A healthcare company has a 5-minute RTO and 1-minute RPO for their core application. They run in us-east-1 today. Design the DR architecture for region failure.
Key Constraints
RTO: 5 minutes
RPO: 1 minute
Regulated (HIPAA) — encryption mandatory
Must survive entire region failure
Reference Architecture (interactive 3D diagram, not reproduced here)
Warm Standby with Aurora Global Database
1. Aurora Global Database: writes in us-east-1, replicated to us-west-2 in under 1 second (meets RPO).
2. Route 53 failover routing with health checks on the primary ALB.
3. us-west-2 runs a 'warm' copy: minimal EC2 instances pre-provisioned (faster than pilot-light).
4. On region failure: Route 53 fails over (~30-60s), ASG scales us-west-2 up, Aurora promotes the secondary region → total RTO under 5 min.
5. S3 Cross-Region Replication keeps static assets and backups in both regions.
6. KMS multi-region keys so the same key ID encrypts/decrypts data in both regions.
7. CloudFormation StackSets keep both regions in config sync (drift = silent DR failure).
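As an added example (not part of the original answer), a CloudFormation fragment for the Aurora Global Database and Route 53 failover pieces of steps 1, 2 and 4; the domain names, `/healthz` path, cluster identifier and ALB parameters are placeholders, and the us-west-2 secondary cluster is assumed to be created by the StackSet instance in that region using the same `GlobalClusterIdentifier`.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  HostedZoneId: { Type: AWS::Route53::HostedZone::Id }
  AppDomainName: { Type: String, Default: app.example.com }              # placeholder
  PrimaryCheckHost: { Type: String, Default: us-east-1.app.example.com } # must be covered by the primary ALB cert
  PrimaryAlbDnsName: { Type: String }   # ALB DNS name in us-east-1
  PrimaryAlbZoneId: { Type: String }    # ALB canonical hosted zone ID
  StandbyAlbDnsName: { Type: String }   # ALB DNS name in us-west-2
  StandbyAlbZoneId: { Type: String }
  PrimaryClusterId: { Type: String }    # existing encrypted Aurora cluster in us-east-1
Resources:
  # Global database: the us-east-1 cluster is the writer; the us-west-2 secondary joins via this identifier.
  GlobalDb:
    Type: AWS::RDS::GlobalCluster
    Properties:
      GlobalClusterIdentifier: core-app-global   # placeholder name
      SourceDBClusterIdentifier: !Ref PrimaryClusterId
      DeletionProtection: true
  # 10 s interval x 3 failures: primary is marked unhealthy within ~30 s of going dark.
  PrimaryHealthCheck:
    Type: AWS::Route53::HealthCheck
    Properties:
      HealthCheckConfig:
        Type: HTTPS
        FullyQualifiedDomainName: !Ref PrimaryCheckHost
        ResourcePath: /healthz        # assumed application health endpoint
        EnableSNI: true
        RequestInterval: 10
        FailureThreshold: 3
  # PRIMARY record is served while the health check passes; SECONDARY takes over automatically.
  PrimaryRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref AppDomainName
      Type: A
      Failover: PRIMARY
      SetIdentifier: us-east-1
      HealthCheckId: !Ref PrimaryHealthCheck
      AliasTarget: { DNSName: !Ref PrimaryAlbDnsName, HostedZoneId: !Ref PrimaryAlbZoneId, EvaluateTargetHealth: true }
  StandbyRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref AppDomainName
      Type: A
      Failover: SECONDARY
      SetIdentifier: us-west-2
      AliasTarget: { DNSName: !Ref StandbyAlbDnsName, HostedZoneId: !Ref StandbyAlbZoneId, EvaluateTargetHealth: false }
```

Failover is decided by Route 53's globally distributed health checkers rather than by API calls made during the incident, which matters because the Route 53 control plane itself lives in us-east-1. Promoting the us-west-2 cluster and scaling its ASG are the remaining steps the 5-minute RTO budget has to cover, so they should be scripted and drilled, not performed by hand.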