
Netflix Conformity Monkey

Conformity Monkey is the Simian Army member that finds instances violating operational best-practices and shuts them down, forcing the owning team to re-launch them correctly. Introduced in Netflix's 2011 TechBlog post (Source: sources/2026-01-02-netflix-the-netflix-simian-army).

Purpose

"Conformity Monkey finds instances that don't adhere to best-practices and shuts them down. For example, we know that if we find instances that don't belong to an auto-scaling group, that's trouble waiting to happen. We shut them down to give the service owner the opportunity to re-launch them properly."

Role in the Simian Army

Conformity Monkey is a drift detector, not a fault injector. The operational assumption: an instance that is not in an auto-scaling group cannot benefit from ASG-driven replacement on failure, so its existence is already a latent failure waiting to surface. Terminating it now forces the correct-shape re-launch, while the team is paying attention.

The named example in the post is instance membership in an ASG. The post doesn't enumerate the full best-practice rule set, but the pattern generalises: any invariant the fleet must satisfy to survive future failures can be made a Conformity Monkey rule.
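The drift-detector pattern described above, as an added sketch that is not Netflix's code: rules are pluggable predicates, and the one rule implemented is the ASG-membership invariant named in the post. The inventory shape, field names, rule name and function names are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample inventory (hypothetical shape, not a real API response).
INSTANCES = [
    {"id": "i-0001", "state": "running", "owner": "team-api"},
    {"id": "i-0002", "state": "running", "owner": "team-api"},
    {"id": "i-0003", "state": "running", "owner": "team-batch"},
    {"id": "i-0004", "state": "terminated", "owner": "team-batch"},
]
# Constructed ASG membership: group name -> member instance ids.
ASG_MEMBERS = {"api-v42": ["i-0001", "i-0002"], "batch-v7": []}

@dataclass(frozen=True)
class Violation:
    instance_id: str
    owner: str
    rule: str

# A rule is a name plus a predicate that returns True when the instance conforms.
Rule = tuple[str, Callable[[dict], bool]]

def asg_membership_rule(asg_members: dict[str, list[str]]) -> Rule:
    """The invariant named in the post: every instance belongs to an ASG."""
    in_asg = {iid for members in asg_members.values() for iid in members}
    return ("in-auto-scaling-group", lambda inst: inst["id"] in in_asg)

def find_violations(instances: Iterable[dict], rules: list[Rule]) -> list[Violation]:
    """Evaluate every rule against every running instance; report only, no action."""
    found = []
    for inst in instances:
        if inst["state"] != "running":  # instances that are already gone are not drift
            continue
        for name, conforms in rules:
            if not conforms(inst):
                found.append(Violation(inst["id"], inst["owner"], name))
    return found

def termination_plan(violations: list[Violation]) -> dict[str, list[str]]:
    """Group non-conforming instance ids by owner, the team that must re-launch."""
    plan: dict[str, set[str]] = {}
    for v in violations:
        plan.setdefault(v.owner, set()).add(v.instance_id)  # one entry per instance
    return {owner: sorted(ids) for owner, ids in plan.items()}

if __name__ == "__main__":
    rules = [asg_membership_rule(ASG_MEMBERS)]
    print(termination_plan(find_violations(INSTANCES, rules)))
```

Any further fleet invariant is added as another `(name, predicate)` pair in the `rules` list; the evaluation and grouping code stays unchanged.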

Relationship to Security Monkey

systems/netflix-security-monkey is explicitly described as "an extension of Conformity Monkey" focused on security-posture drift (mis-configured security groups, expiring certs). The architectural shape is the same; only the rule domain differs.

Enforcement mechanism

From the 2011 post, the enforcement action is instance termination. The reasoning: "We shut them down to give the service owner the opportunity to re-launch them properly." Termination is a coarse but effective signal: it forces the team to re-deploy through the correct pipeline, which by definition enforces the invariant.

Implementation gaps in the 2011 post

  • Full rule set not enumerated.
  • Rule authoring / deployment mechanism undocumented.
  • Grace period / notification flow undocumented.
  • Interaction with ASG capacity floors not described.
  • Opt-out / exceptions mechanism undocumented.

Operational numbers

None disclosed.
