Container Service for Kubernetes:Disaster recovery architectures and solutions based on Kubernetes container clusters

Across availability zones (multi-AZ)

A region contains multiple availability zones (AZs) that operate on separate power and network infrastructure. A cross-AZ DR solution protects against localized failures such as power outages or network disruptions. Because inter-AZ latency is low, cross-AZ DR is well-suited for stateful applications like databases, caches, and message queues.

For more information about regions and AZs, see Regions and zones.

Across regions (multi-region)

Large-scale disasters can affect all AZs in a region simultaneously. A cross-region DR solution handles this scenario, but cross-region latency is higher than inter-AZ latency, which makes implementation more complex and costly.

Design principle

Before designing a multi-AZ or multi-region DR solution, confirm whether your stateful applications (databases, caches, message processors) and the cloud services they depend on support the intended DR scope.

Solution 1: Cross-AZ and cross-region backup and recovery on Alibaba Cloud

The backup center of Distributed Cloud Container Platform for Kubernetes (ACK One) backs up both stateless and stateful applications running in ACK clusters. For stateful applications, storage data is backed up alongside the application YAML configuration.

The backup center integrates the following Alibaba Cloud services to support one-click backup of application YAML data, persistent volumes (PVs) backed by cloud disks, and PVs backed by file systems:

• Elastic Compute Service (ECS) snapshots

• Apsara File Storage NAS file systems

• Object Storage Service (OSS) buckets and objects

• Cloud Backup

Backup data can be restored to ACK clusters in any region and AZ at any time. Alibaba Cloud databases such as ApsaraDB RDS for MySQL also support backup and restore. See Backup and restoration and Migrate data between ApsaraDB RDS instances.

Solution 2: Data backup and restoration for hybrid clouds

Connect Kubernetes clusters running in on-premises data centers or other cloud platforms to ACK using registered clusters in ACK One. Once connected, use the ACK One backup center to back up applications in the registered cluster — including stateless and stateful workloads, with storage data backed up alongside the YAML configuration for stateful apps.

Backup application data (Deployments and StatefulSets) and storage data (persistent volumes (PVs) and persistent volume claims (PVCs)) can be restored to ACK clusters in any region and AZ.

Cross-cluster access during migration with multi-cluster Services

When migrating a large number of applications in batches, applications across clusters may need to communicate during the transition. Use the multi-cluster Services (MCS) feature of ACK One to enable cross-cluster access between interconnected clusters.

MCS injects the Kubernetes Service (including its endpoints) from one cluster into another. For example, MCS can inject the Service of Application 2 in Cluster 1 into Cluster 2, letting Application 1 in Cluster 2 reach Application 2 across clusters.

To register on-premises or third-party clusters with ACK One, connect via a leased line and use the registered cluster feature of ACK One, then enable MCS for those clusters.

Solution: Multi-cluster gateway based on ACK One

This solution deploys applications across two ACK clusters in separate AZs and uses the ACK One multi-cluster gateway for Layer 7 traffic routing and health-based failover.

Normal operation:

After AZ1 failure — automatic failover to Cluster 2 in AZ2:

How it works:

1. Deploy applications to two ACK clusters using GitOps. Git repositories serve as the source of truth for continuous and consistent deployment.

2. Define standard Kubernetes Ingress rules in YAML using the ACK One multi-cluster gateway. The gateway itself is deployed across AZs for high availability (HA).

3. When Cluster 1 or its applications become unavailable, the multi-cluster gateway automatically reroutes traffic to Cluster 2 without manual intervention.

4. As traffic increases in Cluster 2, the Horizontal Pod Autoscaler (HPA) scales out application replicas, which triggers the autoscaler to provision additional cluster nodes.

5. For cross-AZ DR of ApsaraDB RDS, see Build a high availability architecture.

This solution uses Layer 7 HTTP traffic forwarding with Layer 7 health checks. During a primary/secondary switchover, traffic loss is lower than with DNS-based traffic distribution.

Advantages over DNS-based traffic distribution:

DNS TTL workarounds (such as reducing TTL values) generate large volumes of DNS requests and increase costs without eliminating caching delays.

Architecture of the DNS-based alternative (for reference):

Solution 1: Multi-cluster gateway based on ACK One (recommended)

Use this solution when:

• You need cross-region HA and the primary region has constrained resources (for example, GPU resources are scarce due to AI workload demand).

• Your applications have moderate latency sensitivity but require advanced multi-cluster traffic management.

How it works:

1. An Application Load Balancer (ALB) multi-cluster gateway in Region 1 handles Layer 7 cross-region traffic routing, including QUIC 0-RTT and header-based routing. Region 2 runs a single-cluster ALB instance in cold standby, ready to accept traffic if Region 1 fails.

2. Global Traffic Manager (GTM) provides DNS resolution and load distribution. GTM monitors the health of ALB instances in both regions and triggers DR automatically.

3. Failure handling has two paths:

   • If the entire Region 1 or its ALB instance fails, GTM switches the DNS resolution of the service domain to the Region 2 ALB instance.

   • If only a cluster or specific service in Region 1 fails, or if Region 2 becomes unavailable, the ALB multi-cluster gateway reroutes traffic to the healthy cluster directly — without requiring a GTM DNS switch.

4. Connect clusters across regions using a Cloud Enterprise Network (CEN) or VPC peering connection. Cross-region traffic is forwarded over a leased line for reliability.

5. Use Global Distributed Cache for Tair for multi-region cache HA.

6. Use the cross-region HA configuration for databases. See Architecture for multi-zone deployment.

Key advantages:

• Advanced traffic management: Content-based routing and flexible health checks beyond what traditional GTM provides.

• Centralized management: One Fleet control plane manages Ingress configurations and services across all clusters.

• Faster failover: Seamless failover in seconds for cluster or service failures, avoiding DNS propagation delays.

Solution 2: DNS-based traffic distribution with a single ACK One Fleet instance

Use this solution for globally distributed workloads that route users to the nearest region and where DNS-level latency is acceptable.

How it works:

1. Protect services against volumetric attacks and web application attacks — including SQL injection, cross-site scripting (XSS), and command injection — using Anti-DDoS Proxy and Web Application Firewall (WAF). See GTM works with WAF, GA, and SLB and Protect a website service by using Anti-DDoS Pro or Anti-DDoS Premium and WAF.

2. Route user requests to the nearest region using GTM.

3. Deploy applications to both ACK clusters using GitOps for continuous and consistent deployment.

4. Use Global Distributed Cache for Tair for multi-region cache HA.

5. Use the cross-region HA configuration for databases. See Architecture for multi-zone deployment.

6. Apply multi-AZ DR within each region.

Solution 3: DNS-based traffic distribution with multiple ACK One Fleet instances

This solution follows the same structure as Solution 2 but uses multiple ACK One Fleet instances instead of one. Use this when organizational boundaries or compliance requirements mandate separate management planes per region.

The traffic protection, routing, application deployment, cache HA, database HA, and per-region multi-AZ DR configuration are identical to Solution 2.