In today’s distributed, cloud-native architectures, resilience is not something you “add on” at the end of a design. It must be engineered into the fabric of the network from the beginning. With hybrid models, global user bases, evolving compliance requirements like DORA, and multicloud strategies, the network has become both a critical enabler and a potential single point of failure. The resilience of that network determines whether a system will recover, degrade gracefully, or collapse under pressure.  

Resiliency drives architecture decisions from the very beginning. In networking, it’s about building systems that can tolerate failure, self-heal, and maintain performance under pressure.

To meet this challenge, networking teams must transition from a traditional availability-driven mindset to one focused on continuous recovery and proof of resilience. Let’s dive into what that really means—and how to execute it using both AWS services and Aviatrix capabilities.  

What You’ll Learn:  

  • How the AWS Resilience Mental Model works 

  • How to create resiliency as a continuous discipline through observability, testing, and architecture like network segmentation 

  • How AWS and Aviatrix partner to empower customers with resilient architecture 

Understanding the AWS Resilience Mental Model

At its core, resilience is the ability of a workload to recover from infrastructure or service disruptions.  Amazon Web Services (AWS) frames this through a layered mental model that distinguishes between high availability and disaster recovery, supported by a foundation of continuous improvement.  

  • High availability focuses on withstanding common failures at a primary site.  

  • Disaster recovery ensures that workloads can return to normal operation within specific timeframes using secondary sites.  

Critically, AWS promotes a mindset of constant evolution, encouraging the use of CI/CD pipelines, observability tools, and chaos engineering to identify and close resilience gaps before they affect users.

AWS Mental Model of Resilience

Figure 1 - AWS Resilience Mental Model   

But resilience is not solely the provider’s responsibility. This is reflected in AWS’s shared responsibility model for resilience, which draws a clear line between what AWS manages and what the customer must design.   

While AWS ensures the reliability of the global infrastructure—including regions, availability zones, compute, storage, and core networking services—it is the customer’s responsibility to architect their workloads, manage quotas and operational constraints, implement observability, and continuously test for failure scenarios.   

AWS Shared Responsibility Model

Figure 2 - AWS Shared Responsibility Model for Resilience  

This model clarifies an important point: AWS provides the foundation, but it’s up to each organization to build a recoverable, testable, and auditable system on top of that foundation. And that’s where many teams struggle, especially as architectures grow in complexity, scale across multiple regions, or span hybrid environments.  

Building Provable Resilience in AWS Networking

View resilience not as a one-time event, but as a dynamic property of your system—something that must be continuously observed, measured, and revalidated over time.  

In AWS, resilience starts with intentional architectural design. For example, using a single AWS Transit Gateway (TGW) for centralized connectivity across VPCs and on-premises environments may seem sufficient for basic networking needs. However, this introduces a critical dependency. If one TGW experiences a regional disruption, control plane degradation, or routing failure, it becomes a single point of failure. To make the architecture resilient, you can deploy multiple TGWs across different regions, implement regional peering, and front these with Route 53 latency-based DNS for regional failover or AWS Global Accelerator for faster, health-aware, IP-based routing across AWS regions.

AWS also provides robust observability services. With Amazon CloudWatch, customers can monitor VPN tunnel status, NAT Gateway behavior, and route table changes. When using BGP over Transit Gateway Connect, dynamic route visibility requires additional tooling, as BGP session metrics are not natively exposed to CloudWatch.  

In such scenarios, third-party appliances like Aviatrix Gateways can establish BGP peering with the TGW Connect attachment and surface routing telemetry. These metrics are essential, but when dealing with BGP dynamics, route advertisements, and multi-region failover scenarios, traditional logs alone may not provide the real-time context needed to validate operational behavior.  

Observability with Aviatrix

This is where Aviatrix CoPilot extends AWS’s capabilities. CoPilot offers live visualization of the control and data plane, including BGP route maps, flow analytics, and topology monitoring. It helps teams quickly understand how paths change during failover, how prefixes propagate across Transits and gateways, and whether network behavior aligns with intended design patterns.  

Aviatrix Topology View

Aviatrix Topology View - live visualization

Rather than waiting for a service-level alarm, engineers can trace, inspect, and prove that resilience mechanisms like ECMP, fallback tunnels, or health-based advertisements are functioning as planned.  

Real-World Example: Observability

Consider a real-world example. A customer operating in both eu-west-1 (Ireland) and eu-central-1 (Europe Frankfurt) initially connected their workloads through AWS-native TGWs with peering. While this provided baseline connectivity, their failover testing revealed gaps in convergence and a lack of observability into routing decisions during simulated link loss.  

By introducing Aviatrix Transit Gateways into the architecture and enabling deterministic active-active routing with ECMP across Transits and health-aware BGP advertisements, they eliminated blind spots and established predictable failover behavior—capabilities not natively achievable across all AWS Transit Gateway attachment types.  

When AWS maintenance events impacted TGW availability in one region, traffic seamlessly rerouted to the alternate region—without disruption, without human intervention.  

This level of confidence built through visibility, design, and testing transforms resilience from a static checkbox into a measurable, improvable discipline. 

Recovery and Resilience Testing Must Be Repeatable

Designing resilient architecture is only the beginning. You must test your assumptions under real-world failure scenarios regularly and automatically.  

For example, in AWS you might have VPN connections or AWS Direct Connect (DX) links connecting on-premises to the cloud. It’s not uncommon for customers to rely on static route tables or prioritize DX over VPN using longer AS paths. But:  

  • Have you tested what happens when the DX link drops?  

  • Does the route preference shift correctly to VPN?  

  • Is there packet loss during the transition?  

  • What’s the exact failover time? 

Using BGP route-preference manipulation with AS path prepending and MED on AWS Direct Connect gateways, combined with health checks and withdrawal automation, you can simulate and enforce failover. However, without a route visualizer, this process is opaque.  

Repeatability and Testing with Aviatrix

Aviatrix allows you to simulate failover with CoPilot route replay—you can see in real time when routes are withdrawn or re-advertised, observe how traffic shifts from DX to IPsec-based VPN tunnels, and measure how long your system took to reroute.  

Practical Example: Testing Your Assumptions 

  • A financial services company had two Direct Connects in different colocation sites, each connected to a TGW in us-east-1.  

  • During testing, they noticed that even though BGP failed over correctly, traffic from AWS back to on-prem took an asymmetric path due to limitations in TGW’s route propagation and lack of policy-based control, which led to asymmetric paths during failover.  

  • By moving to Aviatrix’s overlay model and explicitly managing control plane propagation with policy-based routing, they achieved symmetric failover within sub-second convergence—far better than relying on default TGW behavior. 

Testing must also involve the application stack. For instance, you might have EC2 instances behind Application Load Balancers (ALBs) using private IPs. But when you simulate VPC peering loss or NACL misconfiguration, does the health check detect failure quickly enough to deregister those targets? These are nuances you can only discover through automated, repeatable chaos testing—ideally wired into your CI/CD pipelines. 

Designing Resilience Requires Rebuilding the Way We Think About Failover

Traditional failover assumes a binary world: either up or down, primary or secondary. But real cloud failures are messy—control plane delays, partial packet loss, route blackholing, or Availability Zone-isolated (AZ from now on) issues are far more common.  In AWS, a common anti-pattern is using one centralized NAT Gateway for all VPCs in a region. If that single NAT Gateway fails or reaches throughput limits, outbound traffic is blocked. A better design uses multi-AZ NAT Gateway deployments, optionally paired with PrivateLink for internal service-to-service communication and fallback.  However, for even better blast radius control, customers adopt cell-based architectures. Each cell has its own isolated networking components: its own VPC, Transit Gateway or Aviatrix Transit, NAT, DNS resolver, and firewalls. Cells don’t share routing tables unless explicitly allowed. In AWS, this can be implemented by creating multiple VPCs and TGWs, but the policy granularity is limited. 

Network Segmentation with Aviatrix

With Aviatrix, you can segment routing domains and enforce propagation boundaries, so only specific prefixes are shared across regions or functions. For example, a production environment in ap-southeast-1 never sees dev/test routes in us-west-2, even if both use shared infrastructure components like centralized firewalls or log collectors. This limits blast radius and makes failover predictable. 

Real-World Example: Making Failover Predictable

Real-life application of this: a SaaS provider with strict tenant isolation built multiple Aviatrix Transit domains across AWS regions, each mapped to a tenant group. During an incident affecting ap-northeast-1, tenant failover was achieved by shifting Route 53 DNS to the Transit domain in ap-southeast-1, while routing remained strictly tenant-scoped via custom BGP communities. 

Another frequent issue is DNS. In AWS, Route 53 failover works well—until split-horizon DNS or latency-based routing misaligns with application expectations. Observability tools like Route 53 Resolver Query Logs and CloudWatch Logs give some insight, but don’t show how BGP routes influence service access. With Aviatrix, you can trace actual flows from source to destination, revealing whether failover occurred at DNS or routing level—and whether applications handled the shift gracefully.  

These examples underscore that resilience is not a product of individual services, but of how they are orchestrated and validated together—across data, control, and management plans. 

Final Thoughts

Resilience in cloud networking is a core operational requirement and compliance imperative. Achieving it means understanding and engineering failure at every layer: DNS, BGP, NAT, Transit, VPN, and routing tables. It also means proving that your design works—not just under ideal conditions, but during chaos. 

AWS provides a rich set of foundational services—such as Transit Gateway, Direct Connect, Route 53, CloudWatch, and ALB health checks—that enable customers to build highly resilient, scalable, and secure network architectures. These tools offer the flexibility and depth needed to design fault tolerance, observability, and dynamic failover across regions and hybrid environments. 

As environments grow in complexity, however, managing and operationalizing these capabilities at scale can become challenging. This is where Aviatrix adds value. By complementing AWS’s native services with enhanced network visibility, centralized policy control, and operational intelligence through CoPilot, Aviatrix helps teams streamline resilience validation, simplify multi-region routing, and accelerate recovery processes—all while building on the robust infrastructure AWS provides. 

Call to Action

If your business runs on AWS and relies on hybrid or multi-region connectivity, you already have access to one of the most powerful and feature-rich networking platforms in the cloud. AWS provides the core building blocks to architect for high availability, failover, and observability, giving you the foundation to meet modern resilience expectations. 

To further simplify operations and validate resilience at scale, consider enhancing your AWS architecture with Aviatrix. Together with AWS, Aviatrix helps you design blast-radius-aware, multi-path, and multi-region network topologies with greater visibility, faster recovery, and centralized policy control. 

Build resilience proactively. Test, observe, and prove it with AWS and Aviatrix. 

resources_orange_glow
related posts
2025 State of Cloud Network Security How Does Your Organization Compare card image

2025 State of Cloud Network Security: How Does Your Organization Compare?

Eliminating Cloud Network Security Blind Spots with Zero Trust Encryption card image

Eliminating Cloud Network Security Blind Spots with Zero Trust Encryption

Serverless & Kubernetes Security for Agentic AI card image

Serverless & Kubernetes Security for Agentic AI

Subscribe
Cristian Critelli
Cristian Critelli

EMEA Lead Networking & Resilience Specialist Partner Solution Architect at Amazon Web Services (AWS), AWS

Cristian is an experienced IT Professional who specializes in network infrastructures, cloud architectures, and resiliency.

Featured Categories

orange-pattern-center

ACE Program

card image

Customers

card image

Cloud Network Security

card image

AWS

card image

Partners

card image

Cloud Networking Heroes

card image

Azure

card image

Events

card image
PODCAST

Altitude

View All
subscribe now

Keep Up With the Latest From Aviatrix

Cta pattren Image