Home / News / Dual-Site Infrastructure Design in UK Recovery and Continuity Planning

Dual-Site Infrastructure Design in UK Recovery and Continuity Planning

Secondary computing facilities became part of large-enterprise continuity planning during the mainframe and early data centre era, particularly from the 1970s and 1980s onward. Banks, public sector bodies, manufacturers and large service organisations had to consider how they would process payments, payroll, production orders or customer records if the primary computer room became unavailable. The driver was operational continuity after fires, power failures, equipment faults or loss of building access. As client-server systems, ERP platforms, internet services and online customer channels spread during the 1990s and early 2000s, the case for formal recovery sites extended beyond the largest mainframe estates.

The principle still holds, but the recovery problem has become more layered. Keeping critical systems, data and operational processes in one physical location creates obvious exposure. In earlier secondary-site models, the organisation could often think in terms of replicated servers, storage, network equipment and operating procedures within one controlled estate. Restoring a service may now require more than bringing up servers and storage. It may also require access to identity services, DNS control, monitoring, certificates, cloud management planes, SaaS platforms and third-party integrations.

That raises a more demanding question than whether infrastructure exists in two places. Can the primary site fail, isolate or hand over in a controlled way? Can the secondary site be operated without relying on the same impaired services? Can users authenticate, traffic be redirected, clean data be restored and normal operations resumed without creating further risk? The answer depends on both sites and on the services that connect, govern and protect them.

For UK organisations, dual-site planning also cuts across jurisdiction, supplier assurance, regional hosting choices, backup governance and network design. Co-location, UK-based object storage, managed backup and disaster recovery services are relevant not as standalone answers, but as building blocks: where clean data is stored, where recovery equipment sits, how restoration traffic moves, who has access and how the service is brought back.

This article examines dual-site infrastructure as a complete recovery design, not simply as the presence of a secondary location. It does not argue that every workload needs two active sites or full duplication. Its central point is narrower: dual-site infrastructure is useful only when both the primary and secondary arrangements are designedgoverned and tested for the disruption scenarios they are meant to withstand.

Why Dual-Site Infrastructure Is Being Re-examined

Two pressures make dual-site design worth re-examining: external disruption and internal execution risk.

The external pressure comes from risks that are harder to separate neatly. The Business Continuity Institute’s Horizon Scan 2025identifies cyber security as the leading long-term concern among respondents, followed by climate risk, artificial intelligence, geopolitical change and supply chain issues. For recovery planners, the significance is not only the ranking. It is that a cyber incident may affect a supplier, a geopolitical event may affect technology operations, and a supply chain issue may delay equipment, engineering support or specialist recovery assistance.

The second pressure comes from inside the organisation. Recovery plans often depend on people performing unusual tasks under time pressure, across several technical domains, while senior stakeholders are asking for updates. Uptime Institute’s Annual Outage Analysis 2025 reported that the proportion of human error-related outages caused by failure to follow procedures rose by ten percentage points compared with 2024. That finding matters because failover, restoration and failback are procedural as well as technical activities.

Dual-site architecture can fail for reasons that are not visible on a diagram. The primary site may not fail cleanly. The replicated data may include corruption. The secondary location may depend on the same identity, DNS or administration controls. Recovery may stall because access routes are unclear, firewall rules have not been maintained, runbooks are outdated or the team has never practised failback after running from the secondary site.

Cloud provider guidance is useful here because it describes several recovery patterns rather than one prescribed design. Backup and restore, pilot light, warm standby and active-active are not interchangeable labels. They imply different recovery times, recovery points, costs, operating overheads and data-consistency constraints. The workload and service requirement should determine the pattern, not a preference for a fashionable architecture.

What Existing Frameworks Tell Us About Resilient Architecture

The major frameworks cited here do not prescribe a universal number of sites, fixed separation distance or single technology stack. Their emphasis is on whether critical activities can continue, be restored within acceptable limits and be supported by arrangements that have been tested.

Source Main concern What it asks organisations to understand
ISO 22301 Business continuity management Important activities, business impact, continuity arrangements and exercising
Bank of England / PRA SS1/21 Continuity of important business services Impact tolerances, resources, mapping and severe but plausible disruption scenarios
NCSC Cyber Assessment Framework Cyber resilience and recoverability Critical resources, restoration order, business continuity and disaster recovery plans, and tested recovery arrangements
AWS, Microsoft and Google Cloud DR guidance Recovery architecture Recovery objectives, workload requirements and suitable recovery patterns

The table is useful because it shows that resilience guidance is not asking for a simple inventory of assets. ISO 22301 is concerned with continuity management. SS1/21 focuses on important business services and impact tolerances. The NCSC Cyber Assessment Framework looks at cyber resilience and restoration. Cloud provider guidance deals more directly with workload architecture and recovery patterns.

The language differs, but the discipline is similar: identify the service, understand the resources and suppliers that support it, decide how much interruption is acceptable and prove the arrangement works. That is directly relevant to dual-site planning because resilience is shaped by the relationship between the two sites. A secondary location can look convincing while still depending on the same identity service, DNS control, administration route or supplier process as the primary location. Equally, a primary site that cannot be isolated, failed over or recovered cleanly can undermine the whole design.

The design task is selective. Not every workload needs the same level of duplication. The organisation should identify the services that matter most, map what supports them, choose a recovery pattern that matches the business impact and test whether it works under realistic conditions.

Independent Environments

Recovery objectives should determine architecture

Dual-site architecture should start with service requirements, not infrastructure preference. Recovery time objective and recovery point objective still matter because they separate workloads that need rapid restoration from those that can tolerate delay or limited data loss. A payment platform, booking system or customer-facing service may justify a more prepared recovery arrangement than an internal reporting tool or infrequently accessed archive repository.

These models should not be treated as maturity levels or interchangeable labels. Active-active can support very low interruption tolerances for suitable workloads, but only where the application, data consistency model, traffic routing and operational controls are designed for it. Warm standby may provide a better balance for services that need faster recovery but do not justify continuously active duplicate capacity. Backup and restore may be acceptable where downtime and data loss tolerances are wider.

The design should follow the business impact assessment. Over-engineering every workload adds cost and management burden. Under-designing critical services creates false assurance. Stronger dual-site strategies usually use several recovery tiers rather than one uniform model.

Geographic separation should match the failure scenario

In the UK context, dual-site planning often has to balance metro resilience with regional separation. A second site in the same city may be convenient, low latency and easier to operate, but it may still share carrier routes, power-area exposure, staffing constraints or building-access risks. A site in another UK region can reduce some shared exposure while retaining UK data residency, but it may require different replication, access, support and failback arrangements.

Greater separation can reduce shared physical risk and may support sovereignty aims when both facilities remain within the UK. It also introduces trade-offs. Synchronous replication can be constrained by latency. Asynchronous replication can leave a recovery point gap, depending on workload behaviour, link performance and replication design. Staff may need different access arrangements, and failback may be more involved if the secondary location has been running production services for a sustained period.

Co-location and UK-based secondary infrastructure are relevant when an organisation needs physical separation, known jurisdiction, predictable access and clearer operational control over recovery assets. They allow recovery equipment and data to be separated from an office or primary facility without requiring every workload to move into a large public cloud estate. The value depends on whether both sides of the design are understood: what the primary site must hand over, what the secondary site must run and how the organisation will return safely to normal operations.

Supporting services should not remain concentrated by accident

Enterprise applications are seldom self-contained systems. A customer-facing service may depend on identity services for authentication, DNS infrastructure for service discovery, monitoring platforms for operational visibility, certificate management services for encrypted communications and external APIs for business functionality. Some of these components may be hosted in different locations, delivered as cloud services or operated by separate teams and suppliers.

This is a common weakness in dual-site design. Servers and databases may be replicated, while the services that make them usable remain concentrated in one administrative model. If the identity platform is unavailable or compromised, users may not be able to authenticate to the recovered service. If DNS is controlled through an inaccessible account, traffic may not be redirected. If monitoring depends only on the primary site, the recovery team may lose visibility when it needs it most.

Not every supporting service needs the same level of duplication. The important point is to know which services are essential to restoration, who owns them, where they sit and what happens if they are unavailable during the incident. Without that mapping, the organisation may restore infrastructure without restoring the service users actually need.

Recoverable Environments

Recovery data should be more than a recent copy

Replication and backup are often discussed together, but they solve different problems. Replication helps keep another system close to the current state of production. Backup preserves restore points that can be used when the current state is no longer trustworthy.

That distinction matters in dual-site planning. If ransomware encrypts a dataset and replication rapidly copies the encrypted state to the second site, the organisation may have two current but unusable versions. If an administrator accidentally deletes records and the deletion is replicated immediately, the secondary system may reflect the same error. In both cases, replication has worked technically but has not delivered recoverability.

Independent recovery copies therefore remain essential. Immutable backup repositories, object storage with retention controls, separate administrative privileges and protected backup catalogues can all support this objective. Object storage is relevant here not as a complete disaster recovery platform, but as a scalable repository layer for retained backup and archive data when combined with suitable backup software, compute resources, connectivity and recovery procedures.

For UK organisations handling sensitive or regulated data, recovery data also raises governance questions. Backup and archive copies may contain the same information as production systems, so storage location, administrative access, key management and retention controls should be understood before an incident occurs. Recovery is harder to manage when the organisation discovers during a crisis that the cleanest copy is difficult to access, slow to restore or governed by unclear supplier arrangements.

Connectivity should be designed for restoration, not only replication

Routine replication traffic and incident restoration traffic behave differently. Replication may move smaller changes over time. Restoration may require large data transfers, user redirection, remote administration, forensic activity, supplier access and service validation at the same time.

This can expose weaknesses that are not visible during normal operations. A link sized for daily incremental backup may be inadequate for restoring a large virtual estate. A single carrier path may work well until a fibre break or provider issue affects both production and recovery access. A VPN configuration may support administrators during normal maintenance but become a bottleneck when multiple recovery teams, suppliers and security specialists need access simultaneously.

Connectivity design should be tested against restoration behaviour, not only steady-state data movement. That includes bandwidth, alternative routes, routing changes, DNS updates, firewall rules, privileged access and support arrangements. It also includes failback. If the secondary site runs production services for several days, the organisation needs a controlled route back to the primary location once systems are clean and available. Without failback planning, a temporary recovery arrangement can become an unstable operating model.

Testable Environments

Recovery exercises should expose the awkward details

Dual-site design becomes credible only when the organisation has tested how the full recovery path would work. A runbook shows intent; an exercise shows whether the primary site can be isolated or failed over, whether the secondary site can be operated, and whether access rights, firewall rules, supplier escalation paths, certificates, sequencing and ownership still work under pressure. The uncomfortable findings are often the most valuable: a missing administrator account, an expired certificate, a forgotten application link, a restore process that takes longer than expected or a failback route that has not been properly defined.

ISO 22301 requires business continuity arrangements to be exercised and tested, while SS1/21 places emphasis on severe but plausible scenario testing for important business services. This shifts the discussion from whether a recovery plan exists to whether it has been demonstrated.

Testing can be proportionate. Not every organisation can or should perform frequent full-site failover exercises. However, table-top exercises, isolated restore tests, application recovery drills, dependency reviews, partial failovers and scheduled recovery rehearsals all provide evidence. They also improve operational confidence because teams learn where judgement, manual intervention and supplier coordination are required.

The best exercises are often the uncomfortable ones. They reveal where the plan is too optimistic. If identity recovery takes longer than expected, if DNS changes require another team, if object storage restore throughput is lower than assumed, or if failback is poorly defined, the organisation has learned something valuable before a real incident forces the issue.

Conclusion

Disaster recovery has often been shaped by physical separation. Organisations built secondary facilities because placing technology somewhere else reduced exposure to site-level failure. That assumption still has value, but it is no longer enough. Modern services are often delivered through combinations of systems, suppliers, data stores and operational processes that may span several locations and administrative domains. The success of dual-site design depends less on geography alone and more on how the primary and secondary sites work together: how one fails over, how the other is operated, how clean data is restored and how normal operations are resumed.

That makes dual-site strategy a set of choices rather than a single architecture pattern. Which services need rapid recovery? Which can wait? Which supporting systems must remain available? Which data copies are protected from corruption or malicious change? Which network paths are required during restoration? How will failback be controlled once the primary location is safe to use again?

These questions matter directly when organisations assess co-location, object storage, managed backup, disaster recovery and connectivity decisions. Each can strengthen resilience when it has a defined role in the recovery architecture: separating infrastructure, protecting clean data, supporting restoration traffic or providing a managed route back to service. None provides assurance in isolation. The value of dual-site infrastructure is proven only when the organisation can use both sides of the design to keep important services operating, restore them safely and return to normal operations after a genuine disruption.

2 July 2026