Uber's Failover Architecture: Reconciling Reliability and Efficiency in Hyperscale Microservice Infrastructure

Uber's engineering team, led by Mayank Bansal and Milind Chabbi, has published a paper detailing their new Uber Failover Architecture (UFA). This system fundamentally rethinks how the ride-sharing giant ensures platform resilience at a global scale. Historically, Uber ensured reliability through a costly '2x capacity' model, where every service was provisioned to handle global traffic independently across two separate regions. This left half of the massive compute fleet idle as a buffer, resulting in low utilization and high infrastructure costs. UFA replaces this one-size-fits-all approach with a differentiated architecture that aligns resource allocation with business criticality.

Critical services, like dispatch and payments, retain strong failover guarantees with dedicated buffer capacity. However, non-critical services now opportunistically use the buffer capacity reserved for critical services during normal operations. During rare 'full-peak' failover events, these non-critical services are selectively preempted and then rapidly restored using on-demand cloud capacity, with differentiated Service-Level Agreements (SLAs) governing their recovery. Automated safeguards, including dependency analysis and regression gates, ensure that critical services continue to function even when non-critical ones are temporarily unavailable. The quantitative impact is massive: UFA has already hardened over 4,000 unsafe dependencies and eliminated over one million CPU cores from a baseline of about four million, representing a major win for both engineering efficiency and the company's bottom line.