Every disaster recovery review eventually reaches the same sentence: "We have cross-region replication, so we're covered." It is said with confidence, because by every metric the team watches, it is true. The replica is current. Lag is measured in seconds. The dashboard is green. And that confidence is precisely the problem.
The better replication works, the more dangerous the assumption becomes.
This is not an argument against replication. Modern replication is one of the most reliable primitives in infrastructure — it does exactly what it claims, continuously and without drama. The argument is against the false confidence that reliability manufactures. Replication is a data-movement capability. Resilience is a recovery capability. They are routinely treated as the same thing, and they are not even close. A current copy at a second site tells you that your data exists somewhere else. It tells you nothing about whether a service can be brought back to life from it, how long that would take, or whether the thing you recover is even valid.
What follows is five structural reasons cross-region replication is not resilience.
What Cross-Region Replication Actually Guarantees
Cross-region replication maintains a copy of data in a geographically separate location, kept current to within some bounded window. Synchronous replication holds the replica byte-identical to the source at commit time; asynchronous replication accepts a small lag in exchange for not blocking writes on a distant round trip. Object stores do it at the bucket level (AWS S3 Cross-Region Replication), storage platforms at the account or volume level (Azure storage redundancy), databases at the transaction-log level.
That is the entire guarantee: a current copy exists elsewhere. It protects against the loss of a region, a data center, a storage array. What it does not guarantee is anything about the act of recovery. Replication is the continuous answer to one narrow question — "is the copy current?" — and it answers nothing else.
RPO Is Not RTO
Recovery Point Objective measures how much data you can afford to lose. Recovery Time Objective measures how long you can afford to be down. Replication is purely an RPO instrument. It drives data loss toward zero and does precisely nothing for RTO.
| RPO | RTO | |
|---|---|---|
| The question | How much data can we lose? | How long until we serve again? |
| Driven by | Replication frequency | Orchestration, dependencies, people |
| Replication's effect | Drives toward zero | Unchanged |
| Where it's proven | Continuously, automatically | Only under failure |
This is the Replication–Recovery Gap: the structural distance between data being current at a second site and a service being recoverable from it. Teams measure the left column obsessively and infer the right column for free. The right column is not free. For why recovery metrics should drive infrastructure design, see RPO, RTO, and RTA.
Replication Faithfully Copies the Disaster
Replication has no concept of intent. Ransomware encryption, an accidental DROP TABLE, a malformed migration, a bad automation run — to the replication engine these are all just changes, and changes are what it exists to propagate. Faithfully. In seconds.
Diagnostic: "When the destructive event lands on the primary, how long until it lands on every replica — and is that interval shorter than your detection time?"
That interval is the Corruption Propagation Window: the time between a destructive event reaching the primary and that same event being faithfully copied to every replica, before anyone detects it. Synchronous replication shrinks that window to near zero. The replica is not a recovery point — it is a mirror, and a mirror reflects ransomware as cleanly as a healthy transaction. This is why ransomware recovery is an architecture problem and why breaking the propagation path with air gaps and immutability is a different capability from replication.
The Consistency Boundary Problem
The failure practitioners understand least is consistency across a system of independently replicated components — not single-database crash- vs application-consistency, covered in why crash-consistent is not a database backup.
A modern service is a database, an object store, a queue, a cache, an event stream, a search index — each with its own replication mechanism and lag. Replicate each independently and every one reports healthy at the destination. The recovered system is still operationally invalid: messages in flight exist in the database but not the queue, the cache references a state the database has moved past, the event stream is hours behind.
⚠ Common mistake: Treating per-component replication health as system recoverability. Individually healthy components can collectively form an unrecoverable application — the inconsistency lives in the relationships between stores, which no component monitors.
Recovery is not the restoration of systems — it is the restoration of relationships between systems.
Failover Is the Resilience. Replication Is Just Plumbing.
Replication is passive. Recovery is active. Replication happens continuously, automatically, under normal conditions, measured every day. Recovery happens rarely, with humans in the loop, under abnormal conditions, measured once — during the crisis. These are two different engineering disciplines.
The Dependency Recovery Problem
Dependency Recovery Blindness is the failure to recognize that a service recovers as a dependency graph, not an infrastructure stack. The database came back. But the identity provider is in the failed region. The secrets store did not fail over. DNS still resolves to the dead region. The certificate authority is unreachable, so mutual TLS fails between every service that did recover. A recovery is only as complete as its least-recovered dependency. This is why DNS failover so often doesn't fail over and why configuration drift surfaces during a drill.
Recovery Is Exercised Under Stress
| Replication | Recovery |
|---|---|
| Continuous | Rare |
| Automated | Human-involved |
| Predictable | Chaotic |
| Measured daily | Measured during crisis |
| Operates during normal conditions | Operates during abnormal conditions |
Replication proves your infrastructure can copy data. Recovery proves that people, processes, dependencies, and systems can survive failure together, under pressure, on the worst day.
What Resilience Actually Requires
Call the target Recovery State: the condition in which data, dependencies, orchestration, and operational authority are simultaneously available to restore service. Replication creates data state. Recovery requires recovery state.
| Capability | Replication | Recovery |
|---|---|---|
| Data currency | ✓ | Partial |
| Point-in-time recovery | ✗ | ✓ |
| Dependency orchestration | ✗ | ✓ |
| Identity availability | ✗ | ✓ |
| DNS cutover | ✗ | ✓ |
| Application consistency | Partial | ✓ |
| Service restoration | ✗ | ✓ |
Closing the distance requires immutable, versioned copies that predate corruption; consistency groups that span the components that fail together; a rehearsed, sequenced failover that includes identity, secrets, DNS, and trust; and an RTO measured under realistic stress. It also requires accepting that recovery does not end when systems restart — the thread the incident recovery process picks up. Replication is not recovery; recovery is not restore; restore is not incident-closed.
Architect's Verdict
Most resilience programs do not measure recovery. They measure replication success and assume recovery success — and the assumption holds right up until the day it is tested, which is the only day it matters.
The real problem is not that teams trust replication. It is that they never name the difference between data state and recovery state, so they never design for the second. A current copy in another region is necessary. It is nowhere near sufficient.
Replication answers one question: "Is the copy current?" Recovery answers a different question: "Can the business operate from it?" The distance between those two answers is where most disaster recovery strategies fail.
Originally published at rack2cloud.com
Top comments (0)