← All posts
6 min read

Eventual Consistency: Temporary Disagreement with a Convergence Promise

#technology#distributed-systems#eventual-consistency#data
📑 On this page

In a distributed system, one change may need to reach databases, caches, search indexes, analytics stores, and devices across the world.

Coordinating every copy before responding can increase latency and reduce availability. Some systems therefore accept that different readers briefly see different answers.

Eventual consistency permits temporary disagreement while promising that replicas will converge when updates stop and communication succeeds.

The phrase does not mean "anything can be wrong forever."

A concrete example: changing a profile picture

A user uploads a new profile picture.

The primary profile service stores it immediately, while:

  • a content delivery cache still holds the old image,
  • a search result has not refreshed,
  • another region has not received the update,
  • and the user's current page shows the new local preview.

For a short period, two screens show different pictures. They converge as invalidation and replication complete.

Stronger consistency

With strong consistency, a completed write is visible according to a stricter ordering guarantee.

For example, a linearizable register behaves as if operations occurred one at a time in one order, and a later read observes the latest completed write.

Strong guarantees simplify reasoning but can require coordination that becomes slow or unavailable during network trouble.

What eventual consistency guarantees

At its basic level:

If no new updates occur, and messages continue to be delivered, replicas eventually reach the same value.

It does not by itself specify:

  • how long convergence takes,
  • which intermediate values readers see,
  • whether a user reads their own write,
  • how conflicts are resolved,
  • or whether updates can be lost.

Real systems need more precise contracts.

Stale reads

A stale read returns an older value.

Staleness can come from:

  • asynchronous replicas,
  • cache retention,
  • delayed event consumers,
  • offline devices,
  • or precomputed views.

Products should decide where stale data is harmless and where it creates unacceptable decisions.

Read-your-writes

Users are confused when they save a change and immediately see the old value.

A read-your-writes guarantee ensures one client session can observe its own completed updates, even if other readers temporarily cannot.

Techniques include:

  • sticky routing to the primary,
  • session version tokens,
  • local optimistic state,
  • or waiting until a replica reaches a required position.

Monotonic reads

Monotonic reads prevent a client from moving backward in observed history.

If a user has seen version 12, a later read should not show version 10. Routing among replicas with different progress can otherwise make data appear to reverse.

Session tokens or replica selection can preserve this guarantee.

Causal consistency

Causal consistency preserves cause-and-effect order.

If a reply was written after reading a post, observers should not see the reply without the post. Unrelated concurrent changes can still appear in different orders.

This is stronger than unconstrained eventual consistency and often cheaper than one global order.

Replication lag

Replication lag is the delay between an authoritative update and a replica applying it.

Measure:

  • time lag,
  • byte or log-position lag,
  • oldest pending event,
  • and lag by region or partition.

Average lag can hide one badly delayed shard.

Derived views

Search indexes, recommendation stores, and analytics tables are derived from authoritative data.

They may update asynchronously because rebuilding or indexing inside every write would be expensive. A product should clarify which view controls decisions.

Search may be eventually consistent, while permission checks must consult an authoritative source.

Caches

A cache intentionally serves copied data.

Consistency depends on:

  • time-to-live,
  • invalidation,
  • write-through or write-behind behavior,
  • versioned keys,
  • and failure handling.

Cache invalidation messages can be delayed or lost, so expiration provides a convergence backstop.

Concurrent updates

Two disconnected replicas may accept conflicting changes.

Conflict resolution options include:

  • last-write-wins,
  • version vectors,
  • mergeable data structures,
  • field-level merge,
  • or human choice.

The right rule depends on business meaning. Last-write-wins can silently discard important work.

Last-write-wins

Last-write-wins selects the update with the greatest timestamp or version.

It is simple but sensitive to:

  • clock skew,
  • arbitrary tie-breaking,
  • and lost intent.

It may suit replaceable preferences but not simultaneous edits to legal or financial records.

Commutative operations

Some operations can be applied in any order and still converge.

For example, adding distinct items to a set can merge naturally. Increment counters need careful duplicate handling but may support commutative designs.

Designing operations around intent can make conflict resolution safer than replacing whole records.

CRDTs

Conflict-free replicated data types use mathematical merge rules that converge despite concurrent updates.

Examples include certain counters, sets, registers, and collaborative structures. CRDTs solve specific data-merge problems, not every business invariant.

A shopping inventory cannot simply merge independent decrements if overselling is forbidden.

User experience

Products should communicate pending and synchronized states honestly:

  • "Saved on this device"
  • "Syncing"
  • "Published"
  • "Search may take a moment to update"

Optimistic interfaces should revert or explain failure. Silent disagreement makes users repeat actions or distrust the system.

Consistency boundaries

Different operations in one product can use different guarantees.

Examples:

  • reaction counts can converge later,
  • a user's own post should appear immediately to them,
  • account permission removal may need strong enforcement,
  • money movement needs explicit transactional rules.

"Our system is eventually consistent" is too broad to guide product behavior.

Convergence objectives

Even eventual consistency needs a target.

A service objective might state:

  • 99.9 percent of search updates visible within 30 seconds,
  • all healthy-region replicas within five seconds,
  • or cache changes within one minute.

Without a bounded expectation, prolonged failure can be mislabeled as normal eventual behavior.

Failure and repair

Replicas may miss updates because of:

  • broken consumers,
  • corrupted messages,
  • expired retention,
  • schema incompatibility,
  • or manual intervention.

Systems need reconciliation:

  • anti-entropy comparison,
  • replay,
  • checksums,
  • backfill,
  • or rebuilding from an authoritative log.

Eventual convergence depends on an active repair mechanism.

Testing consistency

Test:

  • delayed propagation,
  • reads from stale replicas,
  • concurrent edits,
  • duplicate events,
  • reordered updates,
  • consumer restart,
  • and reconciliation after missed data.

Assert both temporary permitted behavior and the final convergence condition.

Knowledge check

  1. What does eventual consistency promise after updates stop?
  2. How does read-your-writes improve user experience?
  3. Why can last-write-wins lose meaningful intent?
  4. Why might search be eventually consistent while authorization is not?
  5. What makes a convergence objective operationally useful?

The one idea to remember

Eventual consistency accepts temporary disagreement to reduce coordination, but it still needs explicit session guarantees, conflict rules, convergence targets, authoritative sources, and repair. Use it per operation according to the cost of stale or conflicting data.