong&gt;null-pointer path, no feature flag, and instant global metadata replication&lt;/strong&gt;
crash-looped API management worldwide (~3 hours; ~7.5h for us-central1).
Cloudflare (whose Workers KV depended on GCS), Spotify, and dozens of others
went down with it. The postmortem&amp;rsquo;s own action items read like this series'
greatest hits: flag-gate everything, stagger global propagation, add backoff.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. &amp;ldquo;Content&amp;rdquo; updates are code.&lt;/strong&gt; CrowdStrike&amp;rsquo;s split — rigorous staging for
binaries, instant global push for configuration content — is the same pattern as
Cloudflare 2019 and Google 2025. The industry&amp;rsquo;s hardest-won lesson keeps
recurring one abstraction level up: &lt;em&gt;anything that changes runtime behavior
needs canaries&lt;/em&gt;, whether it&amp;rsquo;s called code, config, content, or policy.&lt;/p&gt;</description></item><item><title>The Platform Engineering Pivot: Datadog's $5M Lesson and the First AI Whispers</title><link>http://azarudeen.com/posts/09-jan-2023-to-mar-2024-the-platform-engineering-pivot/</link><pubDate>Sun, 01 Jan 2023 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/09-jan-2023-to-mar-2024-the-platform-engineering-pivot/</guid><description>&lt;h1 id="the-platform-engineering-pivot-jan-2023--mar-2024"&gt;The Platform Engineering Pivot (Jan 2023 – Mar 2024)&lt;/h1&gt;
&lt;p&gt;This window&amp;rsquo;s marquee postmortem came from an observability vendor taking its
own medicine, while the industry around it reorganized: &amp;ldquo;platform engineering&amp;rdquo;
absorbed much of DevOps&amp;rsquo;s identity, and the first LLM assistants quietly joined
incident channels.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;FAA NOTAM outage, January 2023&lt;/strong&gt; — A corrupted database file (linked to a
contractor&amp;rsquo;s procedural error during maintenance) grounded all US flight
departures for hours — the first nationwide ground stop since 9/11. Decades-old
systems with no hot failover became a congressional topic.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Microsoft Azure WAN, January 25, 2023&lt;/strong&gt; — A &lt;strong&gt;router configuration change&lt;/strong&gt;
(a command evaluated differently than intended across devices) rippled through
Microsoft&amp;rsquo;s global WAN, breaking Azure, Teams, and M365 worldwide for hours.
Config-change-to-global-blast-radius, the classic, at telco scale.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Datadog, March 8, 2023&lt;/strong&gt; — The one everyone studied: an &lt;strong&gt;automatic security
update to systemd&lt;/strong&gt; across their fleet triggered a network stack reset on tens
of thousands of nodes across &lt;strong&gt;multiple cloud providers simultaneously&lt;/strong&gt;
(&lt;a href="https://www.datadoghq.com/blog/2023-03-08-multiregion-infrastructure-connectivity-issue/"&gt;datadoghq.com&lt;/a&gt;).
Days of degraded service, a reported ~$5M revenue impact, and an exemplary
multi-part postmortem. Being multi-cloud didn&amp;rsquo;t help — the &lt;em&gt;same OS update
channel&lt;/em&gt; spanned all of them. Correlated failure via configuration management,
proven at scale.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS us-east-1, June 13, 2023&lt;/strong&gt; — A capacity-management issue in Lambda
degraded dozens of services for ~3 hours; notable postmortem admission:
AWS&amp;rsquo;s own support-case system was impaired, again.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;UK air traffic control (NATS), August 2023&lt;/strong&gt; — A single flight plan with
duplicate waypoint names hit an unhandled edge case; primary &lt;em&gt;and&lt;/em&gt; identical
backup failed the same way. The independent review became a classic on
common-mode software failure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Optus, November 2023&lt;/strong&gt; — A routing update from an upstream network cascaded
into a ~14-hour national outage in Australia (emergency calls affected);
the CEO resigned. Executive accountability for reliability, made explicit.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Correlated failure became the top-of-mind risk.&lt;/strong&gt; Datadog&amp;rsquo;s incident
(one update channel, every cloud) and NATS (identical primary/backup software)
showed that redundancy without &lt;em&gt;diversity&lt;/em&gt; is bookkeeping. Postmortems began
asking: what update, config, or code path is shared across our &amp;ldquo;independent&amp;rdquo;
copies?&lt;/p&gt;</description></item><item><title>When the Map Burns with the Territory: BGP Lockouts and Cascading Dependencies</title><link>http://azarudeen.com/posts/08-oct-2021-to-dec-2022-when-the-map-burns-with-the-territory/</link><pubDate>Fri, 01 Oct 2021 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/08-oct-2021-to-dec-2022-when-the-map-burns-with-the-territory/</guid><description>&lt;h1 id="when-the-map-burns-with-the-territory-oct-2021--dec-2022"&gt;When the Map Burns with the Territory (Oct 2021 – Dec 2022)&lt;/h1&gt;
&lt;p&gt;The defining image of this window is Facebook engineers reportedly unable to
badge into their own buildings because the outage had taken down the systems
that controlled the doors. Incident after incident showed recovery tooling,
communications, and even physical access welded to the infrastructure they were
supposed to repair.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Facebook/Meta, October 4, 2021&lt;/strong&gt; — A routine maintenance command
disconnected Facebook&amp;rsquo;s backbone; its DNS servers, by design, &lt;strong&gt;withdrew their
BGP routes&lt;/strong&gt; when they couldn&amp;rsquo;t reach the datacenters. Facebook, Instagram,
and WhatsApp vanished from the internet for ~6 hours. Internal tools and
remote access died too, forcing physical datacenter visits
(&lt;a href="https://engineering.fb.com/2021/10/04/networking-traffic/outage/"&gt;engineering.fb.com&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Roblox, October 28–31, 2021&lt;/strong&gt; — A 73-hour outage from a subtle interaction
between a Consul feature and BoltDB performance. The postmortem, co-published
with HashiCorp months later, was praised for depth and for neither party
hiding behind the other.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS us-east-1, December 7, 2021&lt;/strong&gt; — An automated scaling activity triggered
a thundering herd on the &lt;strong&gt;internal network&lt;/strong&gt; connecting AWS&amp;rsquo;s own services;
monitoring and support tooling were among the casualties, slowing diagnosis
(&lt;a href="https://aws.amazon.com/message/12721/"&gt;aws.amazon.com/message/12721&lt;/a&gt;).
Two further December us-east-1 incidents made &amp;ldquo;why is everything in one
region?&amp;rdquo; a CTO-level question.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Log4Shell, December 2021&lt;/strong&gt; — A logging library CVE that turned every Java
shop&amp;rsquo;s December into an incident. The response was run like an outage and
postmortem&amp;rsquo;d like one; SBOMs went from acronym to mandate.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Atlassian, April 2022&lt;/strong&gt; — A maintenance script given the wrong IDs
&lt;strong&gt;permanently deleted&lt;/strong&gt; ~400 customers&amp;rsquo; cloud sites; restoration took up to
two weeks because recovery was designed for whole-service rollback, not
per-customer restore. The postmortem&amp;rsquo;s candor about that gap was the lesson.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rogers, July 8, 2022&lt;/strong&gt; — A maintenance update removed a routing filter and
the resulting BGP flood crashed Canada&amp;rsquo;s largest network — including 911
access and Interac payments — for ~a day. National reviews followed;
reliability became telecom regulation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloudflare, June 21, 2022&lt;/strong&gt; — A BGP change during a datacenter conversion
took down 19 of their busiest locations; postmortem published same day.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;UK heatwave, July 2022&lt;/strong&gt; — Google and Oracle cloud regions in London
throttled by cooling failures: climate as a reliability factor.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Southwest Airlines, December 2022&lt;/strong&gt; — Crew-scheduling software collapsed
under a winter storm; ~17,000 flights cancelled. The eventual reckoning
(including a record fine) made &amp;ldquo;legacy system risk&amp;rdquo; a board agenda item.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Recovery must not depend on the thing being recovered.&lt;/strong&gt; Facebook&amp;rsquo;s DNS,
AWS&amp;rsquo;s monitoring, Atlassian&amp;rsquo;s restore tooling — each incident extended because
the repair path ran through the failure. Out-of-band management networks,
break-glass access, and offline runbooks became the era&amp;rsquo;s universal action item.&lt;/p&gt;</description></item><item><title>The us-east-1 Problem: Control Planes, Quotas, and a 49-Second CDN Outage</title><link>http://azarudeen.com/posts/07-jul-2020-to-sep-2021-the-us-east-1-problem/</link><pubDate>Wed, 01 Jul 2020 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/07-jul-2020-to-sep-2021-the-us-east-1-problem/</guid><description>&lt;h1 id="the-us-east-1-problem-jul-2020--sep-2021"&gt;The us-east-1 Problem (Jul 2020 – Sep 2021)&lt;/h1&gt;
&lt;p&gt;The incidents of this window share a shape: a small, deep dependency — a thread
limit, a quota system, one customer&amp;rsquo;s config — radiating outward until half the
internet notices. Postmortem readers learned to ask a new first question: &lt;em&gt;what
does everything else depend on?&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS Kinesis / us-east-1, November 25, 2020&lt;/strong&gt; — Adding capacity to Kinesis&amp;rsquo;s
front-end fleet pushed servers past an &lt;strong&gt;OS thread limit&lt;/strong&gt;; the fleet needed a
slow full restart, and dependent services (Cognito, CloudWatch — and vendors'
status pages) failed with it
(&lt;a href="https://aws.amazon.com/message/11201/"&gt;aws.amazon.com/message/11201&lt;/a&gt;).
The postmortem taught thousands of engineers what a cell-based architecture is
— by describing its absence.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google, December 14, 2020&lt;/strong&gt; — The identity/quota system took down Gmail,
YouTube, and Google Cloud auth for ~47 minutes: an automated quota migration
reported usage as zero and rationed the auth service to death. Safety systems
that can&amp;rsquo;t distinguish &amp;ldquo;no usage&amp;rdquo; from &amp;ldquo;no data&amp;rdquo; became a postmortem archetype.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Slack, January 4, 2021&lt;/strong&gt; — First workday of the year; provisioning couldn&amp;rsquo;t
scale up in AWS fast enough, and Slack&amp;rsquo;s own dashboards were degraded during
the response (&lt;a href="https://slack.engineering/slacks-outage-on-january-4th-2021/"&gt;slack.engineering&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;OVHcloud fire, March 2021&lt;/strong&gt; — A Strasbourg datacenter burned; some customers
learned their &amp;ldquo;backups&amp;rdquo; lived in the building that was on fire. Physical DR
returned to the conversation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fastly, June 8, 2021&lt;/strong&gt; — A dormant bug shipped in May was triggered by &lt;strong&gt;one
customer&amp;rsquo;s valid configuration change&lt;/strong&gt;, dropping ~85% of Fastly&amp;rsquo;s network.
Global outage in seconds; identified in minutes; largely restored in under an
hour (&lt;a href="https://www.fastly.com/blog/summary-of-june-8-outage"&gt;fastly.com&lt;/a&gt;).
Reuters, gov.uk, and Amazon went dark together — 49 minutes that made
&amp;ldquo;CDN concentration&amp;rdquo; a mainstream news topic.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Akamai Edge DNS, July 2021&lt;/strong&gt; — A bug triggered by a configuration update took
down banks and airlines for about an hour. Same lesson, different CDN.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Control plane vs data plane became the sharpest lens.&lt;/strong&gt; Google&amp;rsquo;s quota
system, AWS&amp;rsquo;s front-end metadata fleet, Fastly&amp;rsquo;s config distribution — in each
case the &lt;em&gt;management&lt;/em&gt; machinery failed while the underlying capacity was fine.
&amp;ldquo;Static stability&amp;rdquo; (the data plane keeps working when the control plane is
down) became the design goal to cite.&lt;/p&gt;</description></item><item><title>One Regex and a Pandemic: Global Blast Radius Meets Global Load</title><link>http://azarudeen.com/posts/06-apr-2019-to-jun-2020-one-regex-and-a-pandemic/</link><pubDate>Mon, 01 Apr 2019 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/06-apr-2019-to-jun-2020-one-regex-and-a-pandemic/</guid><description>&lt;h1 id="one-regex-and-a-pandemic-apr-2019--jun-2020"&gt;One Regex and a Pandemic (Apr 2019 – Jun 2020)&lt;/h1&gt;
&lt;p&gt;This window bookends neatly: it opens with self-inflicted global outages at
Cloudflare and Google that sharpened the industry&amp;rsquo;s thinking about staged
rollouts, and closes with COVID-19 stress-testing every capacity plan on Earth.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud, June 2, 2019&lt;/strong&gt; — A maintenance automation event descheduled
network control-plane jobs across multiple regions; congestion throttled
Google Cloud, YouTube, and Gmail for ~4 hours. The postmortem detail everyone
remembers: &lt;strong&gt;the outage impaired the tools engineers needed to fix the outage.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloudflare, July 2, 2019&lt;/strong&gt; — A single WAF rule containing a
&lt;strong&gt;catastrophically backtracking regex&lt;/strong&gt; was pushed globally (WAF rules were
exempt from staged rollout, by design, for emergency response) and pinned every
CPU on Cloudflare&amp;rsquo;s edge. 27 minutes of global 502s, and one of the finest
postmortems ever written
(&lt;a href="https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/"&gt;blog.cloudflare.com&lt;/a&gt;) —
including a mini-lecture on regex complexity and why their kill switch was slow.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Verizon BGP route leak, June 24, 2019&lt;/strong&gt; — A small ISP&amp;rsquo;s route optimizer leaked
routes through Verizon, blackholing chunks of the internet including Cloudflare.
Cloudflare&amp;rsquo;s blunt public writeup (&amp;ldquo;a small heart attack&amp;rdquo;) pushed RPKI adoption
into the mainstream.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Stripe, July 2019&lt;/strong&gt; — Two coupled database failures; Stripe published a
detailed root-cause report, notable for a payments company.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Salesforce, May 2019&lt;/strong&gt; — A database script granted broad permissions across
orgs; the remediation (revoking permissions widely) caused more disruption than
the bug. Recovery-as-second-incident became a named pattern.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;COVID-19 surge, March–June 2020&lt;/strong&gt; — Zoom grew ~30x; Robinhood suffered
repeated trading-day outages (thundering-herd load on launch-day architecture);
streaming services voluntarily degraded quality in Europe; unemployment systems
running on mainframes buckled. Not one incident but a planetary load test.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Emergency paths are the most dangerous paths.&lt;/strong&gt; Cloudflare&amp;rsquo;s WAF pipeline
skipped staged rollout &lt;em&gt;on purpose&lt;/em&gt; — speed against attackers. The lesson wasn&amp;rsquo;t
&amp;ldquo;never ship fast&amp;rdquo; but &amp;ldquo;your fastest pipeline needs the strongest circuit
breakers.&amp;rdquo; Global-instant anything became a red flag in design reviews.&lt;/p&gt;</description></item><item><title>When Automation Fights Back: Split Brains, Lightning Strikes, and SLOs at Scale</title><link>http://azarudeen.com/posts/05-jan-2018-to-mar-2019-when-automation-fights-back/</link><pubDate>Mon, 01 Jan 2018 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/05-jan-2018-to-mar-2019-when-automation-fights-back/</guid><description>&lt;h1 id="when-automation-fights-back-jan-2018--mar-2019"&gt;When Automation Fights Back (Jan 2018 – Mar 2019)&lt;/h1&gt;
&lt;p&gt;By 2018 the industry had automated failover, orchestration, and recovery — and
the defining postmortems of this window are about that automation making the
wrong call. The question shifted from &amp;ldquo;why did the component fail?&amp;rdquo; to &amp;ldquo;why did
our self-healing make it worse?&amp;rdquo;&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;TSB Bank migration, April 2018&lt;/strong&gt; — A big-bang core-banking migration locked
UK customers out of accounts for weeks. The subsequent independent review
became required reading on cutover risk, and regulators started treating
operational resilience as a compliance domain.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GitHub, October 21, 2018&lt;/strong&gt; — 43 seconds of network partition between US East
and West Coast datacenters; orchestration software promoted a West Coast MySQL
primary while the East Coast primary still held unreplicated writes.
&lt;strong&gt;Split-brain.&lt;/strong&gt; GitHub chose data consistency over uptime, running degraded
for ~24 hours, and published a superb hour-by-hour analysis
(&lt;a href="https://github.blog/2018-10-30-oct21-post-incident-analysis/"&gt;github.blog&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Microsoft Azure South Central US, September 2018&lt;/strong&gt; — A &lt;strong&gt;lightning strike&lt;/strong&gt;
caused a cooling failure; hardware shut down to protect itself, and the
regional outage revealed how many &amp;ldquo;global&amp;rdquo; Azure services (including Azure AD
and the status portal) had hidden dependencies on one region.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud, July 2018&lt;/strong&gt; — A global load-balancing configuration event
briefly broke customers worldwide, feeding a growing theme: global control
planes mean global blast radius.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Facebook, March 13, 2019&lt;/strong&gt; — A ~14-hour outage of Facebook, Instagram, and
WhatsApp attributed to a &lt;strong&gt;server configuration change&lt;/strong&gt; — at the time the
longest outage in the company&amp;rsquo;s history.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Wells Fargo, February 2019&lt;/strong&gt; — A fire-suppression system triggered a
datacenter shutdown, and banking customers lost app and card access. Banks
officially had SRE-shaped problems.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Automated failover needs a theory of data.&lt;/strong&gt; GitHub&amp;rsquo;s incident became &lt;em&gt;the&lt;/em&gt;
case study: failover automation that optimizes for availability can silently
sacrifice consistency. Postmortems started asking &amp;ldquo;what does our orchestrator do
during a partition?&amp;rdquo; — a Jepsen-style question applied to ops tooling.&lt;/p&gt;</description></item><item><title>Typos That Broke the Internet: S3, GitLab, and Radical Transparency</title><link>http://azarudeen.com/posts/04-oct-2016-to-dec-2017-typos-that-broke-the-internet/</link><pubDate>Sat, 01 Oct 2016 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/04-oct-2016-to-dec-2017-typos-that-broke-the-internet/</guid><description>&lt;h1 id="typos-that-broke-the-internet-oct-2016--dec-2017"&gt;Typos That Broke the Internet (Oct 2016 – Dec 2017)&lt;/h1&gt;
&lt;p&gt;If one window proved that public, honest postmortems build more trust than they
cost, it&amp;rsquo;s this one. A livestreamed database recovery and a typo that took down
half the web produced two of the most-read incident reports in history.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Dyn DNS DDoS, October 21, 2016&lt;/strong&gt; — The Mirai botnet, built from IoT devices,
took down a major managed-DNS provider and with it Twitter, Netflix, Reddit,
and GitHub for much of a day. The industry&amp;rsquo;s introduction to &lt;em&gt;dependency
concentration&lt;/em&gt;: dozens of &amp;ldquo;independent&amp;rdquo; sites shared one DNS provider.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GitLab database incident, January 31, 2017&lt;/strong&gt; — An exhausted engineer, fighting
replication lag, ran &lt;code&gt;rm -rf&lt;/code&gt; on the &lt;strong&gt;primary&amp;rsquo;s&lt;/strong&gt; data directory. Five backup
mechanisms failed or were misconfigured. GitLab &lt;strong&gt;livestreamed the recovery on
YouTube&lt;/strong&gt; and published a minute-by-minute postmortem
(&lt;a href="https://about.gitlab.com/blog/2017/02/10/postmortem-of-database-outage-of-january-31/"&gt;about.gitlab.com&lt;/a&gt;).
~6 hours of data was lost — and GitLab&amp;rsquo;s reputation arguably &lt;em&gt;improved&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS S3 us-east-1, February 28, 2017&lt;/strong&gt; — An operator debugging the billing
system mistyped a playbook parameter and removed far more capacity than
intended; the index subsystem required a full restart it hadn&amp;rsquo;t had in years
(&lt;a href="https://aws.amazon.com/message/41926/"&gt;aws.amazon.com/message/41926&lt;/a&gt;).
Thousands of sites broke — including, memorably, AWS&amp;rsquo;s own status page, whose
health icons were hosted on S3.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloudbleed, February 2017&lt;/strong&gt; — A parser bug leaked memory across Cloudflare
customers into cached pages. Cloudflare&amp;rsquo;s forensic-grade disclosure set a new
bar for security postmortems.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;British Airways, May 2017&lt;/strong&gt; — A datacenter power event (a contractor and a
UPS) grounded flights globally; the vague public explanation became the
counterexample to GitLab-style transparency.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Equifax breach, 2017&lt;/strong&gt; — An unpatched Struts vulnerability; the postmortem
lesson was less about the bug than about asset inventory and patch governance.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Transparency won, decisively.&lt;/strong&gt; GitLab and AWS gave specifics (the command,
the parameter, the safety checks now added); BA gave vagueness. The market
noticed which companies it trusted more afterward. &amp;ldquo;Publish the real postmortem&amp;rdquo;
became a competitive strategy, not a legal risk.&lt;/p&gt;</description></item><item><title>The SRE Book Era: Error Budgets Meet Cascading Failure</title><link>http://azarudeen.com/posts/03-jul-2015-to-sep-2016-the-sre-book-era/</link><pubDate>Wed, 01 Jul 2015 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/03-jul-2015-to-sep-2016-the-sre-book-era/</guid><description>&lt;h1 id="the-sre-book-era-jul-2015--sep-2016"&gt;The SRE Book Era (Jul 2015 – Sep 2016)&lt;/h1&gt;
&lt;p&gt;Google published &lt;em&gt;Site Reliability Engineering&lt;/em&gt; in April 2016 and handed the
industry a shared vocabulary: SLOs, error budgets, toil, and a whole chapter on
postmortem culture. Meanwhile, the period&amp;rsquo;s biggest incidents were masterclasses
in cascading failure — systems that fell over not from the initial fault, but
from their own recovery behavior.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS DynamoDB, September 20, 2015&lt;/strong&gt; — The canonical cascading-failure
postmortem (&lt;a href="https://aws.amazon.com/message/5467D2/"&gt;aws.amazon.com/message/5467D2&lt;/a&gt;).
A network disruption caused storage servers to re-request membership metadata
simultaneously; the metadata service, already near capacity from a new index
feature, couldn&amp;rsquo;t serve the herd; retries made it worse. DynamoDB&amp;rsquo;s outage
cascaded into EC2, SQS, and CloudWatch in us-east-1. Action items — capacity
headroom, longer timeouts, segmented retries — read like a distributed-systems
syllabus.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Salesforce NA14, May 2016&lt;/strong&gt; — A database failure plus a failed failover left
a major instance degraded for nearly a day, with some data unrecoverable.
It pushed &amp;ldquo;your SaaS vendor&amp;rsquo;s DR plan is your DR plan&amp;rdquo; into procurement
conversations.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Southwest Airlines (July 2016) and Delta (August 2016)&lt;/strong&gt; — Back-to-back
airline meltdowns from single-point-of-failure infrastructure (a failed router;
a datacenter power incident) cancelling thousands of flights. Boards started
asking about technical debt.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Telstra, 2016&lt;/strong&gt; — A string of national mobile outages in Australia, one
triggered by a single node being taken offline incorrectly, normalized the
telco postmortem press release.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Retry storms became a named enemy.&lt;/strong&gt; The DynamoDB writeup made &amp;ldquo;metastable
failure&amp;rdquo; patterns mainstream years before the academic term: exponential backoff,
jitter, circuit breakers, and load shedding moved from Netflix blog posts into
default library behavior (and into everyone&amp;rsquo;s action items).&lt;/p&gt;</description></item><item><title>Shared Fate: Heartbleed, Mass Reboots, and the Limits of Cloud Trust</title><link>http://azarudeen.com/posts/02-apr-2014-to-jun-2015-shared-fate-in-the-cloud/</link><pubDate>Tue, 01 Apr 2014 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/02-apr-2014-to-jun-2015-shared-fate-in-the-cloud/</guid><description>&lt;h1 id="shared-fate-in-the-cloud-apr-2014--jun-2015"&gt;Shared Fate in the Cloud (Apr 2014 – Jun 2015)&lt;/h1&gt;
&lt;p&gt;This window is when the industry learned that moving to the cloud means sharing
your provider&amp;rsquo;s fate — their hypervisor patches, their config rollouts, and
their operators&amp;rsquo; keystrokes. It&amp;rsquo;s also when security incidents started being
written up with the same discipline as availability incidents.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Heartbleed, April 2014&lt;/strong&gt; — The OpenSSL bug that forced mass certificate
rotation across the internet. Its real operational lesson: almost nobody had
an inventory of where TLS terminated, so &amp;ldquo;patch and rotate&amp;rdquo; took weeks.
Shellshock (September 2014) repeated the drill for bash.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Joyent, May 2014&lt;/strong&gt; — An operator running a routine update &lt;strong&gt;rebooted an
entire data center&amp;rsquo;s worth of customer systems&lt;/strong&gt; with one command. Joyent&amp;rsquo;s
postmortem was admirably direct: the problem wasn&amp;rsquo;t the operator, it was that
the tooling &lt;em&gt;allowed&lt;/em&gt; a datacenter-wide target with no confirmation. A textbook
blameless writeup.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Xen reboot, September 2014&lt;/strong&gt; — AWS rebooted a large fraction of EC2
instances to patch a Xen vulnerability before disclosure. Customers who had
followed the &amp;ldquo;design for instance failure&amp;rdquo; gospel (Netflix, famously) sailed
through; those who hadn&amp;rsquo;t discovered pet servers the hard way.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Microsoft Azure Storage, November 2014&lt;/strong&gt; — A performance fix was rolled out
&lt;strong&gt;globally, skipping the staged &amp;ldquo;flighting&amp;rdquo; process&lt;/strong&gt;, and an infinite loop in
the blob frontends took down storage across regions. Microsoft&amp;rsquo;s postmortem
admitted the human deviation from their own rollout policy — one of the most
cited config-change postmortems ever.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;NYSE, United Airlines, and the WSJ — July 8, 2015&lt;/strong&gt; — Three unrelated
same-day outages that the public assumed were connected. A lesson in how
reliability failures become news cycles.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Configuration change became the leading villain.&lt;/strong&gt; The Azure writeup
crystallized a pattern that dominates postmortems to this day: the code was
fine; the &lt;em&gt;rollout&lt;/em&gt; of a config flag was the failure. &amp;ldquo;All deploys are staged,
no exceptions, including configuration&amp;rdquo; started appearing in action items.&lt;/p&gt;</description></item><item><title>The Blameless Awakening: How Postmortems Became Engineering Culture</title><link>http://azarudeen.com/posts/01-jan-2013-to-mar-2014-the-blameless-awakening/</link><pubDate>Tue, 01 Jan 2013 10:00:00 +0530</pubDate><guid>http://azarudeen.com/posts/01-jan-2013-to-mar-2014-the-blameless-awakening/</guid><description>&lt;h1 id="the-blameless-awakening-jan-2013--mar-2014"&gt;The Blameless Awakening (Jan 2013 – Mar 2014)&lt;/h1&gt;
&lt;p&gt;In early 2013, the public postmortem was still a novelty. Most companies treated
outages as PR problems to be minimized, not learning opportunities to be shared.
By the spring of 2014, that had visibly changed — and this 15-month window is
where the modern postmortem culture took root.&lt;/p&gt;
&lt;h2 id="the-incidents-that-defined-the-period"&gt;The incidents that defined the period&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Microsoft Azure, February 2013&lt;/strong&gt; — A worldwide Azure Storage outage caused by
an &lt;strong&gt;expired SSL certificate&lt;/strong&gt;. The lesson — certificate lifecycle management is
an operational discipline, not a checkbox — still gets relearned every year.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google, August 2013&lt;/strong&gt; — Google went dark for roughly 2–5 minutes, and global
internet traffic reportedly dropped ~40%. The first mainstream glimpse of how
concentrated the web had become.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Amazon.com, August 2013&lt;/strong&gt; — A ~30-minute outage of the retail site, widely used
to popularize &amp;ldquo;downtime costs $X per minute&amp;rdquo; math in reliability business cases.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;NASDAQ &amp;ldquo;Flash Freeze,&amp;rdquo; August 2013&lt;/strong&gt; — A three-hour trading halt traced to a
software flaw in the Securities Information Processor, showing that finance&amp;rsquo;s
bespoke infrastructure had the same failure modes as web systems.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HealthCare.gov, October 2013&lt;/strong&gt; — Not a cloud outage but the era&amp;rsquo;s defining
systems failure: a big-bang launch with no load testing, no incremental rollout,
and no operational ownership. Its rescue by a small team of web-industry
engineers seeded what later became the US Digital Service — and became the
canonical argument for DevOps practices in government and enterprise.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="what-the-postmortems-reveal"&gt;What the postmortems reveal&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. &amp;ldquo;Blameless&amp;rdquo; went from Etsy blog post to industry norm.&lt;/strong&gt; John Allspaw&amp;rsquo;s
writing on blameless postmortems and Etsy&amp;rsquo;s open-sourced &lt;strong&gt;Morgue&lt;/strong&gt; tool (their
internal postmortem tracker) gave teams both the philosophy and the software.
The core idea — engineers closest to the failure have the most information, and
punishing them destroys that information — started appearing in conference talks
everywhere.&lt;/p&gt;</description></item></channel></rss>