Google Cloud Dual Run Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Migration

Category

Migration

1. Introduction

What this service is

Dual Run in Google Cloud Migration is a migration strategy/pattern where you run the legacy (source) system and the new (target) system in parallel, compare outcomes, and then progressively shift production traffic and/or data processing from old to new with a safe rollback path.

One-paragraph simple explanation

If you’re migrating an application or data pipeline to Google Cloud and you’re worried about outages, incorrect results, or missed edge cases, Dual Run lets you keep the old system working while the new system “proves” it can handle real workloads. You can start with a small percentage of traffic, validate behavior, and then increase gradually—without a risky big-bang cutover.

One-paragraph technical explanation

Technically, Dual Run is implemented by running two production-capable stacks at the same time and controlling traffic distribution, data synchronization, and result validation. In Google Cloud, Dual Run commonly uses tools such as Cloud Run / GKE, Cloud Load Balancing, Cloud Logging & Monitoring, Database Migration Service (DMS) for replication, Pub/Sub for event duplication, Dataflow for parallel pipelines, and CI/CD (Cloud Build / Cloud Deploy or your existing toolchain) for controlled rollouts. Dual Run is not a single managed “product SKU”; it’s a disciplined approach built using Google Cloud services.

What problem it solves

Dual Run solves the hardest part of Migration: confidence at cutover. It reduces: – Downtime risk (move gradually instead of switching instantly) – Correctness risk (compare outputs under real load) – Operational risk (learn performance characteristics in production) – Rollback risk (fail back quickly by shifting traffic back)

Naming note (important): At the time of writing, “Dual Run” is not a standalone Google Cloud product with its own console page, API, or pricing SKU. It appears in migration guidance as a parallel-run strategy (sometimes also called parallel run). If your organization’s migration program uses “Dual Run” as an internal phase name or a Google Cloud reference architecture term, confirm the exact scope in the official Google Cloud migration documentation. When in doubt, verify in official docs.

---

2. What is Dual Run?

Official purpose

The purpose of Dual Run is to enable safe, measurable, and reversible migrations by operating old and new systems simultaneously until the new system meets agreed success criteria (SLOs, correctness checks, security controls, and cost/performance targets).

Core capabilities (what Dual Run enables)

Dual Run enables you to: – Run two versions of a workload at once (legacy and target) – Split, shape, or duplicate traffic to the new environment (gradual rollout, shadow tests, canary) – Validate results (functional outputs, data integrity, latency, error rate) – Roll back quickly (shift traffic back to legacy if needed) – Cut over safely when confidence thresholds are met

Major components (typical building blocks on Google Cloud)

Because Dual Run is a pattern, components vary by workload. Common building blocks include:

• Compute runtime(s): Cloud Run, Google Kubernetes Engine (GKE), Compute Engine, App Engine (legacy), or managed services
• Traffic management: Cloud Run traffic splitting, Cloud Load Balancing, service mesh (Cloud Service Mesh / Istio) for advanced routing (verify capabilities per product version)
• Data sync/replication: Database Migration Service (DMS), Cloud SQL read replicas (where supported), storage replication patterns, streaming duplication via Pub/Sub
• Observability: Cloud Logging, Cloud Monitoring, Error Reporting, Trace (as applicable)
• CI/CD and release control: Cloud Build, Cloud Deploy, Artifact Registry, and policy guardrails
• Security controls: IAM, Secret Manager, VPC, firewall policies, Cloud Audit Logs, organization policies

Service type

• Type: Migration strategy / operating model (not a managed product)
• Scope: Applies at workload level; implemented within one or more Google Cloud projects and environments (dev/test/prod)
• Regional/global considerations: Depends on chosen services (for example, Cloud Run is regional; Cloud Load Balancing can be global; databases are regional with replicas depending on product)

How it fits into the Google Cloud ecosystem

Dual Run is typically used as part of a broader Google Cloud Migration program: – Assess and plan (inventory, dependency mapping, landing zone) – Build foundations (networking, IAM, logging, org policies) – Migrate and modernize (move workloads and data) – Dual Run (parallel operations + validation) – Cutover and decommission (final shift, retire legacy)

Google Cloud’s architecture guidance and migration best practices (see Architecture Center) commonly recommend progressive cutovers and validation mechanisms—Dual Run is where those controls become operational reality.

---

3. Why use Dual Run?

Business reasons

• Reduce revenue risk: Avoid long outages or severe incidents during migration.
• Protect customer trust: Roll out changes gradually, detect issues early.
• Lower migration program risk: Replace “one big date” with measurable gates.
• Enable stakeholder confidence: Provide objective proof (metrics, comparisons) before cutover.

Technical reasons

• Correctness under real production data: Staging rarely matches production edge cases.
• Performance profiling: Validate latency, throughput, and scaling behavior under actual load.
• Compatibility and integration testing: Confirm upstream/downstream systems behave correctly.
• Safer data transitions: Validate replication, schema changes, and consistency.

Operational reasons

• Incremental rollout: Slowly increase traffic and watch SLOs.
• Faster rollback: Shift traffic back without redeploying or restoring backups (in many patterns).
• Operational learning: Build runbooks and on-call readiness while legacy remains a safety net.
• Controlled decommissioning: Retire legacy components only after proof.

Security/compliance reasons

• Validate security controls: Ensure IAM, encryption, audit logging, and network policies work in production.
• Evidence collection: Dual Run creates measurable validation artifacts (logs, dashboards, change records).
• Regulated change management: Supports phased approvals and risk reduction strategies.

Scalability/performance reasons

• Progressively scale: Confirm autoscaling and capacity planning.
• Reduce blast radius: Initial small traffic share limits impact if issues exist.
• Tune caching and database performance: Identify bottlenecks before full cutover.

When teams should choose it

Choose Dual Run when: – You need high confidence migration with limited risk tolerance. – Downtime is expensive and rollback must be fast. – The workload is complex or business-critical. – You can afford temporary duplicate run costs.

When teams should not choose it

Avoid or limit Dual Run when: – The workload is simple and low risk (a short maintenance window cutover is fine). – Running two systems in parallel creates data consistency hazards you can’t mitigate. – Budget constraints cannot support parallel operations. – The legacy system cannot be safely operated in parallel (licensing, capacity, or compliance constraints).

---

4. Where is Dual Run used?

Industries

Dual Run is common in environments where downtime or incorrect outcomes are costly: – Financial services (payments, trading, risk) – Healthcare (clinical systems, patient portals) – Retail/e-commerce (checkout, inventory) – Media/streaming (content delivery, billing) – SaaS and B2B platforms (multi-tenant workloads) – Manufacturing/logistics (ERP integration, IoT pipelines) – Public sector (citizen services with strict change control)

Team types

• Platform engineering teams building migration factories
• DevOps/SRE teams responsible for production stability
• Application teams modernizing services
• Data engineering teams migrating ETL/ELT pipelines
• Security and compliance teams validating controls
• Enterprise architects coordinating multi-system cutovers

Workloads

• HTTP APIs and web apps
• Event-driven systems (Pub/Sub, Kafka migrations)
• Batch and streaming data pipelines
• Databases (especially when changing engines or versions)
• Identity and authentication flows (careful: dual run can introduce subtle issues)

Architectures

• Microservices (dual run per service)
• Monolith-to-microservices (strangler patterns + dual run validation)
• Hybrid (on-prem + Google Cloud)
• Multi-region or active-active (advanced; requires careful data strategy)

Real-world deployment contexts

• Production Dual Run: the most valuable—real load validates correctness.
• Pre-production Dual Run: lower risk but less representative.
• Dev/test Dual Run: useful for tooling and automation rehearsal.

---

5. Top Use Cases and Scenarios

Below are realistic Dual Run scenarios on Google Cloud. Each example highlights the problem, why Dual Run fits, and a short scenario.

1) Web API migration with gradual traffic shift

• Problem: A critical API must move to Cloud Run with minimal risk.
• Why Dual Run fits: Split traffic between old and new, monitor errors/latency, roll back instantly.
• Example: Start at 1% traffic to the Cloud Run revision, then ramp to 10/50/100%.

2) Monolith decomposition using parallel validation

• Problem: You’re extracting a “billing” module into a microservice, but outputs must match.
• Why Dual Run fits: Run old module and new service concurrently and compare results.
• Example: The monolith still produces invoices, while the new service produces invoices in parallel for comparison.

3) Database engine migration with read-only dual run

• Problem: Migrating from self-managed PostgreSQL to Cloud SQL; you want to ensure query performance and correctness.
• Why Dual Run fits: Replicate data to Cloud SQL and direct read-only queries to the new database first.
• Example: Move reporting dashboards to Cloud SQL reads while writes stay on legacy until stable.

4) Event streaming migration (Kafka to Pub/Sub)

• Problem: Changing event backbone without losing events or breaking consumers.
• Why Dual Run fits: Duplicate publishing to both systems temporarily; migrate consumers gradually.
• Example: Producers publish to Kafka and Pub/Sub; consumers are moved one by one.

5) Data pipeline modernization (on-prem Spark to Dataflow)

• Problem: A nightly pipeline must produce identical aggregates.
• Why Dual Run fits: Run both pipelines for days/weeks, compare outputs before decommission.
• Example: Dataflow writes to a parallel BigQuery dataset; results are compared with legacy outputs.

6) Authentication service migration (with strict rollback)

• Problem: Moving auth to a new identity provider integration.
• Why Dual Run fits: Start with a small segment of users; roll back quickly if login issues appear.
• Example: Route 5% of login traffic to new auth flow; monitor success rate and latency.

7) Multi-region failover rehearsal during migration

• Problem: Migrating while also improving resiliency.
• Why Dual Run fits: Keep legacy as fallback while testing multi-region routing.
• Example: New stack runs in two regions; legacy remains available for rollback.

8) SaaS feature flag rollout during migration

• Problem: New platform changes behavior; customers should opt in gradually.
• Why Dual Run fits: Parallel run combined with feature flags provides controlled exposure.
• Example: Premium tenants are migrated first, with quick opt-out.

9) Legacy queue migration (RabbitMQ to Pub/Sub)

• Problem: Message semantics differ; you need to confirm ordering/duplication handling.
• Why Dual Run fits: Run both queues; verify consumer idempotency.
• Example: Consumers read from Pub/Sub with dedup logic while RabbitMQ remains primary.

10) Network perimeter migration (on-prem ingress to Cloud Load Balancing)

• Problem: Changing edge routing can break clients, TLS, or headers.
• Why Dual Run fits: Gradual DNS/traffic shift reduces risk and reveals edge-case clients.
• Example: Weighted routing moves 10% of traffic to Google Cloud Load Balancing, then increases.

11) Storage migration with parallel reads

• Problem: Moving from on-prem object storage to Cloud Storage; applications must continue serving files.
• Why Dual Run fits: Copy data and read from both; compare checksums and access patterns.
• Example: App reads from Cloud Storage first, falls back to legacy if missing, until fully synchronized.

12) FinOps validation during migration

• Problem: New architecture must meet cost constraints.
• Why Dual Run fits: Run both stacks and measure real cost/performance before committing.
• Example: Compare Cloud Run cost vs GKE cost for same traffic profile before finalizing.

---

6. Core Features

Because Dual Run is a strategy, “features” are best understood as capabilities you implement using Google Cloud services. The list below focuses on what matters most in real migrations.

1) Parallel production operation

• What it does: Runs legacy and target systems at the same time.
• Why it matters: Enables real-world validation without stopping the old system.
• Practical benefit: Reduced cutover risk and easier rollback.
• Limitations/caveats: Costs can double temporarily; requires careful operational discipline.

2) Controlled traffic shifting (progressive delivery)

• What it does: Moves traffic in increments (1% → 10% → 50% → 100%).
• Why it matters: Limits blast radius and surfaces issues early.
• Practical benefit: Safer than big-bang cutovers.
• Limitations/caveats: Requires routing control (Cloud Run traffic splitting, Cloud Load Balancing, service mesh, or DNS strategies).

3) Shadow testing / request duplication (when applicable)

• What it does: Sends production requests to the new system without impacting user responses (the legacy response is still returned).
• Why it matters: Validates correctness under real traffic before serving users.
• Practical benefit: Finds subtle correctness/performance issues.
• Limitations/caveats: Not always supported at the load balancer layer; often requires service mesh/proxy patterns. Verify in official docs for your chosen routing layer.

4) Data replication and synchronization

• What it does: Keeps target data store in sync with legacy (e.g., DMS replication).
• Why it matters: Prevents stale data and enables read traffic shift.
• Practical benefit: Enables phased read/write migration strategies.
• Limitations/caveats: Replication lag, schema drift, and compatibility differences can be significant.

5) Dual-write or write-forward patterns (advanced)

• What it does: Writes to both old and new systems during a transition.
• Why it matters: Supports zero-downtime write cutovers in some cases.
• Practical benefit: Enables faster final cutover.
• Limitations/caveats: Risky if not idempotent; can create divergence if one write fails.

6) Automated validation and diffing

• What it does: Compares outputs, database rows, aggregates, or API responses.
• Why it matters: Correctness is the #1 migration risk.
• Practical benefit: Objective go/no-go criteria.
• Limitations/caveats: Requires defining “equivalence” (e.g., timestamps, ordering, floating point rounding).

7) Observability and SLO gating

• What it does: Uses metrics/logs/traces to determine if the new system is healthy enough to scale traffic.
• Why it matters: Prevents “hope-based” cutovers.
• Practical benefit: Faster detection and safer ramp-ups.
• Limitations/caveats: Logging can become expensive; dashboards must be designed intentionally.

8) Rapid rollback

• What it does: Shifts traffic back to legacy quickly if issues are detected.
• Why it matters: Reduces MTTR during migration.
• Practical benefit: Avoids emergency redeploys and complex restores.
• Limitations/caveats: Rollback may be complicated if dual writes already occurred.

9) Environment and configuration isolation

• What it does: Separates configs, secrets, and IAM so both stacks can run safely.
• Why it matters: Prevents accidental cross-environment access.
• Practical benefit: Cleaner governance and reduced security risk.
• Limitations/caveats: Requires consistent naming/tagging and policy controls.

10) Release orchestration and approvals

• What it does: Uses CI/CD to enforce repeatable deployments and approval gates.
• Why it matters: Dual Run often lasts weeks; manual steps introduce risk.
• Practical benefit: Repeatability and auditability.
• Limitations/caveats: Tooling integration takes effort; avoid over-automation without guardrails.

---

7. Architecture and How It Works

High-level architecture

Dual Run has two “lanes”: 1. Legacy lane: current production system (on-prem or older platform) 2. Target lane: new system in Google Cloud

Traffic and/or data flows are controlled so you can: – Start with low risk (shadow or small percentage) – Validate (correctness + SLOs) – Ramp up – Cut over and decommission legacy

Request/data/control flow

Typical flow for an API migration: 1. Clients send requests to an entry point (DNS, load balancer, API gateway). 2. Routing splits traffic between legacy and new. 3. Observability captures request metrics and logs from both. 4. Validation compares outcomes; errors trigger alerts. 5. CI/CD promotes a new target release or rolls back. 6. Once success criteria are met, routing shifts fully to new.

For data migrations: 1. Data replicates from legacy DB to target DB (e.g., DMS). 2. Read traffic shifts first to target. 3. Write cutover happens when replication lag is acceptable and the application is ready. 4. Legacy becomes read-only, then is decommissioned.

Integrations with related services

Common Google Cloud integrations: – Cloud Run / GKE / Compute Engine for runtime – Cloud Load Balancing for ingress and traffic management (or Cloud Run native traffic splitting) – Cloud Logging / Cloud Monitoring for observability – Secret Manager for secrets – Cloud KMS for encryption keys (when needed) – Database Migration Service for DB replication – Pub/Sub for event duplication and decoupling – Artifact Registry for container images – Cloud Build / Cloud Deploy for CI/CD – VPC / Cloud VPN / Cloud Interconnect for hybrid connectivity

Dependency services

Dual Run depends on whichever services implement: – Routing/traffic control – Compute runtime(s) – Data sync method(s) – Logging/metrics and alerting – IAM, networking, secrets, and policy guardrails

Security/authentication model

• IAM governs who can deploy, route traffic, view logs, and manage data replication.
• Workloads typically use service accounts with least privilege.
• Network controls (VPC, firewall policies, Private Service Connect, VPC connectors) reduce exposure.
• Cloud Audit Logs record admin and data access events for many services (verify for each service).

Networking model

Dual Run can be: – Internet-facing (external clients, public endpoints) – Private (internal clients, internal load balancing, private service access) – Hybrid (on-prem + Google Cloud over VPN/Interconnect)

A key networking design decision: whether legacy and target can be reached via a single entry point (ideal for controlled routing) or require DNS-based split (more limited control).

Monitoring/logging/governance considerations

• Define migration SLOs (error rate, p95 latency, throughput, correctness checks).
• Create dashboards per lane and per version/revision.
• Decide log retention and sampling to manage cost.
• Use labels/tags consistently for cost allocation and governance.

---

Simple architecture diagram (Mermaid)

flowchart LR
  U[Users/Clients] --> R[Traffic Split / Router]
  R --> L[Legacy Service]
  R --> N[New Service on Google Cloud]
  L --> O[Logs & Metrics]
  N --> O[Logs & Metrics]
  O --> G[Go/No-Go Gates\n(SLOs + Validation)]
  G -->|Increase traffic| R
  G -->|Rollback| R

Production-style architecture diagram (Mermaid)

flowchart TB
  subgraph Clients
    C1[Web/Mobile Clients]
    C2[Partner Systems]
  end

  subgraph Edge
    DNS[Cloud DNS / External DNS]
    LB[Cloud Load Balancing\n(or Cloud Run Traffic Split)]
  end

  subgraph Legacy
    LEGAPP[Legacy App\n(on-prem / old platform)]
    LEGDB[Legacy DB]
  end

  subgraph GoogleCloud[Google Cloud Project(s)]
    direction TB

    subgraph Runtime
      NEWAPP[New App\nCloud Run or GKE]
      AR[Artifact Registry]
      CICD[Cloud Build / Cloud Deploy]
    end

    subgraph Data
      DMS[Database Migration Service\n(replication)]
      NEWDB[Cloud SQL / AlloyDB / Spanner\n(target)]
      PS[Pub/Sub\n(optional event duplication)]
    end

    subgraph Observability
      LOG[Cloud Logging]
      MON[Cloud Monitoring]
      ALERT[Alerting + SLOs]
    end

    subgraph Security
      IAM[IAM + Service Accounts]
      SM[Secret Manager]
      KMS[Cloud KMS\n(optional)]
      VPC[VPC + Connectivity\nVPN/Interconnect]
    end
  end

  C1 --> DNS --> LB
  C2 --> DNS --> LB

  LB -->|x%| LEGAPP
  LB -->|y%| NEWAPP

  LEGAPP --> LEGDB
  DMS --> NEWDB
  LEGDB --> DMS

  NEWAPP --> NEWDB
  NEWAPP --> PS

  LEGAPP --> LOG
  NEWAPP --> LOG
  NEWDB --> LOG
  LOG --> MON --> ALERT

  CICD --> AR --> NEWAPP

  IAM --- NEWAPP
  SM --- NEWAPP
  VPC --- NEWAPP

---

8. Prerequisites

Because Dual Run is a pattern, prerequisites depend on the chosen implementation. For the hands-on lab in this tutorial (Dual Run using Cloud Run traffic splitting), you need:

Account/project requirements

• A Google Cloud account with access to create or use a Google Cloud project
• Billing enabled on the project (Cloud Run and build operations require billing)

Permissions / IAM roles

Minimum suggested roles for the lab (project-level): – Cloud Run Admin (roles/run.admin) – Service Account User (roles/iam.serviceAccountUser) on the runtime service account – Cloud Build Editor (roles/cloudbuild.builds.editor) or permissions to run builds – Logs Viewer (roles/logging.viewer) for validation in Cloud Logging

In production, split these duties across separate personas and use least privilege.

CLI/SDK/tools needed

• Google Cloud CLI (gcloud)
• A local terminal with:
• curl
• Optional: jq (for formatting), and a load tool like hey (optional)

Region availability

• Cloud Run is regional. Choose a region where Cloud Run is available.
• Verify current Cloud Run locations: https://cloud.google.com/run/docs/locations

Quotas/limits

• Cloud Run has quotas for services, revisions, requests, and CPU/memory per region.
• Cloud Logging has ingestion and retention considerations that can affect cost.
• Always check quotas in IAM & Admin → Quotas and service-specific quota docs. Verify in official docs.

Prerequisite services/APIs

Enable these APIs in the project (the lab will do this via gcloud): – Cloud Run Admin API – Cloud Build API – Artifact Registry API (optional, depending on build approach) – Cloud Logging API (typically enabled by default)

---

9. Pricing / Cost

Pricing model (accurate framing)

Dual Run itself has no direct price because it is not a separately billed Google Cloud product. The cost comes from running two environments in parallel and from the services you use to route traffic, replicate data, and observe results.

Pricing dimensions (what you pay for)

Common cost dimensions in a Dual Run migration include:

1. Compute costs (duplicated during Dual Run) – Cloud Run: billed by request, CPU/memory time, and networking (see official pricing). – GKE: cluster management + node compute + networking. – Compute Engine: VM hours, disks, load balancers, etc.

2. Traffic management – Cloud Load Balancing: typically billed by forwarding rules, data processed, and sometimes additional features (SKU-specific).
   Pricing: https://cloud.google.com/load-balancing/pricing

3. Data replication and storage – Database Migration Service: pricing depends on source/target and replication approach.
   DMS docs/pricing: verify in official docs (start here: https://cloud.google.com/database-migration) – Cloud SQL/AlloyDB/Spanner: instance size, storage, I/O, backups, replicas.

4. Observability – Cloud Logging: ingestion volume, retention beyond included amounts, log-based metrics.
   Pricing: https://cloud.google.com/logging/pricing – Cloud Monitoring: metrics volume, uptime checks, alerting policies (see pricing).
   Pricing: https://cloud.google.com/monitoring/pricing

5. Network egress – Cross-region traffic, internet egress, and hybrid connectivity egress can be major cost drivers. – Hybrid connectivity (Cloud VPN / Cloud Interconnect) has its own pricing model.

Free tier (if applicable)

Some services (notably Cloud Run and Cloud Logging) may include free usage tiers or included allocations depending on account and region. These details change over time—verify in official pricing pages: – Cloud Run pricing: https://cloud.google.com/run/pricing – Cloud Logging pricing: https://cloud.google.com/logging/pricing

Biggest cost drivers in Dual Run

• Running two stacks at “production readiness” capacity
• Increased logging/metrics due to parallel validation
• Data replication (continuous replication, additional replicas)
• Network egress between legacy and cloud or between regions
• Duplicate third-party licensing (legacy software + new platform, if applicable)

Hidden/indirect costs to plan for

• Extended Dual Run duration (weeks/months) due to validation or org approvals
• Engineering time building validation harnesses and runbooks
• Incident response load (two systems to operate)
• Additional QA requirements in regulated environments

How to optimize cost

• Keep Dual Run duration as short as risk allows—define success criteria early.
• Start with shadow tests or small traffic, then ramp up deliberately.
• Implement log sampling and structured logs to reduce ingestion.
• Use budgets and alerts; separate cost centers via labels.
• Use right-sized resources for the “new” system early; avoid overprovisioning.
• If hybrid traffic is expensive, keep validation data local where feasible or use private connectivity efficiently.

Example low-cost starter estimate (qualitative)

A small lab-style Dual Run for a web service might cost primarily: – Cloud Run requests and compute time (often low for minimal load) – Cloud Build minutes for a few builds – Cloud Logging ingestion for test requests

Exact cost depends on region and usage. Use: – Google Cloud Pricing Calculator: https://cloud.google.com/products/calculator

Example production cost considerations

In production Dual Run, expect: – Near 2× compute (legacy + new), at least for the migrated component – Additional database replicas or replication instances – Increased logging/metrics volume during validation – Possible additional load balancing or connectivity costs

A practical FinOps rule: before starting, estimate cost per day of Dual Run and multiply by an expected duration + buffer. This avoids surprise overruns.

---

10. Step-by-Step Hands-On Tutorial

This lab demonstrates Dual Run using Cloud Run traffic splitting. It’s a realistic, low-risk way to practice parallel operation and progressive cutover for a web service.

Objective

Deploy a Cloud Run service with two revisions (v1 and v2), run them in parallel, split traffic (e.g., 90/10), validate using responses and Cloud Logging, then cut over (100% to v2) and learn how to roll back.

Lab Overview

You will: 1. Set up a Google Cloud project and enable APIs. 2. Build and deploy a simple containerized web service to Cloud Run (revision v1). 3. Deploy an updated revision (v2) without sending traffic. 4. Configure traffic splitting between v1 and v2 (Dual Run). 5. Generate requests and verify distribution and logs. 6. Cut over to v2 (and optionally roll back). 7. Clean up resources.

---

Step 1: Create/select a project, set region, and enable APIs

1) In your terminal, authenticate and set a project:

gcloud auth login
gcloud config set project YOUR_PROJECT_ID

2) Choose a region (example: us-central1) and set it:

export REGION="us-central1"
gcloud config set run/region "$REGION"

3) Enable required APIs:

gcloud services enable \
  run.googleapis.com \
  cloudbuild.googleapis.com \
  artifactregistry.googleapis.com \
  logging.googleapis.com

Expected outcome – APIs enable successfully (may take a minute). – Your gcloud context points to the correct project and region.

---

Step 2: Create a minimal Cloud Run app (containerized)

Create a new folder and add these files.

1) main.py

import os
import time
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.get("/")
def root():
    version = os.environ.get("APP_VERSION", "unknown")
    # Correlation ID for tracing across systems (client can send one too)
    rid = request.headers.get("X-Request-Id", f"auto-{int(time.time() * 1000)}")
    return jsonify({
        "service": "dualrun-demo",
        "version": version,
        "request_id": rid
    })

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=int(os.environ.get("PORT", "8080")))

2) requirements.txt

Flask==3.0.3
gunicorn==22.0.0

3) Dockerfile

FROM python:3.12-slim

WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY main.py .

ENV PORT=8080
CMD ["gunicorn", "-b", ":8080", "main:app"]

Expected outcome – You have a buildable container that returns JSON including a version.

---

Step 3: Build the container image with Cloud Build

Use Artifact Registry (recommended) for images.

1) Create an Artifact Registry repository (one-time):

export REPO="dualrun-repo"
gcloud artifacts repositories create "$REPO" \
  --repository-format=docker \
  --location="$REGION" \
  --description="Images for Dual Run lab"

2) Configure Docker auth for Artifact Registry:

gcloud auth configure-docker "$REGION-docker.pkg.dev"

3) Build and push the image:

export PROJECT_ID="$(gcloud config get-value project)"
export IMAGE="$REGION-docker.pkg.dev/$PROJECT_ID/$REPO/dualrun-demo:latest"

gcloud builds submit --tag "$IMAGE" .

Expected outcome – Cloud Build completes successfully. – An image named dualrun-demo:latest exists in Artifact Registry.

---

Step 4: Deploy revision v1 (legacy) to Cloud Run

Deploy the service and tag the revision as v1.

export SERVICE="dualrun-demo"

gcloud run deploy "$SERVICE" \
  --image "$IMAGE" \
  --allow-unauthenticated \
  --set-env-vars "APP_VERSION=v1" \
  --tag "v1"

Fetch the service URL:

export URL="$(gcloud run services describe "$SERVICE" --format='value(status.url)')"
echo "$URL"

Test:

curl -s "$URL" | python -m json.tool

Expected outcome – Response includes "version": "v1". – Service is reachable via the Cloud Run URL.

---

Step 5: Deploy revision v2 (new) with NO traffic (Dual Run preparation)

Deploy a second revision, tag it as v2, but do not send traffic yet:

gcloud run deploy "$SERVICE" \
  --image "$IMAGE" \
  --allow-unauthenticated \
  --set-env-vars "APP_VERSION=v2" \
  --tag "v2" \
  --no-traffic

List revisions:

gcloud run revisions list --service "$SERVICE"

Expected outcome – Two revisions exist for the same service. – v2 exists but receives 0% traffic.

---

Step 6: Start Dual Run by splitting traffic (e.g., 90% v1, 10% v2)

Update traffic:

gcloud run services update-traffic "$SERVICE" \
  --to-tags "v1=90,v2=10"

Confirm traffic:

gcloud run services describe "$SERVICE" \
  --format="table(status.traffic[].tag,status.traffic[].percent,status.traffic[].revisionName)"

Expected outcome – The service routes ~90% of requests to v1 and ~10% to v2.

---

Step 7: Generate traffic and observe version distribution

Send 50 requests and count versions:

for i in $(seq 1 50); do
  curl -s -H "X-Request-Id: req-$i" "$URL" | python -c "import sys, json; print(json.load(sys.stdin)['version'])"
done | sort | uniq -c

Expected outcome – Counts should be roughly 45 responses from v1 and 5 from v2 (not exact due to randomness and small sample size).

---

Step 8: Validate with Cloud Logging (revision-level visibility)

In Google Cloud Console: – Go to Logging → Logs Explorer – Use a query like:

resource.type="cloud_run_revision"
resource.labels.service_name="dualrun-demo"

To filter by revision tag, use the revision name shown in the traffic table output (Cloud Run logs label revisions). For example:

resource.type="cloud_run_revision"
resource.labels.service_name="dualrun-demo"
resource.labels.revision_name="YOUR_REVISION_NAME"

Expected outcome – You can see request logs for both revisions. – You can correlate by X-Request-Id if included in logs (headers may or may not be logged by default). If you need deeper request correlation, implement structured logging in the app.

Tip: For real Dual Run migrations, define explicit validation signals: – Error rate (5xx) – p95 latency – Business correctness checks (domain-specific)

---

Step 9: Cut over to v2 (100% traffic) and keep rollback option

Cut over:

gcloud run services update-traffic "$SERVICE" \
  --to-tags "v2=100"

Verify:

curl -s "$URL" | python -m json.tool

Expected outcome – Responses show "version": "v2" consistently.

Optional rollback practice If v2 had issues, roll back instantly:

gcloud run services update-traffic "$SERVICE" \
  --to-tags "v1=100"

---

Validation

Use this checklist:

1) Traffic split configured – Confirm with: bash gcloud run services describe "$SERVICE" --format="table(status.traffic[].tag,status.traffic[].percent)"

2) Parallel runtime – Confirm two revisions exist: bash gcloud run revisions list --service "$SERVICE"

3) Functional validation – Confirm both versions respond: – curl $URL repeatedly shows both during 90/10 stage.

4) Observability – Logs Explorer shows entries for both revisions.

---

Troubleshooting

Issue: PERMISSION_DENIED when deploying – Fix: ensure you have roles/run.admin and roles/iam.serviceAccountUser on the runtime service account. – Also confirm billing is enabled.

Issue: Cloud Build fails to push to Artifact Registry – Fix: ensure Artifact Registry API is enabled and Docker auth configured: bash gcloud services enable artifactregistry.googleapis.com gcloud auth configure-docker "$REGION-docker.pkg.dev"

Issue: 401/403 errors accessing the service – If you removed --allow-unauthenticated, you must call with authentication. – For a public lab, ensure: bash gcloud run services get-iam-policy dualrun-demo and that allUsers has roles/run.invoker (public). For production, do not use public access unless required.

Issue: Traffic splitting doesn’t seem to match percentages – Small sample sizes fluctuate. Increase request count. – Ensure your traffic update succeeded and that caches aren’t masking results.

---

Cleanup

To avoid ongoing charges, delete resources:

1) Delete the Cloud Run service:

gcloud run services delete "$SERVICE" --region "$REGION"

2) Delete the Artifact Registry repository (and images):

gcloud artifacts repositories delete "$REPO" --location "$REGION"

3) (Optional) If this was a dedicated lab project, delete the project (most thorough cleanup): – Console: IAM & Admin → Manage resources → Delete project – Or via CLI (use with caution): bash gcloud projects delete "$PROJECT_ID"

---

11. Best Practices

Architecture best practices

• Design for reversibility: Every Dual Run plan should include a clear rollback mechanism (traffic shift, feature flag, or DNS rollback).
• Prefer progressive rollout over big-bang cutovers for critical services.
• Decouple with events where feasible (Pub/Sub) so consumers migrate independently.
• Plan data strategy early: replication method, lag tolerance, schema evolution, and conflict handling.

IAM/security best practices

• Use least-privilege service accounts per component (runtime, CI/CD, replication).
• Separate roles for deployers vs approvers (where required).
• Use Secret Manager for secrets; avoid embedding secrets in images or env vars without controls.
• Turn on and review Cloud Audit Logs for admin activity.

Cost best practices

• Set a Dual Run timebox (e.g., 2 weeks) and define extension criteria.
• Implement log-based sampling and structured logging to reduce ingestion.
• Use labels (e.g., env=dualrun, app=..., migration-wave=...) for cost allocation.
• Use budgets and alerts during Dual Run; costs often spike unexpectedly.

Performance best practices

• Define SLOs per revision/version and measure:
• p95/p99 latency
• error rate
• saturation (CPU, memory, DB connections)
• Load test the new system before ramping traffic.
• Watch downstream bottlenecks (DB connection limits are common when traffic increases).

Reliability best practices

• Automate rollback actions (runbooks + predefined commands).
• Use multi-zone/regional designs where appropriate for the target stack.
• Make the application idempotent (especially important with retries and event duplication).

Operations best practices

• Maintain a single pane of glass dashboard comparing legacy vs new.
• Use consistent request correlation IDs across both systems for debugging.
• Keep an up-to-date migration runbook and on-call readiness checklist.
• Use change management gates: “no traffic increase unless SLOs are green for N hours”.

Governance/tagging/naming best practices

• Standardize naming for versions and environments:
• service-name, service-name-canary, service-name-shadow
• Use resource labels:
• owner, cost-center, env, migration-wave, data-classification
• Apply org policies (where applicable) to restrict risky configs (public access, weak TLS, etc.).

---

12. Security Considerations

Identity and access model

• Humans: Use groups and roles; avoid direct user permissions where possible.
• Workloads: Use service accounts with the minimum required roles.
• CI/CD: Ensure build/deploy identities cannot access production data unless needed.

Encryption

• In Google Cloud, data is encrypted at rest by default for many services, with options for customer-managed keys (Cloud KMS) depending on service.
• For regulated workloads:
• Consider CMEK (customer-managed encryption keys) where supported.
• Verify CMEK support for each service in official docs.

Network exposure

Common risks during Dual Run: – Accidentally exposing internal test endpoints publicly. – Running legacy and new with inconsistent TLS or header handling.

Recommendations: – Prefer private connectivity patterns when possible. – Use load balancers/gateways to centralize TLS policy. – Restrict ingress via IAM (Cloud Run Invoker) or network controls.

Secrets handling

• Store secrets in Secret Manager.
• Rotate secrets during migration when feasible.
• Avoid dual-run configurations that require copying long-lived secrets broadly.

Audit/logging

• Ensure Cloud Audit Logs are enabled appropriately at org/folder/project levels.
• Ensure logs contain enough information for incident response without leaking sensitive data.

Compliance considerations

Dual Run can help compliance by providing: – Evidence of staged rollout controls – Audit trails for approvals and changes – Validation results recorded over time

But it can hurt compliance if: – Data is duplicated into environments without proper classification/controls – Access expands broadly “temporarily” and never gets tightened

Common security mistakes

• Leaving canary/shadow endpoints publicly accessible
• Over-permissioned service accounts “for speed”
• Copying production secrets into dev/test for dual-run testing
• Logging sensitive payloads while validating outputs

Secure deployment recommendations

• Use separate projects or clearly separated environments for prod vs non-prod.
• Use organization policies to enforce baseline constraints.
• Use VPC Service Controls (where appropriate) to reduce data exfiltration risk (verify applicability to your services).

---

13. Limitations and Gotchas

Known limitations (pattern-level)

• Cost duplication: Dual Run often increases spend significantly.
• Complexity: Two systems to operate means more moving parts and more operational overhead.
• Data consistency: Dual writes and replication introduce divergence risk.
• Behavioral differences: Timezones, locale, floating-point math, and ordering can break “exact equality” comparisons.
• Third-party dependencies: External APIs can behave differently based on IP ranges, TLS stacks, or request headers.

Quotas and service constraints

• Cloud Run revision/service quotas can limit how many parallel versions you keep.
• Logging/monitoring quotas and cost controls can constrain how much validation telemetry you can store.
• Database connection limits are a frequent bottleneck when traffic increases.

Always validate the current quotas for your chosen services. Verify in official docs.

Regional constraints

• Some services are regional; dual run across regions may add latency and egress.
• If legacy is on-prem, hybrid connectivity latency can affect comparisons.

Pricing surprises

• Logging ingestion and long retention
• Egress from on-prem to cloud during replication/validation
• Load balancing data processing at scale
• Double database costs (replicas + target + backups)

Compatibility issues

• Schema differences during database migration
• Differences in retry policies and timeouts
• Event ordering differences between messaging systems

Operational gotchas

• Comparing results requires robust normalization (ignore fields that are expected to differ).
• Rollback may not be simple if writes have already moved.
• Teams often forget to decommission legacy, paying for it indefinitely.

Migration challenges

• Defining what “success” means (SLOs + correctness)
• Building validation harnesses that don’t overload production systems
• Coordinating cutover across multiple dependent services

Vendor-specific nuances (Google Cloud)

• Traffic splitting is easy in some runtimes (e.g., Cloud Run revisions) but more complex across heterogeneous backends. Plan routing early.
• Observability is powerful but can be expensive at high volume; plan sampling and metrics strategy.

---

14. Comparison with Alternatives

Dual Run is one option among several migration cutover strategies. Here’s how it compares.

Options to consider

• Big-bang cutover: switch everything at once during a maintenance window
• Blue/Green deployment: maintain two environments and switch traffic
• Canary release: small percentage to new version, gradually increase
• Shadow traffic: duplicate traffic to new version without serving responses
• Strangler pattern: incrementally replace parts of a monolith behind routing rules
• Active-active: run both as authoritative systems (hard; requires careful data strategy)

Comparison table

Option	Best For	Strengths	Weaknesses	When to Choose
Dual Run (parallel run)	Critical migrations needing high confidence	Real-world validation, safer cutover, fast rollback potential	Higher cost, operational complexity, data consistency challenges	When correctness and uptime matter more than temporary cost
Big-bang cutover	Small/low-risk systems	Simple plan, short overlap	High risk, hard rollback, downtime	When downtime is acceptable and system is simple
Blue/Green	Web apps/APIs with clear routing boundary	Clear rollback (switch back), isolated envs	Often requires duplicate infra; DB changes complicate rollback	When you can keep DB compatible or use compatible migration steps
Canary (progressive delivery)	Services that can tolerate some user exposure	Lower risk than big-bang, fast feedback	Still exposes users; needs strong monitoring	When you can handle small failures and have good SLOs
Shadow traffic	Validating correctness without user impact	Very safe for users; strong validation	Harder to implement; doubles load; output comparison complexity	When you need correctness proof before serving users
Strangler pattern	Monolith modernization	Incremental replacement, reduces scope of each change	Requires routing layer and careful domain boundaries	When refactoring is needed and you want continuous value delivery
Active-active	Global, high-availability systems	High resilience, no single cutover	Very complex, data conflict resolution	When business requires multi-site active operation

Nearest services in Google Cloud (how they relate) – Cloud Run traffic splitting: a practical way to implement Dual Run for HTTP services. – Cloud Load Balancing: implements traffic steering across backends and environments. – Cloud Deploy: release orchestration and approvals (may complement Dual Run). – Cloud Service Mesh: advanced routing and telemetry patterns (verify current features). – Database Migration Service: supports replication-based transitions for databases.

Nearest services in other clouds (conceptual parallels) – AWS: weighted routing with Application Load Balancer/Route 53; CodeDeploy canary/blue-green. – Azure: Front Door/Traffic Manager weighted routing; deployment slots in App Service. (These are comparisons of approach, not identical products.)

Open-source/self-managed alternatives – Kubernetes-based progressive delivery: Argo Rollouts, Flagger – Service mesh routing with Istio/Envoy – Custom traffic splitting via NGINX/HAProxy These can implement Dual Run but require additional ops overhead.

---

15. Real-World Example

Enterprise example (regulated, mission-critical)

Problem
A bank is migrating a payment authorization API from on-prem middleware to Google Cloud (Cloud Run + Cloud SQL). The API must meet strict uptime, auditability, and correctness requirements.

Proposed architecture – Cloud Load Balancing (or API gateway) as a controlled entry point – Legacy payment API remains primary initially – New Cloud Run service deployed in Google Cloud – Database Migration Service replicates on-prem DB to Cloud SQL (or a target database chosen for the workload) – Cloud Logging/Monitoring dashboards compare: – auth success rate – p95 latency – downstream error types – Change approvals via CI/CD with gated promotions

Why Dual Run was chosen – Payment correctness must be proven under real traffic. – The bank needs a rapid rollback path. – Compliance requires audit evidence of staged rollout and controls.

Expected outcomes – Reduced cutover risk and fewer high-severity incidents – Objective go/no-go decisions based on SLOs – Cleaner decommissioning plan with audit trails

---

Startup/small-team example (fast-moving SaaS)

Problem
A SaaS startup is moving from a single VM-based API to Cloud Run for autoscaling and simpler ops. They want to avoid extended downtime and reduce incident risk with a small team.

Proposed architecture – Cloud Run service with two revisions: v1 (legacy behavior) and v2 (optimized) – Cloud Run traffic splitting for 95/5 → 80/20 → 50/50 → 100 cutover – Logging-based validation and basic dashboards – Simple rollback runbook: shift traffic back to v1

Why Dual Run was chosen – The team wants safer deployments without building complex infrastructure. – Cloud Run makes parallel revisions and traffic splitting straightforward.

Expected outcomes – Faster deployment cadence with lower risk – Autoscaling under spikes without pre-provisioning – Reduced maintenance compared to managing VMs

---

16. FAQ

1) Is Dual Run a Google Cloud product I can enable?
No. Dual Run is a migration strategy implemented using Google Cloud services (routing, compute, data replication, and observability).

2) Is Dual Run the same as blue/green?
They’re related. Blue/green is a deployment pattern with two environments and a switch. Dual Run emphasizes running both for validation and often includes comparison gates and longer parallel periods.

3) How long should Dual Run last?
As short as possible while meeting confidence requirements. Many teams timebox it (days to weeks). Long Dual Runs increase cost and complexity.

4) What’s the safest Dual Run approach for APIs?
Often: start with shadow traffic (if feasible), then small canary percentages, with strong SLO monitoring and rollback.

5) How do I implement Dual Run quickly on Google Cloud?
For HTTP services, Cloud Run traffic splitting is one of the fastest practical methods.

6) What about data—how do I dual run databases safely?
Commonly: replicate data to the target, shift read traffic first, then plan a controlled write cutover. Dual writes are possible but risky.

7) Does Dual Run always require traffic splitting?
No. Some migrations dual-run batch jobs or pipelines by running both and comparing outputs, without splitting interactive traffic.

8) How do I compare outputs between legacy and new systems?
Use a validation harness: store outputs, normalize expected differences, and compare with thresholds. For APIs, capture structured responses and error codes.

9) What metrics should gate traffic increases?
At minimum: error rate, latency (p95/p99), saturation (CPU/memory/DB connections), and domain correctness checks.

10) What is the biggest risk during Dual Run?
Data inconsistency and operational confusion. Clear ownership, runbooks, and strong observability reduce risk.

11) Will Dual Run double my cloud bill?
Not always exactly double, but it often increases costs materially because you run two stacks plus additional observability and replication.

12) How do I roll back safely if I’ve already migrated writes?
Rollback is harder after write cutover. Plan for this by: – delaying write cutover until high confidence – using backups and point-in-time recovery – ensuring compatibility or a forward-fix plan

13) Can I use Dual Run for migrating to GKE?
Yes. You can run legacy and GKE services in parallel and use load balancing/service mesh for routing. The exact routing method depends on your entry point and mesh strategy.

14) Is Dual Run useful for compliance audits?
Often yes—if you capture evidence: change records, dashboards, alerts, approvals, and validation results.

15) What’s the simplest rollback mechanism in Google Cloud?
If you’re using Cloud Run revisions, rollback can be as simple as shifting traffic back to the previous revision.

16) Does Dual Run require two projects?
Not required, but common in larger orgs (separate projects/environments). For smaller teams, one project with strict separation can work.

---

17. Top Online Resources to Learn Dual Run

Since Dual Run is a strategy, the best resources are a combination of migration guidance and the specific services used to implement it.

Resource Type	Name	Why It Is Useful
Official architecture guidance	Migration to Google Cloud (Architecture Center) – https://cloud.google.com/architecture/migration-to-google-cloud	Foundational migration concepts, patterns, and phases that often include parallel-run ideas
Official architecture center	Google Cloud Architecture Center – https://cloud.google.com/architecture	Reference architectures and best practices for implementing migration patterns
Official service docs	Cloud Run documentation – https://cloud.google.com/run/docs	Practical traffic splitting via revisions; operational guidance
Official pricing	Cloud Run pricing – https://cloud.google.com/run/pricing	Understand request/compute billing when running multiple revisions
Official service docs	Cloud Load Balancing documentation – https://cloud.google.com/load-balancing/docs	Traffic management patterns for multi-backend or hybrid dual run
Official pricing	Cloud Load Balancing pricing – https://cloud.google.com/load-balancing/pricing	Cost model for routing/edge services during migration
Official observability docs	Cloud Logging documentation – https://cloud.google.com/logging/docs	Logging queries and strategies for validating parallel systems
Official pricing	Cloud Logging pricing – https://cloud.google.com/logging/pricing	Manage log ingestion/retention costs during Dual Run
Official observability docs	Cloud Monitoring documentation – https://cloud.google.com/monitoring/docs	SLOs, alerting, and dashboards for go/no-go gates
Official pricing	Cloud Monitoring pricing – https://cloud.google.com/monitoring/pricing	Understand metrics/monitoring cost factors
Official migration service	Database Migration Service – https://cloud.google.com/database-migration	Common building block for dual-run database replication patterns
Official CI/CD docs	Cloud Build documentation – https://cloud.google.com/build/docs	Build automation for repeated deployments during Dual Run
Official CI/CD docs	Cloud Deploy documentation – https://cloud.google.com/deploy/docs	Release orchestration and approval flows (complements Dual Run)
Official calculator	Google Cloud Pricing Calculator – https://cloud.google.com/products/calculator	Estimate costs for parallel run periods
Video (official)	Google Cloud Tech YouTube – https://www.youtube.com/googlecloudtech	Architecture and operations content; search for migration and progressive delivery topics

---

18. Training and Certification Providers

Institute	Suitable Audience	Likely Learning Focus	Mode	Website URL
DevOpsSchool.com	DevOps engineers, SREs, platform teams, architects	DevOps, CI/CD, cloud operations, migration practices	Check website	https://www.devopsschool.com/
ScmGalaxy.com	Beginners to intermediate DevOps practitioners	SCM, DevOps foundations, tooling and processes	Check website	https://www.scmgalaxy.com/
CLoudOpsNow.in	Cloud engineers, operations teams	Cloud operations, monitoring, reliability, cost awareness	Check website	https://www.cloudopsnow.in/
SreSchool.com	SREs, production engineers, incident responders	SRE practices, SLOs, observability, reliability engineering	Check website	https://www.sreschool.com/
AiOpsSchool.com	Ops teams exploring automation	AIOps concepts, automation, monitoring analytics	Check website	https://www.aiopsschool.com/

---

19. Top Trainers

Platform/Site	Likely Specialization	Suitable Audience	Website URL
RajeshKumar.xyz	DevOps/cloud training and guidance (verify offerings)	Beginners to working engineers	https://www.rajeshkumar.xyz/
devopstrainer.in	DevOps tooling, CI/CD, cloud practices (verify offerings)	DevOps engineers, students	https://www.devopstrainer.in/
devopsfreelancer.com	Freelance DevOps support/training (verify offerings)	Small teams needing hands-on help	https://www.devopsfreelancer.com/
devopssupport.in	DevOps support and training resources (verify offerings)	Ops/DevOps teams	https://www.devopssupport.in/

---

20. Top Consulting Companies

Company	Likely Service Area	Where They May Help	Consulting Use Case Examples	Website URL
cotocus.com	Cloud/DevOps consulting (verify exact scope)	Migration planning, CI/CD, cloud operations	Dual Run rollout planning, observability dashboards, cost controls	https://cotocus.com/
DevOpsSchool.com	DevOps consulting and enablement (verify exact scope)	DevOps transformation, training + implementation	Migration factory setup, CI/CD pipelines, deployment guardrails	https://www.devopsschool.com/
DEVOPSCONSULTING.IN	DevOps consulting services (verify exact scope)	Delivery automation, reliability practices	Progressive delivery, monitoring/alerting, runbook automation	https://www.devopsconsulting.in/

---

21. Career and Learning Roadmap

What to learn before Dual Run

To execute Dual Run well on Google Cloud, build fundamentals in: – Google Cloud projects, IAM, service accounts – VPC networking basics (subnets, routing, firewall rules) – Cloud Logging and Cloud Monitoring basics – Containers and CI/CD (Cloud Build, Artifact Registry) – Basic SRE concepts: SLOs, SLIs, error budgets, incident response

What to learn after Dual Run

Once comfortable, level up with: – Advanced traffic management (Cloud Load Balancing, service mesh patterns) – Database migration deeper skills (DMS, replication, cutover planning) – Event-driven migrations (Pub/Sub patterns, idempotent consumers) – Policy-as-code and governance (organization policies, IAM conditions) – FinOps practices for migration programs (budgets, cost attribution, optimization)

Job roles that use it

• Cloud Solutions Architect
• Cloud/Platform Engineer
• DevOps Engineer
• Site Reliability Engineer (SRE)
• Migration Lead / Technical Program Lead
• Data Engineer (for pipeline dual runs)

Certification path (if available)

Dual Run is a strategy, not a cert topic by itself, but it maps strongly to: – Google Cloud Professional Cloud Architect – Google Cloud Professional Cloud DevOps Engineer – Google Cloud Associate Cloud Engineer

Verify current certification paths: https://cloud.google.com/learn/certification

Project ideas for practice

• Implement Cloud Run dual run with traffic splitting + SLO-based gating.
• Migrate a sample database using replication, shift reads first, then plan write cutover.
• Build a shadow traffic harness with a proxy (advanced; verify feasibility with your stack).
• Create a “migration dashboard” comparing legacy vs new error rates and latency.
• Implement idempotent event consumers and dual publish to two topics for a migration period.

---

22. Glossary

• Dual Run: Running legacy and new systems in parallel during Migration to validate and reduce cutover risk.
• Parallel Run: Another term commonly used for Dual Run.
• Cutover: The act of switching production traffic and/or writes to the new system.
• Rollback: Switching back to the legacy system after issues are detected.
• Canary: Releasing to a small subset of traffic/users to reduce risk.
• Blue/Green: Two environments; one serves production while the other is staged, then traffic switches.
• Shadow traffic: Duplicating production traffic to a new system without returning its response to users.
• SLO/SLI: Service Level Objective / Indicator; quantitative reliability targets and measurements.
• Idempotency: Repeating an operation produces the same effect; crucial for retries and duplicated events.
• Replication lag: Delay between source and target data stores during replication.
• Revision (Cloud Run): An immutable version of a Cloud Run service created per deployment.
• Traffic splitting (Cloud Run): Assigning percentage-based traffic to revisions/tags.
• Artifact Registry: Google Cloud service to store container images and artifacts.
• Cloud Logging: Central log ingestion, query, and retention service.
• Cloud Monitoring: Metrics, dashboards, alerting, and SLO tooling.

---

23. Summary

Dual Run (Google Cloud Migration) is a parallel-run migration strategy where you operate the legacy and new systems simultaneously, validate correctness and SLOs under real conditions, and then progressively cut over with a rollback option.

It matters because Migration failures are usually caused by unknown production behaviors—Dual Run turns those unknowns into measurable signals before you fully commit. In Google Cloud, Dual Run is commonly implemented using Cloud Run/GKE/Compute Engine, traffic management (Cloud Run splitting or Cloud Load Balancing), data replication (often via DMS), and observability (Cloud Logging and Monitoring).

Key cost/security points: – Cost often increases temporarily due to duplicate compute, additional telemetry, and replication/egress. – Security requires tight IAM, careful endpoint exposure, and disciplined secrets handling.

Use Dual Run when the workload is business-critical, downtime is expensive, and you need high confidence. The best next step is to practice the lab using Cloud Run traffic splitting, then extend the pattern to your real workload with production-grade validation gates and data migration planning.