This chapter covers the Warm Standby Disaster Recovery (DR) pattern on AWS, a critical architecture for achieving Recovery Time Objectives (RTO) of minutes and Recovery Point Objectives (RPO) of seconds to minutes. For the SAA-C03 exam, DR patterns are a core topic under Resilient Architectures (Objective 2.6), appearing in approximately 10-15% of questions. Mastering warm standby, including its trade-offs compared to pilot light, multi-site active-active, and backup-restore, is essential for scenario-based questions that ask you to recommend a cost-effective, low-RTO solution.
Jump to a section
Think of your primary AWS region as your main electrical grid connection to your house. It powers everything — lights, appliances, servers. Now, imagine you have a backup generator in the garage (the DR region). In a warm standby setup, the generator is not completely off (cold standby) nor is it running all your appliances in parallel (active-active). Instead, it's idling, warmed up, with fuel in the tank and the transfer switch connected. You keep a few critical lights (a scaled-down version of your application) running off the generator to ensure it's ready. If the main grid fails, you flip the main switch (Route53 DNS update) and within minutes the generator takes over all loads. The generator is sized to handle the full load eventually, but initially it only runs the essentials. You pay for the fuel and maintenance of the idling generator (DR region compute and storage costs) but avoid the cost of running everything twice. This is exactly warm standby: a scaled-down, fully functional copy of your production environment in another region, ready to scale up and take over when disaster strikes.
What is Warm Standby?
Warm standby is a disaster recovery strategy where a scaled-down but fully functional copy of your production environment runs in a different AWS Region. The DR environment is always on, serving a small portion of traffic or simply idling, and can be scaled up to full production capacity within minutes during a disaster. This pattern balances cost and recovery speed: it is more expensive than pilot light but cheaper than multi-site active-active, and it offers faster recovery than backup-restore.
Why Use Warm Standby?
Organizations choose warm standby when they require: - RTO of minutes (typically 5-15 minutes) - RPO of seconds to minutes (data loss limited to recent changes) - Cost efficiency compared to running full production in two regions - Simpler failback compared to pilot light (since the DR environment is already running)
How It Works Internally
#### Core Components
Primary Region (Active): Runs full production workload at 100% capacity.
DR Region (Standby): Runs a scaled-down version of the workload — typically 25-50% of production capacity. This includes:
- A smaller EC2 Auto Scaling group (e.g., 2-4 instances vs 10-20 in production) - A smaller RDS instance (e.g., db.r5.large vs db.r5.4xlarge) with synchronous or asynchronous replication from primary - Application and web servers configured and ready - Load balancers (ALB/NLB) pre-provisioned but possibly not receiving traffic - DNS records (Route53) with low TTL and health checks pointing to primary
#### Data Replication
Data synchronization is the backbone of warm standby. Common methods:
RDS Multi-AZ Cross-Region Read Replicas: For relational databases, create a read replica in the DR region. The replica can be promoted to a standalone primary in minutes. Replication is asynchronous (default) with RPO typically < 1 second under normal conditions. For Aurora, use Aurora Global Database, which offers <1 second RPO across regions.
DynamoDB Global Tables: For NoSQL workloads, DynamoDB Global Tables provide multi-region, fully replicated tables with eventual consistency. RPO is typically < 1 second.
S3 Cross-Region Replication (CRR): For object storage, enable CRR to replicate data to a bucket in the DR region. RPO is typically minutes (15 minutes typical).
EC2 AMI replication: Use Amazon Data Lifecycle Manager to copy AMIs to the DR region, or automate with AWS Backup.
#### Scaling Mechanism
When a disaster is declared, the DR environment must scale up to full production capacity. This is typically automated via:
AWS CloudFormation or Terraform: Templates pre-deployed in the DR region. On failover, update the stack to increase instance counts and instance sizes.
Auto Scaling: Pre-configured Auto Scaling groups with higher minimum and desired capacity. Triggered by CloudWatch alarms or manual action.
Lambda Functions: Invoked to modify scaling parameters, update Route53 records, and promote read replicas.
#### DNS Failover
Route53 is configured with:
A primary record pointing to the primary region's load balancer (weight 100, health check on primary endpoint).
A secondary record pointing to the DR region's load balancer (weight 0, health check on DR endpoint).
A health check on the primary endpoint. When the primary fails, Route53 automatically routes traffic to the DR endpoint. Alternatively, manual failover record sets can be used.
#### Failback
After the primary region recovers, you need to fail back. This involves: 1. Reversing data replication direction (if needed). 2. Scaling down the DR region to standby capacity. 3. Updating DNS records to point back to primary.
Key Values, Defaults, and Timers
Route53 Health Check Interval: 30 seconds (default). You can set a custom interval of 10 seconds for an additional cost.
Route53 Failover TTL: Recommended 60 seconds or less for fast failover. Lower TTL means faster propagation but more DNS queries.
RDS Read Replica Promotion: Typically 1-3 minutes for MySQL/PostgreSQL, 5-10 minutes for Oracle.
Aurora Global Database RPO: Typically < 1 second, but can be up to 5 seconds under heavy load.
DynamoDB Global Tables Replication Latency: Usually < 1 second under normal conditions.
S3 CRR RPO: 15 minutes typical, but can be up to hours if backlogged.
Configuration and Verification
#### Example: Setting up RDS Cross-Region Read Replica for DR
Create the read replica in the DR region:
aws rds create-db-instance-read-replica \
--db-instance-identifier mydb-replica \
--source-db-instance-identifier mydb-primary \
--region us-west-2 \
--db-instance-class db.r5.large \
--publicly-accessible falseVerify replication status:
aws rds describe-db-instances --db-instance-identifier mydb-replica --region us-west-2 --query 'DBInstances[0].ReadReplicaSourceDBInstanceIdentifier'On failover, promote the replica:
aws rds promote-read-replica \
--db-instance-identifier mydb-replica \
--region us-west-2#### Example: Route53 Failover Configuration
Create a failover routing policy:
{
"Comment": "Failover record for warm standby",
"Changes": [
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "app.example.com.",
"Type": "A",
"SetIdentifier": "Primary",
"Failover": "PRIMARY",
"TTL": 60,
"ResourceRecords": [{"Value": "203.0.113.10"}],
"HealthCheckId": "abcdefgh-1234-5678-9012-ijklmnopqrst"
}
},
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "app.example.com.",
"Type": "A",
"SetIdentifier": "Secondary",
"Failover": "SECONDARY",
"TTL": 60,
"ResourceRecords": [{"Value": "198.51.100.20"}],
"HealthCheckId": "abcdefgh-1234-5678-9012-ijklmnopqrst"
}
}
]
}Interaction with Related Technologies
AWS Global Accelerator: Can be used instead of Route53 for traffic shifting. Provides static anycast IP addresses and faster failover (sub-second) by routing traffic to healthy endpoints.
AWS CloudFront: Can serve static content from both regions, with origin failover to the DR region.
AWS Backup: Can be used to back up data and restore to DR region, but this is backup-restore, not warm standby.
AWS Elastic Disaster Recovery (DRS): An AWS service that replicates EC2 instances to a staging area in the DR region, enabling warm standby-like recovery with RTO of minutes.
Cost Considerations
Warm standby costs include:
DR region compute (EC2, ECS, Lambda) at reduced capacity
DR region database (RDS, DynamoDB) at reduced size
Data transfer costs for replication (cross-region data transfer is charged per GB)
Storage costs (EBS snapshots, S3 CRR storage)
Route53 health checks and DNS queries
Typical cost is 25-50% of production, compared to 100% for active-active and 5-10% for pilot light.
Provision DR Region Infrastructure
Deploy a scaled-down copy of your production environment in the DR region using Infrastructure as Code (CloudFormation, Terraform). This includes VPC, subnets, security groups, load balancers, Auto Scaling groups (with minimal instances), and database instances (e.g., RDS read replica or Aurora cluster). Ensure the DR environment is fully functional — applications are deployed and configured, but may not serve production traffic. Verify connectivity and that the application starts correctly.
Enable Data Replication
Set up cross-region data replication for all critical data stores. For RDS, create a cross-region read replica with automatic replication. For DynamoDB, enable Global Tables. For S3, enable Cross-Region Replication (CRR) with appropriate IAM roles. Monitor replication lag using CloudWatch metrics (e.g., ReplicaLag for RDS). Ensure replication is healthy before proceeding. Typical RPO for RDS is <1 second, for S3 CRR is ~15 minutes.
Configure DNS Failover
Create Route53 health checks for the primary application endpoint (e.g., ALB DNS name). Configure a failover routing policy with a primary record pointing to the primary region and a secondary record pointing to the DR region. Set TTL to 60 seconds or less for fast failover. The health check interval is 30 seconds by default. When the primary endpoint fails, Route53 automatically routes traffic to the secondary record within seconds to minutes (depending on TTL and health check interval).
Test Failover and Failback
Regularly simulate a disaster by manually failing over to the DR region. Promote the read replica to primary, scale up Auto Scaling groups to full capacity, and update any necessary configurations (e.g., update application configs to point to the new database). Verify that the application works correctly from the DR region. Then perform a failback: reverse replication, scale down DR, and update DNS to point back to primary. Document the process and measure RTO and RPO achieved.
Automate Scaling and Failover
Use AWS Lambda, Step Functions, or Systems Manager Automation to automate the failover process. For example, a Lambda function can be triggered by a CloudWatch alarm (e.g., primary region health check fails) that promotes the RDS replica, updates Auto Scaling groups, and changes Route53 records. This reduces RTO to minutes. Ensure runbooks are tested and updated regularly. Consider using AWS Elastic Disaster Recovery for automated replication and orchestration.
Enterprise Scenario 1: E-Commerce Platform
A large e-commerce company runs its production workload in us-east-1. To meet a 10-minute RTO, they implement warm standby in us-west-2. They use:
RDS MySQL with a cross-region read replica (db.r5.large in DR vs db.r5.4xlarge in production).
EC2 Auto Scaling groups: 2 instances in DR (vs 20 in production) behind an ALB.
Route53 failover with 60-second TTL and health checks on the primary ALB.
DynamoDB Global Tables for session data.
S3 CRR for product images.
During a regional outage, they promote the read replica (takes 2 minutes), scale up Auto Scaling group to 20 instances (takes 5 minutes via pre-warmed AMI), and DNS failover completes within 1 minute. Total RTO: ~8 minutes. RPO: <1 second for database, ~15 minutes for S3.
Enterprise Scenario 2: Financial Services
A bank requires RTO of 5 minutes and RPO of 0 (zero data loss) for its transaction processing system. They use:
Aurora Global Database in us-east-1 and eu-west-1. The DR cluster has one DB instance (writer) that is not promoted until failover.
Application servers in DR region in an Auto Scaling group with min=2, max=20.
Route53 with weighted routing (primary weight 100, DR weight 0) and health checks.
AWS Global Accelerator for instantaneous traffic shifting.
During failover, they promote the DR Aurora cluster to primary (takes <1 minute), scale up application servers, and traffic is shifted via Global Accelerator. RTO: ~3 minutes. RPO: 0 (synchronous replication within Aurora Global Database).
Common Pitfalls
Underestimating scaling time: If AMIs are not pre-warmed or instance types are not available in the DR region, scaling can take much longer than expected. Always test scaling.
Data replication lag: If the application writes heavily, replication lag can increase RPO beyond acceptable limits. Monitor and set alarms.
Configuration drift: The DR environment may become stale if not updated with application changes. Regularly deploy updates to DR.
Route53 TTL too high: A TTL of 300 seconds (5 minutes) means DNS clients cache the old IP, delaying failover. Use 60 seconds or lower.
Not testing failover: Without regular testing, the failover process may fail due to missing dependencies or outdated scripts.
What SAA-C03 Tests on This Topic
The exam tests your ability to choose the most appropriate DR strategy based on RTO, RPO, and cost requirements. Specifically, objective 2.6 (Resilient Architectures) includes questions that ask you to recommend a DR pattern for a given scenario. Warm standby is the correct answer when:
RTO is minutes (e.g., 5-15 minutes)
RPO is seconds to minutes (e.g., <1 minute)
Cost is a concern but not the primary driver (pilot light is cheaper, active-active is more expensive)
The exam will often present a scenario with specific RTO/RPO numbers and ask you to select the pattern. Be prepared to differentiate between:
Backup and Restore: RTO hours, RPO 24 hours (snapshots)
Pilot Light: RTO 10-30 minutes, RPO minutes
Warm Standby: RTO minutes, RPO seconds
Multi-Site Active-Active: RTO near-zero, RPO near-zero
Common Wrong Answers and Why
Choosing Pilot Light when RTO is 5 minutes: Pilot light requires provisioning infrastructure (EC2 instances, load balancers) from AMIs and snapshots, which typically takes 10-30 minutes. Warm standby is needed for sub-10-minute RTO.
Choosing Active-Active when cost is a major constraint: Active-active runs full production in two regions, doubling costs. Warm standby is cheaper because it runs a scaled-down version.
Assuming S3 CRR provides RPO of seconds: S3 CRR typically has an RPO of 15 minutes. For sub-second RPO, use RDS read replicas or DynamoDB Global Tables.
Selecting Route53 simple routing instead of failover routing: Simple routing does not support health checks; failover routing is required for automatic failover.
Specific Numbers and Terms That Appear on the Exam
RTO of 15 minutes is a typical threshold: warm standby can achieve this, pilot light may not.
RPO of 1 second is typical for RDS read replicas (asynchronous) and DynamoDB Global Tables.
Route53 health check interval: 30 seconds (default), 10 seconds (custom).
Route53 TTL: Recommended 60 seconds for fast failover.
RDS read replica promotion time: 1-3 minutes for MySQL/PostgreSQL.
Aurora Global Database: RPO < 1 second, failover time < 1 minute.
Edge Cases and Exceptions
If the application is stateless and uses external database: Warm standby can be simpler — just replicate the database and have compute ready.
If the DR region is in a different continent: Network latency may increase replication lag. Consider using Aurora Global Database with optimized replication.
If the primary region fails completely: Ensure that the DR region can handle full load. Auto Scaling must be configured to scale up quickly.
How to Eliminate Wrong Answers
Identify RTO and RPO requirements: If RTO is hours, eliminate warm standby and active-active. If RTO is minutes, eliminate backup-restore.
Identify cost constraints: If cost is the top priority, choose pilot light over warm standby.
Identify data consistency needs: If strong consistency is required, avoid asynchronous replication (e.g., S3 CRR) and use synchronous replication (e.g., Aurora Global Database).
Look for keywords: "Scaled-down but fully functional" indicates warm standby. "Core services running minimal footprint" indicates pilot light.
Warm standby: RTO minutes, RPO seconds, cost moderate.
Pilot light: RTO 10-30 minutes, RPO minutes, cost low.
Active-active: RTO near-zero, RPO near-zero, cost high.
Backup-restore: RTO hours, RPO 24 hours, cost lowest.
Route53 failover routing requires health checks and TTL ≤ 60 seconds for fast failover.
RDS cross-region read replicas provide RPO < 1 second; promotion takes 1-3 minutes.
Aurora Global Database offers < 1 second RPO and < 1 minute failover.
S3 CRR typical RPO is 15 minutes; not suitable for sub-minute RPO.
Always test failover regularly to ensure the process works and meets RTO/RPO.
Automate failover with Lambda or Step Functions to reduce RTO.
These come up on the exam all the time. Here's how to tell them apart.
Warm Standby
Runs scaled-down but fully functional application stack in DR region
RTO: Minutes (5-15 minutes)
RPO: Seconds to minutes (via replication)
Cost: Moderate (25-50% of production)
Failover: Scale up existing resources, promote DB replica
Pilot Light
Runs only core data services (e.g., database) in DR region; compute provisioned on failover
RTO: 10-30 minutes (time to provision compute)
RPO: Minutes (via replication)
Cost: Low (5-10% of production)
Failover: Provision compute from AMIs, promote DB replica
Mistake
Warm standby requires running the full production capacity in the DR region.
Correct
Warm standby uses a scaled-down version of the production environment, typically 25-50% of capacity. The DR environment is fully functional but smaller, and can be scaled up on failover.
Mistake
Warm standby and pilot light are the same thing.
Correct
Pilot light runs only the core data services (e.g., database) and minimal compute; the rest is provisioned on failover. Warm standby runs a scaled-down but complete application stack, including compute and load balancers, ready to serve traffic at a reduced level immediately.
Mistake
Route53 failover is instantaneous.
Correct
Route53 failover relies on DNS TTL and health check intervals. With a TTL of 60 seconds and health check interval of 30 seconds, failover can take up to 90 seconds. For sub-second failover, use AWS Global Accelerator.
Mistake
S3 Cross-Region Replication provides RPO of seconds.
Correct
S3 CRR typically has an RPO of 15 minutes or more. For RPO of seconds, use RDS read replicas or DynamoDB Global Tables.
Mistake
Warm standby is always more expensive than pilot light.
Correct
Warm standby is more expensive than pilot light because it runs compute and load balancers 24/7. However, it is cheaper than active-active and provides faster recovery than pilot light.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Warm standby runs a scaled-down but fully functional copy of your production environment in the DR region, including compute and load balancers. Pilot light only runs core data services (like a database) and minimal compute; the rest is provisioned on failover. Warm standby has a lower RTO (minutes) compared to pilot light (10-30 minutes) but is more expensive.
Warm standby can achieve an RTO of 5-15 minutes and an RPO of seconds to minutes. RTO depends on how quickly you can scale up resources and promote database replicas. RPO depends on the replication method: RDS read replicas and DynamoDB Global Tables offer sub-second RPO, while S3 CRR offers ~15 minutes.
Use Route53 with a failover routing policy. Create a primary record pointing to the primary region's load balancer with a health check, and a secondary record pointing to the DR region's load balancer. Set TTL to 60 seconds or lower. When the health check fails, Route53 automatically routes traffic to the secondary record.
Yes, Global Accelerator provides static anycast IP addresses and can route traffic to healthy endpoints across regions. It offers sub-second failover and is often used alongside Route53 for faster traffic shifting. You can configure two endpoint groups (primary and DR) with weights.
For RDS, create a cross-region read replica. For DynamoDB, enable Global Tables. For S3, enable Cross-Region Replication. For EC2, use AMI replication via Data Lifecycle Manager. For Aurora, use Aurora Global Database. Choose based on your data store and RPO requirements.
Warm standby typically costs 25-50% of your production environment because you run a scaled-down version. Pilot light costs 5-10% (only database and minimal compute). Active-active costs 100% (full production in two regions). Backup-restore costs the least (only storage for backups).
Use AWS Lambda or Step Functions to orchestrate failover. For example, a Lambda function can promote an RDS read replica, update Auto Scaling groups to increase instance count, and change Route53 records. You can trigger this via a CloudWatch alarm or manually. AWS Elastic Disaster Recovery also provides automated orchestration.
You've just covered Warm Standby DR Pattern on AWS — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?