Stories, insights & tutorials

Dive into our latest articles on web development, DevOps, mobile apps, and engineering best practices.

Want to work with us?

Have a project in mind?

We write about the same technologies we use to build world-class products. Let's put that expertise to work for you.

Start a project Visit full blog

Enterprise Disaster Recovery: Architecting Active-Passive Multi-Region Failover for Kubernetes and PostgreSQL on AWS

DDeepak Singh RajputDevOps14 min read06 Apr 2026

TL;DR: Architect a production-grade, active-passive disaster recovery strategy on AWS to achieve sub-minute RTO and near-zero RPO using GitOps-driven EKS and Route 53 ARC. By leveraging Amazon Aurora PostgreSQL Global Databases for storage-level replication and maintaining warm compute in a secondary region, you can execute immediate unplanned failovers when a primary region degrades.

⚡ Key Takeaways

Replace standard PostgreSQL read replicas with Amazon Aurora Global Databases to achieve sub-second RPO via storage subsystem mirroring.
Provision your multi-region topology using Terraform's aws_rds_global_cluster to link active (us-east-1) and passive (us-west-2) environments.
Maintain at least one warm compute instance (e.g., db.r6g.large) in your secondary region to avoid a 10+ minute RTO penalty during database promotion.
Execute unplanned failovers using aws rds remove-from-global-cluster directly from the surviving region to detach the secondary database so it can immediately accept writes.

When a primary AWS region like us-east-1 degrades, your entire business is on the clock. For enterprise architectures, relying on a single region is a compliance violation waiting to happen. Frameworks like SOC2 and ISO27001, along with enterprise vendor agreements, strictly mandate proven, routinely tested disaster recovery (DR) plans.

Yet, when disaster actually strikes, the theoretical promises of a minimal Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are rarely met. Restoring a multi-terabyte PostgreSQL database from a cross-region snapshot takes hours. Bootstrapping a fresh Elastic Kubernetes Service (EKS) cluster via Terraform during a regional outage often fails due to AWS API control-plane rate limiting. If you rely on standard DNS TTLs and manual runbooks, your traffic will blackhole, your application state will drift, and your engineering team will be paralyzed by split-brain scenarios.

To mitigate these risks, you need an Active-Passive Multi-Region architecture. In this deep dive, we will architect a deterministic failover strategy using Amazon Aurora PostgreSQL Global Databases, GitOps-driven EKS clusters, and Route 53 Application Recovery Controller (ARC).

When enterprise teams partner with our DevOps and Cloud Deployment Services, this is the exact blueprint we implement to ensure mission-critical applications survive catastrophic regional failures with sub-minute RTOs and near-zero RPOs.

Achieving Sub-Second RPO with Aurora PostgreSQL Global Databases

Standard cross-region read replicas rely on PostgreSQL's native logical or physical replication. Under heavy write loads, this introduces significant replication lag, pushing your RPO into minutes. Furthermore, promoting a standard read replica requires a reboot and manual DNS updates, drastically increasing your RTO.

To achieve enterprise-grade DR, we leverage Amazon Aurora Global Database. Aurora bypasses standard PostgreSQL replication by mirroring data at the storage subsystem level using a dedicated replication backbone. This guarantees cross-region replication latency of under 1 second and virtually zero performance impact on the primary database.

Provisioning the Global Cluster Topology

Your active region (us-east-1) handles all read and write traffic. Your passive region (us-west-2) maintains a warm standby compute instance attached to the replicated storage volume.

# terraform/rds.tf

resource "aws_rds_global_cluster" "enterprise_global" {
  global_cluster_identifier = "enterprise-global-db"
  engine                    = "aurora-postgresql"
  engine_version            = "15.4"
  database_name             = "app_production"
  storage_encrypted         = true
}

# Primary Cluster (us-east-1)
resource "aws_rds_cluster" "primary" {
  provider                    = aws.useast1 # Assumes aliased provider
  engine                      = aws_rds_global_cluster.enterprise_global.engine
  engine_version              = aws_rds_global_cluster.enterprise_global.engine_version
  cluster_identifier          = "enterprise-primary-cluster"
  global_cluster_identifier   = aws_rds_global_cluster.enterprise_global.id
  master_username             = "dbadmin"
  manage_master_user_password = true
  skip_final_snapshot         = false
}

# Secondary Cluster (us-west-2)
resource "aws_rds_cluster" "secondary" {
  provider                  = aws.uswest2 # Assumes aliased provider
  engine                    = aws_rds_global_cluster.enterprise_global.engine
  engine_version            = aws_rds_global_cluster.enterprise_global.engine_version
  cluster_identifier        = "enterprise-secondary-cluster"
  global_cluster_identifier = aws_rds_global_cluster.enterprise_global.id
  skip_final_snapshot       = true
  
  depends_on = [aws_rds_cluster.primary]
}

Production Note: Do not run your passive region completely "cold" (headless storage). Always maintain at least one active instance (e.g., db.r6g.large) in the secondary region. If the secondary cluster lacks compute, promoting it during a failover requires provisioning a new instance from scratch, pushing your database RTO from seconds to 10+ minutes.

Executing an Unplanned Database Failover

During a true regional failure, standard API calls to the primary region's control plane might time out. You must initiate the failover directly from the healthy, secondary region.

While AWS provides a managed planned failover feature, a severe regional outage requires an unplanned failover (detaching the secondary cluster from the global topology so it can immediately accept writes).

# Execute from the surviving region's CI/CD or operations bastion
aws rds remove-from-global-cluster \
    --region us-west-2 \
    --global-cluster-identifier enterprise-global-db \
    --db-cluster-identifier arn:aws:rds:us-west-2:123456789012:cluster:enterprise-secondary-cluster

By detaching the secondary cluster, it is instantly promoted to a standalone primary cluster capable of accepting read/write traffic. This operation typically completes in under 60 seconds.

Multi-Cluster EKS State Synchronization via GitOps

An active-passive architecture requires the passive EKS cluster to be running and identical in configuration to the active cluster. Attempting to apply Helm charts sequentially during a high-stress outage is a dangerous anti-pattern.

Instead, rely on GitOps tools like ArgoCD or Flux. By leveraging ArgoCD's ApplicationSet controller combined with cluster labels, you can ensure that all Kubernetes manifests are automatically mirrored across both us-east-1 and us-west-2.

# argocd/applicationset.yaml
apiVersion: argocd.argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: enterprise-workloads
  namespace: argocd
spec:
  generators:
  - clusters:
      selector:
        matchExpressions:
        - key: environment
          operator: In
          values: [production]
  template:
    metadata:
      name: '{{name}}-backend-api'
    spec:
      project: default
      source:
        repoURL: 'https://github.com/your-org/enterprise-manifests.git'
        targetRevision: HEAD
        path: workloads/backend-api
      destination:
        server: '{{server}}'
        namespace: production
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        retry:
          limit: 5
          backoff:
            duration: 5s
            factor: 2
            maxDuration: 3m

Preventing Passive EKS from Consuming External APIs

Your passive cluster will be running identical pods, but those pods should not interact with external third-party APIs (like Stripe or Twilio) or attempt to process SQS queues. Doing so will cause duplicate transaction processing and race conditions.

To handle this, inject an environment variable such as CLUSTER_ROLE=passive into the secondary EKS cluster's workloads via a Kustomize overlay or a Helm value. Your application code must be context-aware:

// src/queue/worker.ts
export async function startWorker() {
  if (process.env.CLUSTER_ROLE === 'passive') {
    logger.info("Cluster is passive. SQS consumer disabled.");
    return; // Exit without polling
  }
  
  // Initialize standard active queue polling
  const consumer = Consumer.create({
    queueUrl: process.env.SQS_QUEUE_URL,
    handleMessage: async (message) => {
      await processTransaction(message);
    }
  });
  
  consumer.start();
}

Deterministic Failover with Route 53 Application Recovery Controller (ARC)

Standard Route 53 health checks are insufficient for enterprise DR. If a health check experiences a brief anomaly, standard DNS might route traffic to your passive region before the database is promoted, resulting in a surge of API errors. Furthermore, DNS TTL caching means some clients will be routed incorrectly for minutes.

Instead, use Route 53 Application Recovery Controller (ARC). ARC provides highly available routing controls that operate on a massively redundant, five-region AWS data plane. It requires explicit, authorized intervention (human or machine) to flip a switch, entirely preventing "flapping" (where traffic bounces uncontrollably between regions).

First, provision the ARC Routing Controls:

# terraform/arc.tf
resource "aws_route53recoverycontrolconfig_cluster" "dr_cluster" {
  name = "enterprise-dr-cluster"
}

resource "aws_route53recoverycontrolconfig_control_panel" "dr_panel" {
  name        = "enterprise-control-panel"
  cluster_arn = aws_route53recoverycontrolconfig_cluster.dr_cluster.arn
}

resource "aws_route53recoverycontrolconfig_routing_control" "active_east" {
  name              = "route-us-east-1"
  control_panel_arn = aws_route53recoverycontrolconfig_control_panel.dr_panel.arn
}

resource "aws_route53recoverycontrolconfig_routing_control" "passive_west" {
  name              = "route-us-west-2"
  control_panel_arn = aws_route53recoverycontrolconfig_control_panel.dr_panel.arn
}

When a DR event is declared, an authorized engineer or an automated AWS Step Function updates the ARC state using the Boto3 ARC endpoints.

Warning: The Route 53 ARC data plane uses distinct, cluster-specific regional endpoints. You must query the ARC cluster for its unique endpoint URLs before mutating routing states. The standard boto3.client('route53-recovery-control-config') control-plane client will not work for actual state changes.

import boto3
import time

def execute_traffic_failover():
    # The ARC data plane requires specific, resilient cluster endpoints.
    # In production, cache these endpoint URLs in Systems Manager Parameter Store.
    endpoints = [
        "https://host-xxx.us-west-2.a.routing-control.amazonaws.com/v1",
        "https://host-yyy.eu-west-1.a.routing-control.amazonaws.com/v1"
    ]
    
    # Use the 'route53-recovery-cluster' client for data-plane state mutations
    client = boto3.client('route53-recovery-cluster', endpoint_url=endpoints[0])
    
    # 1. Turn ON the passive region (us-west-2)
    print("Enabling us-west-2 routing control...")
    client.update_routing_control_state(
        RoutingControlArn='arn:aws:route53-recovery-control::123456789012:controlpanel/xxx/routingcontrol/passive_west',
        RoutingControlState='On'
    )
    
    time.sleep(5) # Allow any overlapping propagation to settle
    
    # 2. Turn OFF the active region (us-east-1)
    print("Disabling us-east-1 routing control...")
    client.update_routing_control_state(
        RoutingControlArn='arn:aws:route53-recovery-control::123456789012:controlpanel/xxx/routingcontrol/active_east',
        RoutingControlState='Off'
    )

if __name__ == "__main__":
    execute_traffic_failover()

Managing Cross-Region Persistent Data and Backups

Stateless microservices are easily replicated. Database state is handled by Aurora. But what about EKS stateful workloads, persistent volumes (EBS), or dynamically generated static assets (S3)?

For Amazon S3, enable Cross-Region Replication (CRR) on your critical buckets to ensure asynchronous, continuous object mirroring.

For persistent volumes attached to EKS, you must orchestrate EBS snapshot replication using AWS Backup.

# terraform/aws_backup.tf
resource "aws_backup_plan" "cross_region_dr" {
  name = "eks-pv-dr-plan"

  rule {
    rule_name         = "hourly-cross-region"
    target_vault_name = aws_backup_vault.primary.name
    schedule          = "cron(0 * * * ? *)" # Runs hourly

    lifecycle {
      delete_after = 7
    }

    copy_action {
      destination_vault_arn = aws_backup_vault.secondary.arn
      lifecycle {
        delete_after = 7
      }
    }
  }
}

If your RPO for persistent volumes must be less than an hour, EBS snapshots are insufficient. Instead, abstract the file storage layer to Amazon EFS and use EFS Replication to sync data continuously to the secondary region. Alternatively, implement an open-source solution like VolSync within your Kubernetes clusters to replicate PersistentVolumeClaims asynchronously via rsync.

Executing the Failover Sequence

A disaster recovery plan is worthless if it requires hunting for fragmented, unverified scripts. The sequence of operations must be deterministic, idempotent, and orchestrated by a system outside of the failing region (e.g., GitHub Actions, a multi-region Jenkins instance, or AWS Step Functions in a neutral third region).

The strict operational sequence is:

Fence the Primary Region: Block write traffic to the primary region's database to prevent split-brain data corruption if the region is only partially degraded.
Promote the Database: Detach the secondary Aurora cluster to promote us-west-2 to an independent primary.
Reconfigure EKS Applications: Patch the passive EKS cluster to transition CLUSTER_ROLE to active, enabling background jobs and external API integrations.
Shift Global Traffic: Use Route 53 ARC to decisively shift ingress traffic to us-west-2.

Here is a conceptual break-glass orchestrator script executing the failover:

#!/bin/bash
set -e

echo "🚨 INITIATING ENTERPRISE DR FAILOVER 🚨"

# Step 1 & 2: Detach and Promote DB
echo "1. Promoting Aurora cluster in us-west-2..."
aws rds remove-from-global-cluster \
    --region us-west-2 \
    --global-cluster-identifier enterprise-global-db \
    --db-cluster-identifier arn:aws:rds:us-west-2:123456789012:cluster:enterprise-secondary-cluster

echo "Waiting for promotion to complete..."
aws rds wait db-cluster-available \
    --region us-west-2 \
    --db-cluster-identifier enterprise-secondary-cluster

# Step 3: Patch EKS ConfigMap
# Note: In a mature GitOps flow, this is triggered via a configuration repo PR.
echo "2. Activating EKS Workers in us-west-2..."
aws eks update-kubeconfig --region us-west-2 --name enterprise-eks-west
kubectl patch configmap app-config -n production \
  -p '{"data":{"CLUSTER_ROLE":"active"}}'
kubectl rollout restart deployment/backend-api -n production

# Step 4: Shift ARC Traffic
echo "3. Flipping Route 53 ARC..."
python3 arc_failover.py

echo "✅ FAILOVER COMPLETE. us-west-2 is now ACTIVE."

The Failback Sequence: Re-establishing Topology

The most overlooked aspect of disaster recovery is the failback. Once AWS resolves the us-east-1 outage, you cannot simply flip your DNS routing back. Your original primary database in us-east-1 is completely out of sync and contains stale data.

Failing back requires rebuilding the cross-region topology in reverse.

Snapshot the active database: Secure a backup of the newly promoted primary in us-west-2.
Destroy the old primary: Delete the stale, degraded cluster in us-east-1.
Re-establish the global cluster: Add us-east-1 back to the global database topology as a secondary region, which will force a fresh data sync over the AWS backbone.

# Execute in us-west-2 to re-add us-east-1 to the global topology
aws rds create-db-cluster \
    --region us-east-1 \
    --db-cluster-identifier enterprise-primary-cluster-new \
    --global-cluster-identifier enterprise-global-db \
    --engine aurora-postgresql \
    --engine-version 15.4

Only after the storage has fully synced back to us-east-1 (which can take hours depending on volume size) and replication lag approaches zero, can you safely execute a planned failover back to us-east-1 and revert your EKS cluster roles to their original state.

By automating your infrastructure through GitOps, relying on storage-level replication for PostgreSQL, and enforcing deterministic routing controls with Route 53 ARC, enterprises can survive total regional outages without losing data or defaulting on critical customer SLAs.

Available for Work

Need help building this in production?

SoftwareCrafting is a full-stack dev agency — we ship fast, scalable React, Next.js, Node.js, React Native & Flutter apps for global clients.

Get a Free Consultation

Frequently Asked Questions

Why use Amazon Aurora Global Database instead of standard PostgreSQL cross-region read replicas?

Standard read replicas rely on logical or physical replication, which introduces significant lag under heavy write loads and increases your Recovery Point Objective (RPO). Aurora Global Database mirrors data at the storage subsystem level using a dedicated replication backbone, guaranteeing cross-region replication latency of under one second with virtually zero performance impact on the primary database.

Should the passive region database run completely cold to save AWS costs?

No, you should never run your passive region completely headless. If the secondary cluster lacks a warm compute instance (such as a db.r6g.large), promoting it during a failover requires provisioning a new instance from scratch. This pushes your database Recovery Time Objective (RTO) from seconds to over 10 minutes.

How do you execute an unplanned PostgreSQL failover if the primary AWS region is completely down?

If the primary region's control plane is unresponsive, you must initiate the failover directly from the healthy secondary region. You achieve this by running an unplanned failover command (using aws rds remove-from-global-cluster) to detach the secondary cluster from the global topology, allowing it to immediately accept write traffic.

Why is bootstrapping a fresh EKS cluster via Terraform a bad strategy during a regional outage?

Attempting to provision a new EKS cluster from scratch during an active disaster often fails due to AWS API control-plane rate limiting, as other tenants scramble to failover simultaneously. To ensure a sub-minute RTO, you must maintain a pre-provisioned, GitOps-driven EKS cluster in your passive region.

How do SoftwareCrafting's DevOps and Cloud Deployment Services ensure compliance with frameworks like SOC2?

Frameworks like SOC2 and ISO27001 strictly mandate proven, routinely tested disaster recovery plans. Our DevOps and Cloud Deployment Services implement deterministic active-passive architectures using tools like Aurora Global Databases and Route 53 ARC, ensuring your infrastructure meets enterprise compliance through verifiable, sub-minute RTOs.

Can SoftwareCrafting help my team architect an active-passive failover for our existing AWS infrastructure?

Yes, our DevOps and Cloud Deployment Services specialize in transforming fragile single-region setups into enterprise-grade multi-region architectures. We partner with your engineering team to implement GitOps-driven EKS clusters and Aurora Global Databases, eliminating split-brain scenarios and guaranteeing near-zero RPO during catastrophic outages.

📎 Full Code on GitHub Gist: The complete rds.tf from this post is available as a standalone GitHub Gist — copy, fork, or embed it directly.