Network Considerations Checklist
Before deploying DR infrastructure, verify these network prerequisites:
VPC Structures
Both clusters (primary and secondary) have VPC configurations suitable for EKS
Each cluster VPC has public subnets (for ALB/NAT) and private subnets (for worker nodes)
VPC CIDR blocks do not overlap (required if the VPCs will be peered or otherwise connected for cross-VPC communication)
S3 gateway endpoints are configured in each VPC where applicable, so bucket traffic stays off the NAT gateway (avoiding NAT data-processing charges) and off the public internet
Cross-Region S3 Access
Secondary cluster's IAM role has read access to the primary's S3 bucket (s3:ListBucket on the bucket, s3:GetObject on its objects)
IAM policy names the specific bucket ARN and its object ARN (bucket-arn/*), not a wildcard
IAM policy denies requests where aws:SecureTransport is false, so the bucket is reachable over HTTPS only
Test from the secondary cluster, using that role's credentials, with:
aws s3 ls s3://<primary-bucket>/ --region <secondary-region>
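The three policy checks above can be run offline against the policy document before the role is ever used. The script below is an added example (not the checklist's or LogScale's own tooling): it takes the "Document" field of `aws iam get-policy-version --policy-arn <arn> --version-id <id>` as a dict and reports whether the grant is scoped to the bucket ARN, whether the read actions are present, and whether plaintext HTTP is denied. The bucket ARN and the two policies are constructed for illustration.

```python
"""Static checks on the secondary cluster's IAM policy for cross-region S3 reads.

Added example, not part of the checklist. The bucket ARN and policy documents
below are constructed for illustration.
"""
import json

BUCKET_ARN = "arn:aws:s3:::primary-logscale-bucket"   # constructed example ARN


def _as_list(value):
    """IAM accepts a scalar or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_plaintext(stmt):
    """True for a Deny whose condition is Bool aws:SecureTransport == false."""
    if stmt.get("Effect") != "Deny":
        return False
    cond = stmt.get("Condition", {}).get("Bool", {})
    for key, val in cond.items():
        if key.lower() == "aws:securetransport":
            return any(str(v).lower() == "false" for v in _as_list(val))
    return False


def check_s3_read_policy(policy, bucket_arn=BUCKET_ARN):
    """Return a list of findings; an empty list means all three checklist items pass."""
    findings = []
    bucket_res, object_res = bucket_arn, bucket_arn + "/*"
    granted = {}            # action -> set of resources it is allowed on
    tls_enforced = False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = set(_as_list(stmt.get("Resource")))
        touches_s3 = any(a == "*" or a.startswith("s3:") for a in actions)
        if stmt.get("Effect") == "Allow" and touches_s3:
            for res in resources:
                # Anything other than the bucket itself or a path under it is a wildcard grant
                if not (res == bucket_res or res.startswith(bucket_arn + "/")):
                    findings.append(f"Allow not scoped to {bucket_arn}: {res}")
            for act in actions:
                if act in ("*", "s3:*"):
                    findings.append(f"Allow grants over-broad action {act}")
                granted.setdefault(act, set()).update(resources)
        elif _denies_plaintext(stmt):
            # The Deny must cover all S3 actions on both the bucket and its objects
            if ("*" in actions or "s3:*" in actions) and (
                "*" in resources or {bucket_res, object_res} <= resources
            ):
                tls_enforced = True
    if bucket_res not in granted.get("s3:ListBucket", set()):
        findings.append(f"s3:ListBucket is not granted on exactly {bucket_res}")
    if object_res not in granted.get("s3:GetObject", set()):
        findings.append(f"s3:GetObject is not granted on exactly {object_res}")
    if not tls_enforced:
        findings.append("no Deny on aws:SecureTransport=false; plaintext HTTP would be accepted")
    return findings


# Constructed policies: the first is what the checklist rejects, the second passes.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
    ],
}
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("good", GOOD_POLICY)):
        print(name, json.dumps(check_s3_read_policy(pol), indent=2))
```

The checker matches action names literally, so a policy written with globs such as s3:Get* will be reported as missing s3:GetObject; expand those by hand or tighten the policy to the two named actions, which is what the checklist asks for anyway. The same Deny-on-aws:SecureTransport statement belongs in the bucket policy too, so that the rule holds for every principal and not only this role.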
Health Check Connectivity
The Lambda function triggered by the CloudWatch alarm can reach both clusters' ALBs (if it runs inside a VPC, its subnets need a route and security group rules for outbound HTTPS)
Route 53 health checkers can reach both ALBs on port 443
ALB security groups allow inbound 443 from the Route 53 health checker address ranges (the ROUTE53_HEALTHCHECKS entries in AWS's published ip-ranges.json)
The TLS certificate served on the health check path is valid and matches the hostname the check sends; Route 53 health checkers do not fail a check on certificate errors, so an expired or mismatched certificate must be caught by a separate check
DNS Propagation and TTLs
Route53 hosted zone is configured and contains failover records for global FQDN
Failover record TTL is set appropriately (suggested: 60-180 seconds so clients re-resolve quickly after failover; alias records pointing at an ALB cannot set a TTL and resolve with the ALB's 60 seconds)
Both the primary and secondary health checks report Healthy before cut-over
Verify DNS propagation by querying one of the hosted zone's authoritative name servers directly (this bypasses resolver caches) and confirming the answer and its TTL:
dig <global-fqdn> @<route53-nameserver>
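The dig query shows what resolvers will see; the record configuration itself can be checked from the hosted zone before cut-over. The script below is an added example (not the checklist's or LogScale's own tooling): it takes the ResourceRecordSets list from `aws route53 list-resource-record-sets --hosted-zone-id <id>` and verifies that the global FQDN has exactly one PRIMARY and one SECONDARY failover record, that each is tied to a health check, and that non-alias records keep their TTL inside the suggested range. The record sets, hostnames and health check IDs are constructed placeholders.

```python
"""Checks the Route 53 failover pair that serves the global FQDN.

Added example, not part of the checklist. Record sets, hostnames and
health-check IDs below are constructed for illustration (real IDs are UUIDs).
"""

TTL_MIN, TTL_MAX = 60, 180          # range suggested in the checklist above


def check_failover_records(record_sets, fqdn):
    """Return findings for the PRIMARY/SECONDARY pair serving fqdn; [] means pass."""
    findings = []
    name = fqdn.lower().rstrip(".") + "."      # Route 53 names are fully qualified
    pair = [r for r in record_sets if r.get("Name", "").lower() == name and "Failover" in r]
    by_role = {r["Failover"]: r for r in pair}
    if len(pair) != 2:
        findings.append(f"expected exactly two failover records for {name}, found {len(pair)}")
    for role in ("PRIMARY", "SECONDARY"):
        rec = by_role.get(role)
        if rec is None:
            findings.append(f"{role} failover record for {name} is missing")
            continue
        alias = rec.get("AliasTarget")
        evaluates_target = bool(alias and alias.get("EvaluateTargetHealth"))
        # Without a health check (or alias target-health evaluation) Route 53 treats
        # the record as always healthy, which defeats failover.
        if not rec.get("HealthCheckId") and not evaluates_target:
            findings.append(f"{role} record has no HealthCheckId; it is always considered healthy")
        if alias:
            # Alias records carry no TTL of their own; an ALB alias resolves with the ALB's 60 s.
            continue
        ttl = rec.get("TTL")
        if ttl is None or not TTL_MIN <= ttl <= TTL_MAX:
            findings.append(f"{role} record TTL {ttl} is outside {TTL_MIN}-{TTL_MAX} s")
    types = {r.get("Type") for r in pair}
    if len(types) > 1:
        findings.append(f"failover pair mixes record types {sorted(types)}")
    return findings


def _cname(role, ttl, target, health_check=None):
    """Build one constructed failover CNAME in the list-resource-record-sets shape."""
    rec = {"Name": "logscale.example.com.", "Type": "CNAME", "SetIdentifier": role.lower(),
           "Failover": role, "TTL": ttl, "ResourceRecords": [{"Value": target}]}
    if health_check:
        rec["HealthCheckId"] = health_check    # placeholder; real values are UUIDs
    return rec


# Constructed zone contents: a correct pair plus an unrelated NS record ...
GOOD_RECORDS = [
    _cname("PRIMARY", 60, "primary-alb.eu-west-1.elb.amazonaws.com", "hc-primary"),
    _cname("SECONDARY", 60, "secondary-alb.us-east-1.elb.amazonaws.com", "hc-secondary"),
    {"Name": "example.com.", "Type": "NS", "TTL": 172800, "ResourceRecords": []},
]
# ... and a pair with a long primary TTL and an unchecked secondary.
WEAK_RECORDS = [
    _cname("PRIMARY", 300, "primary-alb.eu-west-1.elb.amazonaws.com", "hc-primary"),
    _cname("SECONDARY", 60, "secondary-alb.us-east-1.elb.amazonaws.com"),
]

if __name__ == "__main__":
    for label, zone in (("good", GOOD_RECORDS), ("weak", WEAK_RECORDS)):
        print(label, check_failover_records(zone, "logscale.example.com"))
```

A secondary record without a health check is accepted by Route 53 (it is treated as healthy), so this check is stricter than the API; the checklist's requirement that both health checks report Healthy only makes sense if both records have one.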
SSL/TLS Certificates
ACM certificate (or a self-signed certificate, for testing only, since clients will not trust it) has subjectAltName entries covering the global FQDN and each cluster-specific FQDN
Certificate is not expired and renewal is automatic (ACM renews certificates it issued; imported certificates and cert-manager-issued certificates need renewal configured)
Ingress TLS configuration references correct certificate
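Name coverage and expiry (this section, and the health check certificate item above) can be verified against the certificate an ALB actually serves rather than the one you think you deployed. The script below is an added example (not the checklist's or LogScale's own tooling): it works on the dict that Python's `ssl.SSLSocket.getpeercert()` returns, matches each required FQDN against the DNS subjectAltName entries with one-label wildcard semantics, and flags expiry or a short remaining lifetime. The sample certificate dict, hostnames and fixed clock are constructed for illustration; `fetch_peer_cert` is the hook for a live endpoint.

```python
"""Checks a served TLS certificate against the FQDNs the checklist requires.

Added example, not part of the checklist. SAMPLE_CERT, the hostnames and the
fixed clock values are constructed for illustration.
"""
import socket
import ssl
import time

EPOCH_2030 = 1893456000            # 2030-01-01T00:00:00Z, a fixed clock for the demo


def _name_matches(pattern, hostname):
    """Match a SAN against a hostname; a leading '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def check_certificate(cert, required_names, now=None, min_days_left=14):
    """Return findings; [] means every name is covered and expiry is not near."""
    findings = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        # Modern clients ignore the CN, so a certificate with no DNS SANs covers nothing
        findings.append("certificate has no DNS subjectAltName entries")
    for name in required_names:
        if not any(_name_matches(san, name) for san in sans):
            findings.append(f"{name} is not covered by any SAN")
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])   # getpeercert() date format
    days_left = (not_after - now) / 86400
    if days_left < 0:
        findings.append("certificate is expired")
    elif days_left < min_days_left:
        findings.append(f"certificate expires in {days_left:.0f} days; check auto-renewal")
    return findings


def fetch_peer_cert(host, port=443):
    """Connect to a live endpoint and return its certificate dict (verified against system CAs)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate in getpeercert() shape: global FQDN plus a wildcard for one region.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "logscale.example.com"), ("DNS", "*.eu-west-1.example.com")),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
REQUIRED = ["logscale.example.com", "api.eu-west-1.example.com", "api.us-east-1.example.com"]

if __name__ == "__main__":
    # The us-east-1 cluster FQDN is reported as uncovered; the others pass.
    print(check_certificate(SAMPLE_CERT, REQUIRED, now=EPOCH_2030))
```

Run `check_certificate(fetch_peer_cert("<global-fqdn>"), [...])` against each ALB to confirm the deployed certificate, not just the one in ACM or the cert-manager Secret. The wildcard rule matters for the cluster-specific FQDNs: `*.eu-west-1.example.com` covers `api.eu-west-1.example.com` but not `a.b.eu-west-1.example.com`.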
Network Policies (Optional)
If using Kubernetes NetworkPolicy, ingress pods accept traffic from the ALB; NetworkPolicy matches IP ranges and pod selectors rather than security groups, so allow the CIDRs of the subnets the ALB is deployed in
LogScale pods have egress on TCP 443 to S3 (with a gateway endpoint this is the S3 prefix list for the region, and the endpoint keeps the traffic off the NAT gateway)
Egress rules allow DNS (UDP and TCP 53) to the cluster DNS service, which the pods need to resolve S3 and health check endpoints