"The cloud is just someone else's computer."
We laughed at that bumper sticker for years. We stopped laughing on October 20, 2025. We stopped sleeping on March 1, 2026.
Prologue: Two Days That Changed Cloud Engineering Forever
There are dates that get permanently burned into the memory of every engineer who lived through them.
On October 19, 2025, at 11:48 PM PDT, Amazon DynamoDB in the US-EAST-1 (Northern Virginia) region began returning elevated API error rates. What followed was not a dramatic explosion - it was something far more humbling: a microscopic software race condition, invisible to every monitoring system, hiding in an automated DNS management routine that had run millions of times without incident. Within minutes, a cascade of failures ripped through the control plane, taking down over 140 AWS services and disrupting major platforms including Slack, Coinbase, Roblox, and Snapchat for over 15 hours.
The engineering world spent weeks dissecting that failure. Then, before the debate had even settled, the threat model changed completely.
At approximately 4:30 AM PST on March 1, 2026, one of AWS's Availability Zones in the UAE - mec1-az2 - was struck by what the company initially described as "objects," causing "sparks and fire" inside the data center. By the time the full picture emerged, drone strikes had taken out two of ME-CENTRAL-1's three availability zones, and the Bahrain region (ME-SOUTH-1) had lost one zone - marking the first confirmed military attack on a hyperscale cloud provider, according to Uptime Institute.
These are not two separate stories. They are the same story, told from two different angles - and together, they redefine what it means to build resilient systems in 2026.
Oct 2025
Duration
Insurance Losses
Hit Mar 2026
Destroyed
Part 1: The Illusion of the Infinite Cloud
Cloud computing created the most successful myth in the history of technology. "Nine nines of durability." "Automatic multi-AZ failover." "Global infrastructure." Enterprises confidently dismantled their on-premises data centers, migrated banking systems, healthcare databases, and payment platforms onto AWS - and stopped thinking about infrastructure entirely.
As of October 25, 2025, AWS's rolling availability figures showed 99.84% uptime over one year. The marketing promise is "nines of availability." The operational reality is that when things go wrong at this scale, they go wrong for hundreds of millions of people simultaneously.
Part 2: Anatomy of an AWS Region
The foundational geographic unit of AWS infrastructure is the Region - a specific physical location where AWS clusters multiple data centers. US-EAST-1 is Northern Virginia. EU-WEST-1 is Ireland. ME-CENTRAL-1 is the UAE. Regions are designed to be completely independent - no shared power, networking, or control plane dependencies.
Each Region is subdivided into Availability Zones (AZs) - discrete physical data centers with independent power, cooling, and networking, placed far enough apart to prevent a single environmental event from taking down multiple zones, but close enough (typically within 60 miles) for single-digit millisecond synchronous replication.
Control Plane vs. Data Plane - The Most Critical Distinction
The Control Plane is the management layer - the APIs you call to create, modify, and delete resources (aws ec2 run-instances, IAM policy updates, Route 53 changes). Control planes are architecturally complex, stateful, and have a higher probability of impairment.
The Data Plane is the service in operation - a running EC2 instance, an S3 bucket serving requests, a DynamoDB table processing writes. Data planes are intentionally simpler.
Part 3: A Taxonomy of Cloud Failure
Every major outage falls into one of four categories - and 2025-2026 gave us live specimens of all four:
Category 1 - Software & Logical Failures: Race conditions, DNS bugs, state corruption, cascading dependency failures. Most frequent. Can propagate globally at the speed of light.
Category 2 - Human Error: Mistyped commands, flawed deployments. The 2017 S3 outage was caused by an engineer who removed more servers than intended during routine maintenance, forcing S3 subsystems to restart.
Category 3 - Infrastructure & Environmental: Power outages, cooling failures, fiber cuts, seismic events. Geographically bounded but potentially severe.
Part 4: Case Study 1 - The Day a DNS Race Condition Broke the Internet
October 19-20, 2025 | AWS US-EAST-1 | Duration: ~15 Hours
Why DynamoDB Is Not Just a Database
DynamoDB is marketed as a managed NoSQL database. But internally it serves a second, equally critical function: it is the central state management and metadata store for dozens of AWS control planes. EC2 uses DynamoDB to track physical server health. The EC2 DropletWorkflow Manager (DWFM) relies on it to renew leases on physical servers. Lambda, EKS, Fargate, and Redshift all have dependency chains tracing back to it. When DynamoDB disappears, it is not like losing one service. It is like removing the foundation from a building.
dynamodb.us-east-1.amazonaws.com got a silent DNS failure - no error, just an empty response.The Root Cause: A Race Condition in Automated DNS Management
DynamoDB's DNS management comprises two components: a DNS Planner that monitors load balancer health and creates DNS plans, and a DNS Enactor that applies those plans to Route 53. One Enactor runs per AZ - three in US-EAST-1.
On the night of October 19, one DNS Enactor experienced unusual delays. Simultaneously, the Planner began generating new plans at a higher pace. The delayed Enactor's processing overlapped with another Enactor's plan cleanup - causing the older plan to overwrite the newer one just before deletion. Result: all IP addresses were inadvertently erased from the regional DynamoDB endpoint dynamodb.us-east-1.amazonaws.com.
Creates DNS plans
Sends to Enactors
↑ Plan rate increased
during incident
Processing old plan
Overwrites newer state
Applies correct plan
Sends to Route 53
Empty DNS record
for DynamoDB endpoint
The Cascade: One Failure, Fifteen Hours
Phase 1 (11:48 PM - 2:25 AM): Empty DNS record - all DynamoDB API requests fail immediately. Lambda, Redshift, EC2 orchestration systems go dark.
Phase 2 (2:25 AM - 1:50 PM): EC2 DropletWorkflow Manager enters congestive collapse. Server lease renewals stop. EC2 returns InsufficientCapacity errors. Even after DNS is restored, DWFM is buried under overdue lease checks. Engineers manually throttle traffic and restart DWFM components.
Phase 3 (6:21 AM - 2:20 PM): New EC2 instances launch without proper networking configurations. NLB health checks fail systemically. Lambda is throttled as a result.
Platforms affected: Slack, Coinbase, Roblox, Snapchat, Fortnite, Signal, Venmo, Canvas, Ring, and McDonald's. NOAA reported a massive backlog in critical weather data processing. A Premier League match had its official statistics platform disrupted mid-game.
Engineering Lessons From a Software Failure
2:25 AM. The outage continued until 2:20 PM. Account for backlog drain and state recovery - not just detection and fix time.US-EAST-1 fell together when the control plane failed. Multi-AZ is not a substitute for multi-region architecture.Part 5: Case Study 2 - When War Came to the Server Rack
March 1, 2026 | AWS ME-CENTRAL-1 (UAE) + ME-SOUTH-1 (Bahrain)
The Geopolitical Context: Compute as the New Strategic Oil
The U.S. military uses AWS to run some of its workloads, including running Anthropic's AI model Claude for some intelligence functions. Iran's Fars News Agency said on Telegram that the Bahrain facility had been deliberately targeted "to identify the role of these centers in supporting the enemy's military and intelligence activities."
CNBC March 4 ↗
The boundary between commercial cloud computing and military operations has largely vanished. The Pentagon's Joint Warfighting Cloud Capability and its JADC2 networks run on the same commercial infrastructure that serves banks and ride-hailing apps. This is the Dual-Use Trap: under International Humanitarian Law, any civilian infrastructure that makes an effective contribution to military action can be reclassified as a legitimate military objective.
"If data centers become critical hubs for transiting military information, we can expect them to be increasingly targeted by both cyber and physical attacks."
- Zachary Kallenborn, PhD Researcher, King's College London Fortune March 9 ↗
"Iran and proxies have targeted oil fields in the past, but their attacks this week on UAE data centers shows they are now considered critical infrastructure."
- Patrick J. Murphy, Executive Director, Hilco Global CNBC March 6 ↗
What Actually Happened
AWS confirmed: two of its facilities in the UAE were "directly struck" by drones. In Bahrain, "a drone strike in close proximity to one of our facilities caused physical impacts to our infrastructure." CNBC March 2 ↗
AWS official statement: "These strikes have caused structural damage, disrupted power delivery to our infrastructure, and in some cases required fire suppression activities that resulted in additional water damage."
By 1846 UTC, power disruptions spread to a second UAE availability zone (mec1-az3), significantly impacting services like S3 storage - which AWS notes is only designed to withstand the loss of a single zone within a region.
The Register ↗
Fully functional
→ Fire
→ Sprinklers activated
→ Water damage
→ Offline
from AZ2 events
→ Offline
Fully functional
→ Power grid disruption
→ Offline
Fully functional
Why Multi-AZ Architecture Failed Here
AWS's redundancy model is designed to survive the failure of one zone at a time - calibrated against statistical assumptions: floods, earthquakes, power grid failures are localized events with a physical blast radius.
mec1-az2 and mec1-az3 went offline simultaneously, distributed databases and consensus algorithms lost quorum. DynamoDB requires 2/3 nodes to achieve write quorum. Only 1 node survived.Impact and AWS Advisory
AWS confirmed disruption of over 109 services including EC2, S3, DynamoDB, Lambda, RDS, and EKS. Consumer apps including delivery platform Careem, and payments companies Alaan and Hubpay reported outages. Banking providers ADCB and Emirates NBD, and enterprise software provider Snowflake also reported service disruptions.
CNBC March 3 ↗
AWS issued an unprecedented advisory: "customers with workloads running in the Middle East consider taking action now to backup data and potentially migrate your workloads to alternate AWS Regions." This was the first time in AWS history they advised customers to migrate out of an entire region due to physical security concerns.
"Organizations using services from any cloud provider in the Middle East should immediately take steps to shift their computing to other regions."
- Mike Chapple, IT Professor, University of Notre Dame Fortune March 3 ↗
The Submarine Cable Threat Multiplier
Seventeen submarine cables pass through the Red Sea, carrying the majority of data traffic between Europe, Asia, and Africa. With Iran's closure of the Strait of Hormuz and renewed Houthi threats in the Red Sea, both critical data chokepoints are now in active conflict zones simultaneously.
"Closing both choke points simultaneously would be a globally disruptive event."
- Doug Madory, Director of Internet Analysis, Kentik Fortune March 9 ↗
Part 6: Two Outages, One Lesson - Comparative Analysis
| Dimension | Oct 2025 - Software Failure | March 2026 - Kinetic Attack |
|---|---|---|
| Root Cause | DNS race condition in DynamoDB automation | Military drone strikes during Iran-US conflict |
| Region Affected | US-EAST-1 - global dependency | ME-CENTRAL-1 + ME-SOUTH-1 |
| AZs Impacted | All AZs - control plane failure | 2 of 3 in UAE, 1 in Bahrain |
| Nature of Damage | Logical state corruption | Structural, power loss, water damage |
| Data Plane Impact | Running workloads survived | Physical servers destroyed/unreachable |
| Recovery Time | ~15 hours | Days to weeks |
| Warning Time | Zero - invisible until cascade | Zero - 4:30 AM strike |
| Financial Impact | Up to $581M insurance losses | Ongoing - regional economies disrupted |
Part 7: Engineering Resilience for a World on Fire
Principle 1: Multi-Region Active-Active Is the Minimum
The October outage proved that a control plane failure can defeat multi-AZ redundancy. The March attack proved that a coordinated physical strike can defeat it catastrophically. The baseline for any mission-critical workload is active-active multi-region deployment.
Aurora Global DB / DynamoDB Global Tables
sub-second cross-region replication
Route 53 health check → auto failover → 100% traffic to Region B
User impact: ~30-60 seconds degraded latency
Key AWS services that enable this pattern: Amazon Route 53 with health checks and latency-based routing · Aurora Global Database for sub-second cross-region replication · DynamoDB Global Tables for multi-region NoSQL sync · S3 Cross-Region Replication · AWS Application Recovery Controller
Principle 2: Eliminate Hidden Cross-Region Dependencies
A multi-region architecture is worthless if both regions secretly depend on a shared component in US-EAST-1. Audit aggressively for these hidden single points of failure:
IAM endpoint centralized in us-east-1ACM certificates not replicated cross-regionSecrets Manager secrets not replicatedCI/CD pipelines running only in one regionPrinciple 3: Infrastructure as Code Is Your DR Weapon
AWS advised affected customers to immediately migrate workloads to alternate regions. Executing that in hours - not days - requires your entire infrastructure stack to be codified and reproducible with a single command.
IaC cannot spin up full production in a new region in under 30 minutes, your disaster recovery plan is a document, not a capability.# Your entire production environment: deployable in one command
# Target: < 30 minutes to full production in new region
terraform apply \
-var="region=ap-south-1" \
-var="environment=production" \
-var="disaster_recovery_mode=true"
# Provisions: VPCs, EKS clusters, RDS/Aurora (pointing to global replica),
# all application services, monitoring, alerting, IAM rolesPrinciple 4: Cell-Based Architecture - Contain the Blast Radius
Principle 5: Static Stability - Design for Control Plane Failure
# ANTI-PATTERN: Control plane hit on every request ❌
def serve_request(user_id):
config = aws_parameter_store.get_parameter(f'/app/config/{user_id}')
subscription = aws_dynamodb.get_item(user_id)
return process(config, subscription)
# CORRECT: Static stability through local caching ✅
def serve_request(user_id):
config = local_cache.get(f'config:{user_id}')
if not config:
config = aws_parameter_store.get_parameter(...)
local_cache.set(f'config:{user_id}', config, ttl=3600)
return process(config)
# If DynamoDB goes down for 15 hours:
# Application serves from cache. Users see zero disruption.Principle 6: Geopolitics Is Now an Infrastructure Decision
Principle 7: Chaos Engineering Is Now a Security Practice
Run quarterly regional failover tests. Measure actual RTO. Document actual runbooks. The companies that survived March 1 with zero downtime had already rehearsed exactly this scenario - not because they expected a drone strike, but because they treated failure as inevitable and designed for it systematically.
# AWS Fault Injection Service - Regional failover validation
# Run quarterly. Measure actual RTO before you need it.
apiVersion: fis.aws/v1
kind: ExperimentTemplate
metadata:
name: regional-failover-validation
spec:
actions:
block-regional-traffic:
actionId: aws:network:disrupt-connectivity
parameters:
duration: PT30M
scope: all
validate-failover:
actionId: aws:cloudwatch:assert-alarm-state
parameters:
alarmName: secondary-region-serving-traffic
alarmState: OK
stopConditions:
- source: aws:cloudwatch:alarm
value: error-rate-exceeds-thresholdPart 8: The Future of Physical Cloud Security
The March 2026 attacks mandate a fundamental rethink of physical security. Cloud security spending has historically focused on cyber threats - state-sponsored APTs, ransomware, DDoS. The physical perimeter was considered "solved" with fences, biometric access, and mantraps. That assumption is now obsolete.
Subterranean Facilities: The Lefdal Mine Datacenter in Norway operates deep within a former olivine mine, protected by 60 meters of solid rock. The Green Mountain facility was built inside a decommissioned NATO ammunition depot. Both achieve PUE of 1.08 - versus the industry average of 1.5+.
Counter-UAS Layered Defense - Tier 1: Broad-spectrum RF sensors (400 MHz to 8 GHz) and EO/IR radar for early-warning perimeters. Tier 2: Physical obscuration - scrims, camouflage netting over generators, fuel tanks, and HVAC chillers. Tier 3: Precise RF manipulation severing the drone's C2 link - far safer over populated areas than kinetic countermeasures.
Part 9: The Complete Engineering Framework
Multi-region active-active is the minimum viable resilience posture. Multi-AZ fails for software failures. It fails catastrophically for coordinated physical strikes.
Control plane failures are the most dangerous failure mode. Design for static stability - serve existing users indefinitely even if every control plane API in your primary region is unreachable.
Geopolitical risk is now a first-class infrastructure concern. Region selection must include military risk, dual-use classification exposure, and submarine cable dependencies.
Your
IaCmust deploy full production in a new region in under 30 minutes. If it cannot, your DR plan is a document. Test it quarterly with real failover exercises.Automation must have circuit breakers and human-in-the-loop overrides for destructive operations. No automated process should be able to delete
DNSrecords without a circuit breaker.Cell-based architecture limits blast radius. A bad deployment should affect 1% of users, not 100%.
Chaos engineering is no longer optional. The companies that survived March 1 with zero downtime had already rehearsed exactly this scenario.
Epilogue: The Ground Is Moving
In a previous post on this blog, we analyzed how JioHotstar engineered a platform capable of serving 82.1 crore concurrent streams for the ICC T20 World Cup 2026 Final - a story of extraordinary preparation meeting extraordinary demand.
That article was about the ceiling of what cloud engineering can achieve when everything goes right. This article is about what happens when things go catastrophically wrong - when a microscopic race condition cascades through 140 services, and when weapons of war reach the server rack.
The cloud is no longer just up in the sky. It is on the ground. It is in buildings. It is a target.
And the engineers who build the systems that the world depends on must now design for a world where the ground itself is moving.
Verified Sources
If this deep-dive was useful to your thinking, I'd love to hear your perspective in the comments below. What architectural decisions is your team making differently after these two events? 👇