# Blue-Green Deployment with AWS ALB & Jenkins

This document explains Blue-Green Deployment using AWS ALB, EC2, Target Groups, VPC design, NAT Gateway strategy, and Jenkins automation, with practical examples and real-world notes.
## Blue-Green Deployment & Sticky Sessions

### Why Sticky Sessions Are Disabled

In Blue-Green deployments, it is recommended to disable sticky sessions.

Problem if enabled:
- If the DB schema changes (e.g., a new column is added)
- Users stay pinned to the old target group (Blue) by their sticky session
- The old app won't understand the new DB column
- This can cause runtime errors

Best practice:
- Keep applications stateless
- Disable stickiness during the traffic switch

### When Sticky Sessions Are Still Used

In some practical scenarios (especially on JB / App servers):
- Keeping temporary files
- Running `grep` on logs
- Downloading reports

In such cases, sticky sessions may be used intentionally, but NOT during Blue-Green traffic switching.
## VPC CIDR Strategy (AWS)

### VPC Overview
- VPC CIDR: `10.0.0.0/16`
- Total IPs: 65,536
### Subnet Design

| Purpose | CIDR | AZ | Notes |
|---|---|---|---|
| Public Subnet 1 | 10.0.0.0/24 | ap-south-1a | ALB & NAT Gateway |
| Public Subnet 2 | 10.0.1.0/24 | ap-south-1b | ALB & NAT Gateway |
| Public Subnet 3 | 10.0.2.0/24 | ap-south-1c | Optional AZ |
| Private Subnet 1 | 10.0.10.0/24 | ap-south-1a | App servers |
| Private Subnet 2 | 10.0.11.0/24 | ap-south-1b | App servers |
| Private Subnet 3 | 10.0.12.0/24 | ap-south-1c | Optional AZ |
| DB Subnet 1 | 10.0.20.0/24 | ap-south-1a | RDS / DB Tier |
| DB Subnet 2 | 10.0.21.0/24 | ap-south-1b | RDS / DB Tier |
### AWS Reserved IPs (Per Subnet)

AWS reserves 5 IP addresses in every subnet:
- Network address (all 0s)
- VPC router address (.1)
- AWS DNS address (.2)
- Reserved for future use (.3)
- Broadcast address (all 1s; reserved even though AWS doesn't support broadcast)
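As an added example (not part of the original document), this Python snippet checks the subnet table above against the VPC CIDR and lists the five addresses AWS reserves in each subnet; the subnet names are labels assumed for the table rows.

```python
import ipaddress

# Constructed from the subnet table above; the names are labels for the rows.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public-1": "10.0.0.0/24",   "public-2": "10.0.1.0/24",   "public-3": "10.0.2.0/24",
    "private-1": "10.0.10.0/24", "private-2": "10.0.11.0/24", "private-3": "10.0.12.0/24",
    "db-1": "10.0.20.0/24",      "db-2": "10.0.21.0/24",
}

def total_ips(cidr):
    """Address count of a CIDR block (10.0.0.0/16 -> 65,536)."""
    return ipaddress.ip_network(cidr).num_addresses

def reserved_addresses(cidr):
    """The 5 addresses AWS reserves: network, router (.1), DNS (.2), future use (.3), broadcast."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = net.network_address
    return [str(first + i) for i in range(4)] + [str(net.broadcast_address)]

def usable_hosts(cidr):
    """Addresses left for instances/ENIs after the 5 reserved ones."""
    return total_ips(cidr) - 5

def validate_plan(vpc_cidr, subnets):
    """Check every subnet fits in the VPC, is no smaller than /28, and overlaps no other.
    Returns a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
        if net.prefixlen > 28:  # AWS IPv4 subnets must be between /16 and /28
            problems.append(f"{name} {net} is smaller than /28")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

if __name__ == "__main__":
    print(reserved_addresses("10.0.0.0/24"), usable_hosts("10.0.0.0/24"))
    print(validate_plan(VPC_CIDR, SUBNETS) or "subnet plan OK")
```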
## NAT Gateway Explained

### What a NAT Gateway Does

Allows private subnets to access the internet outbound (OS updates, package downloads, APIs) without inbound exposure.

Cost: hourly charge plus data processed

### NAT Gateway Options

#### 1. None

Use when:
- Fully isolated workloads
- No internet access required

Risk:
- No package updates
- No external API access

#### 2. Single NAT Gateway (1 AZ)

Pros:
- Cheaper

Cons:
- Single point of failure

Use for:
- Dev / Test environments

#### 3. NAT Gateway Per AZ (Production)

Pros:
- High availability
- Lower cross-AZ traffic cost

Cons:
- Higher cost

### Rule of Thumb

| Environment | Recommendation |
|---|---|
| Dev / Test | 1 NAT Gateway |
| Production | NAT Gateway per AZ |
| Isolated | No NAT Gateway |
## Security Group Setup

### Concept

Controls inbound & outbound traffic for EC2 and ALB.

### Practical Setup
- Name: `blue-green-sg`
- VPC: Blue-Green VPC

### Inbound Rules

| Port | Source | Purpose |
|---|---|---|
| 80 | 0.0.0.0/0 | HTTP |
| 443 | 0.0.0.0/0 | HTTPS |
| 22 | Your IP | SSH |

### Outbound Rules
- Allow all traffic
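An added example, not from the original page: a small Python audit of the inbound rules above in the JSON shape that `aws ec2 describe-security-groups` returns, confirming that only 80/443 face the world and SSH comes from a single address. The sample rules are constructed, and `203.0.113.10/32` stands in for "Your IP".

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# mirroring the blue-green-sg rules above (203.0.113.10/32 stands in for "Your IP").
BLUE_GREEN_SG = {"GroupName": "blue-green-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]}

PUBLIC_PORTS = {80, 443}  # the only ports that may be open to 0.0.0.0/0
ADMIN_PORTS = {22}        # must be sourced from a single /32 (your IP)

def audit_inbound(sg):
    """Return a list of findings; an empty list means the rules match the intended setup."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        for r in perm.get("IpRanges", []):
            src = ipaddress.ip_network(r["CidrIp"])
            if proto == "-1" or lo is None:  # "All traffic" rule: no port bounds at all
                findings.append(f"all traffic allowed from {src}")
                continue
            world = src.prefixlen == 0
            admin_hit = any(lo <= p <= hi for p in ADMIN_PORTS)
            allowed_in_range = sum(1 for p in PUBLIC_PORTS | ADMIN_PORTS if lo <= p <= hi)
            extra_ports = (hi - lo + 1) > allowed_in_range  # range contains other ports
            if admin_hit and src.prefixlen != 32:
                findings.append(f"port {lo}-{hi} open to {src}, expected a single /32 admin IP")
            if extra_ports and world:
                findings.append(f"ports {lo}-{hi} open to the world beyond 80/443")
    return findings

if __name__ == "__main__":
    print(audit_inbound(BLUE_GREEN_SG) or "blue-green-sg inbound rules OK")
```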
## Launch EC2 Instances (Blue & Green)

### Blue Server User Data

```bash
#!/bin/bash
apt update && apt install -y nginx
echo "<h1>Blue Version</h1>" > /var/www/html/index.html
systemctl enable nginx && systemctl start nginx
```

### Green Server User Data

```bash
#!/bin/bash
apt update && apt install -y nginx
echo "<h1>Green Version</h1>" > /var/www/html/index.html
systemctl enable nginx && systemctl start nginx
```
## Target Groups & Traffic Switching

- Create two target groups:
  - Blue Target Group
  - Green Target Group
- Attach EC2 instances accordingly
- Switch traffic by changing ALB listener rules
## AWS CLI Commands

### Describe Listeners

```bash
aws elbv2 describe-listeners --load-balancer-arn <LB-ARN>
```

### Describe Target Groups

```bash
aws elbv2 describe-target-groups --names Blue Green
```

### Switch Traffic (Blue to Green)

```bash
aws elbv2 modify-listener \
  --listener-arn <LISTENER-ARN> \
  --default-actions Type=forward,TargetGroupArn=<GREEN-TG-ARN>
```

### Rollback (Green to Blue)

```bash
aws elbv2 modify-listener \
  --listener-arn <LISTENER-ARN> \
  --default-actions Type=forward,TargetGroupArn=<BLUE-TG-ARN>
```
## Jenkins Pipeline: Blue-Green Switch

### Parameter-Based Traffic Switch

```groovy
pipeline {
    agent any
    parameters {
        choice(name: 'TARGET_GROUP', choices: ['Blue', 'Green'], description: 'Select traffic target')
    }
    environment {
        // Placeholders: fill in from `describe-listeners` / `describe-target-groups` above
        LISTENER_ARN = '<LISTENER-ARN>'
        BLUE_TG_ARN  = '<BLUE-TG-ARN>'
        GREEN_TG_ARN = '<GREEN-TG-ARN>'
    }
    stages {
        stage('Verify Health Before Switch') {
            when { expression { params.TARGET_GROUP == 'Green' } }
            steps {
                script {
                    echo "Checking Green target health..."
                    // Fail the build unless every Green target reports 'healthy'
                    def states = sh(
                        script: "aws elbv2 describe-target-health --target-group-arn ${env.GREEN_TG_ARN} --query 'TargetHealthDescriptions[*].TargetHealth.State' --output text",
                        returnStdout: true
                    ).trim()
                    if (!states || states.split().any { it != 'healthy' }) {
                        error "Green targets are not all healthy: ${states}"
                    }
                }
            }
        }
        stage('Switch Traffic') {
            steps {
                script {
                    def tgArn = params.TARGET_GROUP == 'Green' ? env.GREEN_TG_ARN : env.BLUE_TG_ARN
                    echo "Switching traffic to ${params.TARGET_GROUP}..."
                    // Same modify-listener call as the CLI section; Blue selection doubles as rollback
                    sh "aws elbv2 modify-listener --listener-arn ${env.LISTENER_ARN} --default-actions Type=forward,TargetGroupArn=${tgArn}"
                }
            }
        }
    }
}
```
## Weighted Traffic Switching (Canary Style)

### Get Listener ARN

```bash
aws elbv2 describe-listeners \
  --load-balancer-arn <LB-ARN> \
  --query 'Listeners[*].ListenerArn' \
  --output text
```
### Jenkins Pipeline: Weighted Routing

```groovy
pipeline {
    agent any
    parameters {
        string(name: 'BLUE_WEIGHT', defaultValue: '1', description: 'Blue TG weight')
        string(name: 'GREEN_WEIGHT', defaultValue: '0', description: 'Green TG weight')
    }
    environment {
        // Placeholders: fill in from the describe commands above
        LISTENER_ARN = '<LISTENER-ARN>'
        BLUE_TG_ARN  = '<BLUE-TG-ARN>'
        GREEN_TG_ARN = '<GREEN-TG-ARN>'
    }
    stages {
        stage('Switch Traffic Weights') {
            steps {
                script {
                    echo "Updating traffic weights..."
                    // Weighted forward action; target-group stickiness stays disabled during the shift
                    def actions = """[{"Type":"forward","ForwardConfig":{"TargetGroupStickinessConfig":{"Enabled":false},"TargetGroups":[{"TargetGroupArn":"${env.BLUE_TG_ARN}","Weight":${params.BLUE_WEIGHT}},{"TargetGroupArn":"${env.GREEN_TG_ARN}","Weight":${params.GREEN_WEIGHT}}]}}]"""
                    sh "aws elbv2 modify-listener --listener-arn ${env.LISTENER_ARN} --default-actions '${actions}'"
                }
            }
        }
    }
}
```
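An added example in Python, not from the page or any Jenkins library, covering the two gates both pipelines above rely on: a health check over `aws elbv2 describe-target-health` output, and a builder for the weighted `--default-actions` JSON with target-group stickiness explicitly disabled. The health output is constructed sample data and the ARNs are placeholders.

```python
import json

# Constructed samples shaped like `aws elbv2 describe-target-health` JSON output
GREEN_WARMING_UP = {"TargetHealthDescriptions": [
    {"Target": {"Id": "i-0green01", "Port": 80}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0green02", "Port": 80},
     "TargetHealth": {"State": "initial", "Reason": "Elb.RegistrationInProgress"}},
]}
GREEN_HEALTHY = {"TargetHealthDescriptions": [
    {"Target": {"Id": "i-0green01", "Port": 80}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0green02", "Port": 80}, "TargetHealth": {"State": "healthy"}},
]}

def targets_ready(health, minimum=1):
    """True only when at least `minimum` targets are registered and every one is 'healthy'."""
    states = [d["TargetHealth"]["State"] for d in health.get("TargetHealthDescriptions", [])]
    return len(states) >= minimum and all(s == "healthy" for s in states)

def weighted_forward_action(blue_arn, green_arn, blue_weight, green_weight):
    """Default-actions structure for modify-listener weighted routing (ALB weights are 0-999)."""
    for w in (blue_weight, green_weight):
        if not 0 <= w <= 999:
            raise ValueError(f"weight {w} outside the ALB range 0-999")
    if blue_weight + green_weight == 0:
        raise ValueError("both weights are 0: the listener would forward nothing")
    return [{"Type": "forward", "ForwardConfig": {
        "TargetGroupStickinessConfig": {"Enabled": False},  # no pinning during the shift
        "TargetGroups": [
            {"TargetGroupArn": blue_arn, "Weight": blue_weight},
            {"TargetGroupArn": green_arn, "Weight": green_weight},
        ]}}]

def plan_switch(listener_arn, blue_arn, green_arn, blue_weight, green_weight, green_health):
    """Return the modify-listener argv to run, or None when Green would receive traffic but
    is not ready. A rollback (green_weight == 0) is never blocked by Green's health."""
    if green_weight > 0 and not targets_ready(green_health):
        return None
    actions = weighted_forward_action(blue_arn, green_arn, blue_weight, green_weight)
    return ["aws", "elbv2", "modify-listener", "--listener-arn", listener_arn,
            "--default-actions", json.dumps(actions)]

if __name__ == "__main__":
    print(plan_switch("<LISTENER-ARN>", "<BLUE-TG-ARN>", "<GREEN-TG-ARN>", 90, 10, GREEN_WARMING_UP))
    print(" ".join(plan_switch("<LISTENER-ARN>", "<BLUE-TG-ARN>", "<GREEN-TG-ARN>", 90, 10, GREEN_HEALTHY)))
```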
## Key Takeaways

- Blue-Green avoids downtime
- Disable sticky sessions during the switch
- Proper VPC & NAT design is critical
- Weighted routing enables safe canary releases
- Jenkins automates traffic control