Skip to Content
Zurück zu: Optimizing Cloud Costs in the Company
Cloud & Infrastructure 6 min. read

Planning High-Availability Cloud Architecture Correctly

A highly available cloud architecture reduces downtime risks, shortens recovery time, and keeps operations, security, and costs predictable and reliable.

devRocks Engineering · 18. July 2026
Kubernetes Infrastructure as Code Monitoring Observability Security
Planning High-Availability Cloud Architecture Correctly

A failed deployment, an overloaded database, or an unavailable external interface is enough to jeopardize revenue, trust, and internal processes. A highly available cloud architecture does not prevent disruptions but ensures that individual failures do not immediately lead to the failure of the digital business—and that teams can react in a controlled manner.

For medium-sized companies, this is not a matter of maximum technical complexity. What matters is an architecture whose availability corresponds to the actual business risk. A B2B portal with fixed business hours requires different measures than an e-commerce platform, a SaaS product, or an API that controls production processes. Those who implement maximum redundancy everywhere often pay too much. Those who treat availability solely as an infrastructure topic usually only recognize vulnerabilities in an incident.

What high availability practically means

High availability is often described with a target percentage: 99.9 percent availability allows approximately 8 hours and 46 minutes of downtime per year, whereas 99.99 percent allows just under 53 minutes. These figures are helpful but do not answer the central question: Which functions must work for which users at what time?

A platform can, for example, continue to accept orders even when the recommendation feature is down. An internal report may start later, while login, payment processing, or order transmission must not be interrupted. Good architecture separates such dependencies and prioritizes business-critical paths.

Two key metrics should be established before technical implementation. The Recovery Time Objective, or RTO, defines the maximum acceptable recovery time. The Recovery Point Objective, or RPO, describes the acceptable data loss over time. An RPO of 15 minutes may be sufficient for a marketing application but unacceptable for transactional data. These goals determine how data should be replicated, backups created, and failover processes built.

Highly available cloud architecture starts with failure domains

Operating cloud resources across multiple availability zones is a sensible starting point. However, it's not enough to simply place two identical application instances behind a load balancer. If a shared database, a central DNS entry, a secret store, or an external service fails, the application remains impaired despite multiple compute resources.

Therefore, the central architectural question is: Which components can fail together? These failure domains must be identifiable before redundancy is planned. Typical examples include a single region, a single Kubernetes cluster, a shared network path, a shared container image, or an untested database restore.

A resilient platform distributes stateless applications across at least two zones and directs traffic to operational instances through health checks. Depending on requirements, databases need replication, automatic failover, and a clear consistency strategy. Asynchronous processes benefit from queues, retries, and dead-letter mechanisms so that temporary errors do not lead to lost orders.

Consistency remains a deliberate compromise. A globally distributed database can better absorb latencies and regional failures, but it increases costs, operational overhead, and the complexity of data logic. For many applications, a highly available architecture within a single region with multiple zones is the economically right choice. Multi-region setups are particularly sensible when a regional failure poses significant risks to the business or when regulatory requirements demand them.

Stateless applications are easier to restore

The less local state resides on individual servers, the faster the platform can scale or restart in the event of failures. Sessions should be stored in a central, redundantly operated store or be implemented in such a way that they are not tied to a single instance. Files, uploads, and generated reports should be in object storage-based services rather than on local file systems.

Containers and Kubernetes assist with this separation but do not automatically solve it. A cluster without properly set resource limits, pod disruption budgets, autoscaling, and distributed workloads can still become unstable under load or during maintenance. Therefore, platform teams should not only standardize the runtime environment but also define clear operational standards for applications.

Data is the most challenging part of availability

Applications can often be redeployed within minutes. Data cannot be replaced arbitrarily. Therefore, the data strategy must reflect the business significance of individual data classes: transactional data, documents, logs, analysis information, and configurations follow different requirements for retention, recovery, and replication.

A backup is also not a restoration strategy as long as the restore is not regularly tested. Teams should not only check that backups have been successfully created, but they must also be able to demonstrate how long the recovery of a database, bucket, or complete environment actually takes and whether the restored data is usable.

Schema migrations also deserve special attention. A database change that only works with the new application code can block a rollback. Best practices therefore work with backward-compatible migrations: First, new structures are introduced, then the application reads and writes both versions, and only later is old code or the old data structure removed. This slightly slows down some changes but significantly reduces the risk of a production outage.

Planen Sie ein ähnliches Projekt? Wir beraten Sie gerne.

Request consultation

Automation prevents avoidable operational risks

Many outages are not caused by a cloud provider but by manual configuration changes, inconsistent environments, or incomplete deployments. Infrastructure as Code makes networks, permissions, databases, and runtime resources reproducible. This is not a formality but a prerequisite for rebuilding an environment in a controlled manner and for examining changes traceably.

The delivery pipeline is also part of the availability architecture. Automated tests, security scans, reproducible artifacts, and clearly defined releases reduce the likelihood of erroneous releases. Progressive deliveries like canary deployments or blue-green deployments further limit the damage when an error is only visible under real load.

However, a quick rollback must do more than just redeploy a previous container image. It needs compatible database changes, versioned configurations, and a traceable decision chain. In business-critical systems, technical teams should have concrete runbooks ready for typical scenarios: What happens in the case of database failover, faulty configuration, expired certificates, or an unreachable third-party API?

Observability makes availability manageable

Availability cannot be responsibly derived from a green infrastructure overview. A server can be reachable while users cannot complete an order or save data. Therefore, monitoring and alerting must connect the business function with the technical cause.

Meaningful service level indicators measure real user flows: successful logins, successful API requests, checkout durations, error rates in payments, or length of an order queue. Metrics reveal trends and thresholds, logs provide context, and traces make dependencies visible across multiple services. Only the combination allows for quick error isolation.

Alerting should enable action, not overwhelm teams with notifications. An alert needs a clear severity level, a responsible service, and ideally a first course of action. Warnings about low disk space are useful if they arrive early enough. Hundreds of identical error messages without prioritization, however, increase the response time in critical situations.

Availability requires drills and clear responsibility

A documented emergency plan is only as good as its last test. Planned failover drills, restore tests, and controlled failure scenarios demonstrate whether architecture, monitoring, and operational processes align. They also build trust between development, operations, and the specialist department, as decisions do not have to be made under time pressure.

Responsibility must be clearly assigned. Who assesses the incident? Who communicates internally? Who decides on a rollback? Who works with the cloud provider or an external SaaS vendor? Particularly with established platforms involving multiple service providers, avoidable gaps often arise here.

A highly available cloud architecture is not a one-time project or a product that is completed after go-live. It evolves with new features, load profiles, security requirements, and cost frames. devRocks connects architecture, automation, and production-oriented operations to ensure availability is not just promised on a slide but validated in daily operations.

The most sensible next step is often not a large-scale overhaul. Start with a critical user process, define RTO and RPO, expose its dependencies, and test the recovery under realistic conditions. This delivers solid priorities for any further investment.

Questions About This Topic?

We are happy to advise you on the technologies and solutions described in this article.

Get in Touch

Seit über 25 Jahren realisieren wir Engineering-Projekte für Mittelstand und Enterprise.

Weitere Artikel aus „Cloud & Infrastructure“

Frequently Asked Questions

Highly available cloud architecture ensures that individual failures within the system do not lead to a complete outage of the digital business. This is achieved through redundancy and backup strategies that prioritize business-critical functions and establish specific recovery objectives.
The RTO (Recovery Time Objective) and RPO (Recovery Point Objective) should be established based on the business importance of the application and data availability requirements. For example, an RPO of 15 minutes may be sufficient for marketing data, while a shorter timeframe may be necessary for transactional data.
Failure domains are individual components or systems within an architecture that can fail together. Understanding and identifying these failure domains is crucial to plan appropriate redundancy measures and ensure that failures do not lead to a complete application outage.
Availability should be monitored through monitoring and alerting systems that consider real user workflows and business metrics. Service Level Indicators can help assess the effectiveness of the application and promptly identify issues before they affect users.
Automation reduces the risks associated with manual configuration changes and inconsistent environments. Infrastructure as Code enables reproducible setups and controlled deployments, significantly lowering the likelihood of operational errors.

Didn't find an answer?

Get in touch