Replication & Consistency • Quorum ReplicationHard⏱️ ~3 min
Production Operational Patterns: Sloppy Quorum, Adaptive Strategies, and Multi Region Considerations
Sloppy quorum is an availability enhancing technique used by Amazon Dynamo where writes temporarily go to fallback nodes outside the preferred n replica set when some primary replicas are unreachable. For example, if a key normally maps to replicas A, B, C but replica B is down, a write might go to A, C, and fallback node D (the next node in the consistent hashing ring). The write to D includes a hint indicating the intended recipient is B. When B recovers, D replays the hinted writes to B and deletes the hints. This allows the system to maintain write availability even when fewer than w primary replicas are reachable, trading increased complexity and reconciliation debt for availability. The operational challenge is managing hint backlogs: a prolonged outage (hours to days) can accumulate gigabytes of hints per node. When the failed node recovers, hint replay can saturate its disk (hundreds of MB/s) and CPU, causing cascading latency spikes in foreground operations. Production systems must cap hint queue sizes (for example, 10 GB per node), implement throttled replay rates (for example, 50 MB/s), and provide observability into hint age and backlog size to alert operators before replay storms impact user traffic.
Adaptive and dynamic quorum strategies adjust consistency parameters in response to failures while preserving safety. During partial failures, you might temporarily lower w or r to maintain availability, but only if you can ensure quorum intersection is preserved and you have sufficient anti entropy capacity to repair divergence afterward. For instance, with n = 5 and normal w = 3, r = 3, if two replicas fail you could degrade to w = 2, r = 2 (since 2 + 2 = 4 > 3 remaining replicas) to continue serving traffic. However, this requires careful epoch management and coordination to ensure all coordinators agree on the current quorum configuration, otherwise different nodes might use inconsistent quorums that violate intersection. Weighted quorums based on failure domains provide another dimension of control: assign weights to replicas such that any quorum must include replicas from at least two availability zones to avoid correlated failure risk. This ensures that even if an entire AZ fails, the remaining replicas can still form both read and write quorums.
Multi region replication introduces fundamental trade offs because quorum across continents is impractical due to 50 to 150 millisecond inter region round trip times. Amazon DynamoDB Global Tables and similar systems use per region quorums with asynchronous cross region replication. Each region maintains its own n replicas (typically 3 across AZs within the region) and uses w = 2, r = 2 for operations within the region, achieving single digit millisecond latencies. Writes are then asynchronously replicated to other regions with propagation delays of sub second to low seconds depending on write rates, payload sizes, and inter region network conditions. Conflicts across regions are resolved using last writer wins based on timestamps, with guidance for applications to use higher level idempotency keys or version vectors for correctness sensitive operations. This design accepts windows of inconsistency (seconds) and potential conflict resolution data loss in exchange for low latency local operations and survival of entire region failures. The operational reality is that strong consistency across regions requires coordination (like Spanner TrueTime with GPS and atomic clocks for bounded uncertainty, or explicit cross region consensus), which adds 50 to 200 milliseconds to every strongly consistent operation.
💡 Key Takeaways
•Sloppy quorum writes to fallback nodes when primary replicas are unavailable, maintaining write availability at the cost of hinted handoff reconciliation. Hint backlogs from prolonged outages (hours to days) can accumulate 10 to 100 GB requiring throttled replay at 50 to 100 MB/s to avoid overwhelming recovering nodes.
•Adaptive quorums temporarily adjust w and r during failures, but require careful coordination to maintain intersection. With n = 5 degrading from w = 3, r = 3 to w = 2, r = 2 when two replicas fail requires epoch management so all coordinators use consistent thresholds.
•Weighted quorums enforce cross availability zone requirements. Assigning each AZ weight 1 and requiring total weight >= 2 for any quorum ensures operations span at least two AZs, tolerating single AZ failures without violating safety.
•Multi region quorum is impractical with 50 to 150 millisecond inter region RTTs. DynamoDB Global Tables use per region w = 2, r = 2 (single digit millisecond) with async cross region replication (sub second to seconds), accepting windowed inconsistency and LWW conflicts.
•Anti entropy repair must be scheduled and rate limited to avoid impacting foreground traffic. Cassandra schedules full repairs during maintenance windows, limiting to 50 to 100 MB/s per node, and tracks repair completion percentage (target 100 percent within gc_grace_seconds, typically 10 days).
•Operational SLOs for quorum systems typically target 99.9th percentile latency under 300 milliseconds during peak and failure scenarios, with alerts on quorum unavailability rates (operations failing to reach w or r), replication lag (age of oldest unacked write), hint backlog size and duration, and repair debt (bytes pending anti entropy).
📌 Examples
Amazon Dynamo sloppy quorum: with n = 3 (A, B, C) and w = 2, if B is unreachable, the coordinator writes to A, C normally. If both B and C are unreachable, it writes to A and fallback D with hints for B and C, maintaining write availability but creating reconciliation complexity when B and C recover.
Cassandra nodetool repair runs Merkle tree anti entropy, comparing each token range with replicas. For a 1 TB node with 10 day gc_grace_seconds, operators schedule weekly repairs during low traffic hours (e.g., 2 AM to 6 AM), throttled to 50 MB/s to avoid saturating disk bandwidth and impacting p99 read latency.
DynamoDB Global Tables: a write to the US East region commits to 2 out of 3 AZ replicas locally (2 to 5 milliseconds p99), then asynchronously replicates to Europe and Asia Pacific regions. Cross region propagation typically completes in 0.5 to 2 seconds, with conflicts resolved by last writer wins using logical timestamps.
Amazon S3 cross region replication: after a PUT returns (tens of milliseconds, reflecting quorum durability in source region across multiple AZs), S3 asynchronously replicates to destination regions with typical completion in 15 minutes for 90 percent of objects (source region to destination typically 50 to 150 milliseconds RTT but queuing and processing add overhead).