Multi-Region Incident Response: Coordinating Across Teams and Time Zones
Running services in multiple regions solves availability problems but creates coordination problems. When us-east-1 goes down at 2am and your on-call engineer is in Europe, you've got two problems layered on top of each other: the incident itself, and figuring out who does what.
Most incident runbooks assume a single blast radius. A region goes down, one team pages, one engineer responds, one incident gets resolved. Multi-region setups break that model in a few specific ways.
The Problems That Actually Bite You
You can't always tell if it's one region or many. A customer reports that your API is slow. Is it slow in all regions, or just the one nearest them? Without region-aware alerting, your on-call engineer spends the first five minutes just figuring out the scope. By the time they know it's a us-east-1 problem, not a global one, they've already paged the wrong people.
Your blast radii aren't always contained. A misconfigured CDN rule, a bad database migration, a botched config push through a shared pipeline: these can affect all regions at once. If each region has its own on-call rotation and they're all woken up at 3am independently, you'll have four engineers trying to coordinate over Slack, none of them knowing who's the incident commander.
Time zone gaps leave uncovered windows. "Follow the sun" coverage sounds good in theory. In practice, handoffs are rough, context gets lost, and the engineer picking up in a new region often has to reconstruct what happened in the last two hours from a Slack thread. If the original responder went offline at 6am local time and the new responder didn't read the thread until 8am, that's a two-hour gap where nobody was actively monitoring recovery.
Status page updates lag the actual state. A partial outage in one region is tricky to communicate. Your status page might say "Degraded Performance" when ap-southeast-1 is fully down but us-west-2 is fine. Customers in Singapore are getting a different experience than customers in Portland, and your status page doesn't reflect that split.
How to Structure Your Response
The goal is to know, within the first two minutes: which regions are affected, who owns each region's response, and whether this is a coordinated global incident or a regional one.
Region-Scoped Alerts
Your alerts should fire per region, not just globally. Instead of a single "API latency high" alert, you want:
ALERT: API latency high
Region: us-east-1
P95 latency: 1.2s (threshold: 500ms)
Affected services: checkout, authThis gives the responder scope immediately. It also means a regional failure doesn't suppress the signal for other regions. If us-east-1 fires first and the on-call engineer is heads-down, a separate alert for ap-southeast-1 should still fire independently and wake up whoever covers that region.
Tools like Prometheus with region labels, Datadog with environment scopes, or OpenTelemetry with resource attributes all support this. The pattern is the same: tag every signal with its origin region, and alert on regional aggregates before rolling them up to global ones.
If your alerting tool can't fire region-tagged alerts independently, you'll hit false positives constantly: a regional failure looks like a global one, and your responders spend precious minutes confirming scope instead of fixing things.
Designate a Global Incident Commander Early
For incidents that span more than one region, you need someone whose job is coordination, not troubleshooting. They run the incident bridge, write the status page updates, and decide when to escalate and who to involve.
If an incident only touches one region, the regional responder owns it. But once you've confirmed that two or more regions are affected, someone needs to step up as the global incident commander, even if that's a different person from the regional responders.
Write this down in your escalation policy: "If two or more regions are simultaneously degraded, page the global on-call IC." That person might not know anything about the specific service, but they know how to run an incident bridge and keep communication flowing.
Bridge Protocols for Cross-Region Incidents
When two regions are both degraded, you'll have at minimum two engineers on the call, one for each region. Without structure, they'll talk over each other, duplicate work, and confuse the timeline.
A simple protocol that works:
- One dedicated Slack thread per incident, named by incident ID
- Regional responders post status updates to the thread every 10 minutes: current hypothesis, actions taken, what they need
- The incident commander summarizes and posts to the status page
- No side conversations about root cause until the incident is mitigated
This sounds rigid, but in a high-stress multi-region outage, structure is what keeps the response from becoming chaos. It also means your post-incident timeline is clean, because every action was logged in one place.
Handoffs That Actually Transfer Context
If you're using follow-the-sun coverage and a handoff happens mid-incident, the outgoing engineer can't just say "it's being handled" and go to sleep. Before handing off:
- Write a brief summary in the incident thread: what happened, what's been tried, current status, open questions
- Do a five-minute verbal sync with the incoming engineer if at all possible
- Mark the handoff explicitly in your incident management tool so the timeline reflects who was driving when
The incoming engineer should acknowledge the handoff and repeat back their understanding of the current status. If they misunderstood something, that's better to catch now than an hour later.
A Concrete Scenario
Your payment service runs in us-east-1, eu-west-1, and ap-southeast-1. At 11pm UTC, alerts start firing:
ALERT: Payment success rate low
Region: us-east-1
Success rate: 82% (threshold: 99%)
ALERT: Payment success rate low
Region: eu-west-1
Success rate: 79% (threshold: 99%)Two regions, simultaneous. Your escalation policy kicks in automatically and pages your global on-call IC. They join the bridge and see two regional responders already triaging.
Within three minutes, the responders confirm the problem is in a shared database migration that ran five minutes ago. The migration touched a schema used by both regions. ap-southeast-1 hasn't fired yet because it's two minutes behind the migration rollout.
The IC marks this a P1, posts a degraded status to the status page for all three regions proactively, and coordinates the rollback. The regional responders execute the rollback in parallel. Recovery takes 12 minutes from first alert to green.
Without a global IC, the two regional responders might have both attempted rollbacks simultaneously, potentially interfering with each other. Without region-scoped alerts, the ap-southeast-1 impact wouldn't have shown up for another two minutes, and the status page would have been wrong until then.
What Multi-Region Coverage Actually Requires
| Incident type | Who owns it | IC needed? |
|---|---|---|
| Single region degraded | Regional on-call | No |
| Two regions degraded | Regional on-calls | Yes |
| Global outage (all regions) | Global on-call IC | Yes |
| One region down, others at risk | Regional on-call | Depends on escalation |
The table is simple but teams often skip the decision logic entirely. Without it, you get P1 incidents where nobody knows who's the incident commander because the escalation policy only describes single-region scenarios.
The Practical Takeaway
Multi-region coordination isn't just about having on-call engineers in every timezone. It's about knowing who owns the global view when things go wrong across regions, having alerting that's scoped to tell you exactly where problems are, and building handoff practices that don't drop context.
The overhead of setting this up is small compared to the cost of a two-hour multi-region incident where four engineers are all independently trying to fix the same underlying problem.