DisasterRecovery

Your Multi-Region strategy is a fantasy

The recent failure showed us the truth: your data is stuck, and active-active failover is a fantasy for 99% of us. Here’s a pragmatic high-availability strategy that actually works.

Well, that was an intense week.

When the great AWS outage of October 2025 hit, I did what every senior IT person does: I grabbed my largest coffee mug, opened our monitoring dashboard, and settled in to watch the world burn. us-east-1, the internet’s stubbornly persistent center of gravity, was having what you’d call a very bad day.

And just like clockwork, as the post-mortems rolled in, the old, tired refrain started up on social media and in Slack: “This is why you must be multi-region.”

I’m going to tell you the truth that vendors, conference speakers, and that one overly enthusiastic junior dev on your team won’t. For 99% of companies, “multi-region” is a lie.

It’s an expensive, complex, and dangerous myth sold as a silver bullet. And the recent outage just proved it.

The “Just Be Multi-Region” fantasy

On paper, it sounds so simple. It’s a lullaby for VPs.

You just run your app in us-east-1 (Virginia) and us-west-2 (Oregon). You put a shiny global load balancer in front, and if Virginia decides to spontaneously become an underwater volcano, poof! All your traffic seamlessly fails over to Oregon. Zero downtime. The SREs are heroes. Champagne for everyone.

This is a fantasy.

It’s a fantasy that costs millions of dollars and lures development teams into a labyrinth of complexity they will never escape. I’ve spent my career building systems that need to stay online. I’ve sat in the planning meetings and priced out the “real” cost. Let me tell you, true active-active multi-region isn’t just “hard”; it’s a completely different class of engineering.

And it’s one that your company almost certainly doesn’t need.

The three killers of Multi-Region dreams

It’s not the application servers. Spinning up EC2 instances or containers in another region is the easy part. That’s what we have Infrastructure as Code for. Any intern can do that.

The problem isn’t the compute. The problem is, and always has been, the data.

Killer 1: Data has gravity, and it’s a jerk

This is the single most important concept in cloud architecture. Data has gravity.

Your application code is a PDF. It’s stateless and lightweight. You can email it, copy it, and run it anywhere. Your 10TB PostgreSQL database is not a PDF. It’s the 300-pound antique oak desk the computer is sitting on. You can’t just “seamlessly fail it over” to another continent.

To have a true seamless failover, your data must be available in the second region at the exact moment of the failure. This means you need synchronous, real-time replication across thousands of miles.

Guess what that does to your write performance? It’s like trying to have a conversation with someone on Mars. The latency of a round-trip from Virginia to Oregon adds hundreds of milliseconds to every single database write. The application becomes unusably slow. Every time a user clicks “save,” they have to wait for a photon to physically travel across the country and back. Your users will hate it.

“Okay,” you say, “we’ll use asynchronous replication!”

Great. Now when us-east-1 fails, you’ve lost the last 5 minutes of data. Every transaction, every new user sign-up, every shopping cart order. Vanished. You’ve traded a “Recovery Time” of zero for a “Data Loss” that is completely unacceptable. Go explain to the finance department that you purposefully designed a system that throws away the most recent customer orders. I’ll wait.

This is the trap. Your compute is portable; your data is anchored.

Killer 2: The astronomical cost

I was on a project once where the CTO, fresh from a vendor conference, wanted a full active-active multi-region setup. We scoped it.

Running 2x the servers was fine. The real cost was the inter-region data transfer.

AWS (and all cloud providers) charge an absolute fortune for data moving between their regions. It’s the “hotel minibar” of cloud services. Every single byte your database replicates, every log, every file transfer… cha-ching.

Our projected bill for the data replication and the specialized services (like Aurora Global Databases or DynamoDB Global Tables) was three times the cost of the entire rest of the infrastructure.

You are paying a massive premium for a fleet of servers, databases, and network gateways that are sitting idle 99.9% of the time. It’s like buying the world’s most expensive gym membership and only going once every five years to “test” it. It’s an insurance policy so expensive, you can’t afford the disaster it’s meant to protect you from.

Killer 3: The crushing complexity

A multi-region system isn’t just two copies of your app. It’s a brand new, highly complex, slightly psychotic distributed system that you now have to feed and care for.

You now have to solve problems you never even thought about:

Global DNS failover: How does Route 53 know a region is down? Health checks fail. But what if the health check itself fails? What if the health check thinks Virginia is fine, but it’s just hallucinating?
Data write conflicts: This is the fun part. What if a user in New York (writing to us-east-1) and a user in California (writing to us-west-2) update the same record at the same time? Welcome to the world of split-brain. Who wins? Nobody. You now have two “canonical” truths, and your database is having an existential crisis. Your job just went from “Cloud Architect” to “Data Therapist.”
Testing: How do you even test a full regional failover? Do you have a big red “Kill Virginia” button? Are you sure you know what will happen when you press it? On a Tuesday afternoon? I didn’t think so.

You haven’t just doubled your infrastructure; you’ve 10x’d your architectural complexity.

But we have Kubernetes because we are Cloud Native

This was my favorite part of the October 2025 outage.

I saw so many teams that thought Kubernetes would save them. They had their fancy federated K8s clusters spanning multiple regions, YAML files as far as the eye could see.

And they still went down.

Why? Because Kubernetes doesn’t solve data gravity!

Your K8s cluster in us-west-2 dutifully spun up all your application pods. They woke up, stretched, and immediately started screaming: “WHERE IS MY DISK?!”

Your persistent volumes (PVs) are backed by EBS or EFS. That ‘E’ stands for ‘Elastic,’ not ‘Extradimensional.’ That disk is physically, stubbornly, regionally attached to Virginia. Your pods in Oregon can’t mount a disk that lives 3,000 miles away.

Unless you’ve invested in another layer of incredibly complex, eye-wateringly expensive storage replication software, your “cloud-native” K8s cluster was just a collection of very expensive, very confused applications shouting into the void for a database that was currently offline.

A pragmatic high availability strategy that actually works

So if multi-region is a lie, what do we do? Just give up? Go home? Take up farming?

Yes. You accept some downtime.

You stop chasing the “five nines” (99.999%) myth and start being honest with the business. Your goal is not “zero downtime.” Your goal is a tested and predictable recovery.

Here is the sane strategy.

1. Embrace Multi-AZ (The real HA)

This is what AWS actually means by “high availability.” Run your application across multiple Availability Zones (AZs) within a single region. An AZ is a physically separate data center. us-east-1a and us-east-1b are miles apart, with different power and network.

This is like having a backup generator for your house. Multi-region is like building an identical, fully-furnished duplicate house in another city just in case a meteor hits your first one.

Use a Multi-AZ RDS instance. Use an Auto Scaling Group that spans AZs. This protects you from 99% of common failures: a server rack dying, a network switch failing, or a construction crew cutting a fiber line. This should be your default. It’s cheap, it’s easy, and it works.

2. Focus on RTO and RPO

Stop talking about “nines” and start talking about two simple numbers:

RTO (Recovery Time Objective): How fast do we need to be back up?
RPO (Recovery Point Objective): How much data can we afford to lose?

Get a real answer from the business, not a fantasy. Is a 4-hour RTO and a 15-minute RPO acceptable? For almost everyone, the answer is yes.

3. Build a “Warm Standby” (The sane DR)

This is the strategy that actually works. It’s the “fire drill” plan, not the “build a duplicate city” plan.

Infrastructure: Your entire infrastructure is defined in Terraform or CloudFormation. You can rebuild it from scratch in any region with a single command.
Data: You take regular snapshots of your database (e.g., every 15 minutes) and automatically copy them to your disaster recovery region (us-west-2).
The plan: When us-east-1 dies, you declare a disaster. The on-call engineer runs the “Deploy-to-DR” script.

Here’s a taste of what that “sane” infrastructure-as-code looks like. You’re not paying for two of everything. You’re paying for a blueprint and a backup.

# main.tf (in your primary region module)
# This is just a normal server
resource "aws_instance" "app_server" {
  count         = 3 # Your normal production count
  ami           = "ami-0abcdef123456"
  instance_type = "t3.large"
  # ... other config
}

# dr.tf (in your DR region module)
# This server doesn't even exist... until you need it.
resource "aws_instance" "dr_app_server" {
  # This is the magic.
  # This resource is "off" by default (count = 0).
  # You flip one variable (is_disaster = true) to build it.
  count         = var.is_disaster ? 3 : 0
  provider      = aws.dr_region # Pointing to us-west-2
  ami           = "ami-0abcdef123456" # Same AMI
  instance_type = "t3.large"
  # ... other config
}

resource "aws_db_instance" "dr_database" {
  count                   = var.is_disaster ? 1 : 0
  provider                = aws.dr_region
  
  # Here it is: You build the new DB from the
  # latest snapshot you've been copying over.
  replicate_source_db     = var.latest_db_snapshot_arn
  
  instance_class          = "db.r5.large"
  # ... other config
}

You flip a single DNS record in Route 53 to point all traffic to the new load balancer in us-west-2.

Yes, you have downtime (your RTO of 2–4 hours). Yes, you might lose 15 minutes of data (your RPO).

But here’s the beautiful part: it actually works, it’s testable, and it costs a tiny fraction of an active-active setup.

The AWS outage in October 2025 wasn’t a lesson in the need for multi-region. It was a global, public, costly lesson in humility. It was a reminder to stop chasing mythical architectures that look good on a conference whiteboard and focus on building resilient, recoverable systems.

So, stop feeling guilty because your setup doesn’t span three continents. You’re not lazy; you’re pragmatic. You’re the sane one in a room full of people passionately arguing about the best way to build a teleporter for that 300-pound antique oak desk.

Let them have their complex, split-brain, data-therapy sessions. You’ve chosen a boring, reliable, testable “warm standby.” You’ve chosen to get some sleep.

AWS Disaster Recovery simplified for every business

Let’s talk about something really important, even if it’s not always the most glamorous topic: keeping your AWS-based applications running, no matter what. We’re going to explore the world of High Availability (HA) and Disaster Recovery (DR). Think of it as building a castle strong enough to withstand a dragon attack, or, you know, a server outage..

Why all the fuss about Disaster Recovery?

Businesses run on applications. These are the engines that power everything from online shopping to, well, pretty much anything digital. If those engines sputter and die, bad things happen. Money gets lost. Customers get frustrated. Reputations get tarnished. High Availability and Disaster Recovery are all about making sure those engines keep running, even when things go wrong. It’s about resilience.

Before we jump into solutions, we need to understand two key measurements:

Recovery Time Objective (RTO): How long can you afford to be down? Minutes? Hours? Days? This is your RTO.
Recovery Point Objective (RPO): How much data can you afford to lose? The last hour’s worth? The last days? That’s your RPO.

Think of RTO and RPO as your “pain tolerance” levels. A low RTO and RPO mean you need things back up and running fast, with minimal data loss. A higher RTO and RPO mean you can tolerate a bit more downtime and data loss. The correct option will depend on your business needs.

Disaster recovery strategies on AWS, from basic to bulletproof

AWS offers a toolbox of options, from simple backups to fully redundant, multi-region setups. Let’s explore a few common strategies, like choosing the right level of armor for your knight:

Pilot Light: Imagine keeping the pilot light lit on your stove. It’s not doing much, but it’s ready to ignite the main burner at any moment. In AWS terms, this means having the bare minimum running, maybe a database replica syncing data in another region, and your server configurations saved as templates (AMIs). When disaster strikes, you “turn on the gas”, launch those servers, connect them to the database, and you’re back in business.
- Good for: Cost-conscious applications where you can tolerate a few hours of downtime.
- AWS Services: RDS Multi-AZ (for database replication), Amazon S3 cross-region replication, EC2 AMIs.
Warm Standby: This is like having a smaller, backup stove already plugged in and warmed up. It’s not as powerful as your main stove, but it can handle the basic cooking while the main one is being repaired. In AWS, you’d have a scaled-down version of your application running in another region. It’s ready to handle traffic, but you might need to scale it up (add more “burners”) to handle the full load.
- Good for: Applications where you need faster recovery than Pilot Light, but you still want to control costs.
- AWS Services: Auto Scaling (to automatically adjust capacity), Amazon EC2, Amazon RDS.
Active/Active (Multi-Region): This is the “two full kitchens” approach. You have identical setups running in multiple AWS regions simultaneously. If one kitchen goes down, the other one is already cooking, and your customers barely notice a thing. You use AWS Route 53 (think of it as a smart traffic controller) to send users to the closest or healthiest “kitchen.”
- Good for: Mission-critical applications where downtime is simply unacceptable.
- AWS Services: Route 53 (with health checks and failover routing), Amazon EC2, Amazon RDS, DynamoDB global tables.

Picking the right armor, It’s all about trade-offs

There’s no “one-size-fits-all” answer. The best strategy depends on those RTO/RPO targets we talked about, and, of course, your budget.

Here’s a simple way to think about it:

Tight RTO/RPO, Budget No Object? Active/Active is your champion.
Need Fast Recovery, But Watching Costs? Warm Standby is a good compromise.
Can Tolerate Some Downtime, Prioritizing Cost Savings? Pilot Light is your friend.
Minimum RTO/RPO and Minimum Budget? Backups.

The trick is to be honest about your real needs. Don’t build a fortress if a sturdy wall will do.

A quick glimpse at implementation

Let’s say you’re going with the Pilot Light approach. You could:

Set up Amazon S3 Cross-Region Replication to copy your important data to another AWS region.
Create an Amazon Machine Image (AMI) of your application server. This is like a snapshot of your server’s configuration.
Store that AMI in the backup region.

In a disaster scenario, you’d launch EC2 instances from that AMI, connect them to your replicated data, and point your DNS to the new instances.

Tools like AWS Elastic Disaster Recovery (a managed service) or CloudFormation (for infrastructure-as-code) can automate much of this process, making it less of a headache.

Testing, Testing, 1, 2, 3…

You wouldn’t buy a car without a test drive, right? The same goes for disaster recovery. You must test your plan regularly.

Simulate a failure. Shut down resources in your primary region. See how long it takes to recover. Use AWS CloudWatch metrics to measure your actual RTO and RPO. This is how you find the weak spots before a real disaster hits. It’s like fire drills for your application.

The takeaway, be prepared, not scared

Disaster recovery might seem daunting, but it doesn’t have to be. AWS provides the tools, and with a bit of planning and testing, you can build a resilient architecture that can weather the storm. It’s about peace of mind, knowing that your business can keep running, no matter what. Start small, test often, and build up your defenses over time.

March 13, 2025 by Fernando SRE Cloud stuff DevOps stuff

Fast database recovery using Aurora Backtracking

Let’s say you’re a barista crafting a perfect latte. The espresso pours smoothly, the milk steams just right, then a clumsy elbow knocks over the shot, ruining hours of prep. In databases, a single misplaced command or faulty deployment can unravel days of work just as quickly. Traditional recovery tools like Point-in-Time Recovery (PITR) in Amazon Aurora are dependable, but they’re the equivalent of tossing the ruined latte and starting fresh. What if you could simply rewind the spill itself?

Let’s introduce Aurora Backtracking, a feature that acts like a “rewind” button for your database. Instead of waiting hours for a full restore, you can reverse unwanted changes in minutes. This article tries to unpack how Backtracking works and how to use it wisely.

What is Aurora Backtracking? A time machine for your database

Think of Aurora Backtracking as a DVR for your database. Just as you’d rewind a TV show to rewatch a scene, Backtracking lets you roll back your database to a specific moment in the past. Here’s the magic:

Backtrack Window: This is your “recording buffer.” You decide how far back you want to keep a log of changes, say, 72 hours. The larger the window, the more storage you’ll use (and pay for).
In-Place Reversal: Unlike PITR, which creates a new database instance from a backup, Backtracking rewrites history in your existing database. It’s like editing a document’s revision history instead of saving a new file.

Limitations to Remember :

It can’t recover from instance failures (use PITR for that).
It won’t rescue data obliterated by a DROP TABLE command (sorry, that’s a hard delete).
It’s only for Aurora MySQL-Compatible Edition, not PostgreSQL.

When backtracking shines

Oops, I Broke Production
Scenario: A developer runs an UPDATE query without a WHERE clause, turning all user emails to “oops@example.com .”
Solution: Backtrack 10 minutes and undo the mistake—no downtime, no panic.
Bad Deployment? Roll It Back
Scenario: A new schema migration crashes your app.
Solution: Rewind to before the deployment, fix the code, and try again. Faster than debugging in production.
Testing at Light Speed
Scenario: Your QA team needs to reset a database to its original state after load testing.
Solution: Backtrack to the pre-test state in minutes, not hours.

How to use backtracking

Step 1: Enable Backtracking

Prerequisites: Use Aurora MySQL 5.7 or later.
Setup: When creating or modifying a cluster, specify your backtrack window (e.g., 24 hours). Longer windows cost more, so balance need vs. expense.

Step 2: Rewind Time

AWS Console: Navigate to your cluster, click “Backtrack,” choose a timestamp, and confirm.
CLI Example :

aws rds backtrack-db-cluster --db-cluster-identifier my-cluster --backtrack-to "2024-01-15T14:30:00Z"

Step 3: Monitor Progress

Use CloudWatch metrics like BacktrackChangeRecordsApplying to track the rewind.

Best Practices:

Test Backtracking in staging first.
Pair it with database cloning for complex rollbacks.
Never rely on it as your only recovery tool.

Backtracking vs. PITR vs. Snapshots: Which to choose?

Method	Speed	Best For	Limitations
Backtracking	🚀 Fastest	Reverting recent human error	In-place only, limited window
PITR	🐢 Slower	Disaster recovery, instance failure	Creates a new instance
Snapshots	🐌 Slowest	Full restores, compliance	Manual, time-consuming

Decision Tree :

Need to undo a mistake made today? Backtrack.
Recovering from a server crash? PITR.
Restoring a deleted database? Snapshot.

Rewind, Reboot, Repeat

Aurora Backtracking isn’t a replacement for backups, it’s a scalpel for precision recovery. By understanding its strengths (speed, simplicity) and limits (no magic for disasters), you can slash downtime and keep your team agile. Next time chaos strikes, sometimes the best way forward is to hit “rewind.”

March 6, 2025 by Fernando SRE Cloud stuff DevOps stuff SRE stuff

Business Continuity through AWS Solutions for Unforeseen Disasters

Safeguarding your critical applications and data against unforeseen disasters is paramount in cloud computing. A robust backup and disaster recovery (BDR) strategy on AWS ensures that your business can weather any storm, minimize downtime, and recover swiftly. In this article, we’ll delve into the essential components of a comprehensive BDR strategy, leveraging AWS services like Amazon RDS snapshots, Amazon S3 versioning, AWS Backup, cross-region replication, and the strategic deployment of pilot light and warm standby architectures.

Building Blocks of a Resilient BDR Strategy

Amazon RDS Snapshots: Think of snapshots as time capsules for your databases. We configure Amazon RDS to automatically capture these snapshots at regular intervals, ensuring we always have a recent copy of our data. Retention policies are then put in place to manage the lifecycle of these snapshots, gracefully retiring older ones to maintain a lean and efficient backup system.
Amazon S3 Versioning: The beauty of Amazon S3 versioning lies in its ability to preserve every iteration of your data. By enabling versioning on S3 buckets, we create a safety net that allows us to retrieve prior versions of objects, even if they are accidentally deleted or modified. Lifecycle policies further enhance this mechanism by transitioning older versions to cost-effective storage tiers like S3 Glacier, optimizing costs without compromising data integrity.
AWS Backup: The maestro of our BDR (backup and disaster recovery) orchestra, AWS Backup centralizes and automates the backup process across many AWS resources, including Amazon RDS, EBS, DynamoDB, and S3. With AWS Backup, we orchestrate backup plans that define the cadence and retention periods for our backups, ensuring comprehensive coverage of critical data and resources.
Cross-Region Replication: To fortify our BDR strategy against regional outages, we embrace cross-region replication. This entails configuring S3 buckets and Amazon RDS instances to replicate data seamlessly across geographically distinct regions. In the event of a disaster in one region, we can swiftly switch over to the secondary region, ensuring uninterrupted access to our applications and data.
Pilot Light and Warm Standby: These strategies add an extra layer of preparedness to our BDR arsenal. A pilot light architecture involves replicating critical application components (databases, configurations) in a secondary region, ready to be ignited in case of a disaster. Warm standby takes this a step further by maintaining a scaled-down version of the infrastructure in the secondary region, poised to rapidly scale up and assume the full workload if the primary region falters.
Testing and Documentation: A BDR strategy is only as good as its execution. Regular disaster recovery simulations and failover tests validate the effectiveness of our configurations and procedures. Meticulous documentation serves as a guiding light for the operations team, providing clear instructions on how to navigate the complexities of disaster recovery.

The Symphony of AWS Services

Picture our BDR (backup and disaster recovery) strategy as a finely-tuned orchestra, each AWS service playing a crucial role in the grand performance of disaster recovery. Amazon RDS snapshots and S3 versioning act as time-traveling historians, meticulously preserving past versions of our data, allowing us to ‘rewind’ in case of accidental deletions or corruptions. AWS Backup takes the conductor’s podium, ensuring that every instrument in the orchestra, our diverse AWS resources, is backed up according to a well-defined schedule. Cross-region replication extends the stage, creating a ‘mirror image’ of our performance in another geographical location, ensuring the show goes on even if one stage is unexpectedly closed.

And then we have the understudies, always ready to step in: pilot light and warm standby. These architectures keep a scaled-down version of our performance running in the wings, ready to take center stage at a moment’s notice should the main performance be interrupted. Together, these services create a symphony of resilience, ensuring that even if disaster strikes, the music never stops.

In a Few Words

By adopting this multi-faceted BDR strategy, we empower our organization to face any adversity with confidence. Our critical applications and data are shielded by layers of protection, ensuring their availability and integrity even in the face of unforeseen disasters. Regular testing and comprehensive documentation further bolster our preparedness, enabling swift and effective recovery. With this BDR strategy in place, we can rest assured that our business can weather any storm and emerge stronger on the other side.

August 20, 2024 by Fernando SRE Cloud stuff

Types of Failover in Amazon Route 53 Explained Easily

Imagine Amazon Route 53 as a city’s traffic control system that directs cars (internet traffic) to different streets (servers or resources) based on traffic conditions and road health (the health and configuration of your AWS resources).

Active-Active Failover

In an active-active scenario, you have two streets leading to your destination (your website or application), and both are open to traffic all the time. If one street gets blocked (a server fails), traffic simply continues flowing through the other street. This is useful when you want to balance the load between two resources that are always available.

Active-active failover gives you access to all resources during normal operation. In this example, both region 1 and region 2 are active all the time. When a resource becomes unavailable, Route 53 can detect that it’s unhealthy and stop including it when responding to queries.

Active-Passive Failover

In active-passive failover, you have one main street that you prefer all traffic to use (the primary resource) and a secondary street that’s only used if the main one is blocked (the secondary resource is activated only if the primary fails). This method is useful when you have a preferred resource to handle requests but need a backup in case it fails.

Use an active-passive failover configuration when you want a primary resource or group of resources to be available the majority of the time and you want a secondary resource or group of resources to be on standby in case all the primary resources become unavailable.

Configuring Active-Passive Failover with One Primary and One Secondary Resource

This approach is like having one big street and one small street. You use the big street whenever possible because it can handle more traffic or get you to your destination more directly. You only use the small street if there’s construction or a blockage on the big street.

Configuring Active-Passive Failover with Multiple Primary and Secondary Resources

Now imagine you have several big streets and several small streets. All the big ones are your preferred options, and all the small ones are your backup options. Depending on how many big streets are available, you’ll direct traffic to them before considering using the small ones.

Configuring Active-Passive Failover with Weighted Records

This is like having multiple streets leading to your destination, but you give each street a “weight” based on how often you want it used. Some streets (resources) are preferred more than others, and that preference is adjusted by weight. You still have a backup street for when your preferred options aren’t available.

Evaluating Target Health

“Evaluate Target Health” is like having traffic sensors that instantly tell you if a street is blocked. If you’re routing traffic to AWS resources for which you can create alias records, you don’t need to set up separate health checks for those resources. Instead, you enable “Evaluate Target Health” on your alias records, and Route 53 will automatically check the health of those resources. This simplifies setup and keeps your traffic flowing to streets (resources) that are open and healthy without needing additional health configurations.

In short, Amazon Route 53 offers a powerful set of tools that you can use to manage the availability and resilience of your applications through a variety of ways to apply failover configurations. Implementation of such knowledge into the practice of failover strategy will result in keeping your application up and available for the users in cases when any kind of resource fails or gets a downtime outage.

April 1, 2024 by Fernando SRE Cloud stuff SRE stuff