Multi-Region Active-Active Architecture: A Decision Record for Global Databases
Going global with your data layer is the point where comfortable single-region assumptions stop holding. A multi-region active-active architecture accepts writes in two or more regions at once, which buys you near-zero failover time and low local latency, but it forces you to confront concurrency at the storage layer rather than papering over it in the application.
This is a decision record, not a vendor pitch. We will treat the question as an engineering team actually treats it: what is the context, what are the realistic options, what did we decide, and what consequences do we now own? The honest answer is that active-active is rarely free. You trade operational simplicity for resilience, and you trade strong consistency for write availability, or pay dearly to keep both.
The systems we reference are real and their guarantees are documented. Where a guarantee matters, we name it precisely.
What this covers: the consistency spectrum, single-writer versus multi-writer topologies, conflict resolution with CRDTs and last-writer-wins, failover and region evacuation, and the latency, cost, and clock-skew traps that bite teams in production.
Context and Background
Why does anyone reach for active-active in the first place? Three forces usually drive it. The first is recovery objectives. When your RTO and RPO targets approach zero, an active-passive standby that takes minutes to promote is not good enough. An active-active topology already serves traffic in the surviving region, so failover becomes a routing change rather than a promotion event.
The second force is latency. Users in Frankfurt should not pay a 150-millisecond round trip to a writer in Virginia for every mutation. Placing a writable replica close to the user removes that tax. The third force is data sovereignty. Regulations like GDPR and India’s DPDP Act increasingly require that certain records live and be served from specific jurisdictions, which pushes you toward regional write capability whether you wanted the complexity or not.
Active-passive is the conservative alternative. One region writes; others stand by, replicating asynchronously. It is simpler to reason about because there is exactly one source of truth at any moment. The cost is that the passive region’s capacity sits idle, and a failover still means promoting a replica, repointing clients, and praying replication lag was small. For many teams that is an acceptable trade. For global, write-heavy, latency-sensitive products, it often is not.
It is worth being concrete about the recovery numbers, because they drive the whole decision. In active-passive, your real RPO is your replication lag at the moment of failure, which under load can be seconds of un-replicated writes lost forever. Your RTO is detection time plus promotion time plus client reconnection, which in practice is rarely under a minute and often several. Active-active collapses both: there is nothing to promote, so RTO is the time to withdraw a route, and RPO depends only on whether the failed region had un-replicated writes in flight. That difference, a minute versus a few seconds, is what justifies the added complexity for a payments or messaging platform where every second of downtime is measurable revenue.
Then there is physics, expressed as theory. The CAP theorem says that under a network partition you choose between consistency and availability; you cannot have both. Active-active systems live in the part of the design space where partitions are not hypothetical but routine, because the links between regions are long and lossy. The more useful lens is PACELC, which extends CAP: if there is a partition, choose availability or consistency, else (in normal operation) choose latency or consistency. Active-active is fundamentally a bet about that “else” clause. You are usually choosing latency over consistency in the common case, and you must decide how much consistency you are willing to give back to get it. For a deeper look at how distributed SQL engines navigate this, see our comparison of PostgreSQL, YugabyteDB, and CockroachDB. Google’s Spanner documentation is the canonical reference for the consistency end of this spectrum.
The Architecture and the Consistency Spectrum
A multi-region active-active database accepts writes in every participating region and reconciles them into a single logical dataset. The core design choices are how writes are routed, whether replication is synchronous or asynchronous, and which consistency model the application is promised. Those three choices are coupled: you cannot pick strong consistency and low write latency and full partition availability at the same time across continents.
The topology above shows the shape most teams converge on. A global router directs each user to a nearby region. Each region runs its own application tier and its own writable database node. The regions replicate to each other, and a conflict channel feeds a resolution path for writes that collide. Everything downstream of that picture is a decision about how strict the reconciliation is.
One subtlety that the diagram cannot show is that the application tier and the data tier do not have to share the same consistency story. It is common and sensible to run the application stateless and active-active in every region while keeping the data tier on a stricter regime for the tables that need it. A read replica close to the user serves the bulk of traffic at single-digit-millisecond latency, while the small fraction of writes that demand strong consistency route to a quorum that may span regions. This split lets you give most users a fast, local experience and pay the cross-region tax only on the operations that genuinely cannot tolerate staleness. Designing the boundary between those two worlds, which calls are strong and which are eventual, is the real architectural work; the boxes and arrows are the easy part.
Single-Writer-Per-Region Versus Multi-Writer
The first fork is whether any given row can be written in more than one region. In a single-writer-per-region (or sharded-by-region) design, each record has a home region that owns its writes. Writes for European customers land in Europe; writes for US customers land in the US. Conflicts effectively disappear because two regions never write the same row concurrently. This is the safest active-active pattern and is how many “active-active” deployments actually run.
The catch is that this only works when your data partitions cleanly by geography. A user who travels, a globally shared inventory count, or a cross-region transfer breaks the assumption. The moment two regions can write the same key, you are in true multi-writer territory, and conflict resolution stops being optional.
Multi-writer is the genuinely hard mode. Any region can mutate any row. The system must define what happens when two regions mutate the same row at nearly the same instant. DynamoDB Global Tables, Cassandra with multiple datacenters, and Azure Cosmos DB in multi-region-write mode all operate here, and all of them lean on last-writer-wins or application-supplied merge logic to converge.
A useful intermediate pattern sits between the two extremes: home-region ownership with failover writes. Each key has a home region that normally owns its writes, but if that region is unreachable, another region may temporarily accept writes for it. This keeps conflicts at zero in the common case while preserving write availability during a partition. The price is that the brief window of foreign writes can still collide with late-arriving home-region writes, so you need conflict handling for exactly that edge even though it almost never fires. Many production “active-active” systems are really this pattern wearing a more impressive name, and that is often the right engineering call rather than a compromise.
Synchronous Versus Asynchronous Replication
The second fork is the replication discipline. Synchronous replication requires a write to be acknowledged by a quorum of regions before it commits. Google Spanner is the archetype: it uses TrueTime, a clock with bounded uncertainty backed by GPS and atomic clocks, plus Paxos, to provide external consistency, which is the strongest practical guarantee. CockroachDB and YugabyteDB use Raft-based consensus to offer serializable isolation across regions. The price is latency. A cross-continent quorum commit pays at least one wide-area round trip, so writes can take tens to over a hundred milliseconds.
Asynchronous replication lets each region commit locally and ship changes to peers afterward. Writes are fast because they never wait on a remote region. The cost is that a freshly committed write is not immediately visible elsewhere, and two regions can commit conflicting writes that only meet later. DynamoDB Global Tables and Cassandra multi-DC replication work this way. Aurora DSQL, AWS’s newer distributed SQL offering, aims to give serializable semantics with optimistic concurrency while keeping write latency low, illustrating that the synchronous-versus-async line is blurrier in 2026 than it once was.
There is a middle setting that many teams miss: quorum tuned below all-regions. Cassandra and its descendants let you set the write consistency level, so you might require acknowledgment from a local-region quorum plus one remote replica rather than from every region. This caps the worst-case latency to a single inter-region hop while still surviving the loss of any one region. CockroachDB’s region survival goals work on the same principle, letting you choose whether a database survives a node failure or a whole region failure, and pricing each choice in latency. The lesson is that synchronous and asynchronous are endpoints of a dial, not a switch, and the interesting designs live somewhere in between.
The Consistency Models You Can Actually Promise
Consistency is not a binary; it is a spectrum, and naming your point on it precisely is half the battle. Strong consistency (linearizability, or Spanner’s external consistency) means every read sees the latest committed write as if there were one global timeline. It is the easiest to reason about and the most expensive to provide globally.
Bounded staleness relaxes that: reads may lag the latest write, but only by a defined window, say five seconds or one hundred operations. Cosmos DB exposes this as a first-class level. Causal consistency guarantees that operations which depend on each other are seen in order, preserving session guarantees like read-your-writes, without enforcing a single global order. Eventual consistency promises only that, absent new writes, all replicas converge given enough time. It is the cheapest and the most surprising for developers who assume reads reflect their last write.
The practical value of these intermediate levels is that they map cleanly to real product requirements that neither strong nor eventual consistency serves well. A social feed can tolerate seeing a post a few seconds late, so bounded staleness is a perfect fit and far cheaper than linearizability. A comment thread, by contrast, must never show a reply before the comment it answers, which is exactly what causal consistency guarantees without forcing a global order on unrelated threads. Session consistency, a common Cosmos DB default, scopes these guarantees to a single client connection, so a user always sees their own writes while other users may briefly see older state. Picking the weakest level that still satisfies the product requirement, rather than reflexively reaching for strong consistency, is where most of the latency and cost savings in an active-active design actually come from. The mistake is treating consistency as a single global knob instead of a per-feature decision.
The conflict types you must handle follow from the model. Write-write conflicts occur when two regions update the same field. Insert-insert conflicts occur when two regions create rows that collide on a unique key. And read-modify-write hazards, like decrementing a shared counter, are where naive last-writer-wins silently loses updates. Choosing a model is really choosing which of these classes you will resolve automatically and which you will surface to application code.
One more class deserves a name because it bites teams that thought they were safe: the delete-update conflict. One region deletes a row while another updates it. Does the delete win, resurrecting nothing, or does the update win, resurrecting a row the other region believed gone? Most async systems handle this with tombstones, markers that record a deletion so a late update cannot quietly bring the row back. Tombstones have to be retained long enough to outlive any in-flight conflicting write and then garbage-collected, and getting that window wrong is a classic source of zombie records. When you map your tables to a consistency model, walk each one through all four conflict classes explicitly rather than assuming write-write is the only one.
Conflict Resolution and Failover
Once two regions can write the same data, convergence is mandatory and the strategy you pick determines whether your data stays correct. There are three broad families: last-writer-wins, conflict-free replicated data types, and application-level merge. They differ in how much they understand your data’s semantics, and that understanding is exactly what buys correctness.
The flow above routes each conflict by data type. A scalar field falls back to last-writer-wins. A counter or set uses a CRDT merge that is mathematically guaranteed to converge. A genuine business rule, like reconciling two edits to the same shopping cart, escalates to an application handler. The right system uses all three, not just one.
Last-Writer-Wins, CRDTs, and Application Merge
Last-writer-wins (LWW) is the default in DynamoDB Global Tables and Cassandra. Each write carries a timestamp; on conflict, the higher timestamp wins. It is simple and always converges. Its flaw is that the loser is silently discarded, so a legitimate update can vanish if two writes race. LWW is acceptable for last-seen status or cache-like data, and dangerous for anything where a lost write means lost money or lost intent.
The discipline that makes LWW survivable is field-level rather than row-level resolution. If two regions update different columns of the same row, row-level LWW throws away one region’s column entirely even though the writes never truly conflicted. Field-level merge keeps both columns and only arbitrates when the same field was touched, which dramatically shrinks the blast radius of any single resolution. Cassandra resolves at the cell level for exactly this reason, and it is one of the most underappreciated reasons its conflict behavior is more forgiving than a naive document store that overwrites whole documents. When you evaluate a managed system, ask at what granularity it resolves, because that single property quietly determines how much data you lose under contention.
CRDTs are the principled answer for data with mergeable semantics. A conflict-free replicated data type is structured so that concurrent updates always merge to the same result regardless of order. A grow-only counter, a positive-negative counter, an observed-remove set, and a last-write-wins register are the common building blocks. Redis Enterprise’s active-active databases and Riak built their reputations on CRDTs. The win is that increments from two regions both survive; the constraint is that not all data fits a CRDT shape, and modeling it requires effort.
Application merge is the escape hatch. When neither LWW nor a CRDT captures your intent, you give the database two conflicting versions and a function that produces the resolved one. Cosmos DB’s custom merge procedures and Cassandra-on-application-logic patterns do this. It is the most powerful and the most error-prone, because correctness now lives in code you maintain.
Underneath these strategies sit the primitives. Vector clocks and version vectors let the system detect whether two writes are genuinely concurrent or causally ordered, which prevents you from “resolving” a conflict that was never one. Idempotency keys ensure a retried write is not applied twice. Write fencing, often a monotonically increasing epoch token, prevents a stale or evicted node from committing after it has been superseded. Skipping these primitives is how teams get duplicate charges and resurrected deleted records.
It helps to understand why vector clocks matter rather than treating them as ceremony. A plain timestamp tells you which write is newer by the wall clock, but not whether one write knew about the other. Two writes are truly concurrent only if neither causally precedes the other, and that is precisely what a vector clock captures: each replica increments its own counter and merges the maximum it has seen from peers. When two versions arrive with incomparable vectors, the system knows it has a real conflict to resolve rather than a simple stale overwrite. Resolving a non-conflict, or failing to detect a real one, are equal and opposite failures, and both corrupt data in ways that surface weeks later. This is the machinery that turns “last writer wins” from a coin flip into a defensible rule.
Failover, Routing, and Split-Brain
Failover in an active-active world is less dramatic than in active-passive because the surviving region is already serving traffic. The job is to detect the failure, stop sending traffic to the dead region, and prevent the dead region from doing damage when it comes back.
The sequence above shows a clean region evacuation. A health monitor stops receiving probe responses from Region A. It tells the global router to drain traffic to Region B and to fence writes in Region A so a half-dead node cannot accept work. Region B absorbs the full load. When A recovers, it rejoins and resynchronizes before taking traffic again.
Global traffic routing is how that drain happens in practice. Anycast advertises the same IP from multiple regions and lets BGP route to the nearest healthy one; withdrawing a route evacuates a region in seconds. GSLB (global server load balancing) via DNS does the same at a coarser grain, limited by DNS TTL caching. Most production setups combine health-checked DNS with regional load balancers.
Split-brain is the nightmare case: a partition convinces each side it is the survivor, both keep writing, and you get two divergent histories. Quorum-based systems prevent this structurally, because a minority partition cannot achieve quorum and stops accepting writes. LWW-async systems instead accept the divergence and resolve it on heal, which is why the conflict strategy and the failover strategy are not separable decisions.
The rejoin path deserves as much design attention as the failover path, and usually gets far less. When a recovered region comes back, it may hold writes that never replicated and may be missing writes the survivor accepted while it was gone. Letting it serve reads immediately means serving stale data; letting it serve writes immediately means risking conflicts against state it has not yet caught up on. The disciplined pattern is to readmit the region in stages: first resync as a follower until replication lag drops under a threshold, then accept reads, then accept writes. Anycast and GSLB make it tempting to flip a region back into rotation the moment its health check passes, but a passing health check only means the process is alive, not that its data is current. Conflating liveness with readiness is one of the most common ways a clean failover turns into a messy data incident hours later.
| Approach | Convergence | Lost-update risk | Latency | Best fit |
|---|---|---|---|---|
| Last-writer-wins | Always | High | Low | Status, cache, last-seen data |
| CRDT merge | Always | None for modeled types | Low | Counters, sets, carts, presence |
| Application merge | If function is correct | Depends on code | Low to medium | Domain-specific reconciliation |
| Synchronous quorum | Always | None | High | Financial ledgers, strong reads |
The decision matrix above is the heart of this ADR. We do not pick one row globally. We pick per data class: ledgers and balances go to synchronous quorum, counters and presence go to CRDTs, soft state goes to LWW, and the rare genuinely-mergeable domain object gets an application handler. For asynchronous patterns that decouple regions, our guide to async processing architecture patterns covers the queue and event-stream plumbing that often sits alongside this.
Trade-offs, Gotchas, and What Goes Wrong
Active-active fails in predictable ways, and naming them up front is cheaper than learning them in an incident.
Cross-region write latency is the first surprise. If you chose synchronous quorum for strong consistency, every write that needs a remote acknowledgment pays a wide-area round trip. Teams that benchmark in one region and ship globally are routinely shocked when p99 write latency jumps from single-digit to triple-digit milliseconds. Use the decision flow above to confirm you actually need linearizable reads bef
