Purpose and Characteristics

Tier 0 maintains full service continuity during a data center outage within the same metropolitan region. All critical components, including application services, databases, storage systems, and traffic distribution layers, participate equally across two sites.

This pattern is designed for:

• Zero or near-zero RPO
• Sub-minute RTO in most failure scenarios
• Continuous state alignment across sites
• Strict operational discipline and testing frequency

Only metro-distance data centers should participate in synchronous paths due to latency limitations.

Architecture Summary

The Tier 0 pattern includes the following elements:

Primary and Secondary (Metro Proximate)

• Both sites are fully active and serve production traffic
• All data-relevant components replicate synchronously between the two sites
• Storage arrays or database engines enforce write acknowledgment across the pair
• Application tiers scale horizontally across both locations
• Load balancing distributes requests based on health, latency, or weight

Out-of-Region Site

• An out-of-region location may exist for long-term continuity, but it must use asynchronous replication
• It does not participate in active-active traffic and serves as a tertiary recovery region

Traffic Flow and Load Distribution

• User traffic is distributed across metro sites using global or local load balancing mechanisms
• Traffic weighting can favor one site for efficiency while retaining the ability to absorb full load if the other site fails
• All platform components must support cross-site coordination, including session handling, cache behavior, and consistency guarantees

Data Replication Model

Synchronous Replication (Metro Sites Only)

• Write operations are acknowledged only when committed at both metro sites
• Ensures zero or near-zero RPO
• Requires deterministic sub-5 ms latencies, depending on the storage or database system

Asynchronous Replication (Out-of-Region)

• Used solely for tertiary protection
• Introduces measurable RPO due to replication lag
• Not part of active traffic patterns

Failure Scenarios and Expected Outcomes

Single Metro Site Failure

• Traffic automatically shifts to the surviving metro site
• No data loss due to synchronous replication
• RTO typically measured in seconds to a few minutes depending on detection and failover orchestration

Inter-Site Metro Link Failure

• Application behavior depends on quorum rules
• Systems must avoid split-brain conditions through well-defined witness or arbitration services
• Load balancers or DNS services adjust routing according to health checks

Regional Disaster

• Out-of-region failover is possible but results in RPO based on asynchronous replication lag
• RTO depends on automation maturity

Operational Considerations

Platform Requirements

• Low-latency dedicated links between metro sites
• Strict capacity planning and continuous load validation
• Automated failover testing, typically quarterly or semi-annual
• Clustering technologies with quorum enforcement
• Transaction-safe replication systems
• Highly coordinated change windows to prevent replication desynchronization

Operational Discipline

• Rigorous configuration management
• Coordinated deployments across both metro regions
• Version-aligned application stacks
• Continuous monitoring of replication latency and health

Appropriate Workloads

Tier 0 is typically reserved for:

• High-frequency transactional systems
• Critical identity and authentication services
• Financial clearing and settlement platforms
• Real-time healthcare or clinical systems
• Systems with contractual zero-data-loss requirements
• Platforms where even momentary loss impacts safety, compliance, or fiduciary obligations

Unsuitable Workloads

Avoid using Tier 0 when:

• Applications cannot tolerate distributed active-active behavior
• Database systems lack synchronous replication capabilities
• Network latency cannot be guaranteed
• Budget does not support dual metro-grade facilities
• Operations teams lack the maturity for strict simultaneous change management

Risks and Tradeoffs

• Highest cost tier due to redundant full-capacity infrastructure
• Strict latency dependency may limit geographic options
• Split-brain risk if not designed with proper quorum and failover controls
• Operational rigidity due to synchronous dependencies
• Complex troubleshooting when issues span cross-site clusters

Summary

Tier 0 is the pinnacle of enterprise resiliency. It is a specialized pattern intended for systems with no tolerance for data loss or extended downtime. When properly implemented, it delivers the strongest possible availability guarantees within metro boundaries. When misapplied, it introduces unnecessary cost and operational complexity.

This tier forms the reference baseline for all lower tiers.