{{announcement.body}}
{{announcement.title}}

Data Residency and Sovereignty in Azure

DZone 's Guide to

Data Residency and Sovereignty in Azure

Azure Policy enables developers to create and assign policies to their resources that restricts certain modifications to maintain data compliance.

· Cloud Zone ·
Free Resource
Data
Azure can help maintain your data sovereignty.

Business Problem  

During my last assignment with a client for migrating some on-premise applications and data to Microsoft Azure, I was asked by the customer that they would only be allowed to store the data in a particular geo location. That is to say, they wanted to know how cloud will help them to follow data residency and sovereignty requirements.

What Is Data Residency?

Data residency is a compliance requirement where a business focuses on storing their data in a specific geo-location. There may be many reasons for this requirement, but it is generally governed by government compliance, such as GDPR in Europe.

 In a cloud-based project, most customers have concerns about data residency and data sovereignty.

Solution

In Microsoft Azure, we can manage data residency and sovereignty using various mechanisms like Hybrid Connectivity using VPN connectivity, Express Routes, Data gateways and by using the Microsoft Azure Stack, Azure policies.

In this article we will see how data residency and data sovereignty can be achieved in Microsoft Azure.

My client was willing to move his data to Microsoft Azure cloud but his prime consideration was to store the data in UK South and West locations only due to GDPR.

To assist such type of requirement, Microsoft Azure has its data center locations in Europe and customers can store their data in those data centers but keeping the restrictions in place that storing of data will not be allowed other that preferred location is still a big challenge. 

To overcome such challenge Microsoft Azure  provide azure-policy based governance which enforce different rules and effects cloud  resources to make resources stay compliant with your policy requirements.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. All data stored by Azure Policy is encrypted at rest. 

 To achieve our goal to keep data on specified cloud locations , we used azure policy management with these build in policies.


                

Policy Name

Policy Details

Allowed locations

This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your Geo-compliance requirements

Allowed locations for resource groups

This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your Geo-compliance requirements.

   
   
   

Let See how these policies helps me to achieve the requirement.

Step 1 : Log on to the Azure portal at https://portal.azure.com

Step2 : Search for Policy in Global search bar and select policy


Step :3 On Left navigation click on Assignments and then click on Assign policy link on top


Step 4: Select your azure subscription on which you would like to enforce this policy ,
provide a meaning full name in Assignment Name and meaning full description.


Step 5 : Click on for policy definition 

Step 6 : Select the Allowed location policy and Select.

Step7 : Now Go to Parameter page  and select UK South,UK West and West Europe Regions

Step 8:  Hit Review and Create the policy 


How to Test the Policy 

As this policy is enforced and scoped on  Azure subscription level.  Let see that, can this restrict us from creating a azure storage account other than selected locations in the policy parameters.

 

Clicking on the details on failed message bar, it shows that, policy is restricting to create storage account.

9 .We can see while i try to create storage account on “EAST US 2” location , its gets failed during the validation step.

It's created.

We can see that Azure policies helps us address the prime concern of our customer to allow storing of data only to preferred locations to follow the legal compliance. 

Further Reading

Why I Don't Mind Having a European AWS Competitor

A Bootiful Podcast: Data Sovereignty, Microservices, Cloud Foundry, and More [Podcast]

Topics:
azure ,governance ,policy ,gdpr ,cloud ,azure policy ,compliance ,data sovereignty

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}