Building blocks active-passive deployments

Overview of building blocks, alternatives and not considered options

The following building blocks are needed to set up an active-passive deployment with synchronous replication.

The building blocks link to a blueprint with an example configuration. They are listed in the order in which they need to be installed.

We provide these blueprints to show a minimal functionally complete example with a good baseline performance for regular installations. You would still need to adapt it to your environment and your organization’s standards and security best practices.


Two sites with low-latency connection

Ensures that synchronous replication is available for both the database and the external Infinispan.

Suggested setup: Two AWS Availability Zones within the same AWS Region.

Not considered: Two regions on the same or different continents, as it would increase the latency and the likelihood of network failures. Synchronous replication of databases as a services with Aurora Regional Deployments on AWS is only available within the same region.

Environment for Keycloak and Infinispan

Ensures that the instances are deployed and restarted as needed.

Suggested setup: Red Hat OpenShift Service on AWS (ROSA) deployed in each availability zone.

Not considered: A stretched ROSA cluster which spans multiple availability zones, as this could be a single point of failure if misconfigured.


A synchronously replicated database across two sites.


A deployment of Infinispan that leverages the Infinispan’s Cross-DC functionality.

Blueprint: Deploy Infinispan for HA with the Infinispan Operator using the Infinispan Operator, and connect the two sites using Infinispan’s Gossip Router.

Not considered: Direct interconnections between the Kubernetes clusters on the network layer. It might be considered in the future.

Only Infinispan server versions 15.0.0 or greater are supported in Active/Passive deployments.


A clustered deployment of Keycloak in each site, connected to an external Infinispan.

Load balancer

A load balancer which checks the /lb-check URL of the Keycloak deployment in each site.

Not considered: AWS Global Accelerator as it supports only weighted traffic routing and not active-passive failover. To support active-passive failover, additional logic using, for example, AWS CloudWatch and AWS Lambda would be necessary to simulate the active-passive handling by adjusting the weights when the probes fail.

On this page