Wolf-Tech Logo
Back to Blog

Blue-Green Deployment Without Kubernetes: A Single-Server Pattern That Works

#blue-green deployment without Kubernetes
Sandor Farkas - Founder & Lead Developer at Wolf-Tech

Sandor Farkas

Founder & Lead Developer

Expert in software development and legacy code optimization

Most teams first hear about blue-green deployment in a Kubernetes talk, which leaves a quiet assumption hanging in the air: that zero-downtime releases require an orchestrator, a service mesh, and a platform team to keep them running. That assumption is wrong, and it costs smaller teams more than they realize. Blue-green deployment without Kubernetes is not only possible, it is straightforward on a single virtual machine, and it gives a two-person SaaS team the same instant-rollback safety net that large platform teams pay dearly for.

The core idea predates Kubernetes by years. You run two identical copies of your application side by side. One is live and serving traffic (call it blue), the other is idle and ready to receive the next release (green). You deploy the new version to the idle copy, run health checks against it while no users can see it, and only then flip a switch so traffic moves to the freshly deployed copy. The previous version stays running, untouched, for as long as you want. If something goes wrong after the cutover, rollback is flipping the switch back, not redeploying. That is the whole pattern, and none of it needs a cluster.

Why a Single Server Is Enough for Most SaaS

The instinct to reach for Kubernetes usually comes from a real fear: that a release will take the site down in front of paying customers. Blue-green deployment removes that fear directly, and it does so at any scale. A single well-provisioned VPS running a Symfony or Node application comfortably serves thousands of daily active users, and the overwhelming majority of B2B SaaS products never outgrow one or two application servers behind a managed database. Adopting an orchestrator to solve a deployment-safety problem is solving the right problem with the wrong tool, and you pay for the mismatch every week in operational overhead.

What you actually need for safe releases is three things: two running copies of the app, a way to check the new copy is healthy before users touch it, and an atomic switch between them. A reverse proxy gives you the switch. A health endpoint gives you the check. systemd or a process manager gives you the two copies. Everything else Kubernetes provides (autoscaling, multi-node scheduling, self-healing across machines) is solving problems you do not have yet. When you genuinely outgrow a single box, the deployment discipline you built here transfers cleanly. Choosing the right stack for your stage rather than the most fashionable one is exactly the kind of decision our tech stack strategy work exists to get right.

The Anatomy of the Pattern

Picture two application instances on the same host. Blue listens on port 8001, green on port 8002. In front of them sits a reverse proxy (Nginx, Caddy, or HAProxy) that forwards requests to an upstream defined in one small include file. That include file is the switch. It contains a single line pointing at either 8001 or 8002. Changing which port it names, then reloading the proxy, moves all new traffic from one instance to the other without dropping a single in-flight request, because a proxy reload finishes serving existing connections before applying the new configuration.

Both instances share the same database, the same Redis, and the same uploaded-file storage. This is the one architectural constraint that matters: because blue and green run against the same data at the same moment during a cutover, your schema changes must be backward compatible across the two application versions for the duration of the switch. That is a healthy discipline regardless of how you deploy, and we will come back to it.

A deploy script ties it together. It detects which instance is currently live, deploys the new release to the idle one, starts it, polls its health endpoint until it reports ready, rewrites the upstream include to point at the newly healthy instance, and reloads the proxy. If the health check never passes, the script exits without touching the proxy, and live traffic keeps flowing to the old version that was never disturbed.

A Concrete Walkthrough

Start with the proxy. In your server block, the upstream is read from an included file so the switch lives in exactly one place.

upstream app {
    include /etc/nginx/conf.d/active-upstream.inc;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    location / {
        proxy_pass http://app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The active-upstream.inc file holds one line, for example server 127.0.0.1:8001;. Run blue and green as two systemd services, identical except for the port they bind and the release directory they run from. Give the application a real health endpoint that checks the things a release can break: that the database connection opens, that required environment variables are present, and that any critical dependency answers. A health check that only returns 200 from the web layer tells you the process started, not that the release works.

The deploy script is the heart of it:

#!/usr/bin/env bash
set -euo pipefail

ACTIVE=$(grep -oE '800[12]' /etc/nginx/conf.d/active-upstream.inc)
if [ "$ACTIVE" = "8001" ]; then
  IDLE_PORT=8002; IDLE=green
else
  IDLE_PORT=8001; IDLE=blue
fi

echo "Live is on $ACTIVE, deploying to $IDLE ($IDLE_PORT)"
deploy_release_to "$IDLE"          # pull code, install deps, build assets
systemctl restart "app@${IDLE}"

for i in $(seq 1 30); do
  if curl -fsS "http://127.0.0.1:${IDLE_PORT}/health" >/dev/null; then
    echo "$IDLE healthy"; break
  fi
  [ "$i" = "30" ] && { echo "health check failed, aborting"; exit 1; }
  sleep 2
done

echo "server 127.0.0.1:${IDLE_PORT};" > /etc/nginx/conf.d/active-upstream.inc
nginx -t && systemctl reload nginx
echo "Traffic switched to $IDLE"

Rollback is the same switch in reverse. Because the previous instance is still running its previous release, you point the include back at the old port and reload. No rebuild, no database restore, no waiting for a deploy pipeline. Recovery time is measured in the seconds a proxy reload takes, which is what makes this pattern feel like the orchestrator-grade safety net it actually is.

The Database Discipline Nobody Mentions

The pattern's one sharp edge is schema migration, and it is the same edge Kubernetes deployments hit. During a cutover, two application versions talk to one database. If your new release renames a column and you run the migration before the switch, the old version breaks the moment the migration lands. If you run it after, the new version breaks until it does. The way out is the expand-and-contract pattern: split every breaking change into backward-compatible steps. To rename a column you add the new column, deploy code that writes to both and reads the new one, backfill, switch traffic, and only in a later release drop the old column once nothing references it.

This is more discipline than firing off a destructive migration during deploy, but it is the discipline that makes any zero-downtime deployment safe, blue-green or rolling, Kubernetes or not. Teams that skip it discover the hard way that their "zero-downtime" setup still has a downtime window hiding inside every schema change. Untangling migrations that were written without this constraint is a recurring theme in our legacy code optimization engagements, and it is worth getting the habit right before it becomes a production incident.

When This Is the Wrong Tool

Be honest about the limits. This single-server pattern doubles the memory footprint of your app on one host, because two copies run at once, so size the machine accordingly. It does not give you high availability against hardware failure, since one VPS is one point of failure; if that machine dies, both blue and green die with it. If your uptime requirements genuinely demand surviving a node loss, you need at least two machines and a load balancer in front, at which point the same blue-green logic applies across hosts. And if you are running dozens of services that need independent scaling and scheduling, that is the point where an orchestrator starts earning its complexity.

For the team shipping a focused SaaS product on one or two servers, though, this pattern delivers most of what people install Kubernetes for, at a fraction of the operational cost. The right deployment architecture is the one matched to your actual scale and failure tolerance, and choosing it deliberately is part of how we approach custom software development from day one.

Getting Started

You can adopt this incrementally. Add a real health endpoint first, then stand up a second instance and a deploy script, and keep your existing release process as a fallback until you trust the switch. Within a week most teams have instant rollback they never had before, with no cluster to maintain. If you want a second set of eyes on your deployment setup or your migration strategy before you flip the first switch in production, we are happy to help. Reach us at hello@wolf-tech.io or at wolf-tech.io, and we will walk through your stack with you.