The pattern
In active-passive failover one node, the primary, handles all traffic while a standby stays ready but idle. When the primary fails, the standby is promoted and takes over its role.
This is common for stateful systems such as relational databases, where two nodes accepting writes at once would diverge and corrupt data.
How failover happens
- A health monitor watches the primary with frequent probes.
- On detected failure it fences the old primary and then promotes the standby to primary.
- Traffic is redirected, often by moving a virtual IP or updating service discovery.
The dangers
- Failover time: detection plus promotion plus rerouting is real downtime, and every extra probe you wait for to avoid a false positive adds to it.
- Split brain: if the standby is promoted while the old primary is merely slow or partitioned, both believe they are primary and both accept writes. Fence the old node (power it off, revoke its storage lease, or have storage reject writes carrying a stale fencing token) before promoting the standby, not after.
- Cold standby: an idle replica has cold caches and may be behind on replication, so it serves slowly right after promotion and, with asynchronous replication, may be missing the last commits.
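The failover steps above and the split-brain caveat, as an added example that is not from the original article: a toy in-process controller with a health monitor that needs several consecutive missed probes, a fencing step that runs before promotion, an epoch used as a fencing token that the storage layer checks, and a simulated virtual-IP move. The node names, the threshold of three probes, and the `Cluster`/`Node` classes are assumptions made for this example; real deployments use a fencing agent and a storage layer that enforce the same two checks.

```python
"""Toy active-passive failover controller (added example, not the article's code).

Nodes, probes, fencing and the virtual-IP move are all simulated in-process,
so this runs offline. Two scenarios are constructed at the bottom.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One database node. `slow` models a node that is alive but misses probe deadlines."""
    name: str
    alive: bool = True
    slow: bool = False
    fenced: bool = False
    role: str = "standby"
    token: int = 0   # fencing token (cluster epoch) this node believes it holds


class Cluster:
    """Health monitor, fencing agent, virtual IP and storage-side token check in one object."""

    def __init__(self, primary: Node, standby: Node, failure_threshold: int = 3):
        self.nodes = [primary, standby]
        self.epoch = 1                       # current fencing token
        primary.role, primary.token = "primary", self.epoch
        self.primary = primary
        self.vip_target = primary.name       # where the virtual IP currently points
        self.failure_threshold = failure_threshold
        self.consecutive_failures = 0
        self.events: list[str] = []

    def probe(self, node: Node) -> bool:
        """Health probe: answered in time only by a live, unfenced, non-stalled node."""
        return node.alive and not node.slow and not node.fenced

    def tick(self) -> bool:
        """One monitor cycle. Returns True if this cycle triggered a failover."""
        if self.probe(self.primary):
            self.consecutive_failures = 0
            return False
        self.consecutive_failures += 1
        if self.consecutive_failures < self.failure_threshold:
            return False   # one missed probe is not a failure; this avoids flapping
        self.failover()
        return True

    def failover(self) -> None:
        old = self.primary
        new = next(n for n in self.nodes if n is not old)
        # 1. Fence the old primary first (simulated STONITH). A merely slow node
        #    must be unable to keep writing before anyone else is promoted.
        old.fenced = True
        self.events.append(f"fenced {old.name}")
        # 2. Advance the epoch. Storage accepts writes only with the current epoch,
        #    so even if fencing had failed the old node would hold a stale token.
        self.epoch += 1
        # 3. Promote the standby and hand it the new token.
        old.role, new.role, new.token = "standby", "primary", self.epoch
        self.primary = new
        self.events.append(f"promoted {new.name} (epoch {self.epoch})")
        # 4. Reroute clients by moving the virtual IP.
        self.vip_target = new.name
        self.consecutive_failures = 0

    def storage_write(self, node: Node) -> bool:
        """Storage-layer check: accept a write only if it carries the current epoch."""
        if node.fenced:
            return False   # a fenced node cannot reach storage at all
        return node.token == self.epoch


def split_brain_scenario() -> dict:
    """Constructed case: primary stalls (slow, not dead), standby takes over,
    then the stalled node wakes up still believing it is primary."""
    a, b = Node("db-a"), Node("db-b")
    c = Cluster(a, b, failure_threshold=3)
    a.slow = True
    ticks = 0
    while not c.tick():
        ticks += 1
    ticks += 1                 # count the cycle that triggered the failover
    a.slow = False             # old primary recovers with its stale token (epoch 1)
    return {
        "ticks_to_failover": ticks,
        "new_primary": c.primary.name,
        "vip_target": c.vip_target,
        "old_primary_write_accepted": c.storage_write(a),
        "new_primary_write_accepted": c.storage_write(b),
        "events": c.events,
    }


def transient_blip_scenario() -> str:
    """Constructed case: two missed probes then recovery, below the threshold, so no failover."""
    a, b = Node("db-a"), Node("db-b")
    c = Cluster(a, b, failure_threshold=3)
    a.slow = True
    c.tick()
    c.tick()
    a.slow = False
    c.tick()
    return c.primary.name


if __name__ == "__main__":
    print(split_brain_scenario())
    print("primary after blip:", transient_blip_scenario())
```

The order inside `failover` is the whole point: fence, then bump the token, then promote, then move the VIP. Swapping the first and third steps is how a slow-but-alive primary ends up writing alongside the new one.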
When it fits
Active-passive is simple to reason about because only one node writes at a time. The cost is paying for a standby that does no useful work until the bad day arrives.
Key idea
Active-passive trades idle standby capacity for the safety of having exactly one writer at a time.