Do we overengineer for uptime and underprepare for recovery?

HI ​@Madi.Cristil I Completely agree with this view. We often try to apply high availability/fault tolerance everywhere, but backup systems are a different case. In many scenarios, being recoverable quickly and reliably matters more than being always-on. Great perspective.

Design for recovery, not uptime, is the right model for protection infrastructure in my opinion. We measure Always-On and Availability Groups in millisecond failover and response times. Applying HA thinking to a backup system can actually create false confidence in some cases. The backup system being available is not the same as the backup system being functional and trustworthy.

I enjoyed the read, nice post. 

Thank you, ​@AndrePulia  and ​@eblack !

In my opinion, you need to have a bit of both - uptime + recovery.  I know when doing designs you tend to want to lean in the uptime direction, but you need to look at the whole picture to ensure you can also recover fast enough to get things back on track.  I look at both these when doing designs for Veeam.

I think that's the right approach! 

This brings me flashbacks of some customers stating in relation to their windows server “We are a 24/7 shop, no downtime or reboots!”, but what about windows updates?, “we can’t afford them”. Until of course they could not afford not to do them!

This statement is up for DEBATE!

“High availability keeps things up. Fault tolerance keeps them running through failure.”

As some have already discussed here, the cost and complexity of having HA configured for all components is high and it’s valid to question whether it’s worth it if the issue is a misconfiguration or corruption on the primary system. That will simply be copied to the secondary.

As for fault tolerance, we also need a way to detect faults. For a real world example, VB365 does not have backup health check like VBR does and there is no way to know if the backups are recoverable at all the restore points until a restore is actually initiated. So you don’t know you have a problem until you’re trying to restore to fix a problem.

So to answer your question we do over-engineer uptime and under-engineer for recovery.

This is an amazing point and I couldn’t agree more. Not to mention how expensive FT environments can get, and how many resources end up wasted on systems that don’t actually require that level of protection.

With increasing storage, memory, licensing, and infrastructure costs, organizations really need to evaluate requirements and spend money where it makes sense.

There are 4 things I often find myself repeating. 

• HA and FT are different technologies for different purposes

• HA/FT are not backups or DR, though they can be part of a DR strategy

• Backups are not DR either, but are often one of the most important parts of it

• Storage snapshots are not backups, but can help with recovery in some situations including DR

Fault Tolerance means exactly what it says, systems continue running through a fault with little to no interruption. They are perfect for mission critical services that need 24/7 uptime, but also usually the most expensive. You’re often doubling hardware, storage, networking, licensing, datacenter space, and more. It also has to be designed properly, otherwise you’re just introducing new single points of failure. What is the point of an FT system on the same piece of hardware, or connected to a single switch. 

Highly Available systems are usually more of an active/passive setup where services fail over or restart automatically with minimal downtime.

Both HA and FT have their place depending on business requirements. The issue is when people assume every system needs that level of protection. 

Another important point is that HA and FT environments will often replicate corruption, ransomware, application issues, or human mistakes. They protect against hardware failures and help minimize downtime, but they are not substitutes for backups.

For less critical systems, backups with Veeam can provide DR capabilities at a fraction of the cost without requiring expensive HA.

People 100% often overengineer plans wasting money thinking every system is critical. For myself, if our main site is down, I know for a fact many areas that can not work. Do those systems need to be operational if no one is utilizing them?   

On the other side, what if just the SAN fails, or the sprinklers went off?. That could be a disaster requiring them to be brought online at another site and business can keep running. That doesn’t mean they need to be HA/FT, but having a disaster recovery plan for situations like that, utilizing replication or backups should still be thought out.

For myself, I usually categorize systems something like:

• Critical FT systems that truly cannot go down

• Critical HA systems with minimal acceptable downtime

• Systems restored from backups/replication

• Lower priority systems restored best effort

• Systems where the business has accepted the risk

In a real disaster, outages should honestly be expected. Multi-site FT with synchronous replication absolutely has its place, but it gets extremely expensive and complex very quickly. For most businesses, that level of protection only makes sense for a small number of truly critical systems.

END RANT! - Kidding, but after many years of explaining and dealing with this, and lately the increasing costs of hardware, there has been many meetings about this. Also, test your Backups, DR plans, FT, and HA systems frequently, in every possible scenario, because if you don’t, you will have a very bad time at 4AM on a Saturday. 

Great addition to my blog! Thanks for that, ​@Scott !

It seems like you really enjoyed the debate initiative , ​@HangTen416 ! 😎😁