Redundancy Patterns: Building Systems That Never Fail

In November 2017, Amazon Web Services experienced a major S3 outage that cascaded across thousands of websites and applications. The four-hour disruption cost S&P 500 companies an estimated $150 million. In 2021, Facebook's BGP misconfiguration took down WhatsApp, Instagram, and Facebook simultaneously for six hours, affecting 3.5 billion users and costing the company approximately $100 million in lost revenue.

These incidents share a common lesson: single points of failure are catastrophic at scale. When a system serves millions of users or processes billions of dollars in transactions, even minutes of downtime translate to significant business impact. This reality drives one of the most fundamental principles in system design: redundancy.

Active-passive redundancy represents the foundational pattern for eliminating single points of failure. It's the architectural equivalent of having a spare tire in your car—a standby component ready to take over the moment the primary fails. While conceptually simple, implementing active-passive redundancy correctly requires deep understanding of failure detection, state synchronization, failover mechanics, and the subtle tradeoffs that determine whether your system gracefully handles failures or creates new problems.

Active-passive redundancy, also known as primary-standby or master-slave architecture, is a high availability pattern where one component (the active or primary) handles all requests while one or more identical components (the passive or standby) remain idle, ready to assume the primary role if failure occurs.

The Core Principle:

At its heart, active-passive redundancy embodies a simple proposition: maintain a fully functional copy of your critical system that can take over instantly when needed. The passive component isn't just a backup of data—it's a complete, operational replica capable of serving production traffic the moment it's activated.

This pattern appears throughout computing infrastructure:

• Database systems: A primary database handles all writes while a standby replica maintains synchronized data, ready for promotion
• Load balancers: A primary load balancer routes traffic while a standby monitors health and assumes control during failures
• Application servers: Primary instances serve requests while standby instances wait in warm or hot standby states
• Network equipment: Primary routers handle traffic while backup routers maintain routing tables for instant failover

Why Choose Active-Passive?

Active-passive redundancy offers several compelling advantages that explain its widespread adoption:

Simplicity: Unlike active-active configurations, there's no need to handle concurrent writes, resolve conflicts, or manage distributed consensus. The primary handles all operations, eliminating coordination complexity.

Consistency: With a single writer, data consistency is inherently maintained. There's no risk of conflicting updates or split-brain scenarios during normal operation.

Cost Efficiency: The passive component can run on less powerful hardware or remain in a reduced capacity state, lowering operational costs compared to fully active replicas.

Predictable Behavior: Traffic always flows through the primary, making performance characteristics predictable and debugging straightforward.

A robust active-passive implementation consists of several interconnected components working in concert. Understanding each component's role is essential for designing systems that fail gracefully.

1. The Primary (Active) Component

The primary component handles all production workload:

• Processes incoming requests from clients
• Maintains authoritative state (database records, session data, etc.)
• Generates replication streams for standby synchronization
• Reports health status to monitoring systems
• Participates in leader election protocols

2. The Standby (Passive) Component

The standby component maintains failover readiness:

• Receives and applies replication streams from the primary
• Maintains near-current copy of all critical state
• Monitors primary health through heartbeat mechanisms
• Stands ready to assume primary role on failure detection
• May serve read-only queries in some configurations

3. Health Monitoring System

The monitoring layer detects failures and triggers failover:

• Implements heartbeat/ping protocols
• Distinguishes between component failure and network partitions
• Makes promotion decisions based on configurable policies
• Prevents split-brain scenarios through quorum or fencing
• Logs all state transitions for debugging and auditing

4. Traffic Routing Mechanism

Routing ensures clients connect to the active component:

• Virtual IP (VIP): A floating IP address that moves between primary and standby during failover
• DNS-based routing: DNS records updated to point to the new primary
• Load balancer: Health-checked backend pools that remove failed primaries
• Service discovery: Dynamic registration systems like Consul or etcd

5. Fencing Mechanism

Fencing prevents split-brain scenarios:

• STONITH (Shoot The Other Node In The Head): Physically powers off the failed node
• Resource fencing: Revokes access to shared storage or network
• Application-level fencing: Invalidates sessions, revokes tokens

Each component must be carefully designed and tested together. A monitoring system that detects failures but can't route traffic is useless. A replication system that falls behind makes failover lossy. These components form an integrated whole.

Failure detection is the most critical and challenging aspect of active-passive systems. Detecting failures too slowly extends downtime; detecting them too aggressively causes unnecessary failovers that disrupt service. The art of failure detection lies in finding the optimal balance.

Heartbeat Protocols

Heartbeats are periodic signals that indicate a component is alive and functioning. They form the foundation of most failure detection systems:

Push-based heartbeats: The primary actively sends signals to the standby or monitor at regular intervals. Missing heartbeats trigger failure investigation.

Pull-based health checks: The monitor actively queries the primary's health endpoint. Failed queries or timeout responses indicate potential failure.

Bidirectional heartbeats: Both primary and standby exchange heartbeats, enabling either to detect the other's failure.

Configuring Detection Parameters

The three critical parameters for heartbeat configuration are:

Heartbeat Interval: How frequently health checks occur. Shorter intervals detect failures faster but increase network and CPU overhead. Typical values range from 100ms for latency-sensitive systems to 30 seconds for less critical components.

Timeout Period: How long to wait for a response before considering a check failed. Must account for network latency, garbage collection pauses, and temporary load spikes. Setting this too low causes false positives; too high delays failure detection.

Failure Threshold: How many consecutive failures trigger failover. A single missed heartbeat could be a network blip; three consecutive failures suggest genuine failure. Higher thresholds reduce false positives but extend detection time.

The Detection Time Formula:

Maximum Detection Time = (Failure Threshold × Heartbeat Interval) + Timeout

For example, with 5-second intervals, 3-second timeouts, and a threshold of 3:

• Maximum detection time = (3 × 5) + 3 = 18 seconds

This 18-second window represents the worst-case time between actual failure and failover initiation.

For the standby to assume the primary role effectively, it must maintain sufficiently current state. The synchronization strategy determines how much data might be lost during failover and how quickly the standby can take over.

Synchronous Replication

In synchronous replication, the primary waits for the standby to acknowledge receipt of each change before confirming success to the client:

1. Client sends write request to primary
2. Primary applies change locally
3. Primary sends change to standby
4. Standby applies change and acknowledges
5. Primary confirms success to client

Advantages:

• Zero data loss during failover (RPO = 0)
• Standby always has complete, consistent state
• No recovery replay needed after promotion

Disadvantages:

• Higher latency for every write operation
• Standby failure blocks primary operations
• Network latency directly impacts performance

Asynchronous Replication

In asynchronous replication, the primary confirms success immediately and replicates changes independently:

1. Client sends write request to primary
2. Primary applies change and confirms success
3. Primary queues change for replication
4. Standby receives and applies change (eventually)

Advantages:

• Lower write latency (no waiting for standby)
• Standby failures don't affect primary performance
• Works across high-latency network links

Disadvantages:

• Potential data loss during failover (RPO > 0)
• Replication lag creates inconsistency windows
• May require recovery replay after promotion

Semi-Synchronous Replication

Semi-synchronous replication offers a middle ground:

• Primary waits for acknowledgment from at least one standby
• If no acknowledgment within timeout, falls back to asynchronous
• Balances data safety with availability

MySQL, PostgreSQL, and many databases support this mode, allowing operators to tune the tradeoff based on requirements.

When failure is detected, the system must execute a coordinated sequence of steps to promote the standby to primary status. This process must be reliable, fast, and safe from split-brain scenarios.

The Failover Sequence:

Step 1: Failure Confirmation

• Multiple monitors confirm the primary is unreachable
• Distinguish between primary failure and network partition
• Quorum-based decision prevents false positives

Step 2: Fencing the Failed Primary

• Ensure the old primary cannot continue serving requests
• Revoke access to shared resources (storage, network)
• STONITH (power off) for hardware-level certainty

Step 3: Standby Promotion

• Stop replication from the failed primary
• Apply any pending replication log entries
• Transition from read-only to read-write mode
• Update internal state to reflect primary role

Step 4: Traffic Redirection

• Move Virtual IP to the new primary
• Update DNS records (with TTL considerations)
• Reconfigure load balancer backends
• Update service discovery registrations

Step 5: Validation

• Verify the new primary is accepting connections
• Confirm data integrity and consistency
• Run health checks against the promoted system
• Alert operations team of completed failover

Implementing active-passive redundancy correctly requires attention to numerous details. These best practices, learned from production experience, help avoid common pitfalls.

1. Test Failover Regularly

Failover that isn't tested is failover that doesn't work. Regular testing reveals:

• Configuration drift between primary and standby
• Replication lag issues
• Fencing mechanism failures
• Traffic routing problems
• Recovery time reality vs expectations

Schedule monthly or quarterly failover drills. Automate what you can, but ensure humans practice the manual steps too.

2. Maintain Standby at Full Capacity

A standby that can't handle production load is not a viable failover target. Ensure:

• Standby hardware matches primary specifications
• Standby is running same software versions
• Standby has equivalent network capacity
• Standby configuration mirrors production settings

3. Monitor Replication Continuously

Replication health determines failover quality:

• Track replication lag in real-time
• Alert on lag exceeding thresholds
• Monitor replication throughput and queue depth
• Verify data consistency periodically

4. Implement Proper Timeouts

Timeout configuration requires careful tuning:

• Account for garbage collection pauses
• Consider network latency variability
• Allow for temporary load spikes
• Balance detection speed vs false positive risk

PostgreSQL Streaming Replication

PostgreSQL implements active-passive through streaming replication:

• Primary streams Write-Ahead Log (WAL) to standby
• Standby replays WAL to maintain synchronized state
• Supports both synchronous and asynchronous modes
• Tools like Patroni automate failover and leader election

MySQL Group Replication (Single-Primary Mode)

MySQL's Group Replication can operate in single-primary mode:

• One member is elected primary and accepts writes
• Other members are secondaries that replicate synchronously
• Automatic primary election on failure
• Built-in conflict detection (though conflicts shouldn't occur)

AWS RDS Multi-AZ

Amazon RDS implements active-passive at the managed service level:

• Primary instance in one Availability Zone
• Synchronous standby in different AZ
• Automatic failover with DNS update
• Transparent to applications using the endpoint DNS

Redis Sentinel

Redis uses Sentinel for active-passive high availability:

• Sentinel processes monitor Redis master and replicas
• Automatic failover when master unreachable
• Client libraries query Sentinel for current master
• Supports notification and scripting on state changes

Active-passive redundancy is the foundational pattern for high availability. While conceptually simple—keep a spare ready—correct implementation requires careful attention to failure detection, state synchronization, failover mechanics, and split-brain prevention.

Next Steps:

Active-passive redundancy excels at simplicity and consistency but leaves standby resources idle. In the next page, we'll explore active-active redundancy, where all nodes handle production traffic simultaneously—eliminating wasted capacity but introducing new challenges around coordination and conflict resolution.