AWS US-EAST-1 fell over. Here’s the sysadmin’s playbook: blast radius, failure modes, and how to architect for RTO/RPO you can actually meet

When AWS US-EAST-1 sneezes, half the internet catches a cold. That was the story again during the latest large-scale incident: elevated error rates and latency across multiple services in N. Virginia cascaded into login failures, broken uploads, stalled APIs, and intermittent 5xx across consumer apps and enterprise SaaS alike. This piece isn’t about finger-pointing. It’s a posture guide for operators: what typically breaks in an outage like this, how to reason about your blast radius, what to do during the event, and how to build a stack that meets the RTO/RPO your business has signed up for—without lying to yourself.

---

Why US-EAST-1 punches above its weight

Even if your workloads run in Europe or APAC, you likely touch US-EAST-1 somewhere in your request path:

• Global or “pseudo-global” control planes often resolve to US-EAST-1 endpoints (historically common for STS/IAM/OIDC integrations, control APIs, pipeline glue, or legacy service homes).
• Foundational services—identity, secrets/parameters, queueing, configuration distribution—might be region-pinned in ways you didn’t intend.
• Multi-tenant internal services (artifact repos, build systems, feature flags, license servers, tenant routing, even your own “platform layer”) are frequently parked in N. Virginia “for convenience,” turning a regional outage into a global failure mode.

The net effect: a degradation in US-EAST-1 can show up as authentication timeouts in eu-west-1, webhook backlogs in ap-southeast-2, or partial page loads anywhere your frontends reach back for assets or tokens they cannot fetch.

---

Typical symptom patterns (and what they mean upstream)

• 5xx on “harmless” reads → Your frontend can reach its region, but a cross-regional call (identity, flags, config, pricing, image transforms) is timing out or retrying badly.
• Auth/login flapping → Token minting, OIDC discovery, or refresh flows pin to a degraded endpoint; clients back off poorly and the session layer thrashes.
• Upload stalls / multi-part PUT failures → Object storage or presigned-URL flows depend on an authority that’s degraded; parts succeed but commits fail.
• Queue growth with consumer brownouts → Producers keep publishing; consumers are throttled (or failing fast) because their dependencies are returning 5xx/429.
• Cron/Batch drift → Control plane calls (start/stop tasks, launches, scale-out) meet global API rate limits or are stuck behind slow IAM/STS paths.

The most expensive errors are not hard failures; they’re slow failures that burn threads, file descriptors, CPU, and retry budgets, collapsing the app from the edges in.

---

The live incident: what to do now

Assuming you don’t control the underlying cloud, you control how you fail. Triage in this order:

1. Cap the blast radius
   • Turn on circuit breakers for dependencies that exceed latency/error SLOs.
   • Fail closed or open explicitly per capability (e.g., disable personalization but keep core checkout).
2. Shed load gracefully
   • Enforce back-pressure: bounded queues, server-side rate ceilings, fair scheduling.
   • Switch heavy endpoints to “degraded mode” (static content, stale caches, static pricing, precomputed recommendations).
3. Stabilize identity & sessions
   • Extend token TTL where safe; reduce round-trips to authority; cache discovery docs and JWKS with longer freshness.
   • Prefer synchronous token validation over revalidation on every hop.
4. Make retries cheap (and finite)
   • Apply jittered exponential backoff; cap attempts; collapse duplicate work (idempotency keys).
   • Promote async hand-offs where user experience tolerates it (enqueue and notify on completion).
5. Communicate
   • Flip status pages early; set expectations in the UI; give operators one source of truth (war room notes, pinned slack/channel).
   • Pause feature rollouts and noisy alerts; swap to incident dashboards (golden signals only).
6. If you have it, use it: multi-Region / failover
   • Shift traffic to a healthy Region via DNS/GTM only if the data plane is ready (replicated state, health checks that reflect reality, warm capacity).
   • Keep the blast radius contained: don’t stampede a second Region and make two outages out of one.

---

After the smoke: what your post-mortem should answer

• Which calls to US-EAST-1 actually existed? Map every cross-Region/API/control-plane hit. If you can’t, build the traces now.
• What failed slow? Anything > P99 budget is a suspect. Count threads stuck in I/O wait; list pools exhausted.
• What was the cost of retries? Quantify added traffic, queue growth, cache churn, and thundering herds.
• Did you meet the SLOs tied to contracts? If not, trace back to design assumptions that were untrue (single-Region “with backups” is not high availability).
• What changed permanently? A post-mortem without design changes is an outage waiting to repeat.

---

Architecting for the next one: patterns that work (and those that don’t)

1) Blast-radius reduction beats “bigger everything”

• Cell/Shard your traffic: independent control planes per product/tenant/region.
• Resist “one global cluster” for identity, features, or pricing. Clone the service; it’s cheaper than your next downtime.

2) Multi-AZ is table stakes; Multi-Region is the lever

• AZ redundancy protects against facility loss, not regional-control failures.
• If the business RTO is minutes, you need active/active or hot-standby in a second Region with continuous replication.

3) Stateful without self-deception

• For low RPO: streaming replication (e.g., logical for Postgres, region-replicated object storage with strong read-after-write semantics where needed).
• Design conflict resolution or write fences (global counters, CRDTs, deterministic merges) for writes that can land in two places.

4) Timeouts, budgets, and bulkheads—codified

• Set timeouts per hop; derive them from the user SLO, not vibes.
• Apply budgets: if dependency X uses 250 ms, your upstream has at most 250 ms left—not “we’ll see.”
• Bulkhead critical pools (threads/conns/mem) so one dying feature doesn’t sink everything.

5) Idempotency everywhere

• POST that can replay. PUT with a stable key. Task workers that tolerate duplicates.
• Store function outcomes, not “we tried.” Your recovery will thank you.

6) Observability that reduces MTTR (not just produces charts)

• Service graphs with real edges (tracing), RED/USE dashboards for golden paths, and black-box probes that mimic users.
• Alarms on symptoms (latency/error) and causes (queue depths, saturation) with runbook links.

7) Practice failure

• Gamedays: break tokens, slow DNS, throttle queues, poison caches—in a safe env first, then limited prod.
• Verify automatic failover with shadow/dark traffic before you trust it.

---

RTO/RPO and the uncomfortable budgeting conversation

This is where engineering meets the business in the daylight. Two numbers drive everything:

• RTO (Recovery Time Objective) – how long you can be down before impact is unacceptable.
• RPO (Recovery Point Objective) – how much data you can lose (in time) when you recover.

David Carrero, co-founder of Stackscale – Grupo Aire (European private cloud and bare-metal), puts it bluntly:
“You architect to the RTO/RPO you can truly afford. If you can’t tolerate minutes or hours, you need two systems that can run without depending on each other. That’s mission-critical and real HA, not a slide. And you have to test it. A high-availability diagram that never fails over is just a drawing.”

If your RPO is 0 and RTO is 0–seconds to a couple of minutes, your options narrow fast:

• Active/active regions with synchronous or near-synchronous replication for the critical slice (watch latency budgets).
• Synchronous storage across sites for the hot path (accept the write-latency hit, or keep the hot set small via CQRS/sagas).
• Independent control planes, not “one global admin that must be up,” and DNS/GTM that’s already proven under load.
• Contracts and runbooks that match reality (staff on-call, pre-baked playbooks, tested automation).

If your business can tolerate RTO 15–30 min / RPO 5–15 min, you can open your design space: hot-standby with asynchronous replication, rapid re-provisioning with blue/green infra, and heavy use of queues to drain backlogs after failback.

Either way, the number you write on the slide should match the budget, latency, and people you commit in production.

---

A pragmatic Multi-Region checklist (AWS-centric but portable)

• Data
  • Primary database: logical replication to the secondary Region; read/write fencing plan.
  • Object storage: cross-Region replication (consider versioning + replication metrics).
  • Secrets/config: replicate with eventual consistency (and cache locally).
• Control plane
  • Auth (IdP/OIDC): deploy per Region; cache discovery docs/JWKS; emergency static keys if legal/possible.
  • Feature flags/config: regionalized endpoints; warm caches; no cold fetch on the request path.
• Traffic
  • GTM/DNS with health checks that reflect your service health, not just TCP/443.
  • Shadow traffic to the secondary Region continuously; promote on signal, not on hope.
• Ops
  • Terraform/Ansible pipelines that can materialize the secondary in minutes (not hours).
  • One-click read-only mode where safe; one-click degraded mode for heavy features (uploads, search, media transforms).
• People & practice
  • Quarterly gamedays: auth outage, object store slowdown, queue throttling, Region failover.
  • On-call paging that routes to the team that owns the failing dependency, not just SRE.

---

What not to do next time

• Don’t “protect” yourself with infinite retries. You’ll create the DDoS you fear.
• Don’t assume Multi-AZ == Multi-Region. It isn’t.
• Don’t over-rotate to multi-cloud without a competency plan. Two clouds doubles your failure modes unless you actually invest in platform engineering.
• Don’t leave global singletons (auth, feature flags, search control, license checks) sitting in US-EAST-1 because “that’s where we started.”

---

Executive summary for practitioners

• A regional AWS failure can be a global application failure if your control plane is centralized.
• Design for blast-radius containment first; Multi-Region second; Multi-cloud only when you’re mature enough.
• Your RTO/RPO are engineering constraints, not aspirations.
• Test failover. If you don’t practice it, you don’t have it.

As David Carrero notes: “Continuity is a budget line, not a wish. If the business goal is zero interruption and zero data loss, the design and the spend must match that ambition. There’s no magic—just engineering and priorities.”

When US-EAST-1 coughs again—and it will—make sure your users only notice a slight chill, not a winter storm.

---

Appendix: during-incident runbook (copy/paste)

1. Freeze deploys and config that touches traffic or auth.
2. Activate circuit breakers on dependencies over budget (latency/errors).
3. Lower connection pool limits to protect the process; apply back-pressure.
4. Degrade non-critical features (uploads, search facets, personalization).
5. Extend token TTL; cache OIDC docs/JWKS; reduce revalidation loops.
6. Turn on jittered backoff; cap retries; enforce idempotency keys.
7. Drain queues with controlled concurrency; don’t burst.
8. Communicate: status page, banner, single war room, rotation schedule.
9. If ready, shift traffic to the secondary Region; validate health before cut.
10. Record timings, symptoms, and decisions for the post-mortem.