Redundancy Patterns: Building Systems That Never Fail

On February 28, 2017, a typo in a command took down Amazon S3 in the US-East-1 region for nearly four hours. The impact was staggering: thousands of websites and applications became unavailable, including major services like Slack, Quora, and Business Insider. Companies lost millions in revenue, and the internet—for many users—seemed broken.

The companies that survived unscathed shared one characteristic: geographic redundancy. They had deployed their systems across multiple AWS regions, so when US-East-1 failed, traffic automatically shifted to other regions where their services continued running.

Geographic redundancy extends the redundancy concept beyond individual servers to entire physical locations. It protects against disasters that affect whole datacenters or regions: power grid failures, natural disasters, fiber cuts, or even geopolitical events. For systems requiring true high availability, geographic redundancy isn't optional—it's essential.

But geographic distribution introduces profound challenges: data consistency across continents, latency management, cost multiplication, and operational complexity. This page provides a comprehensive framework for designing, implementing, and operating geographically redundant systems.

Geographic redundancy exists at multiple levels, each providing different protection against different failure modes:

Availability Zones (AZs)

Cloud providers divide regions into availability zones—physically separate datacenters with independent power, cooling, and networking, connected by high-bandwidth, low-latency links.

• Distance: Typically 1-100km apart within a metro area
• Latency: Sub-millisecond to single-digit milliseconds
• Protection: Power failures, cooling failures, localized disasters
• Limitation: Same region, susceptible to regional outages

Regions

Geographically separated collections of availability zones, typically hundreds or thousands of kilometers apart.

• Distance: Hundreds to thousands of kilometers
• Latency: Tens to hundreds of milliseconds
• Protection: Regional disasters, regional network failures, regional power grid failures
• Limitation: Same continent, cost of inter-region traffic

Continents/Global

Distribution across multiple continents for maximum geographic isolation.

• Distance: Thousands of kilometers
• Latency: 100-300+ milliseconds
• Protection: Continental disasters, geopolitical issues, undersea cable cuts
• Limitation: Extreme latency, complex data sovereignty

Choosing Your Level:

The appropriate level depends on your availability requirements and constraints:

• Multi-AZ: Baseline for any production system; handles most common failures
• Multi-Region: Required for 99.99%+ availability SLAs, global user bases, or regulatory requirements
• Multi-Continent: Reserved for truly global services, specific compliance needs, or maximum disaster resilience

Most organizations should implement multi-AZ by default and add multi-region for critical systems. Multi-continent is typically only justified for the largest global platforms.

Several architectural patterns exist for geographic redundancy, each with distinct tradeoffs:

1. Active-Passive (Pilot Light)

One region handles all traffic; secondary region maintains minimal infrastructure ready for activation.

• Primary region: Full capacity, all traffic
• Secondary region: Core infrastructure running, minimal compute, replicated data
• Failover: Spin up compute, redirect traffic
• RTO: Minutes to hours (depends on spin-up time)
• Cost: Lower (passive region is minimal)
• Best for: Cost-sensitive applications with tolerance for some downtime

2. Active-Passive (Warm Standby)

Secondary region runs reduced capacity, fully functional, ready for immediate promotion.

• Primary region: Full capacity, all traffic
• Secondary region: Reduced capacity, synchronized data, running application
• Failover: Scale up compute, redirect traffic
• RTO: Minutes (pre-warmed environment)
• Cost: Moderate (partial capacity in secondary)
• Best for: Applications needing fast recovery without full active-active complexity

3. Active-Active

Both regions handle production traffic simultaneously, each capable of absorbing the other's load.

• Both regions: Full or high capacity, serving traffic
• Traffic: Split by geography, round-robin, or user affinity
• Failover: Traffic reroutes automatically
• RTO: Seconds (no spin-up needed)
• Cost: Higher (2x or near-2x capacity)
• Best for: Highest availability requirements, global user distribution

Data replication across geographic regions faces the fundamental constraint of physics: the speed of light. A round-trip from US-East to EU-West takes approximately 80-100ms minimum. This latency fundamentally shapes replication strategies.

Asynchronous Replication

Changes are made locally and replicated in the background:

• Latency impact: None—writes complete locally
• Consistency: Eventually consistent, possible data loss during failover
• RPO: Seconds to minutes (replication lag)
• Implementation: Database log shipping, change data capture, message queues

Synchronous Replication

Changes wait for acknowledgment from remote region before completing:

• Latency impact: Significant—every write includes cross-region round-trip
• Consistency: Strong—both regions always synchronized
• RPO: Zero—no data loss during failover
• Limitation: Usually impractical for cross-region (100ms+ per write)

Semi-Synchronous Replication

Changes wait for at least one replica (can be same-region) before completing:

• Latency impact: Moderate—local region sync, async to remote
• Consistency: Strong within region, eventual across regions
• RPO: Seconds—limited by cross-region replication lag

Conflict-Free Replication (CRDTs)

Data structures designed to merge concurrent modifications automatically:

• Latency impact: None—fully local writes
• Consistency: Eventually consistent but convergent
• RPO: Language varies by type (counters, sets, registers)
• Best for: Specific data types (counters, sets, LWW registers)

Practical Replication Patterns:

Primary-Secondary (Master-Slave)

One region owns all writes; others replicate and serve reads:

• Simple to implement and reason about
• Cross-region writes require routing to primary region
• Failover involves promoting secondary to primary

Multi-Primary with Conflict Resolution

All regions accept writes; conflicts resolved by policy:

• Maximum availability (write anywhere)
• Requires conflict resolution strategy
• Best with last-write-wins or application-specific logic

Sharded by Region

Different data owned by different regions:

• Users in US write to US; users in EU write to EU
• No conflicts for region-local data
• Cross-region access requires remote calls

Routing traffic across regions and executing failover when regions fail requires specialized infrastructure and careful planning.

Global Traffic Management Options:

1. GeoDNS

DNS servers return different IP addresses based on client geographic location:

• How it works: DNS resolver location determines response
• Failover: Update DNS records, wait for TTL expiration
• Latency: TTL-dependent failover (seconds to minutes)
• Providers: Route 53, Cloudflare, NS1

2. Global Server Load Balancing (GSLB)

DNS-based load balancing with health checks and intelligent routing:

• How it works: Monitors endpoint health, routes to healthy regions
• Failover: Automatic when health checks fail
• Latency: Health check interval + TTL
• Providers: F5, Citrix, AWS Global Accelerator

3. Anycast

Same IP address announced from multiple locations; BGP routes to nearest:

• How it works: Network layer routing to closest healthy endpoint
• Failover: BGP withdrawal from failed region
• Latency: Seconds (BGP convergence)
• Providers: Cloudflare, Akamai, custom BGP deployment

4. CDN-Based Routing

CDN edge handles routing decisions based on rules and health:

• How it works: Edge logic determines origin server
• Failover: Edge detects origin failure, routes to backup
• Latency: Near-instant (at edge)
• Providers: Cloudflare Workers, AWS CloudFront with Lambda@Edge

Understanding different regional failure modes helps design appropriate responses:

Complete Region Outage

The entire region becomes unreachable (power, network, or cloud provider failure):

• Detection: External health checks fail from multiple vantage points
• Response: Redirect all traffic to surviving regions
• Challenge: May be sudden, high traffic surge to remaining regions
• Example: AWS US-East-1 outages, Azure region failures

Partial Region Degradation

Some services in the region fail while others continue:

• Detection: Specific health checks fail while others pass
• Response: Fail over affected services only; maintain working services locally
• Challenge: Complex decision-making—full failover vs partial
• Example: A specific AZ within a region fails

Network Partition

Region is reachable from some locations but not others:

• Detection: Conflicting health check results from different vantage points
• Response: Route affected users to reachable regions
• Challenge: Split-brain risk if some users can still reach the partition
• Example: Submarine cable cuts, regional internet disruptions

Performance Degradation

Region is operational but slow or experiencing high error rates:

• Detection: Latency or error rate thresholds exceeded
• Response: Shift traffic gradually to reduce load; maintain some traffic
• Challenge: Determining threshold for action vs waiting for recovery
• Example: Overloaded services, degraded database performance

Operating geographically distributed systems requires specialized practices and tooling:

Multi-Region Deployment

Deployments must coordinate across regions safely:

• Serial deployment: Deploy to one region, verify, then proceed to next
• Canary regions: Route small traffic percentage to new version before full rollout
• Rollback capability: Each region independently rollback-able
• Version tracking: Know exactly what version runs where

Cross-Region Monitoring

Monitoring must itself be geographically distributed:

• External monitoring: Third-party services checking from multiple locations
• Cross-region health checks: Each region monitors others
• Synthetic transactions: End-to-end tests simulating user behavior in each region
• Replication metrics: Lag, throughput, errors for cross-region data sync

Testing Geographic Failover

Regular testing ensures failover actually works:

• Scheduled drills: Planned regional failovers with rollback ready
• Chaos engineering: Random region failures in production (carefully controlled)
• Capacity validation: Verify receiving regions can handle full load
• Runbook validation: Ensure documented procedures match reality

Cost Management

Multi-region deployments multiply infrastructure costs:

• Data transfer: Cross-region transfer is expensive; minimize replication bandwidth
• Compute: Size secondary regions appropriately (N+1 per region or global N+M)
• Storage: Replicated storage costs multiply by region count
• Reserved capacity: Multi-region reserved instances/committed use discounts

Netflix

Netflix operates across multiple AWS regions with active-active architecture:

• Zuul gateway for intelligent traffic routing
• Regional failover tested continuously through chaos engineering
• Stateless services with regional data caching
• Global database (Cassandra) with multi-region replication

Google

Google's Spanner provides globally consistent database:

• TrueTime for global transaction ordering across regions
• Automatic failover with strong consistency
• Paxos-based replication for durability
• Available as managed service (Cloud Spanner)

Stripe

Stripe implements multi-region for payment reliability:

• Active-passive with automated failover
• Synchronous replication for payment data (zero loss tolerance)
• Extensive testing through regular failover exercises
• API versioning enables gradual regional rollouts

Cloudflare

Cloudflare's network is inherently global:

• Anycast routing to nearest datacenter
• No single 'primary' region—truly distributed
• Workers execute at edge, near users
• Automatic failover through BGP withdrawal

Geographic redundancy protects against failures that affect entire regions—from datacenter fires to cloud provider outages. While complex and costly, it's essential for systems requiring the highest availability levels.

Next Steps:

Geographic redundancy protects against location-level failures. But what about individual component failures within a system? In the next page, we'll explore component redundancy—the patterns for eliminating single points of failure at the component level within a single deployment.