Apple Podcasts
Spotify
Youtube Music
Spreaker
Podchaser
Amazon Music
Most architects believe that deploying across multiple regions guarantees resilience. It doesn’t. In reality, many organizations are simply paying double for what is effectively a distributed single point of failure. When failover depends on meetings, manual intervention, or a functioning control plane during a blackout—you don’t have resilience. You have hope. This episode breaks that illusion. We simulate a real regional outage and expose how modern cloud architectures fail under pressure. The shift is clear: from passive redundancy to state-synchronized resilience—where systems are designed to behave, not just exist, during failure.
WHEN THE FRONT DOOR FAILS: EDGE DEPENDENCY RISK
Global entry points like Azure Front Door feel invisible—until they fail. When they do, perfectly healthy backends become unreachable. The October outage proved this: a single configuration issue disrupted global routing, taking down services worldwide. This is the Anycast trap. Traffic doesn’t fail cleanly—it fragments. Some users connect, others time out, and your monitoring becomes misleading. The fix isn’t more edge—it’s multi-path ingress. Resilient systems allow traffic to bypass global layers and route directly to regional endpoints, trading performance for survival.
DNS FAILURE: THE HIDDEN SYSTEM KILLER
Everything in the cloud depends on name resolution. When DNS breaks, your architecture doesn’t degrade—it disappears. A single race condition can wipe routing records and trigger a retry storm, where systems overload themselves trying to recover. True resilience requires decoupling internal communication from global DNS. Regional resolution, conservative TTL strategies, and break-glass routing paths ensure your system can still function—even when the internet can’t tell it where to go.
THE CONTROL PLANE FALLACY
Most disaster recovery plans assume you can redeploy during a crisis. But when outages hit, management APIs like Azure Resource Manager are often overwhelmed. Thousands of organizations try to recover at once, creating a bottleneck that makes redeployment impossible. The reality: the cloud is finite under stress. Resilient architectures don’t rebuild—they pre-provision. Warm standby environments, reserved capacity, and data-plane failover remove dependency on a failing control plane. If your recovery requires the portal, you’re already too late.
STATE STRATEGY: THE REAL BATTLEFIELD
Stateless services are easy to move. Data is not. It anchors your system to failure. Most architectures rely on asynchronous replication, accepting small delays that turn into permanent data loss during outages. The solution is consistency-aware design. Not all data is equal. Critical transactions demand tighter guarantees, while less critical data can lag. True resilience means active global state, not passive backups—so when a region fails, the system continues without interruption.
GOVERNANCE: WHY MEETINGS KILL UPTIME
The longest outages aren’t caused by technology—they’re caused by indecision. War rooms delay action while systems degrade. If failover requires approval, your architecture is already broken. Modern resilience relies on automated decision-making. Telemetry-driven triggers, circuit breakers, and federated ownership ensure that failover happens instantly—without debate. The system reacts before humans can hesitate.
TESTING FOR FAILURE, NOT SUCCESS
Architectures don’t fail on whiteboards—they fail in production. Hidden bugs only appear under stress. That’s why resilience requires chaos engineering and Game Days. By simulating outages under real conditions, teams uncover bottlenecks, retry storms, and capacity gaps before they matter. If you’re not testing regularly, your architecture is silently degrading.
THE SHIFT: FROM REDUNDANCY TO TRUE RESILIENCE
Resilience isn’t about where you deploy—it’s about how your system behaves under pressure. It requires intentional design across ingress, DNS, control planes, data, and governance. Key takeaways:
- Multi-region alone does not eliminate single points of failure
- Automated failover beats manual decision-making every time
- State strategy—not infrastructure—is the foundation of resilience
You don’t rise to the level of your architecture during a crisis—you fall to the level of your preparation. The difference between an outage and a disaster is how your system behaves when everything goes wrong. Follow for more deep dives into cloud resilience, and rethink how your architecture survives—not just scales.
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
🚀 Want to be part of m365.fm?
Then stop just listening… and start showing up.
👉 Connect with me on LinkedIn and let’s make something happen:
- 🎙️ Be a podcast guest and share your story
- 🎧 Host your own episode (yes, seriously)
- 💡 Pitch topics the community actually wants to hear
- 🌍 Build your personal brand in the Microsoft 365 space
This isn’t just a podcast — it’s a platform for people who take action.
🔥 Most people wait. The best ones don’t.
👉 Connect with me on LinkedIn and send me a message:
"I want in"
Let’s build something awesome 👊
1
00:00:00,000 --> 00:00:04,080
Many architects believe that deploying to multiple regions equals resilience.
2
00:00:04,080 --> 00:00:08,320
They assume that if region A goes dark, region B simply picks up the slack.
3
00:00:08,320 --> 00:00:12,080
But in reality, they are just paying double for a distributed single point of failure.
4
00:00:12,080 --> 00:00:15,120
The top 1% of architects do not focus on where they deploy.
5
00:00:15,120 --> 00:00:17,680
They focus on how the system behaves under pressure.
6
00:00:17,680 --> 00:00:22,000
If your failover requires a manual meeting or a functioning control plane during a blackout,
7
00:00:22,000 --> 00:00:23,240
you do not have a plan.
8
00:00:23,240 --> 00:00:24,240
You have hope.
9
00:00:24,240 --> 00:00:27,920
In the next 25 minutes, we are going to simulate a regional blackout.
10
00:00:27,920 --> 00:00:33,040
We will expose the architecture fragility that turns minor latency into a global death spiral.
11
00:00:33,040 --> 00:00:38,960
It is time to move from the old model of passive redundancy to a new model of state synchronized resilience.
12
00:00:38,960 --> 00:00:41,520
Edge failure when the front door goes dark.
13
00:00:41,520 --> 00:00:46,240
Global entry points like Azure Front Door or Edge Rooting are the most efficient way to scale.
14
00:00:46,240 --> 00:00:49,440
They handle SSL termination, they provide WAF protection,
15
00:00:49,440 --> 00:00:51,840
and they root traffic to the nearest healthy backend.
16
00:00:51,840 --> 00:00:55,280
But these tools create a bootstrap problem where your back ends are perfectly healthy,
17
00:00:55,280 --> 00:00:56,720
but completely unreachable.
18
00:00:56,720 --> 00:00:59,520
Look at the October 2025 Front Door Outage.
19
00:00:59,520 --> 00:01:04,080
A single configuration change bypassed safety checks and invalidated global routing logic,
20
00:01:04,080 --> 00:01:08,880
which meant that within minutes, Edge servers worldwide began mis-routing or timing out requests.
21
00:01:08,880 --> 00:01:13,360
The Azure portal failed and major SSL sites vanished because the logic was broken at the source.
22
00:01:13,360 --> 00:01:16,800
If your global ingress is the only way in, you have not built a bridge.
23
00:01:16,800 --> 00:01:18,720
You have built a funnel that can be plugged.
24
00:01:18,720 --> 00:01:22,320
Most organizations assume that because they use any cast IP addresses,
25
00:01:22,320 --> 00:01:23,920
the network will just find a path.
26
00:01:23,920 --> 00:01:29,040
But any cast is just a routing protocol, and it does not fix a logic error in the application layer.
27
00:01:29,040 --> 00:01:30,560
This creates the any cast trap.
28
00:01:30,560 --> 00:01:33,360
During a failure, you do not see a clean down status.
29
00:01:33,360 --> 00:01:37,280
Instead, you see scattered 500-level errors across global points of presence.
30
00:01:37,280 --> 00:01:40,560
Some users in London can connect while users in New York get timeouts,
31
00:01:40,560 --> 00:01:45,200
which makes it harder to diagnose than a total regional failure because the telemetry is inconsistent.
32
00:01:45,200 --> 00:01:48,480
Your monitoring might show the backend is at 0% CPU,
33
00:01:48,480 --> 00:01:50,720
but that is only because no traffic is reaching it.
34
00:01:50,720 --> 00:01:53,200
To survive this, you need multi-path management.
35
00:01:53,200 --> 00:01:57,680
You cannot rely on a single global edge proxy for 100% of your traffic.
36
00:01:57,680 --> 00:02:00,800
The new model uses secondary DNS-based failover.
37
00:02:00,800 --> 00:02:04,880
If the global edge layer degrades, you shift traffic directly to regional gateways.
38
00:02:04,880 --> 00:02:07,440
You might lose the CDN caching or the global WAF,
39
00:02:07,440 --> 00:02:11,440
but your application stays online because you chose to trade performance for availability.
40
00:02:11,440 --> 00:02:14,320
The mistake is treating the edge as an invisible utility.
41
00:02:14,320 --> 00:02:18,560
It is not. It is a dependency, and every dependency is a potential wall.
42
00:02:18,560 --> 00:02:23,040
In the October 2025 event, recovery was delayed because of retry storms.
43
00:02:23,040 --> 00:02:26,720
As soon as the fix was rolled out, millions of clients that had been pulling for a connection
44
00:02:26,720 --> 00:02:31,760
slammed the edge nodes. The healthy nodes were overwhelmed by the sheer volume of reconnection attempts,
45
00:02:31,760 --> 00:02:36,000
and the system could not stabilize because the front door was being kicked in by its own users.
46
00:02:36,000 --> 00:02:38,400
You must implement circuit breakers at the client level.
47
00:02:38,400 --> 00:02:41,120
Exponential back-off is not just a nice-to-have feature.
48
00:02:41,120 --> 00:02:43,120
It is a survival mechanism for the platform.
49
00:02:43,120 --> 00:02:47,360
If you do not control the retry logic, you are essentially dedossing your own infrastructure
50
00:02:47,360 --> 00:02:49,680
during a recovery window. This is where the old model breaks.
51
00:02:49,680 --> 00:02:51,680
It assumes the network is a static pipe,
52
00:02:51,680 --> 00:02:56,160
but the new model understands that the network is a dynamic living system that reacts to failure.
53
00:02:56,160 --> 00:02:59,200
Ask yourself, "What would happen if front door vanished right now?"
54
00:02:59,200 --> 00:03:02,560
If the answer is that your users would be stuck, then you are not resilient.
55
00:03:02,560 --> 00:03:05,680
You are just waiting for a configuration error to take you offline.
56
00:03:05,680 --> 00:03:09,200
The goal is to decouple the ingress logic from the regional availability.
57
00:03:09,200 --> 00:03:12,720
You want to be able to bypass the global layer entirely if it becomes a liability.
58
00:03:12,720 --> 00:03:17,440
This requires pre-configured regional endpoints that are ready to receive traffic at a moment's notice,
59
00:03:17,440 --> 00:03:22,320
and it requires a DNS strategy that does not depend on the same control plane that just went dark.
60
00:03:22,320 --> 00:03:23,760
Because here is the reality.
61
00:03:23,760 --> 00:03:27,200
Once the user can finally reach the edge, the next hurdle is not the code.
62
00:03:27,200 --> 00:03:29,600
It is the system's ability to talk to itself.
63
00:03:29,600 --> 00:03:32,800
If the edge is the front door, DNS is the directions to the house.
64
00:03:32,800 --> 00:03:36,080
And when those directions disappear, the entire architecture vanishes.
65
00:03:36,080 --> 00:03:39,440
We need to look at why names fail and how they take the cloud with them.
66
00:03:39,440 --> 00:03:42,720
The DNS name resolution "death spiral".
67
00:03:42,720 --> 00:03:44,640
Everything in the cloud depends on a name.
68
00:03:44,640 --> 00:03:48,080
When you call an API, connect to a database or authenticate a user,
69
00:03:48,080 --> 00:03:49,600
you are relying on a resolution string.
70
00:03:49,600 --> 00:03:54,720
If that resolution fails, the connective tissue of your entire architecture simply vanishes.
71
00:03:54,720 --> 00:03:56,640
The servers are running and the code is loaded,
72
00:03:56,640 --> 00:03:59,280
but the components are suddenly blind and deaf to one another.
73
00:03:59,280 --> 00:04:03,760
We saw this play out in a catastrophic race condition within a major cloud DNS management system.
74
00:04:03,760 --> 00:04:08,320
The failure wasn't a hardware snap, but rather a logic error between two automated processes,
75
00:04:08,320 --> 00:04:10,080
known as the planner and the enactor.
76
00:04:10,080 --> 00:04:12,160
The planner was generating new routing maps,
77
00:04:12,160 --> 00:04:14,560
while the enactor was struggling to apply an old one.
78
00:04:14,560 --> 00:04:18,880
Because the enactor fell behind, the system assumed the old records were obsolete and deleted them.
79
00:04:18,880 --> 00:04:22,400
In an instant, the directions to critical regional endpoints were wiped clean
80
00:04:22,400 --> 00:04:24,000
and the IP addresses were gone.
81
00:04:24,000 --> 00:04:25,280
This is the death spiral.
82
00:04:25,280 --> 00:04:28,240
It starts when a small resolution error triggers a retry,
83
00:04:28,240 --> 00:04:31,840
and that retry adds load to a DNS service that is already struggling.
84
00:04:31,840 --> 00:04:36,240
As the service slows down, more requests time out, which leads to even more retreats.
85
00:04:36,240 --> 00:04:39,840
The system isn't just failing, it is actively consuming itself.
86
00:04:39,840 --> 00:04:43,040
And here is the hidden dependency that kills most recovery plans.
87
00:04:43,040 --> 00:04:47,520
Your failover mechanism likely relies on the very DNS service that is currently degraded.
88
00:04:47,520 --> 00:04:50,000
If you need to update a caname record to point to region B,
89
00:04:50,000 --> 00:04:52,000
but the DNS control plane is paralyzed,
90
00:04:52,000 --> 00:04:55,040
you are stuck in the dark with no way to turn on the lights.
91
00:04:55,040 --> 00:04:59,520
To break this cycle, you have to bypass the global resolution layer for your internal traffic.
92
00:04:59,520 --> 00:05:03,280
The new model treats service-to-service communication as a separate failure domain.
93
00:05:03,280 --> 00:05:06,320
You implement any cast DNS that lives closer to the resources,
94
00:05:06,320 --> 00:05:10,080
and you use regional security token service endpoints to handle identity.
95
00:05:10,080 --> 00:05:13,360
By localizing these lookups, you ensure that a global DNS outage
96
00:05:13,360 --> 00:05:15,520
doesn't paralyze internal operations.
97
00:05:15,520 --> 00:05:18,800
If the front door is broken, the back office should still be able to function.
98
00:05:18,800 --> 00:05:21,920
You also need to set conservative time to live strategies.
99
00:05:21,920 --> 00:05:25,280
In a world of instant cloud scaling architects love low TTL,
100
00:05:25,280 --> 00:05:29,520
sometimes as low as 60 seconds because they want the ability to shift traffic immediately.
101
00:05:29,520 --> 00:05:32,960
But during a backbone failure, a low TTL is a liability.
102
00:05:32,960 --> 00:05:37,200
Every 60 seconds, every client in your ecosystem has to ask for directions again.
103
00:05:37,200 --> 00:05:40,320
If the DNS server is slow, you've just created a massive bottleneck.
104
00:05:40,320 --> 00:05:43,360
The systems thinker balances agility with durability.
105
00:05:43,360 --> 00:05:47,440
For critical service-to-service paths, you might hard-code internal break-glass routing.
106
00:05:47,440 --> 00:05:50,640
This isn't dirty engineering, it is a safety net that ensures your application
107
00:05:50,640 --> 00:05:53,280
doesn't need a global directory to find its own database.
108
00:05:53,280 --> 00:05:56,960
The old model assumes that the platform's foundational services are infallible.
109
00:05:56,960 --> 00:06:00,160
The new model assumes they are the first things that will break under stress.
110
00:06:00,160 --> 00:06:03,040
You must map out every name resolution your app makes.
111
00:06:03,040 --> 00:06:06,640
If any of those names point to a global service without a regional fallback,
112
00:06:06,640 --> 00:06:08,320
that is your single point of failure.
113
00:06:08,320 --> 00:06:11,200
You aren't resilient until you can resolve your own identity
114
00:06:11,200 --> 00:06:13,200
without asking the internet for permission.
115
00:06:13,200 --> 00:06:14,960
Because even if the name is resolved,
116
00:06:14,960 --> 00:06:17,200
you might find yourself facing a different kind of wall.
117
00:06:17,200 --> 00:06:20,240
You might have the right directions, but discover the road itself is blocked.
118
00:06:20,240 --> 00:06:23,040
You try to scale, you try to move, and you try to fix the mess.
119
00:06:23,040 --> 00:06:26,320
But the tools you usually use to manage the cloud have stopped responding.
120
00:06:26,320 --> 00:06:28,160
This is the fallacy of the management plane.
121
00:06:28,160 --> 00:06:32,240
It is the assumption that the data plane and the control plane will never fail at the same time,
122
00:06:32,240 --> 00:06:35,600
and that assumption is where the next stage of the blackout begins.
123
00:06:35,600 --> 00:06:38,960
Control plane degradation, the wheel just redeploy fallacy.
124
00:06:38,960 --> 00:06:42,640
Most disaster recovery plans rely on a massive, unspoken assumption.
125
00:06:42,640 --> 00:06:46,240
You assume that when the fire starts, the fire truck will still have gas.
126
00:06:46,240 --> 00:06:49,440
In Azure Terms, this is the belief that the Azure Resource Manager,
127
00:06:49,440 --> 00:06:51,600
or ARM, will be fully functional.
128
00:06:51,600 --> 00:06:53,680
Architects tell themselves that if region A fails,
129
00:06:53,680 --> 00:06:56,080
they will just redeploy their stack to region B.
130
00:06:56,080 --> 00:06:59,520
It sounds logical on a whiteboard, but in a real-world regional crisis,
131
00:06:59,520 --> 00:07:01,120
that strategy is a total fantasy.
132
00:07:01,120 --> 00:07:04,080
There is a fundamental difference between the data plane and the control plane.
133
00:07:04,080 --> 00:07:06,800
The data plane is where your code runs and your user's interact.
134
00:07:06,800 --> 00:07:08,800
The control plane is the management layer,
135
00:07:08,800 --> 00:07:12,320
or the APIs you call to create, scale, or move resources.
136
00:07:12,320 --> 00:07:15,760
During a regional blackout, the data plane in your healthy region might be fine,
137
00:07:15,760 --> 00:07:19,840
but the control plane is often the first thing to get paralyzed by ARM exhaustion.
138
00:07:19,840 --> 00:07:22,560
Think about what happens the moment a major region goes offline.
139
00:07:22,560 --> 00:07:25,760
Thousands of companies simultaneously trigger their recovery scripts,
140
00:07:25,760 --> 00:07:30,400
and every automated system on the continent starts hitting the same management APIs at once.
141
00:07:30,400 --> 00:07:34,960
This creates a massive surge in API requests that the platform was never sized to handle.
142
00:07:34,960 --> 00:07:37,760
Timeouts begin and internal service cues fill up.
143
00:07:37,760 --> 00:07:41,440
Suddenly, your simple command to spin up a new virtual machine scale set
144
00:07:41,440 --> 00:07:44,080
returns a 503 error and you are stuck.
145
00:07:44,080 --> 00:07:47,600
We saw this in January of 2024 during a significant ARM disruption.
146
00:07:47,600 --> 00:07:52,800
A latent code defect triggered by a routine change caused management nodes to fail on startup.
147
00:07:52,800 --> 00:07:57,840
It didn't just affect one service, but instead exhausted capacity across multiple regions for seven hours.
148
00:07:57,840 --> 00:08:01,920
If your recovery plan was to redeploy on demand, you are out of luck for nearly a full work day.
149
00:08:01,920 --> 00:08:06,000
The old model treats the cloud as an infinite pool of resources available at a moment's notice.
150
00:08:06,000 --> 00:08:08,640
The new model recognizes that during a crisis,
151
00:08:08,640 --> 00:08:10,960
the cloud is a finite, crowded lifeboat.
152
00:08:10,960 --> 00:08:12,320
This leads to the redeploy myth.
153
00:08:12,320 --> 00:08:16,240
Even if the management APIs are responding, the physical hardware might not be available.
154
00:08:16,240 --> 00:08:19,840
When a region fails, everyone rushes to the same safe neighboring region.
155
00:08:19,840 --> 00:08:23,360
Within minutes, the most popular VM sizes in that healthy region are sold out.
156
00:08:23,360 --> 00:08:27,840
You try to scale your web tier, but you get an allocation failed message because the healthy region is full.
157
00:08:27,840 --> 00:08:31,760
You wait until the disaster to ask for space, and now there is none left.
158
00:08:31,760 --> 00:08:34,720
The systems thinker avoids this by moving to a pre-provisioned model.
159
00:08:34,720 --> 00:08:38,240
You don't wait for the outage to start building your secondary environment.
160
00:08:38,240 --> 00:08:42,320
You maintain warm standbys, which are pieces of infrastructure that are already allocated
161
00:08:42,320 --> 00:08:43,840
and running at a minimal scale.
162
00:08:43,840 --> 00:08:48,320
Resilience means having the capacity reserved before the rest of the world tries to buy it.
163
00:08:48,320 --> 00:08:52,160
Your recovery should be a pushbutton event that only requires a routing change.
164
00:08:52,160 --> 00:08:56,640
It should not require a thousand platform API calls to build an environment from scratch.
165
00:08:56,640 --> 00:08:59,840
You must also define clear decision rights for this process.
166
00:08:59,840 --> 00:09:03,760
If your recovery requires calling the Azure Resource Manager to change a setting,
167
00:09:03,760 --> 00:09:04,880
you are vulnerable.
168
00:09:04,880 --> 00:09:06,880
The goal is to have data play and failover.
169
00:09:06,880 --> 00:09:10,480
This means the traffic shift happens through the network and the application logic,
170
00:09:10,480 --> 00:09:11,760
not through the management portal.
171
00:09:11,760 --> 00:09:14,720
If you can't switch regions while the Azure portal is down,
172
00:09:14,720 --> 00:09:16,240
you aren't truly resilient.
173
00:09:16,240 --> 00:09:19,040
You are just a passenger on a ship that has no lifeboats.
174
00:09:19,040 --> 00:09:20,320
We have secured the ingress.
175
00:09:20,320 --> 00:09:21,600
We have stabilized the names.
176
00:09:21,600 --> 00:09:25,440
We have pre-provisioned the compute so we don't get locked out by a paralyzed control plane.
177
00:09:25,440 --> 00:09:27,760
But now we face the hardest part of the cloud.
178
00:09:27,760 --> 00:09:31,680
The thing that actually keeps systems pinned to a failing region is the data.
179
00:09:31,680 --> 00:09:33,760
Because while stateless code is easy to move,
180
00:09:33,760 --> 00:09:37,440
state has mass and that mass is where resilience is truly one or lost.
181
00:09:37,440 --> 00:09:39,120
State strategy.
182
00:09:39,120 --> 00:09:41,360
Where resilience is one or lost.
183
00:09:41,360 --> 00:09:43,680
Moving a stateless service is easy.
184
00:09:43,680 --> 00:09:47,600
If a web server dies, you just spin up another one and the system keeps moving.
185
00:09:47,600 --> 00:09:48,800
But stateful data is different.
186
00:09:48,800 --> 00:09:52,720
It acts like an anchor that keeps your entire system pinned to a failing region.
187
00:09:52,720 --> 00:09:54,800
This is the moment of truth for every architect.
188
00:09:54,800 --> 00:09:58,560
You can have the best network routing and the fastest compute on the planet.
189
00:09:58,560 --> 00:10:01,200
But if your data is trapped in a black-doubt data center,
190
00:10:01,200 --> 00:10:02,880
your application is dead.
191
00:10:02,880 --> 00:10:04,240
The reality is simple.
192
00:10:04,240 --> 00:10:06,320
Multi-region deployment doesn't make you resilient.
193
00:10:06,320 --> 00:10:07,760
Your state strategy does.
194
00:10:07,760 --> 00:10:10,880
In the old model, architects treated databases like black boxes.
195
00:10:10,880 --> 00:10:15,120
They turned on geo-ridundancy and walked away, assuming the cloud provider would handle the heavy lifting.
196
00:10:15,120 --> 00:10:17,280
But that approach ignores the physics of data.
197
00:10:17,280 --> 00:10:21,680
Every bit of information you write has to travel across a physical distance to reach the secondary region.
198
00:10:21,680 --> 00:10:23,280
This creates the asynchronous trap.
199
00:10:23,280 --> 00:10:27,360
Most managed services use asynchronous replication to keep performance high.
200
00:10:27,360 --> 00:10:30,080
If you wait for a right to confirm in two regions at the same time,
201
00:10:30,080 --> 00:10:31,520
your latency will skyrocket.
202
00:10:31,520 --> 00:10:32,960
So, you accept a small gap.
203
00:10:32,960 --> 00:10:35,040
You live with a few seconds or minutes,
204
00:10:35,040 --> 00:10:37,920
where the secondary region is slightly behind the primary.
205
00:10:37,920 --> 00:10:39,280
But here is where things break.
206
00:10:39,280 --> 00:10:42,000
If a regional outage occurs and you fail over immediately,
207
00:10:42,000 --> 00:10:44,480
that replication lag becomes a permanent data loss event.
208
00:10:44,480 --> 00:10:47,520
Those last few hundred transactions never made it to the other side.
209
00:10:47,520 --> 00:10:51,760
They exist only on disks that are currently sitting in a dark room with no power.
210
00:10:51,760 --> 00:10:54,320
If your business cannot tolerate losing 10 minutes of orders,
211
00:10:54,320 --> 00:10:56,640
then your passive failover isn't a strategy.
212
00:10:56,640 --> 00:10:57,760
It is a gamble.
213
00:10:57,760 --> 00:11:00,720
To win here, you have to move to a model of consistency awareness.
214
00:11:00,720 --> 00:11:02,800
You stop treating all data as equal.
215
00:11:02,800 --> 00:11:07,280
You use tools like Cosmos DB with multi-region rights or SQL failover groups,
216
00:11:07,280 --> 00:11:10,480
but you configure them based on the specific needs of the transaction.
217
00:11:10,480 --> 00:11:14,320
For a user's shopping cart, maybe session consistency is enough.
218
00:11:14,320 --> 00:11:18,800
It balances a fast user experience with the guarantee that the user sees their own rights.
219
00:11:18,800 --> 00:11:21,600
But for a financial ledger, you might choose bounded staleness.
220
00:11:21,600 --> 00:11:25,280
This is where you explicitly define exactly how much lag you are willing to risk
221
00:11:25,280 --> 00:11:27,520
before the system stops accepting new entries.
222
00:11:27,520 --> 00:11:29,280
You are essentially choosing your poison.
223
00:11:29,280 --> 00:11:32,560
Do you want a system that is always available but might lose data,
224
00:11:32,560 --> 00:11:36,320
or a system that is perfectly consistent, but goes offline when the network jitters?
225
00:11:36,320 --> 00:11:37,760
The new model doesn't pick one.
226
00:11:37,760 --> 00:11:39,360
It maps the data to the outcome.
227
00:11:39,360 --> 00:11:44,320
You design your state so that critical crown jewel data is replicated with the tightest possible recovery point,
228
00:11:44,320 --> 00:11:47,680
while non-essential logs or telemetry are left to catch up whenever they can.
229
00:11:47,680 --> 00:11:51,440
This requires a shift in how you think about primary and secondary sites.
230
00:11:51,440 --> 00:11:54,320
In a resilient architecture, there is no backup region.
231
00:11:54,320 --> 00:11:57,280
There are only active nodes participating in a global state.
232
00:11:57,280 --> 00:12:01,040
When one node vanishes, the others already have the context they need to continue.
233
00:12:01,040 --> 00:12:03,200
You aren't failing over in the traditional sense.
234
00:12:03,200 --> 00:12:05,840
You are just narrowing the scope of your active footprint.
235
00:12:05,840 --> 00:12:10,800
This reduces the recovery time because there is no massive database promotion or DNS update required.
236
00:12:10,800 --> 00:12:14,560
The state is already there, but building the technology is only half the battle.
237
00:12:14,560 --> 00:12:18,000
You can have the most advanced state synchronized cluster on the planet,
238
00:12:18,000 --> 00:12:21,520
and it will still fail if the people running it are paralyzed by indecision.
239
00:12:21,520 --> 00:12:23,840
The longest part of an outage isn't the technical fix.
240
00:12:23,840 --> 00:12:27,600
It is the time spent in a war room arguing about whether or not to pull the trigger.
241
00:12:27,600 --> 00:12:31,040
We need to talk about the governance that dictates who owns the disaster
242
00:12:31,040 --> 00:12:32,880
and why meetings are the enemy of uptime.
243
00:12:32,880 --> 00:12:35,360
Governance and decision rights.
244
00:12:35,360 --> 00:12:36,640
No meetings allowed.
245
00:12:36,640 --> 00:12:39,760
The longest part of a cloud outage isn't the technical restoration.
246
00:12:39,760 --> 00:12:45,040
It is the time spent in a virtual war room while executives argue about the financial impact of failing over.
247
00:12:45,040 --> 00:12:48,560
You are sitting there with a degraded region and watching your error rates climb
248
00:12:48,560 --> 00:12:53,040
while a committee debates whether the primary site might come back online in the next 10 minutes.
249
00:12:53,040 --> 00:12:54,160
This is the decision gap.
250
00:12:54,160 --> 00:12:59,360
It is the period where your architecture is ready to move but your organization is paralyzed by its own hierarchy.
251
00:12:59,360 --> 00:13:04,480
In the old model, failover is treated as a high stakes emergency that requires centralized gatekeeping.
252
00:13:04,480 --> 00:13:09,680
You have a rigid chain of command where a CTO or a VP of infrastructure has to sign off on a traffic shift.
253
00:13:09,680 --> 00:13:13,840
The assumption is that failing over is risky, expensive and potentially unnecessary.
254
00:13:13,840 --> 00:13:17,760
But when you are dealing with a regional blackout that centralized model becomes a bottleneck.
255
00:13:17,760 --> 00:13:20,160
If your failover requires a meeting you don't have a plan.
256
00:13:20,160 --> 00:13:23,600
You have hope and hope is a terrible disaster recovery strategy.
257
00:13:23,600 --> 00:13:27,840
The new model shifts toward platform-led guardrails with federated execution.
258
00:13:27,840 --> 00:13:31,200
You move the decision making power away from the boardroom and into the code.
259
00:13:31,200 --> 00:13:37,520
This starts by defining circuit breakers which are automated triggers that execute based on telemetry rather than consensus.
260
00:13:37,520 --> 00:13:42,160
If your latency across the regional backbone exceeds a specific threshold for more than five minutes,
261
00:13:42,160 --> 00:13:44,320
the system should initiate a shift automatically.
262
00:13:44,320 --> 00:13:48,880
There is no phone call, there is no slack thread, the telemetry is the only authority that matters.
263
00:13:48,880 --> 00:13:52,400
This requires a fundamental change in how you view the one hour grace period.
264
00:13:52,400 --> 00:13:56,960
Microsoft managed failovers for services like SQL Database often have a built-in delay.
265
00:13:56,960 --> 00:14:00,640
The platform waits to see if the issue is transient before it forces a move.
266
00:14:00,640 --> 00:14:04,240
For a mission-critical SaaS business, waiting an hour is a losing strategy.
267
00:14:04,240 --> 00:14:07,440
You cannot outsource your uptime to a provider's global average.
268
00:14:07,440 --> 00:14:11,360
Your governance must allow for customer managed failover that triggers long before the platform
269
00:14:11,360 --> 00:14:12,880
officially declares a disaster.
270
00:14:12,880 --> 00:14:17,360
You have to be willing to be wrong and failover early to protect the user experience.
271
00:14:17,360 --> 00:14:21,760
To make this work you must separate the roles of the platform team and the application team.
272
00:14:21,760 --> 00:14:25,600
The platform team provides the approved patterns, such as the pre-provisioned networks,
273
00:14:25,600 --> 00:14:28,320
the identity silos and the replication logic.
274
00:14:28,320 --> 00:14:30,960
They build the how, but the application team owns the when.
275
00:14:30,960 --> 00:14:32,880
They own the runbook and the execution.
276
00:14:32,880 --> 00:14:36,960
When the metrics hit the red zone, the app team has the predefined right to pull the trigger
277
00:14:36,960 --> 00:14:38,480
without asking for permission.
278
00:14:38,480 --> 00:14:41,600
This federated ownership ensures that the people closest to the workload
279
00:14:41,600 --> 00:14:43,200
are the ones driving the recovery.
280
00:14:43,200 --> 00:14:45,040
You are essentially building a system of trust.
281
00:14:45,040 --> 00:14:47,200
You trust the telemetry to detect the fault
282
00:14:47,200 --> 00:14:49,920
and you trust the automation to execute the shift.
283
00:14:49,920 --> 00:14:52,320
This removes the human ego from the equation.
284
00:14:52,320 --> 00:14:55,120
It stops the second guessing that happens during a crisis.
285
00:14:55,120 --> 00:14:59,600
In a resilient organization, the war room isn't for deciding if you should failover.
286
00:14:59,600 --> 00:15:03,840
It is for managing the fallout after the automation has already moved the traffic.
287
00:15:03,840 --> 00:15:07,920
You are managing the incident, not the infrastructure, because here is the truth.
288
00:15:07,920 --> 00:15:12,080
A governance policy is just a piece of paper until it is tested under load.
289
00:15:12,080 --> 00:15:14,560
You can have the most decisively leadership in the world,
290
00:15:14,560 --> 00:15:18,480
but if your scripts have dormant bugs that only appear when the network is screaming
291
00:15:18,480 --> 00:15:20,000
your governance won't save you,
292
00:15:20,000 --> 00:15:23,440
you have to prove that the technology and the people can handle the pressure.
293
00:15:23,440 --> 00:15:25,840
You have to move beyond the diagram and into the chaos.
294
00:15:25,840 --> 00:15:28,800
Testing like you expect it to break,
295
00:15:28,800 --> 00:15:32,080
architectures never fail when they are just drawings on a whiteboard.
296
00:15:32,080 --> 00:15:34,400
They fail in production because of dormant bugs,
297
00:15:34,400 --> 00:15:37,680
which are logical flaws that stay hidden while your system is healthy.
298
00:15:37,680 --> 00:15:42,000
These bugs wait for the exact moment your network starts screaming to reveal themselves.
299
00:15:42,000 --> 00:15:44,640
You might believe your failover group is configured perfectly,
300
00:15:44,640 --> 00:15:46,800
but if you haven't tested it under a real load,
301
00:15:46,800 --> 00:15:48,240
you don't actually know if it works.
302
00:15:48,240 --> 00:15:49,680
Right now you just have a theory.
303
00:15:49,680 --> 00:15:53,280
This is why the new model focuses on chaos engineering and scheduled game days.
304
00:15:53,680 --> 00:15:56,320
You shouldn't wait for a massive regional blackout to discover
305
00:15:56,320 --> 00:15:59,200
that your secondary region lacks the quota for your web tier.
306
00:15:59,200 --> 00:16:02,240
Instead, you should intentionally sever your primary connections
307
00:16:02,240 --> 00:16:04,400
and simulate a total backbone collapse.
308
00:16:04,400 --> 00:16:08,240
You do this on a Tuesday morning when your best engineers are caffeinated and ready to respond,
309
00:16:08,240 --> 00:16:11,920
rather than at 3 a.m. on a holiday weekend when everyone is asleep.
310
00:16:11,920 --> 00:16:14,640
During these drills, you have to measure your actual recovery time
311
00:16:14,640 --> 00:16:16,800
against the targets written in your paper policy.
312
00:16:16,800 --> 00:16:18,800
If your official policy says 15 minutes,
313
00:16:18,800 --> 00:16:20,640
but the actual failover takes 40,
314
00:16:20,640 --> 00:16:22,720
you need to find where the friction is hiding.
315
00:16:22,720 --> 00:16:25,200
That friction is often caused by a retry storm,
316
00:16:25,200 --> 00:16:29,040
which happens when your application tries to reconnect so aggressively that it essentially
317
00:16:29,040 --> 00:16:30,720
ddoses your own healthy region.
318
00:16:30,720 --> 00:16:33,360
If you haven't validated your exponential back-off settings,
319
00:16:33,360 --> 00:16:35,280
your failover won't actually save you.
320
00:16:35,280 --> 00:16:38,000
It will just move the outage to a different set of servers.
321
00:16:38,000 --> 00:16:42,080
You also need synthetic testing to continuously check the performance of your secondary region
322
00:16:42,080 --> 00:16:43,680
from the perspective of the user.
323
00:16:43,680 --> 00:16:45,920
Most monitoring tools look from the inside out
324
00:16:45,920 --> 00:16:48,000
and tell you the database is technically up.
325
00:16:48,000 --> 00:16:52,000
Synthetic testing looks from the outside in to tell you if a user can actually
326
00:16:52,000 --> 00:16:55,200
finish a transaction when the primary region starts lagging.
327
00:16:55,200 --> 00:16:57,360
This is the only way to catch gray failures,
328
00:16:57,360 --> 00:17:00,400
which are those subtle degradations where the system isn't technically down,
329
00:17:00,400 --> 00:17:02,080
but it is completely unusable.
330
00:17:02,080 --> 00:17:04,240
If you aren't running these drills every quarter,
331
00:17:04,240 --> 00:17:06,720
your architecture is degrading every single day.
332
00:17:06,720 --> 00:17:09,600
Every configuration change, every new microservice,
333
00:17:09,600 --> 00:17:13,760
and every security patch you apply is a potential landmine for your recovery plan.
334
00:17:13,760 --> 00:17:16,320
Testing isn't a one-time event you finish during onboarding
335
00:17:16,320 --> 00:17:18,960
because it is a continuous requirement for staying in business.
336
00:17:18,960 --> 00:17:20,480
You have to break things on purpose
337
00:17:20,480 --> 00:17:22,400
to make sure they don't break on their own.
338
00:17:22,400 --> 00:17:25,840
This level of rigor is what separates the architects who build systems
339
00:17:25,840 --> 00:17:27,680
from the ones who just build hopes.
340
00:17:27,680 --> 00:17:31,440
You aren't looking for a success message in these tests you are looking for a failure.
341
00:17:31,440 --> 00:17:33,520
You want the script to crash and the database to lock
342
00:17:33,520 --> 00:17:36,160
because the more you find now, the less you will lose later.
343
00:17:36,160 --> 00:17:38,960
It is a proactive search for the cracks in your armor.
344
00:17:38,960 --> 00:17:41,040
And that is the only path to true resilience.
345
00:17:41,040 --> 00:17:43,440
The level of preparation.
346
00:17:43,440 --> 00:17:45,680
You should now understand the fundamental shift.
347
00:17:45,680 --> 00:17:47,840
Distribution is not the same thing as resilience.
348
00:17:47,840 --> 00:17:50,160
Resilience is a deliberate behavior of a system
349
00:17:50,160 --> 00:17:51,200
while it is under load.
350
00:17:51,200 --> 00:17:53,920
It requires a state strategy that handles consistency,
351
00:17:53,920 --> 00:17:56,000
a control plane that doesn't become a bottleneck,
352
00:17:56,000 --> 00:17:58,720
and a governance model that trusts the telemetry.
353
00:17:58,720 --> 00:18:01,360
True survival in the cloud happens when you stop pretending
354
00:18:01,360 --> 00:18:03,280
that having redundant infrastructure is enough.
355
00:18:03,280 --> 00:18:06,000
I challenge you today to map out your top three dependencies
356
00:18:06,000 --> 00:18:08,720
and find the one that lacks an automated failover path.
357
00:18:08,720 --> 00:18:10,880
That specific gap is your biggest risk.
358
00:18:10,880 --> 00:18:13,840
Stop building redundant architectures and start building resilient ones
359
00:18:13,840 --> 00:18:17,920
because the most expensive system is always the one that fails when you need it most.
360
00:18:17,920 --> 00:18:21,200
If this changed how you think about cloud strategy, follow me,
361
00:18:21,200 --> 00:18:24,720
Mirko Peters, unlinked in to share your failover stories.
362
00:18:24,720 --> 00:18:27,840
You can also subscribe to the M365FM podcast
363
00:18:27,840 --> 00:18:29,920
for more deep dives into these topics.
364
00:18:29,920 --> 00:18:33,360
You don't rise to the level of your architecture during a crisis.
365
00:18:33,360 --> 00:18:35,200
You fall to your level of preparation.
366
00:18:35,200 --> 00:18:38,240
That preparation is the only thing that turns a potential disaster
367
00:18:38,240 --> 00:18:39,920
into a manageable incident.
368
00:18:39,920 --> 00:18:43,120
Architectures never fail when they are just drawings on a whiteboard.
369
00:18:43,120 --> 00:18:45,520
They fail in production because of dormant bugs,
370
00:18:45,520 --> 00:18:49,040
which are logical flaws that stay hidden while your system is healthy.
371
00:18:49,040 --> 00:18:51,360
These bugs wait for the exact moment your network
372
00:18:51,360 --> 00:18:53,120
starts screaming to reveal themselves.
373
00:18:53,120 --> 00:18:55,600
You might believe your failover group is configured perfectly,
374
00:18:55,600 --> 00:18:57,440
but if you haven't tested it under a reload,
375
00:18:57,440 --> 00:18:59,120
you don't actually know if it works.
376
00:18:59,120 --> 00:19:00,640
Right now you just have a theory.
377
00:19:00,640 --> 00:19:03,200
This is why the new model focuses on chaos engineering
378
00:19:03,200 --> 00:19:04,560
and scheduled game days.
379
00:19:04,560 --> 00:19:06,480
You shouldn't wait for a massive regional blackout
380
00:19:06,480 --> 00:19:10,000
to discover that your secondary region lacks the quota for your web tier.
381
00:19:10,000 --> 00:19:12,800
Instead, you should intentionally sever your primary connections
382
00:19:12,800 --> 00:19:15,040
and simulate a total backbone collapse.
383
00:19:15,040 --> 00:19:17,440
You do this on a Tuesday morning when your best engineers
384
00:19:17,440 --> 00:19:19,360
are caffeinated and ready to respond.
385
00:19:19,360 --> 00:19:22,960
Rather than at 3am on a holiday weekend when everyone is asleep.
386
00:19:22,960 --> 00:19:25,760
During these drills, you have to measure your actual recovery time
387
00:19:25,760 --> 00:19:28,000
against the targets written in your paper policy.
388
00:19:28,000 --> 00:19:29,840
If your official policy says 15 minutes
389
00:19:29,840 --> 00:19:31,840
but the actual failover takes 40,
390
00:19:31,840 --> 00:19:33,600
you need to find where the friction is hiding.
391
00:19:33,600 --> 00:19:35,680
That friction is often caused by a retry storm,
392
00:19:35,680 --> 00:19:37,920
which happens when your application tries to reconnect
393
00:19:37,920 --> 00:19:41,200
so aggressively that it essentially detourses your own healthy region.
394
00:19:41,200 --> 00:19:43,520
If you haven't validated your exponential back-off settings,
395
00:19:43,520 --> 00:19:45,520
your failover won't actually save you,
396
00:19:45,520 --> 00:19:48,240
it will just move the outage to a different set of servers.
397
00:19:48,240 --> 00:19:50,800
You also need synthetic testing to continuously check
398
00:19:50,800 --> 00:19:52,880
the performance of your secondary region
399
00:19:52,880 --> 00:19:54,640
from the perspective of the user.
400
00:19:54,640 --> 00:19:56,880
Most monitoring tools look from the inside out
401
00:19:56,880 --> 00:19:59,360
and tell you the database is technically up.
402
00:19:59,360 --> 00:20:01,200
Synthetic testing looks from the outside in
403
00:20:01,200 --> 00:20:03,600
to tell you if a user can actually finish a transaction
404
00:20:03,600 --> 00:20:05,440
when the primary region starts lagging.
405
00:20:05,440 --> 00:20:07,600
This is the only way to catch gray failures,
406
00:20:07,600 --> 00:20:08,960
which are those subtle degradations
407
00:20:08,960 --> 00:20:10,560
where the system isn't technically down
408
00:20:10,560 --> 00:20:12,320
but it is completely unusable.
409
00:20:12,320 --> 00:20:14,640
If you aren't running these drills every quarter,
410
00:20:14,640 --> 00:20:17,040
your architecture is degrading every single day.
411
00:20:17,040 --> 00:20:19,440
Every configuration change, every new microservice
412
00:20:19,440 --> 00:20:21,360
and every security patch you apply
413
00:20:21,360 --> 00:20:23,680
is a potential landmine for your recovery plan.
414
00:20:23,680 --> 00:20:26,240
Testing isn't a one-time event you finished during onboarding
415
00:20:26,240 --> 00:20:27,920
because it is a continuous requirement
416
00:20:27,920 --> 00:20:28,960
for staying in business.
417
00:20:28,960 --> 00:20:30,320
You have to break things on purpose
418
00:20:30,320 --> 00:20:32,000
to make sure they don't break on their own.
419
00:20:32,000 --> 00:20:34,240
This level of rigor is what separates the architects
420
00:20:34,240 --> 00:20:37,120
who build systems from the ones who just build hopes.
421
00:20:37,120 --> 00:20:39,440
You aren't looking for a success message in these tests.
422
00:20:39,440 --> 00:20:40,960
You are looking for a failure.
423
00:20:40,960 --> 00:20:43,440
You want the script to crash and the database to lock
424
00:20:43,440 --> 00:20:45,760
because the more you find now, the less you will lose later.
425
00:20:45,760 --> 00:20:48,240
It is a proactive search for the cracks in your armor
426
00:20:48,240 --> 00:20:50,960
and that is the only path to true resilience.
00:00:00,000 --> 00:00:04,080
Many architects believe that deploying to multiple regions equals resilience.
2
00:00:04,080 --> 00:00:08,320
They assume that if region A goes dark, region B simply picks up the slack.
3
00:00:08,320 --> 00:00:12,080
But in reality, they are just paying double for a distributed single point of failure.
4
00:00:12,080 --> 00:00:15,120
The top 1% of architects do not focus on where they deploy.
5
00:00:15,120 --> 00:00:17,680
They focus on how the system behaves under pressure.
6
00:00:17,680 --> 00:00:22,000
If your failover requires a manual meeting or a functioning control plane during a blackout,
7
00:00:22,000 --> 00:00:23,240
you do not have a plan.
8
00:00:23,240 --> 00:00:24,240
You have hope.
9
00:00:24,240 --> 00:00:27,920
In the next 25 minutes, we are going to simulate a regional blackout.
10
00:00:27,920 --> 00:00:33,040
We will expose the architecture fragility that turns minor latency into a global death spiral.
11
00:00:33,040 --> 00:00:38,960
It is time to move from the old model of passive redundancy to a new model of state synchronized resilience.
12
00:00:38,960 --> 00:00:41,520
Edge failure when the front door goes dark.
13
00:00:41,520 --> 00:00:46,240
Global entry points like Azure Front Door or Edge Rooting are the most efficient way to scale.
14
00:00:46,240 --> 00:00:49,440
They handle SSL termination, they provide WAF protection,
15
00:00:49,440 --> 00:00:51,840
and they root traffic to the nearest healthy backend.
16
00:00:51,840 --> 00:00:55,280
But these tools create a bootstrap problem where your back ends are perfectly healthy,
17
00:00:55,280 --> 00:00:56,720
but completely unreachable.
18
00:00:56,720 --> 00:00:59,520
Look at the October 2025 Front Door Outage.
19
00:00:59,520 --> 00:01:04,080
A single configuration change bypassed safety checks and invalidated global routing logic,
20
00:01:04,080 --> 00:01:08,880
which meant that within minutes, Edge servers worldwide began mis-routing or timing out requests.
21
00:01:08,880 --> 00:01:13,360
The Azure portal failed and major SSL sites vanished because the logic was broken at the source.
22
00:01:13,360 --> 00:01:16,800
If your global ingress is the only way in, you have not built a bridge.
23
00:01:16,800 --> 00:01:18,720
You have built a funnel that can be plugged.
24
00:01:18,720 --> 00:01:22,320
Most organizations assume that because they use any cast IP addresses,
25
00:01:22,320 --> 00:01:23,920
the network will just find a path.
26
00:01:23,920 --> 00:01:29,040
But any cast is just a routing protocol, and it does not fix a logic error in the application layer.
27
00:01:29,040 --> 00:01:30,560
This creates the any cast trap.
28
00:01:30,560 --> 00:01:33,360
During a failure, you do not see a clean down status.
29
00:01:33,360 --> 00:01:37,280
Instead, you see scattered 500-level errors across global points of presence.
30
00:01:37,280 --> 00:01:40,560
Some users in London can connect while users in New York get timeouts,
31
00:01:40,560 --> 00:01:45,200
which makes it harder to diagnose than a total regional failure because the telemetry is inconsistent.
32
00:01:45,200 --> 00:01:48,480
Your monitoring might show the backend is at 0% CPU,
33
00:01:48,480 --> 00:01:50,720
but that is only because no traffic is reaching it.
34
00:01:50,720 --> 00:01:53,200
To survive this, you need multi-path management.
35
00:01:53,200 --> 00:01:57,680
You cannot rely on a single global edge proxy for 100% of your traffic.
36
00:01:57,680 --> 00:02:00,800
The new model uses secondary DNS-based failover.
37
00:02:00,800 --> 00:02:04,880
If the global edge layer degrades, you shift traffic directly to regional gateways.
38
00:02:04,880 --> 00:02:07,440
You might lose the CDN caching or the global WAF,
39
00:02:07,440 --> 00:02:11,440
but your application stays online because you chose to trade performance for availability.
40
00:02:11,440 --> 00:02:14,320
The mistake is treating the edge as an invisible utility.
41
00:02:14,320 --> 00:02:18,560
It is not. It is a dependency, and every dependency is a potential wall.
42
00:02:18,560 --> 00:02:23,040
In the October 2025 event, recovery was delayed because of retry storms.
43
00:02:23,040 --> 00:02:26,720
As soon as the fix was rolled out, millions of clients that had been pulling for a connection
44
00:02:26,720 --> 00:02:31,760
slammed the edge nodes. The healthy nodes were overwhelmed by the sheer volume of reconnection attempts,
45
00:02:31,760 --> 00:02:36,000
and the system could not stabilize because the front door was being kicked in by its own users.
46
00:02:36,000 --> 00:02:38,400
You must implement circuit breakers at the client level.
47
00:02:38,400 --> 00:02:41,120
Exponential back-off is not just a nice-to-have feature.
48
00:02:41,120 --> 00:02:43,120
It is a survival mechanism for the platform.
49
00:02:43,120 --> 00:02:47,360
If you do not control the retry logic, you are essentially dedossing your own infrastructure
50
00:02:47,360 --> 00:02:49,680
during a recovery window. This is where the old model breaks.
51
00:02:49,680 --> 00:02:51,680
It assumes the network is a static pipe,
52
00:02:51,680 --> 00:02:56,160
but the new model understands that the network is a dynamic living system that reacts to failure.
53
00:02:56,160 --> 00:02:59,200
Ask yourself, "What would happen if front door vanished right now?"
54
00:02:59,200 --> 00:03:02,560
If the answer is that your users would be stuck, then you are not resilient.
55
00:03:02,560 --> 00:03:05,680
You are just waiting for a configuration error to take you offline.
56
00:03:05,680 --> 00:03:09,200
The goal is to decouple the ingress logic from the regional availability.
57
00:03:09,200 --> 00:03:12,720
You want to be able to bypass the global layer entirely if it becomes a liability.
58
00:03:12,720 --> 00:03:17,440
This requires pre-configured regional endpoints that are ready to receive traffic at a moment's notice,
59
00:03:17,440 --> 00:03:22,320
and it requires a DNS strategy that does not depend on the same control plane that just went dark.
60
00:03:22,320 --> 00:03:23,760
Because here is the reality.
61
00:03:23,760 --> 00:03:27,200
Once the user can finally reach the edge, the next hurdle is not the code.
62
00:03:27,200 --> 00:03:29,600
It is the system's ability to talk to itself.
63
00:03:29,600 --> 00:03:32,800
If the edge is the front door, DNS is the directions to the house.
64
00:03:32,800 --> 00:03:36,080
And when those directions disappear, the entire architecture vanishes.
65
00:03:36,080 --> 00:03:39,440
We need to look at why names fail and how they take the cloud with them.
66
00:03:39,440 --> 00:03:42,720
The DNS name resolution "death spiral".
67
00:03:42,720 --> 00:03:44,640
Everything in the cloud depends on a name.
68
00:03:44,640 --> 00:03:48,080
When you call an API, connect to a database or authenticate a user,
69
00:03:48,080 --> 00:03:49,600
you are relying on a resolution string.
70
00:03:49,600 --> 00:03:54,720
If that resolution fails, the connective tissue of your entire architecture simply vanishes.
71
00:03:54,720 --> 00:03:56,640
The servers are running and the code is loaded,
72
00:03:56,640 --> 00:03:59,280
but the components are suddenly blind and deaf to one another.
73
00:03:59,280 --> 00:04:03,760
We saw this play out in a catastrophic race condition within a major cloud DNS management system.
74
00:04:03,760 --> 00:04:08,320
The failure wasn't a hardware snap, but rather a logic error between two automated processes,
75
00:04:08,320 --> 00:04:10,080
known as the planner and the enactor.
76
00:04:10,080 --> 00:04:12,160
The planner was generating new routing maps,
77
00:04:12,160 --> 00:04:14,560
while the enactor was struggling to apply an old one.
78
00:04:14,560 --> 00:04:18,880
Because the enactor fell behind, the system assumed the old records were obsolete and deleted them.
79
00:04:18,880 --> 00:04:22,400
In an instant, the directions to critical regional endpoints were wiped clean
80
00:04:22,400 --> 00:04:24,000
and the IP addresses were gone.
81
00:04:24,000 --> 00:04:25,280
This is the death spiral.
82
00:04:25,280 --> 00:04:28,240
It starts when a small resolution error triggers a retry,
83
00:04:28,240 --> 00:04:31,840
and that retry adds load to a DNS service that is already struggling.
84
00:04:31,840 --> 00:04:36,240
As the service slows down, more requests time out, which leads to even more retreats.
85
00:04:36,240 --> 00:04:39,840
The system isn't just failing, it is actively consuming itself.
86
00:04:39,840 --> 00:04:43,040
And here is the hidden dependency that kills most recovery plans.
87
00:04:43,040 --> 00:04:47,520
Your failover mechanism likely relies on the very DNS service that is currently degraded.
88
00:04:47,520 --> 00:04:50,000
If you need to update a caname record to point to region B,
89
00:04:50,000 --> 00:04:52,000
but the DNS control plane is paralyzed,
90
00:04:52,000 --> 00:04:55,040
you are stuck in the dark with no way to turn on the lights.
91
00:04:55,040 --> 00:04:59,520
To break this cycle, you have to bypass the global resolution layer for your internal traffic.
92
00:04:59,520 --> 00:05:03,280
The new model treats service-to-service communication as a separate failure domain.
93
00:05:03,280 --> 00:05:06,320
You implement any cast DNS that lives closer to the resources,
94
00:05:06,320 --> 00:05:10,080
and you use regional security token service endpoints to handle identity.
95
00:05:10,080 --> 00:05:13,360
By localizing these lookups, you ensure that a global DNS outage
96
00:05:13,360 --> 00:05:15,520
doesn't paralyze internal operations.
97
00:05:15,520 --> 00:05:18,800
If the front door is broken, the back office should still be able to function.
98
00:05:18,800 --> 00:05:21,920
You also need to set conservative time to live strategies.
99
00:05:21,920 --> 00:05:25,280
In a world of instant cloud scaling architects love low TTL,
100
00:05:25,280 --> 00:05:29,520
sometimes as low as 60 seconds because they want the ability to shift traffic immediately.
101
00:05:29,520 --> 00:05:32,960
But during a backbone failure, a low TTL is a liability.
102
00:05:32,960 --> 00:05:37,200
Every 60 seconds, every client in your ecosystem has to ask for directions again.
103
00:05:37,200 --> 00:05:40,320
If the DNS server is slow, you've just created a massive bottleneck.
104
00:05:40,320 --> 00:05:43,360
The systems thinker balances agility with durability.
105
00:05:43,360 --> 00:05:47,440
For critical service-to-service paths, you might hard-code internal break-glass routing.
106
00:05:47,440 --> 00:05:50,640
This isn't dirty engineering, it is a safety net that ensures your application
107
00:05:50,640 --> 00:05:53,280
doesn't need a global directory to find its own database.
108
00:05:53,280 --> 00:05:56,960
The old model assumes that the platform's foundational services are infallible.
109
00:05:56,960 --> 00:06:00,160
The new model assumes they are the first things that will break under stress.
110
00:06:00,160 --> 00:06:03,040
You must map out every name resolution your app makes.
111
00:06:03,040 --> 00:06:06,640
If any of those names point to a global service without a regional fallback,
112
00:06:06,640 --> 00:06:08,320
that is your single point of failure.
113
00:06:08,320 --> 00:06:11,200
You aren't resilient until you can resolve your own identity
114
00:06:11,200 --> 00:06:13,200
without asking the internet for permission.
115
00:06:13,200 --> 00:06:14,960
Because even if the name is resolved,
116
00:06:14,960 --> 00:06:17,200
you might find yourself facing a different kind of wall.
117
00:06:17,200 --> 00:06:20,240
You might have the right directions, but discover the road itself is blocked.
118
00:06:20,240 --> 00:06:23,040
You try to scale, you try to move, and you try to fix the mess.
119
00:06:23,040 --> 00:06:26,320
But the tools you usually use to manage the cloud have stopped responding.
120
00:06:26,320 --> 00:06:28,160
This is the fallacy of the management plane.
121
00:06:28,160 --> 00:06:32,240
It is the assumption that the data plane and the control plane will never fail at the same time,
122
00:06:32,240 --> 00:06:35,600
and that assumption is where the next stage of the blackout begins.
123
00:06:35,600 --> 00:06:38,960
Control plane degradation, the wheel just redeploy fallacy.
124
00:06:38,960 --> 00:06:42,640
Most disaster recovery plans rely on a massive, unspoken assumption.
125
00:06:42,640 --> 00:06:46,240
You assume that when the fire starts, the fire truck will still have gas.
126
00:06:46,240 --> 00:06:49,440
In Azure Terms, this is the belief that the Azure Resource Manager,
127
00:06:49,440 --> 00:06:51,600
or ARM, will be fully functional.
128
00:06:51,600 --> 00:06:53,680
Architects tell themselves that if region A fails,
129
00:06:53,680 --> 00:06:56,080
they will just redeploy their stack to region B.
130
00:06:56,080 --> 00:06:59,520
It sounds logical on a whiteboard, but in a real-world regional crisis,
131
00:06:59,520 --> 00:07:01,120
that strategy is a total fantasy.
132
00:07:01,120 --> 00:07:04,080
There is a fundamental difference between the data plane and the control plane.
133
00:07:04,080 --> 00:07:06,800
The data plane is where your code runs and your user's interact.
134
00:07:06,800 --> 00:07:08,800
The control plane is the management layer,
135
00:07:08,800 --> 00:07:12,320
or the APIs you call to create, scale, or move resources.
136
00:07:12,320 --> 00:07:15,760
During a regional blackout, the data plane in your healthy region might be fine,
137
00:07:15,760 --> 00:07:19,840
but the control plane is often the first thing to get paralyzed by ARM exhaustion.
138
00:07:19,840 --> 00:07:22,560
Think about what happens the moment a major region goes offline.
139
00:07:22,560 --> 00:07:25,760
Thousands of companies simultaneously trigger their recovery scripts,
140
00:07:25,760 --> 00:07:30,400
and every automated system on the continent starts hitting the same management APIs at once.
141
00:07:30,400 --> 00:07:34,960
This creates a massive surge in API requests that the platform was never sized to handle.
142
00:07:34,960 --> 00:07:37,760
Timeouts begin and internal service cues fill up.
143
00:07:37,760 --> 00:07:41,440
Suddenly, your simple command to spin up a new virtual machine scale set
144
00:07:41,440 --> 00:07:44,080
returns a 503 error and you are stuck.
145
00:07:44,080 --> 00:07:47,600
We saw this in January of 2024 during a significant ARM disruption.
146
00:07:47,600 --> 00:07:52,800
A latent code defect triggered by a routine change caused management nodes to fail on startup.
147
00:07:52,800 --> 00:07:57,840
It didn't just affect one service, but instead exhausted capacity across multiple regions for seven hours.
148
00:07:57,840 --> 00:08:01,920
If your recovery plan was to redeploy on demand, you are out of luck for nearly a full work day.
149
00:08:01,920 --> 00:08:06,000
The old model treats the cloud as an infinite pool of resources available at a moment's notice.
150
00:08:06,000 --> 00:08:08,640
The new model recognizes that during a crisis,
151
00:08:08,640 --> 00:08:10,960
the cloud is a finite, crowded lifeboat.
152
00:08:10,960 --> 00:08:12,320
This leads to the redeploy myth.
153
00:08:12,320 --> 00:08:16,240
Even if the management APIs are responding, the physical hardware might not be available.
154
00:08:16,240 --> 00:08:19,840
When a region fails, everyone rushes to the same safe neighboring region.
155
00:08:19,840 --> 00:08:23,360
Within minutes, the most popular VM sizes in that healthy region are sold out.
156
00:08:23,360 --> 00:08:27,840
You try to scale your web tier, but you get an allocation failed message because the healthy region is full.
157
00:08:27,840 --> 00:08:31,760
You wait until the disaster to ask for space, and now there is none left.
158
00:08:31,760 --> 00:08:34,720
The systems thinker avoids this by moving to a pre-provisioned model.
159
00:08:34,720 --> 00:08:38,240
You don't wait for the outage to start building your secondary environment.
160
00:08:38,240 --> 00:08:42,320
You maintain warm standbys, which are pieces of infrastructure that are already allocated
161
00:08:42,320 --> 00:08:43,840
and running at a minimal scale.
162
00:08:43,840 --> 00:08:48,320
Resilience means having the capacity reserved before the rest of the world tries to buy it.
163
00:08:48,320 --> 00:08:52,160
Your recovery should be a pushbutton event that only requires a routing change.
164
00:08:52,160 --> 00:08:56,640
It should not require a thousand platform API calls to build an environment from scratch.
165
00:08:56,640 --> 00:08:59,840
You must also define clear decision rights for this process.
166
00:08:59,840 --> 00:09:03,760
If your recovery requires calling the Azure Resource Manager to change a setting,
167
00:09:03,760 --> 00:09:04,880
you are vulnerable.
168
00:09:04,880 --> 00:09:06,880
The goal is to have data play and failover.
169
00:09:06,880 --> 00:09:10,480
This means the traffic shift happens through the network and the application logic,
170
00:09:10,480 --> 00:09:11,760
not through the management portal.
171
00:09:11,760 --> 00:09:14,720
If you can't switch regions while the Azure portal is down,
172
00:09:14,720 --> 00:09:16,240
you aren't truly resilient.
173
00:09:16,240 --> 00:09:19,040
You are just a passenger on a ship that has no lifeboats.
174
00:09:19,040 --> 00:09:20,320
We have secured the ingress.
175
00:09:20,320 --> 00:09:21,600
We have stabilized the names.
176
00:09:21,600 --> 00:09:25,440
We have pre-provisioned the compute so we don't get locked out by a paralyzed control plane.
177
00:09:25,440 --> 00:09:27,760
But now we face the hardest part of the cloud.
178
00:09:27,760 --> 00:09:31,680
The thing that actually keeps systems pinned to a failing region is the data.
179
00:09:31,680 --> 00:09:33,760
Because while stateless code is easy to move,
180
00:09:33,760 --> 00:09:37,440
state has mass and that mass is where resilience is truly one or lost.
181
00:09:37,440 --> 00:09:39,120
State strategy.
182
00:09:39,120 --> 00:09:41,360
Where resilience is one or lost.
183
00:09:41,360 --> 00:09:43,680
Moving a stateless service is easy.
184
00:09:43,680 --> 00:09:47,600
If a web server dies, you just spin up another one and the system keeps moving.
185
00:09:47,600 --> 00:09:48,800
But stateful data is different.
186
00:09:48,800 --> 00:09:52,720
It acts like an anchor that keeps your entire system pinned to a failing region.
187
00:09:52,720 --> 00:09:54,800
This is the moment of truth for every architect.
188
00:09:54,800 --> 00:09:58,560
You can have the best network routing and the fastest compute on the planet.
189
00:09:58,560 --> 00:10:01,200
But if your data is trapped in a black-doubt data center,
190
00:10:01,200 --> 00:10:02,880
your application is dead.
191
00:10:02,880 --> 00:10:04,240
The reality is simple.
192
00:10:04,240 --> 00:10:06,320
Multi-region deployment doesn't make you resilient.
193
00:10:06,320 --> 00:10:07,760
Your state strategy does.
194
00:10:07,760 --> 00:10:10,880
In the old model, architects treated databases like black boxes.
195
00:10:10,880 --> 00:10:15,120
They turned on geo-ridundancy and walked away, assuming the cloud provider would handle the heavy lifting.
196
00:10:15,120 --> 00:10:17,280
But that approach ignores the physics of data.
197
00:10:17,280 --> 00:10:21,680
Every bit of information you write has to travel across a physical distance to reach the secondary region.
198
00:10:21,680 --> 00:10:23,280
This creates the asynchronous trap.
199
00:10:23,280 --> 00:10:27,360
Most managed services use asynchronous replication to keep performance high.
200
00:10:27,360 --> 00:10:30,080
If you wait for a right to confirm in two regions at the same time,
201
00:10:30,080 --> 00:10:31,520
your latency will skyrocket.
202
00:10:31,520 --> 00:10:32,960
So, you accept a small gap.
203
00:10:32,960 --> 00:10:35,040
You live with a few seconds or minutes,
204
00:10:35,040 --> 00:10:37,920
where the secondary region is slightly behind the primary.
205
00:10:37,920 --> 00:10:39,280
But here is where things break.
206
00:10:39,280 --> 00:10:42,000
If a regional outage occurs and you fail over immediately,
207
00:10:42,000 --> 00:10:44,480
that replication lag becomes a permanent data loss event.
208
00:10:44,480 --> 00:10:47,520
Those last few hundred transactions never made it to the other side.
209
00:10:47,520 --> 00:10:51,760
They exist only on disks that are currently sitting in a dark room with no power.
210
00:10:51,760 --> 00:10:54,320
If your business cannot tolerate losing 10 minutes of orders,
211
00:10:54,320 --> 00:10:56,640
then your passive failover isn't a strategy.
212
00:10:56,640 --> 00:10:57,760
It is a gamble.
213
00:10:57,760 --> 00:11:00,720
To win here, you have to move to a model of consistency awareness.
214
00:11:00,720 --> 00:11:02,800
You stop treating all data as equal.
215
00:11:02,800 --> 00:11:07,280
You use tools like Cosmos DB with multi-region rights or SQL failover groups,
216
00:11:07,280 --> 00:11:10,480
but you configure them based on the specific needs of the transaction.
217
00:11:10,480 --> 00:11:14,320
For a user's shopping cart, maybe session consistency is enough.
218
00:11:14,320 --> 00:11:18,800
It balances a fast user experience with the guarantee that the user sees their own rights.
219
00:11:18,800 --> 00:11:21,600
But for a financial ledger, you might choose bounded staleness.
220
00:11:21,600 --> 00:11:25,280
This is where you explicitly define exactly how much lag you are willing to risk
221
00:11:25,280 --> 00:11:27,520
before the system stops accepting new entries.
222
00:11:27,520 --> 00:11:29,280
You are essentially choosing your poison.
223
00:11:29,280 --> 00:11:32,560
Do you want a system that is always available but might lose data,
224
00:11:32,560 --> 00:11:36,320
or a system that is perfectly consistent, but goes offline when the network jitters?
225
00:11:36,320 --> 00:11:37,760
The new model doesn't pick one.
226
00:11:37,760 --> 00:11:39,360
It maps the data to the outcome.
227
00:11:39,360 --> 00:11:44,320
You design your state so that critical crown jewel data is replicated with the tightest possible recovery point,
228
00:11:44,320 --> 00:11:47,680
while non-essential logs or telemetry are left to catch up whenever they can.
229
00:11:47,680 --> 00:11:51,440
This requires a shift in how you think about primary and secondary sites.
230
00:11:51,440 --> 00:11:54,320
In a resilient architecture, there is no backup region.
231
00:11:54,320 --> 00:11:57,280
There are only active nodes participating in a global state.
232
00:11:57,280 --> 00:12:01,040
When one node vanishes, the others already have the context they need to continue.
233
00:12:01,040 --> 00:12:03,200
You aren't failing over in the traditional sense.
234
00:12:03,200 --> 00:12:05,840
You are just narrowing the scope of your active footprint.
235
00:12:05,840 --> 00:12:10,800
This reduces the recovery time because there is no massive database promotion or DNS update required.
236
00:12:10,800 --> 00:12:14,560
The state is already there, but building the technology is only half the battle.
237
00:12:14,560 --> 00:12:18,000
You can have the most advanced state synchronized cluster on the planet,
238
00:12:18,000 --> 00:12:21,520
and it will still fail if the people running it are paralyzed by indecision.
239
00:12:21,520 --> 00:12:23,840
The longest part of an outage isn't the technical fix.
240
00:12:23,840 --> 00:12:27,600
It is the time spent in a war room arguing about whether or not to pull the trigger.
241
00:12:27,600 --> 00:12:31,040
We need to talk about the governance that dictates who owns the disaster
242
00:12:31,040 --> 00:12:32,880
and why meetings are the enemy of uptime.
243
00:12:32,880 --> 00:12:35,360
Governance and decision rights.
244
00:12:35,360 --> 00:12:36,640
No meetings allowed.
245
00:12:36,640 --> 00:12:39,760
The longest part of a cloud outage isn't the technical restoration.
246
00:12:39,760 --> 00:12:45,040
It is the time spent in a virtual war room while executives argue about the financial impact of failing over.
247
00:12:45,040 --> 00:12:48,560
You are sitting there with a degraded region and watching your error rates climb
248
00:12:48,560 --> 00:12:53,040
while a committee debates whether the primary site might come back online in the next 10 minutes.
249
00:12:53,040 --> 00:12:54,160
This is the decision gap.
250
00:12:54,160 --> 00:12:59,360
It is the period where your architecture is ready to move but your organization is paralyzed by its own hierarchy.
251
00:12:59,360 --> 00:13:04,480
In the old model, failover is treated as a high stakes emergency that requires centralized gatekeeping.
252
00:13:04,480 --> 00:13:09,680
You have a rigid chain of command where a CTO or a VP of infrastructure has to sign off on a traffic shift.
253
00:13:09,680 --> 00:13:13,840
The assumption is that failing over is risky, expensive and potentially unnecessary.
254
00:13:13,840 --> 00:13:17,760
But when you are dealing with a regional blackout that centralized model becomes a bottleneck.
255
00:13:17,760 --> 00:13:20,160
If your failover requires a meeting you don't have a plan.
256
00:13:20,160 --> 00:13:23,600
You have hope and hope is a terrible disaster recovery strategy.
257
00:13:23,600 --> 00:13:27,840
The new model shifts toward platform-led guardrails with federated execution.
258
00:13:27,840 --> 00:13:31,200
You move the decision making power away from the boardroom and into the code.
259
00:13:31,200 --> 00:13:37,520
This starts by defining circuit breakers which are automated triggers that execute based on telemetry rather than consensus.
260
00:13:37,520 --> 00:13:42,160
If your latency across the regional backbone exceeds a specific threshold for more than five minutes,
261
00:13:42,160 --> 00:13:44,320
the system should initiate a shift automatically.
262
00:13:44,320 --> 00:13:48,880
There is no phone call, there is no slack thread, the telemetry is the only authority that matters.
263
00:13:48,880 --> 00:13:52,400
This requires a fundamental change in how you view the one hour grace period.
264
00:13:52,400 --> 00:13:56,960
Microsoft managed failovers for services like SQL Database often have a built-in delay.
265
00:13:56,960 --> 00:14:00,640
The platform waits to see if the issue is transient before it forces a move.
266
00:14:00,640 --> 00:14:04,240
For a mission-critical SaaS business, waiting an hour is a losing strategy.
267
00:14:04,240 --> 00:14:07,440
You cannot outsource your uptime to a provider's global average.
268
00:14:07,440 --> 00:14:11,360
Your governance must allow for customer managed failover that triggers long before the platform
269
00:14:11,360 --> 00:14:12,880
officially declares a disaster.
270
00:14:12,880 --> 00:14:17,360
You have to be willing to be wrong and failover early to protect the user experience.
271
00:14:17,360 --> 00:14:21,760
To make this work you must separate the roles of the platform team and the application team.
272
00:14:21,760 --> 00:14:25,600
The platform team provides the approved patterns, such as the pre-provisioned networks,
273
00:14:25,600 --> 00:14:28,320
the identity silos and the replication logic.
274
00:14:28,320 --> 00:14:30,960
They build the how, but the application team owns the when.
275
00:14:30,960 --> 00:14:32,880
They own the runbook and the execution.
276
00:14:32,880 --> 00:14:36,960
When the metrics hit the red zone, the app team has the predefined right to pull the trigger
277
00:14:36,960 --> 00:14:38,480
without asking for permission.
278
00:14:38,480 --> 00:14:41,600
This federated ownership ensures that the people closest to the workload
279
00:14:41,600 --> 00:14:43,200
are the ones driving the recovery.
280
00:14:43,200 --> 00:14:45,040
You are essentially building a system of trust.
281
00:14:45,040 --> 00:14:47,200
You trust the telemetry to detect the fault
282
00:14:47,200 --> 00:14:49,920
and you trust the automation to execute the shift.
283
00:14:49,920 --> 00:14:52,320
This removes the human ego from the equation.
284
00:14:52,320 --> 00:14:55,120
It stops the second guessing that happens during a crisis.
285
00:14:55,120 --> 00:14:59,600
In a resilient organization, the war room isn't for deciding if you should failover.
286
00:14:59,600 --> 00:15:03,840
It is for managing the fallout after the automation has already moved the traffic.
287
00:15:03,840 --> 00:15:07,920
You are managing the incident, not the infrastructure, because here is the truth.
288
00:15:07,920 --> 00:15:12,080
A governance policy is just a piece of paper until it is tested under load.
289
00:15:12,080 --> 00:15:14,560
You can have the most decisively leadership in the world,
290
00:15:14,560 --> 00:15:18,480
but if your scripts have dormant bugs that only appear when the network is screaming
291
00:15:18,480 --> 00:15:20,000
your governance won't save you,
292
00:15:20,000 --> 00:15:23,440
you have to prove that the technology and the people can handle the pressure.
293
00:15:23,440 --> 00:15:25,840
You have to move beyond the diagram and into the chaos.
294
00:15:25,840 --> 00:15:28,800
Testing like you expect it to break,
295
00:15:28,800 --> 00:15:32,080
architectures never fail when they are just drawings on a whiteboard.
296
00:15:32,080 --> 00:15:34,400
They fail in production because of dormant bugs,
297
00:15:34,400 --> 00:15:37,680
which are logical flaws that stay hidden while your system is healthy.
298
00:15:37,680 --> 00:15:42,000
These bugs wait for the exact moment your network starts screaming to reveal themselves.
299
00:15:42,000 --> 00:15:44,640
You might believe your failover group is configured perfectly,
300
00:15:44,640 --> 00:15:46,800
but if you haven't tested it under a real load,
301
00:15:46,800 --> 00:15:48,240
you don't actually know if it works.
302
00:15:48,240 --> 00:15:49,680
Right now you just have a theory.
303
00:15:49,680 --> 00:15:53,280
This is why the new model focuses on chaos engineering and scheduled game days.
304
00:15:53,680 --> 00:15:56,320
You shouldn't wait for a massive regional blackout to discover
305
00:15:56,320 --> 00:15:59,200
that your secondary region lacks the quota for your web tier.
306
00:15:59,200 --> 00:16:02,240
Instead, you should intentionally sever your primary connections
307
00:16:02,240 --> 00:16:04,400
and simulate a total backbone collapse.
308
00:16:04,400 --> 00:16:08,240
You do this on a Tuesday morning when your best engineers are caffeinated and ready to respond,
309
00:16:08,240 --> 00:16:11,920
rather than at 3 a.m. on a holiday weekend when everyone is asleep.
310
00:16:11,920 --> 00:16:14,640
During these drills, you have to measure your actual recovery time
311
00:16:14,640 --> 00:16:16,800
against the targets written in your paper policy.
312
00:16:16,800 --> 00:16:18,800
If your official policy says 15 minutes,
313
00:16:18,800 --> 00:16:20,640
but the actual failover takes 40,
314
00:16:20,640 --> 00:16:22,720
you need to find where the friction is hiding.
315
00:16:22,720 --> 00:16:25,200
That friction is often caused by a retry storm,
316
00:16:25,200 --> 00:16:29,040
which happens when your application tries to reconnect so aggressively that it essentially
317
00:16:29,040 --> 00:16:30,720
ddoses your own healthy region.
318
00:16:30,720 --> 00:16:33,360
If you haven't validated your exponential back-off settings,
319
00:16:33,360 --> 00:16:35,280
your failover won't actually save you.
320
00:16:35,280 --> 00:16:38,000
It will just move the outage to a different set of servers.
321
00:16:38,000 --> 00:16:42,080
You also need synthetic testing to continuously check the performance of your secondary region
322
00:16:42,080 --> 00:16:43,680
from the perspective of the user.
323
00:16:43,680 --> 00:16:45,920
Most monitoring tools look from the inside out
324
00:16:45,920 --> 00:16:48,000
and tell you the database is technically up.
325
00:16:48,000 --> 00:16:52,000
Synthetic testing looks from the outside in to tell you if a user can actually
326
00:16:52,000 --> 00:16:55,200
finish a transaction when the primary region starts lagging.
327
00:16:55,200 --> 00:16:57,360
This is the only way to catch gray failures,
328
00:16:57,360 --> 00:17:00,400
which are those subtle degradations where the system isn't technically down,
329
00:17:00,400 --> 00:17:02,080
but it is completely unusable.
330
00:17:02,080 --> 00:17:04,240
If you aren't running these drills every quarter,
331
00:17:04,240 --> 00:17:06,720
your architecture is degrading every single day.
332
00:17:06,720 --> 00:17:09,600
Every configuration change, every new microservice,
333
00:17:09,600 --> 00:17:13,760
and every security patch you apply is a potential landmine for your recovery plan.
334
00:17:13,760 --> 00:17:16,320
Testing isn't a one-time event you finish during onboarding
335
00:17:16,320 --> 00:17:18,960
because it is a continuous requirement for staying in business.
336
00:17:18,960 --> 00:17:20,480
You have to break things on purpose
337
00:17:20,480 --> 00:17:22,400
to make sure they don't break on their own.
338
00:17:22,400 --> 00:17:25,840
This level of rigor is what separates the architects who build systems
339
00:17:25,840 --> 00:17:27,680
from the ones who just build hopes.
340
00:17:27,680 --> 00:17:31,440
You aren't looking for a success message in these tests you are looking for a failure.
341
00:17:31,440 --> 00:17:33,520
You want the script to crash and the database to lock
342
00:17:33,520 --> 00:17:36,160
because the more you find now, the less you will lose later.
343
00:17:36,160 --> 00:17:38,960
It is a proactive search for the cracks in your armor.
344
00:17:38,960 --> 00:17:41,040
And that is the only path to true resilience.
345
00:17:41,040 --> 00:17:43,440
The level of preparation.
346
00:17:43,440 --> 00:17:45,680
You should now understand the fundamental shift.
347
00:17:45,680 --> 00:17:47,840
Distribution is not the same thing as resilience.
348
00:17:47,840 --> 00:17:50,160
Resilience is a deliberate behavior of a system
349
00:17:50,160 --> 00:17:51,200
while it is under load.
350
00:17:51,200 --> 00:17:53,920
It requires a state strategy that handles consistency,
351
00:17:53,920 --> 00:17:56,000
a control plane that doesn't become a bottleneck,
352
00:17:56,000 --> 00:17:58,720
and a governance model that trusts the telemetry.
353
00:17:58,720 --> 00:18:01,360
True survival in the cloud happens when you stop pretending
354
00:18:01,360 --> 00:18:03,280
that having redundant infrastructure is enough.
355
00:18:03,280 --> 00:18:06,000
I challenge you today to map out your top three dependencies
356
00:18:06,000 --> 00:18:08,720
and find the one that lacks an automated failover path.
357
00:18:08,720 --> 00:18:10,880
That specific gap is your biggest risk.
358
00:18:10,880 --> 00:18:13,840
Stop building redundant architectures and start building resilient ones
359
00:18:13,840 --> 00:18:17,920
because the most expensive system is always the one that fails when you need it most.
360
00:18:17,920 --> 00:18:21,200
If this changed how you think about cloud strategy, follow me,
361
00:18:21,200 --> 00:18:24,720
Mirko Peters, unlinked in to share your failover stories.
362
00:18:24,720 --> 00:18:27,840
You can also subscribe to the M365FM podcast
363
00:18:27,840 --> 00:18:29,920
for more deep dives into these topics.
364
00:18:29,920 --> 00:18:33,360
You don't rise to the level of your architecture during a crisis.
365
00:18:33,360 --> 00:18:35,200
You fall to your level of preparation.
366
00:18:35,200 --> 00:18:38,240
That preparation is the only thing that turns a potential disaster
367
00:18:38,240 --> 00:18:39,920
into a manageable incident.
368
00:18:39,920 --> 00:18:43,120
Architectures never fail when they are just drawings on a whiteboard.
369
00:18:43,120 --> 00:18:45,520
They fail in production because of dormant bugs,
370
00:18:45,520 --> 00:18:49,040
which are logical flaws that stay hidden while your system is healthy.
371
00:18:49,040 --> 00:18:51,360
These bugs wait for the exact moment your network
372
00:18:51,360 --> 00:18:53,120
starts screaming to reveal themselves.
373
00:18:53,120 --> 00:18:55,600
You might believe your failover group is configured perfectly,
374
00:18:55,600 --> 00:18:57,440
but if you haven't tested it under a reload,
375
00:18:57,440 --> 00:18:59,120
you don't actually know if it works.
376
00:18:59,120 --> 00:19:00,640
Right now you just have a theory.
377
00:19:00,640 --> 00:19:03,200
This is why the new model focuses on chaos engineering
378
00:19:03,200 --> 00:19:04,560
and scheduled game days.
379
00:19:04,560 --> 00:19:06,480
You shouldn't wait for a massive regional blackout
380
00:19:06,480 --> 00:19:10,000
to discover that your secondary region lacks the quota for your web tier.
381
00:19:10,000 --> 00:19:12,800
Instead, you should intentionally sever your primary connections
382
00:19:12,800 --> 00:19:15,040
and simulate a total backbone collapse.
383
00:19:15,040 --> 00:19:17,440
You do this on a Tuesday morning when your best engineers
384
00:19:17,440 --> 00:19:19,360
are caffeinated and ready to respond.
385
00:19:19,360 --> 00:19:22,960
Rather than at 3am on a holiday weekend when everyone is asleep.
386
00:19:22,960 --> 00:19:25,760
During these drills, you have to measure your actual recovery time
387
00:19:25,760 --> 00:19:28,000
against the targets written in your paper policy.
388
00:19:28,000 --> 00:19:29,840
If your official policy says 15 minutes
389
00:19:29,840 --> 00:19:31,840
but the actual failover takes 40,
390
00:19:31,840 --> 00:19:33,600
you need to find where the friction is hiding.
391
00:19:33,600 --> 00:19:35,680
That friction is often caused by a retry storm,
392
00:19:35,680 --> 00:19:37,920
which happens when your application tries to reconnect
393
00:19:37,920 --> 00:19:41,200
so aggressively that it essentially detourses your own healthy region.
394
00:19:41,200 --> 00:19:43,520
If you haven't validated your exponential back-off settings,
395
00:19:43,520 --> 00:19:45,520
your failover won't actually save you,
396
00:19:45,520 --> 00:19:48,240
it will just move the outage to a different set of servers.
397
00:19:48,240 --> 00:19:50,800
You also need synthetic testing to continuously check
398
00:19:50,800 --> 00:19:52,880
the performance of your secondary region
399
00:19:52,880 --> 00:19:54,640
from the perspective of the user.
400
00:19:54,640 --> 00:19:56,880
Most monitoring tools look from the inside out
401
00:19:56,880 --> 00:19:59,360
and tell you the database is technically up.
402
00:19:59,360 --> 00:20:01,200
Synthetic testing looks from the outside in
403
00:20:01,200 --> 00:20:03,600
to tell you if a user can actually finish a transaction
404
00:20:03,600 --> 00:20:05,440
when the primary region starts lagging.
405
00:20:05,440 --> 00:20:07,600
This is the only way to catch gray failures,
406
00:20:07,600 --> 00:20:08,960
which are those subtle degradations
407
00:20:08,960 --> 00:20:10,560
where the system isn't technically down
408
00:20:10,560 --> 00:20:12,320
but it is completely unusable.
409
00:20:12,320 --> 00:20:14,640
If you aren't running these drills every quarter,
410
00:20:14,640 --> 00:20:17,040
your architecture is degrading every single day.
411
00:20:17,040 --> 00:20:19,440
Every configuration change, every new microservice
412
00:20:19,440 --> 00:20:21,360
and every security patch you apply
413
00:20:21,360 --> 00:20:23,680
is a potential landmine for your recovery plan.
414
00:20:23,680 --> 00:20:26,240
Testing isn't a one-time event you finished during onboarding
415
00:20:26,240 --> 00:20:27,920
because it is a continuous requirement
416
00:20:27,920 --> 00:20:28,960
for staying in business.
417
00:20:28,960 --> 00:20:30,320
You have to break things on purpose
418
00:20:30,320 --> 00:20:32,000
to make sure they don't break on their own.
419
00:20:32,000 --> 00:20:34,240
This level of rigor is what separates the architects
420
00:20:34,240 --> 00:20:37,120
who build systems from the ones who just build hopes.
421
00:20:37,120 --> 00:20:39,440
You aren't looking for a success message in these tests.
422
00:20:39,440 --> 00:20:40,960
You are looking for a failure.
423
00:20:40,960 --> 00:20:43,440
You want the script to crash and the database to lock
424
00:20:43,440 --> 00:20:45,760
because the more you find now, the less you will lose later.
425
00:20:45,760 --> 00:20:48,240
It is a proactive search for the cracks in your armor
426
00:20:48,240 --> 00:20:50,960
and that is the only path to true resilience.