Disaster Recovery & Business Continuity

Protecting Legacy Systems with AWS Elastic Disaster Recovery

Simple, cost-effective disaster recovery for critical systems that lack proper backup. Protect your legacy infrastructure without complex refactoring or expensive infrastructure.

1st March 2026 | 10 min read | Akhil Kakar

The Hidden Risk in Your Infrastructure

Many organisations still run critical systems that exist in a precarious state. These might be an odd on-premises server tucked away in a corner, legacy monolithic applications that "just work," or systems that were never properly integrated into modern backup and disaster recovery strategies. While these systems may have been forgotten during cloud migrations, they often contain important business data and represent a major business continuity risk.

⚠️ The Reality Check

Without proper disaster recovery, your organisation is vulnerable to:

  • Hardware failure: Ageing servers with no replacement strategy
  • Ransomware attacks: Increasingly sophisticated threats targeting legacy systems
  • Natural disasters: Floods, fires, or power outages affecting on-premises infrastructure
  • Human error: Accidental deletions or misconfigurations with no recovery path

The challenge is clear: these systems need protection, but building traditional disaster recovery infrastructure is expensive, complex, and time-consuming. What organisations need is a simple, cost-effective solution that provides robust disaster recovery without requiring extensive refactoring or infrastructure investment.

The Solution

AWS Elastic Disaster Recovery (AWS DRS) provides exactly this: a managed service that continuously replicates your servers to AWS, enabling rapid recovery when needed without the complexity of building and maintaining traditional DR infrastructure.

What is AWS Elastic Disaster Recovery?

AWS Elastic Disaster Recovery (AWS DRS) is a managed service that minimises downtime and data loss by providing fast, reliable recovery of on-premises and cloud-based applications. It works by continuously replicating your source servers into a low-cost staging area in your AWS account, ready to launch full-capacity recovery instances within minutes when needed.

Key Benefits of AWS DRS

Near Real-Time Replication

Continuous data replication ensures minimal data loss with Recovery Point Objectives (RPO) measured in seconds, not hours.

Rapid Recovery

Launch recovery instances in minutes with Recovery Time Objectives (RTO) typically under 20 minutes for most workloads.

Agent-Based Approach

Simple agent installation on source servers handles all replication, working with on-premises, AWS, and other cloud environments.

Legacy System Support

Ideal for protecting legacy and monolithic workloads without requiring application refactoring or modernisation.

How It Works

AWS DRS uses block-level replication to continuously copy data from your source servers to a low-cost staging area in AWS. This staging area uses lightweight instances and EBS snapshots to minimise costs. When disaster strikes, you can launch full-capacity EC2 instances from this replicated data within minutes, ensuring business continuity with minimal disruption.

What Does AWS DRS Actually Protect?

A common misconception is that AWS DRS protects "everything." Understanding exactly what it covers and what it doesn't is critical for designing a complete DR strategy.

Compute (Primary Use Case)

AWS DRS protects entire servers, not just data. This includes physical servers, EC2 instances, VMware/Hyper-V VMs, and VMs running in other clouds.

Real-world context

If your on-prem data centre fails, DRS can launch equivalent EC2 instances in minutes with identical OS, installed applications, system state, and configuration fully intact.

Operating System & Applications

Because DRS replicates at the block level, it captures the full OS configuration, installed software, application binaries, and the Windows system registry. Everything needed to bring a server back to its exact state is preserved.

Important caveat

DRS does not automatically replicate IAM roles, security groups, load balancers, or other AWS-managed resources unless they are pre-configured in your launch settings.

Application Data

All attached disks are continuously replicated. This covers databases running on VMs (e.g. self-managed MySQL, SQL Server), file servers, and application data directories. If it lives on the disk, DRS replicates it.

  • Self-managed databases on VMs (MySQL, SQL Server, PostgreSQL, Oracle)
  • File servers and shared storage directories
  • Application data directories and configuration files

What AWS DRS Does NOT Directly Cover

These AWS-managed services have their own native DR mechanisms and are outside the scope of DRS:

  • Amazon RDS: Use cross-region read replicas or automated snapshots
  • Amazon DynamoDB: Use Global Tables for multi-region replication
  • Amazon S3: Use Cross-Region Replication (CRR)
  • IAM Configuration: Must be pre-configured manually in the target account
  • Route 53 Health Checks: Must be set up independently for DNS failover
  • Elastic Load Balancer (ELB): Must be pre-created in the recovery region

Key takeaway: AWS DRS is a powerful layer of your DR strategy, but it must be complemented with native DR mechanisms for managed AWS services to achieve full coverage.

How AWS DRS Solves the Problem

AWS DRS provides a straightforward path to protecting your legacy and critical systems without the complexity of traditional disaster recovery solutions. Here is how organisations can leverage AWS DRS to achieve robust business continuity:

Replicate Legacy Servers into AWS

Install the AWS DRS agent on your source servers, whether they are on-premises, in AWS, or in another cloud. The agent handles continuous, block-level replication to AWS without impacting production performance. This works seamlessly with legacy systems, monolithic applications, and even servers running older operating systems.

Launch Recovery Instances Only When Needed

Unlike traditional DR solutions that require maintaining duplicate infrastructure, AWS DRS keeps your data in a low-cost staging area. You only launch full-capacity recovery instances during actual disasters or testing, significantly reducing costs while maintaining readiness.

Avoid Complex Backup Infrastructure

AWS DRS eliminates the need to build and maintain complex backup infrastructure. No need for backup servers, storage arrays, or replication appliances. The service handles all the complexity of continuous replication, storage management, and recovery orchestration.

Protect Without Refactoring

One of the biggest advantages of AWS DRS is that it protects your systems as-is. There is no need to refactor applications, change architectures, or modernise code. This makes it ideal for legacy systems that are difficult to modify, allowing you to protect them now while planning modernisation for the future.

Minimal Operational Overhead

AWS DRS is a fully managed service, meaning AWS handles the underlying infrastructure, updates, and maintenance. Your team can focus on business continuity planning and testing rather than managing replication infrastructure, making it suitable even for small IT teams with limited resources.

AWS DRS Implementation Flow

  1. Install Agent on Source Server: Deploy the lightweight AWS DRS agent on your source servers (on-premises, AWS, or other clouds)
  2. Continuous Replication to AWS: Block-level replication continuously copies data to a low-cost staging area in AWS
  3. Launch Recovery Environment When Needed: Spin up full-capacity EC2 instances from replicated data within minutes during disasters
  4. Validate with Test Drills: Regularly test recovery procedures without impacting production systems

Prerequisites for Using AWS DRS

Before implementing AWS DRS, ensure you have the following prerequisites in place. While the list may seem extensive, most organisations already have many of these components as part of their existing AWS infrastructure.

AWS Account and Region

  • Active AWS account with appropriate permissions
  • Choose an AWS region for your staging area (typically closest to your source servers)
  • Verify AWS DRS is available in your chosen region

Network Connectivity

  • Reliable network connection between source servers and AWS
  • Options include AWS Direct Connect, VPN, or internet connectivity
  • Sufficient bandwidth for initial data replication and ongoing changes
  • Outbound connectivity on TCP port 443 (HTTPS) from source servers
  • Outbound connectivity on TCP port 1500 from source servers to the AWS replication servers for block-level data replication traffic

Supported Operating Systems

Linux

  • RHEL 6.x, 7.x, 8.x, 9.x
  • CentOS 6.x, 7.x, 8.x
  • Ubuntu 16.04, 18.04, 20.04, 22.04
  • SUSE Linux Enterprise Server
  • Amazon Linux 1, 2

Windows

  • Windows Server 2008 R2 and later
  • Windows Server 2012, 2012 R2
  • Windows Server 2016, 2019, 2022
  • Both Standard and Datacenter editions

Source Server Requirements

  • CPU: Minimum 1 vCPU (2 or more recommended for production)
  • Memory: Minimum 2 GB RAM (4 GB or more recommended)
  • Disk: Sufficient free space for agent installation, typically 2 to 5 GB
  • Permissions: Root/Administrator access for agent installation
  • File systems: Support for ext2, ext3, ext4, XFS, NTFS, ReFS

IAM Roles and Permissions

  • AWS DRS service-linked role (automatically created on first use)
  • IAM user or role with permissions to manage AWS DRS resources
  • EC2 instance profile for replication servers (managed by AWS DRS)
  • Permissions for EBS, EC2, and VPC operations
  • S3 access permissions for storing replication logs, agent installers, and recovery snapshots

AWS Infrastructure Readiness

  • VPC: Virtual Private Cloud configured in your target region
  • Subnets: Private subnets for staging and recovery instances
  • Security Groups: Configured to allow necessary traffic
  • Internet Gateway or NAT: For outbound connectivity if needed

Pro Tip: Start Small

Don't feel overwhelmed by these prerequisites. Start with a single, non-critical server to familiarise yourself with AWS DRS. Once you're comfortable with the process, you can expand to protect additional systems. Many organisations begin with their most vulnerable legacy servers and gradually extend coverage across their infrastructure.

Security Considerations

Security is paramount when implementing disaster recovery solutions. AWS DRS provides multiple layers of security to protect your data during replication, storage, and recovery. Understanding these security features helps you maintain compliance and protect sensitive information.

Data Encryption

Encryption in Transit

All data transmitted between your source servers and AWS is encrypted using TLS 1.2 or higher. This protects your data as it travels across networks, whether over the internet, VPN, or Direct Connect.

Encryption at Rest

Replicated data stored in AWS is automatically encrypted using AWS-managed keys or your own customer-managed keys (CMKs) via AWS Key Management Service (KMS). EBS volumes used for staging and recovery are encrypted by default.

IAM Least-Privilege Access

Implement least-privilege access principles for AWS DRS operations:

  • Create dedicated IAM roles for AWS DRS with only necessary permissions
  • Use IAM policies to restrict who can initiate recovery operations
  • Enable MFA for sensitive operations like launching recovery instances
  • Regularly review and audit IAM permissions
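An added example (not from the original article or from AWS) of the MFA and restriction points above: a constructed identity-based policy that allows launching recovery only from an MFA-authenticated session, plus a check that flags any Allow statement covering drs:StartRecovery without that condition. The policy contents and function names are assumptions for illustration; drs:StartRecovery and aws:MultiFactorAuthPresent are the real IAM action and global condition key.

```python
import fnmatch

# Constructed sample policy (illustrative, not from the article).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ViewDrs", "Effect": "Allow",
         "Action": ["drs:Describe*"], "Resource": "*"},
        {
            "Sid": "RecoverWithMfa",
            "Effect": "Allow",
            "Action": ["drs:StartRecovery"],
            "Resource": "*",
            # Launching recovery instances requires an MFA-authenticated session.
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
}

SENSITIVE_ACTION = "drs:StartRecovery"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_mfa(statement):
    """True only for Bool aws:MultiFactorAuthPresent = true.

    BoolIfExists is deliberately not accepted: on an Allow it also matches
    requests that carry no MFA key at all (e.g. long-term access keys).
    """
    bool_block = statement.get("Condition", {}).get("Bool", {})
    for key, value in bool_block.items():
        if key.lower() == "aws:multifactorauthpresent":
            return [str(v).lower() for v in _as_list(value)] == ["true"]
    return False

def find_unprotected_allows(policy):
    """Return the Sids of Allow statements granting StartRecovery without MFA."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        # NotAction statements are not evaluated here.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        covers = any(
            fnmatch.fnmatchcase(SENSITIVE_ACTION.lower(), pattern.lower())
            for pattern in _as_list(stmt["Action"])
        )
        if covers and not _requires_mfa(stmt):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings
```

Running find_unprotected_allows over each policy attached to the DR operator roles gives a quick list of statements to tighten during the periodic IAM review.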

Point-in-Time Recovery for Ransomware Protection

AWS DRS supports point-in-time recovery, which is particularly valuable for ransomware scenarios. Rather than restoring to the most recent state (which may already be encrypted or corrupted), you can roll back to a clean snapshot taken before the attack occurred. This makes AWS DRS a meaningful layer of defence against ransomware, not just hardware failure or natural disasters.
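An added example (not from the original article or from AWS) of choosing the point in time to roll back to: it picks the newest recovery snapshot taken before the first known sign of compromise, minus a safety margin, and builds the parameters for a drill launch from that snapshot. The records are constructed and shaped like the items returned by the DRS DescribeRecoverySnapshots API; the IDs, times, margin and function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like DescribeRecoverySnapshots "items"
# (IDs and times are made up and deliberately unordered).
SAMPLE_SNAPSHOTS = [
    {"snapshotID": "pit-example-0004", "sourceServerID": "s-example0001",
     "timestamp": "2026-02-28T03:30:00+00:00"},
    {"snapshotID": "pit-example-0001", "sourceServerID": "s-example0001",
     "timestamp": "2026-02-27T22:00:00+00:00"},
    {"snapshotID": "pit-example-0003", "sourceServerID": "s-example0001",
     "timestamp": "2026-02-28T02:50:00+00:00"},
    {"snapshotID": "pit-example-0002", "sourceServerID": "s-example0001",
     "timestamp": "2026-02-28T02:00:00Z"},
]

# Constructed: earliest indicator of compromise found during triage.
FIRST_COMPROMISE = datetime(2026, 2, 28, 3, 15, tzinfo=timezone.utc)

def _parse(ts):
    """Parse an ISO 8601 timestamp; treat naive values as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def pick_clean_snapshot(snapshots, first_compromise, margin=timedelta(hours=1)):
    """Return the newest snapshot older than (first_compromise - margin).

    The margin allows for the attacker being present before the first
    indicator was logged. Returns None when no snapshot is old enough.
    """
    cutoff = first_compromise - margin
    candidates = [s for s in snapshots if _parse(s["timestamp"]) < cutoff]
    return max(candidates, key=lambda s: _parse(s["timestamp"]), default=None)

def build_drill_request(snapshot):
    """Build StartRecovery parameters for a drill launch from that snapshot."""
    return {
        "isDrill": True,  # verify the restored server before a real recovery
        "sourceServers": [{
            "sourceServerID": snapshot["sourceServerID"],
            "recoverySnapshotID": snapshot["snapshotID"],
        }],
    }
```

With boto3, the resulting dict can be passed as `boto3.client("drs").start_recovery(**request)`; launching it as a drill in an isolated subnet lets you confirm the snapshot is clean before committing to it.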

Network Isolation

Protect your disaster recovery infrastructure through network segmentation:

  • VPC Isolation: Deploy staging and recovery resources in dedicated VPCs
  • Security Groups: Configure restrictive security groups allowing only necessary traffic
  • Network ACLs: Add additional network-level controls for defence in depth
  • Private Subnets: Place staging servers in private subnets without direct internet access

Compliance Considerations

AWS DRS supports various compliance frameworks and certifications:

  • ISO 27001
  • SOC 1/2/3
  • PCI DSS
  • HIPAA

Protecting Credentials on Source Servers

Secure the AWS DRS agent credentials on your source servers:

  • Use IAM roles instead of long-term access keys where possible
  • Rotate credentials regularly following security best practices
  • Store credentials securely using operating system credential stores
  • Limit access to credential files using file system permissions

DR Testing Without Production Impact

AWS DRS enables secure testing of your disaster recovery procedures:

  • Launch recovery instances in isolated test environments
  • Test recovery procedures without affecting production systems
  • Validate application functionality and data integrity
  • Clean up test resources automatically after validation

Security Best Practice

Implement a defence-in-depth strategy by combining multiple security layers. No single security control is sufficient. Use encryption, network isolation, access controls, and monitoring together to create a robust security posture for your disaster recovery infrastructure.

Technical Skills Required

AWS DRS is designed to be accessible to IT teams with traditional infrastructure backgrounds. You don't need deep cloud expertise. Here's what's helpful:

Basic AWS Knowledge

Familiarity with EC2, VPC, IAM, and the AWS Management Console is sufficient.

Server & Networking Fundamentals

Linux or Windows administration, basic TCP/IP networking, and firewall concepts are all you need.

DR Concepts (RPO & RTO)

Understanding Recovery Point and Recovery Time Objectives helps you configure and validate your DR strategy effectively.

What You Don't Need

No scripting, application refactoring, container knowledge, or advanced cloud architecture expertise required.

Perfect for small IT teams. Start with a single server, build confidence, then expand coverage incrementally. No large team of cloud specialists required.

Use Cases Beyond On-Premises

While AWS DRS is commonly associated with protecting on-premises infrastructure, its capabilities extend far beyond this traditional use case. Modern organisations are discovering innovative ways to leverage AWS DRS for various disaster recovery scenarios across hybrid and multi-cloud environments.

Multi-Region Disaster Recovery Within AWS

Use AWS DRS to replicate workloads running in one AWS region to another region for geographic redundancy. This protects against regional outages and provides compliance with data residency requirements.

Example Scenario

A financial services company runs critical applications in the AWS Sydney region. They use AWS DRS to continuously replicate these workloads to the AWS Melbourne region, ensuring business continuity if the primary region experiences an outage. This approach provides sub-second RPO and an RTO measured in minutes without maintaining duplicate infrastructure.

Cross-Cloud Disaster Recovery

Protect workloads running in other cloud providers such as Azure, Google Cloud, or Oracle Cloud by replicating them to AWS. This provides cloud-agnostic disaster recovery and reduces vendor lock-in concerns.

Example Scenario

An organisation runs legacy applications on Azure but wants AWS as their disaster recovery target. AWS DRS agents installed on Azure VMs continuously replicate data to AWS, enabling rapid failover if Azure experiences issues. This multi-cloud strategy provides resilience without requiring a complete migration.

Legacy Monolithic Applications

Protect business-critical monolithic applications that are difficult to modernise. AWS DRS provides disaster recovery for these systems without requiring architectural changes or application refactoring.

Example Scenario

A manufacturing company relies on a 15-year-old ERP system running on physical servers. The application is too complex and risky to modernise, but it contains critical business data. AWS DRS replicates these servers to AWS, providing disaster recovery protection while the organisation plans a long-term modernisation strategy.

Systems Without Robust DR

Many organisations have systems that were deployed without proper disaster recovery planning. AWS DRS provides a quick path to implementing DR for these vulnerable systems.

Example Scenario

A healthcare provider discovers that their patient management system has no backup or disaster recovery solution. The system runs on ageing hardware with no redundancy. AWS DRS is implemented within days, providing immediate protection while the organisation evaluates long-term infrastructure options.

Regulatory and Continuity Requirements

Meet regulatory requirements for business continuity and disaster recovery without building expensive duplicate infrastructure. AWS DRS provides documented, testable DR capabilities that satisfy compliance audits.

Example Scenario

A financial institution must demonstrate disaster recovery capabilities to regulatory auditors. AWS DRS provides continuous replication with documented RPO/RTO metrics, regular testing capabilities, and comprehensive audit logs through CloudTrail—all requirements for regulatory compliance.

Flexible DR Strategy

The versatility of AWS DRS means you can implement different disaster recovery strategies for different workloads based on their criticality, complexity, and business requirements. You are not locked into a single approach and can mix strategies as needed.

  • Critical Systems: Multi-region replication with automated failover
  • Legacy Systems: Basic replication with extended RTO acceptable

Building Resilience Without Disruption

AWS Elastic Disaster Recovery removes the traditional barriers to protecting legacy and critical systems. There is no need for duplicate infrastructure, complex refactoring, or a large cloud team. Start with your most vulnerable server, validate the recovery process, and expand from there at your own pace and within your existing budget.

AWS DRS is a strategic enabler for business continuity — protecting what you have today while giving you the breathing room to modernise tomorrow.

Protect Now. Modernise Later. Thrive Always.
