← all lessons
System Design · Consistency & Replication ·

Epoch-Based Leader Leases: Cutting Stale-Read Risk Without a Round-Trip

Core concept
In a replicated system, a leader node (the single node allowed to accept writes) normally must confirm it's still the leader before serving a read — otherwise a stale, deposed leader might return old data. A leader lease sidesteps that round-trip: the leader is granted authority for a fixed wall-clock window (an epoch), and any node reading from it within that window can trust the data is fresh without asking other replicas. The guarantee holds because no new leader can be elected until the old lease expires, so the old leader can't have been superseded yet. This converts a multi-node consensus check into a local clock check.

Diagram

flowchart LR
    C[Client] -->|read request| L[Leader]
    L -->|check: lease still valid?| CK[Local Clock]
    CK -->|yes, within epoch| L
    L -->|serve read locally| C
    CK -->|no, lease expired| E[Reject / Re-acquire Lease]

Concrete real-world example
Google's Chubby (a distributed lock and coordination service) and its open-source sibling etcd (a strongly-consistent key-value store used in Kubernetes) both use leader leases. When etcd's leader wins an election via Raft (a consensus algorithm for electing a single authoritative node), it receives a lease — say, 500 ms. During that window, a linearizable read (a read guaranteed to reflect the very latest committed write) can be served directly from the leader's local state, skipping a full Raft round-trip to followers. This cuts median read latency by roughly half on a cross-datacenter cluster where a round-trip costs 40–80 ms.

One trade-off / gotcha
The entire guarantee rests on synchronized clocks. If the leader's clock runs slow — even by a few hundred milliseconds — the leader might believe its lease is still valid after a new leader has already been elected elsewhere. That's a split-brain read: two nodes both believe they're the authoritative leader simultaneously. The standard defense is clock skew pessimism: the leader voluntarily steps down slightly before the lease mathematically expires (e.g., 50 ms early), leaving a safety buffer larger than the worst-case clock drift between nodes. If your environment can't bound clock drift (no NTP (Network Time Protocol, syncs clocks across machines) or PTP (Precision Time Protocol, hardware-level clock sync)), lease-based reads are unsafe.

An interview-style question to ponder
You're designing a metadata service for a distributed file system. Reads are 10× more frequent than writes, and clients demand linearizable reads. Your cluster spans two datacenters 60 ms apart. A naive Raft quorum read costs one full round-trip. Should you use leader leases to optimize reads, and if so, what lease duration would you choose and why?

Stuck? Show a hint

Start by separating two independent dials: the correctness constraint (what clock drift bound you can actually guarantee) and the availability constraint (how long reads stall if the leader crashes mid-lease). The lease duration has to satisfy both simultaneously.

Show answer

Use leader leases with a duration of roughly 150–200 ms, set conservatively above your measured clock drift but short enough to limit unavailability after a leader crash.

  • A round-trip between datacenters costs ~120 ms (2 × 60 ms). Eliminating it with a lease drops linearizable read latency from ~120 ms to sub-millisecond locally — a decisive win when reads are 10× more frequent than writes.
  • Choose the lease duration by bounding clock skew first. If NTP on your nodes keeps clocks within ±30 ms, a 200 ms lease with a 50 ms early-step-down buffer leaves a 20 ms safety margin (200 − 50 − 2×30 skew = 20 ms positive margin). That's enough. Don't guess: measure your actual 99th-percentile clock drift in production and build the lease around it.
  • A shorter lease (say 50 ms) means a crashed leader's lease expires faster, restoring availability sooner, but also means the leader re-acquires the lease more frequently — each re-acquisition costs a Raft round-trip, eating into your latency savings. 150–200 ms strikes the right balance for a 60 ms cross-datacenter environment.
  • But why not just serve reads from any replica (without leases) for even lower latency? Because replicas may lag behind the leader by tens to hundreds of milliseconds; you'd be trading linearizability for speed, violating the requirement. Leases give you speed and the linearizability guarantee, as long as clocks are disciplined.
  • Watch out: if you run in a virtualized environment (cloud VMs), a hypervisor "steal" event can freeze a VM for hundreds of milliseconds without the guest OS noticing — making its clock appear to stand still while wall time advances. This silently violates your clock drift assumptions and can make lease-based reads unsafe without an additional heartbeat or fencing mechanism.