Hybrid Private HA Architecture - On-Prem + Cloud
About This Architecture
Hybrid private HA architecture spanning on-premises and AWS VPC with zero-trust network isolation and private DNS resolution. On-prem Windows App VMs and MS SQL Server with Always On listeners connect via Site-to-Site IPsec VPN and optional AWS Direct Connect to cloud-native EC2 and RDS instances, all behind internal load balancers with no public IPs. Private DNS forwarding across Route 53 and on-prem AD DNS ensures seamless app.company.local and sql.company.local resolution without internet exposure. This architecture limits the blast radius, enforces least-privilege access through VPN-only entry, and enables disaster recovery failover between datacenters while maintaining compliance and security posture. Fork this diagram to customize BGP routing policies, adjust VPN redundancy, or swap RDS for self-managed SQL Always On in the cloud.
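The private DNS forwarding from the VPC to on-prem AD DNS described above can be implemented with Route 53 Resolver. The Terraform below is an added example, not code from the diagram or from Diagrams.so; the VPC ID, subnet IDs, on-prem DNS addresses and the 10.10.0.0/16 on-prem range are assumed placeholder values, and the security group deliberately allows the endpoint to speak DNS to that range only.

```hcl
# Placeholder IDs and addresses (assumed, not from the diagram): replace with your own.
# 10.10.0.0/16 stands for the on-prem range reachable only over the VPN / Direct Connect.

# The outbound endpoint may talk DNS (UDP and TCP) to the on-prem DNS range only.
resource "aws_security_group" "resolver_out" {
  name   = "r53-resolver-outbound"
  vpc_id = "vpc-0123456789abcdef0"
  dynamic "egress" {
    for_each = ["udp", "tcp"]
    content {
      from_port   = 53
      to_port     = 53
      protocol    = egress.value
      cidr_blocks = ["10.10.0.0/16"]
    }
  }
}

# Outbound Resolver endpoint in two private subnets (two AZs for HA); no public IPs involved.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-onprem-ad-dns"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_out.id]
  dynamic "ip_address" {
    for_each = ["subnet-0aaa", "subnet-0bbb"]
    content { subnet_id = ip_address.value }
  }
}

# Forward only company.local (app.company.local, sql.company.local, ...) to the on-prem AD DNS servers.
resource "aws_route53_resolver_rule" "company_local" {
  name                 = "forward-company-local"
  domain_name          = "company.local"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  dynamic "target_ip" {
    for_each = ["10.10.0.10", "10.10.0.11"]
    content {
      ip   = target_ip.value
      port = 53
    }
  }
}

# Associate the rule with the VPC so EC2 and RDS lookups for *.company.local use it.
resource "aws_route53_resolver_rule_association" "company_local" {
  resolver_rule_id = aws_route53_resolver_rule.company_local.id
  vpc_id           = "vpc-0123456789abcdef0"
}
```

For the reverse direction, an INBOUND endpoint with an equally narrow port-53-only security group gives the on-prem AD DNS servers a private target for a conditional forwarder of the AWS-side zone, so neither side ever resolves the other over the internet.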
People also ask
How do I design a hybrid HA architecture that keeps on-premises and AWS resources private with automatic SQL failover and no public IPs?
This diagram shows a hybrid HA setup where on-prem Windows App VMs and MS SQL Server connect to AWS EC2 and RDS via Site-to-Site IPsec VPN and optional Direct Connect, with private DNS forwarding across Route 53 and on-prem AD DNS. Internal load balancers on both sides ensure no public IPs are exposed, while SQL Always On listeners enable seamless failover between datacenters, maintaining zero-tru
- Domain: Cloud Multi
- Audience: Enterprise cloud architects designing hybrid HA infrastructure with on-premises and AWS integration
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.