Search Infrastructure R&D — Zero-Downtime Reindex

Situation

The platform assumed the search engine was causing the downtime. Four alternatives were formally evaluated across pricing, geo search, typo tolerance, alias-swap support, auto-scaling, and operational overhead before drawing any conclusions.

Options Considered

• Algolia — dropped, unpredictable cost at scale
• Typesense — capable, but new infrastructure and cost without sufficient justification
• AWS OpenSearch Serverless — dropped, $525/month floor unjustified at current scale
• Elastic Cloud Serverless — dropped, existing managed clusters were already sufficient

Decision

Stayed on the existing AWS OpenSearch managed clusters. The investigation found that the downtime was caused by the reindex implementation — no alias management, no automated rollover, manual AWS console steps, no resume path on failure. OpenSearch has supported alias-swap reindexing since v1.0. The existing clusters already had everything needed. The fix was an implementation change, not a platform migration.

Situation

The existing approach rewrote the live index in place, taking it offline for the entire duration of the rebuild. Any schema change meant downtime. If the process failed mid-run, there was no rollback path.

Options Considered

• Continue with in-place reindex — simple, but causes downtime and has no rollback
• Alias-swap — build the new versioned index in the background while the old stays live, then swap atomically on completion

Decision

Implemented the alias-swap pattern. All search queries go through an alias name, never directly to a versioned index. A new versioned index (e.g. events_v4) builds in the background while events_v3 stays live and serves all traffic. The swap is a single atomic operation on OpenSearch — no window where the alias points nowhere. If the new index fails to build, the old index stays live with no impact on users.

Situation

A full reindex can run for a long time. If the service crashes or is redeployed mid-job, the question is whether the job restarts from scratch or can resume where it stopped.

Options Considered

• Restart from scratch on any crash — stateless, simple, but wastes work and can loop if the crash is consistent
• Cursor-based resume — persist the last processed row ID to the database and resume from exactly there on restart

Decision

Cursor-based resume. All reindex job state is persisted in MySQL — current phase (backfill, alias swap, cleanup), documents processed so far, and the last processed row ID. If the service crashes at any point, the next startup reads the job record and resumes without re-processing any already-indexed documents. Crash recovery behaviour is also phase-aware: a crash during alias swap checks whether the swap already completed before re-attempting it; a crash during cleanup retries deletion safely since deleting an already-deleted index is treated as success.

Situation

A backfill can run for minutes or longer. During that time, live data keeps changing — new bookings, event updates, venue changes. Without a strategy, the new index could hold stale versions of recently updated documents once they are overwritten by their batch entry.

Options Considered

• Pause live writes during reindex — eliminates the staleness problem but causes write downtime
• Re-index all changed documents at the end — adds complexity and still has a race window
• Dual-write — for every live update, write to both the current live index and the new index being built simultaneously

Decision

Dual-write. Every real-time update writes to both the live index and the new index throughout the backfill. If the dual-write to the new index fails, the error is logged and the backfill loop self-heals — when the batch loop reaches that document's row ID, it writes the correct version from the database. The live index write is never affected by dual-write failures.