How do we handle database changes with zero downtime?

Use expand/migrate/contract. Additive schema first (columns, indexes), backfill idempotently in chunks, introduce compatibility triggers or views, and keep old code paths working. Only remove old fields once the new path has soaked cleanly for 24–72 hours.

Do we need service mesh to do this?

No, but it helps. You can pull this off with Nginx/HAProxy or an ALB with weighted target groups. A mesh like Istio gives you clean mirroring, retries, circuit breakers, and telemetry consistency.

What if we discover data drift during the cutover?

Don’t proceed. Keep replication running, pause the canary, and run a targeted reconcile using CDC offsets or row-level diffs. Only resume when drift is zero and lag is back under your threshold.

How do we test rollback safely?

Rehearse in staging with prod-like load using k6/Locust. Time the command sequence and make sure traffic weights snap back within 60s, state replication continues, and business KPIs recover to baseline.

What about AI-generated code/configs in the migration?

Treat them as untrusted drafts. Run static checks, policy-as-code (Open Policy Agent/Conftest), and peer reviews. We’ve seen AI-written Helm charts misconfigure liveness probes and take clusters down. Lock versions and diff everything before go-time.

Guides · Nov 16, 2025 · 10 minute read

The Cutover Checklist We Use When Moving Money: Zero-Downtime Migration, Step by Step

You don’t get a second chance with critical workloads. Here’s the exact, battle-tested checklist we use to move prod with no customer-facing blips—and fast rollbacks when reality bites.

Back to all posts

The Cutover Checklist We Use When Moving Money: Zero-Downtime Migration, Step by Step

Key takeaways

Implementation checklist