@andrioid The problem is going to be testing the alternative: it's like the famous example of where returning planes have been hit.

In a relatively simple, but horizontally scalable, system I'd at least do multi-AZ with auto-scaling failover, since that's effectively free (need the compute anyway).

Anything beyond that isn't a technology decision, it's a business one - does the cost of increasing resilience in the event of a #BCDR incident for the potential impact on #RTO or #RPO.