Failover & Redundancy

Redundancy is having more capacity or copies than the minimum needed, so the loss of one doesn't cause failure: redundant servers, replicated data, multiple availability zones. Failover is the act of detecting a failure and shifting traffic or responsibility to a healthy standby. Together they're the backbone of high availability.

Everything fails eventually: disks, machines, racks, whole data centers. Without redundancy, every component is a single point of failure and every failure is an outage. Redundancy removes the single points; failover makes recovery automatic and fast instead of a manual scramble. The combination is what lets a service advertise four or five nines of availability.

Redundancy comes in modes: active-active (all replicas serve traffic; losing one just reduces capacity) and active-passive (a standby waits, promoted on primary failure). Failover detects death via health checks/heartbeats, then redirects: a load balancer drops the dead instance from rotation, a follower DB is promoted to primary, or DNS/anycast shifts a region. Geographic redundancy spreads across availability zones and regions so a whole-datacenter loss is survivable. Quorum and leader election keep failover from causing split-brain.

• Turns component failures into non-events, since single points of failure are eliminated
• Active-active also adds capacity and load distribution, not just safety
• Geographic redundancy survives entire-datacenter and regional outages

• You pay for idle capacity: active-passive standbys cost money to sit and wait
• Failover itself is risky: untested failover paths fail when you finally need them, and promotion can cause split-brain or data loss
• True multi-region redundancy forces hard data-consistency and replication-lag tradeoffs

• WhatsApp →

  Cassandra replication factor 3 across nodes means losing one replica triggers no downtime, so reads/writes continue against the survivors

• Payment Gateway →

  The Postgres ledger runs primary + standby with automatic promotion; money writes must survive a primary failure without loss

• Amazon S3 (Object Storage) →

  Erasure coding across multiple availability zones means object durability survives whole-AZ failure, not just disk failure

• Untested failover is broken failover. The standby you've never failed over to will surprise you in the worst way, so run game days and chaos drills regularly.
• Active-passive wastes the standby's capacity and the standby may be cold (stale caches, unwarmed connections) when promoted. Active-active avoids both but needs the app to tolerate concurrent writes.
• Automatic failover can cause split-brain or data loss if it promotes a lagging replica. Pair promotion with quorum/fencing so two primaries can't coexist.
• Redundancy at one layer doesn't help if a shared dependency fails: redundant app servers all talking to one database still have a single point of failure.