Data Residency and Sovereignty in Azure
Business Problem
During my last assignment with a client for migrating some on-premise applications and data to Microsoft Azure, I was asked by the customer that they would only be allowed to store the data in a particular geo location. That is to say, they wanted to know how cloud will help them to follow data residency and sovereignty requirements.
What Is Data Residency?
Data residency is a compliance requirement where a business focuses on storing their data in a specific geo-location. There may be many reasons for this requirement, but it is generally governed by government compliance, such as GDPR in Europe.
In a cloud-based project, most customers have concerns about data residency and data sovereignty.
Solution
In Microsoft Azure, we can manage data residency and sovereignty using various mechanisms like Hybrid Connectivity using VPN connectivity, Express Routes, Data gateways and by using the Microsoft Azure Stack, Azure policies.
In this article we will see how data residency and data sovereignty can be achieved in Microsoft Azure.
My client was willing to move his data to Microsoft Azure cloud but his prime consideration was to store the data in UK South and West locations only due to GDPR.
To assist such type of requirement, Microsoft Azure has its data center locations in Europe and customers can store their data in those data centers but keeping the restrictions in place that storing of data will not be allowed other that preferred location is still a big challenge.
To overcome such challenge Microsoft Azure provide azure-policy based governance which enforce different rules and effects cloud resources to make resources stay compliant with your policy requirements.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. All data stored by Azure Policy is encrypted at rest.
To achieve our goal to keep data on specified cloud locations , we used azure policy management with these build in policies.
Policy Name
Policy Details
Allowed locations
This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your Geo-compliance requirements
Allowed locations for resource groups
This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your Geo-compliance requirements.
Let See how these policies helps me to achieve the requirement.
Step 1 : Log on to the Azure portal at https://portal.azure.com
Step2 : Search for Policy in Global search bar and select policy
Step :3 On Left navigation click on Assignments and then click on Assign policy link on top
Step 4: Select your azure subscription on which you would like to enforce this policy ,
provide a meaning full name in Assignment Name and meaning full description.
Step 5 : Click on … for policy definition
Step 6 : Select the Allowed location policy and Select.
Step7 : Now Go to Parameter page and select UK South,UK West and West Europe Regions
Step 8: Hit Review and Create the policy
How to Test the Policy
As this policy is enforced and scoped on Azure subscription level. Let see that, can this restrict us from creating a azure storage account other than selected locations in the policy parameters.
Clicking on the details on failed message bar, it shows that, policy is restricting to create storage account.
9 .We can see while i try to create storage account on “EAST US 2” location , its gets failed during the validation step.
Its created
We can see that azure policies helps us address the prime concern of our customer to allow storing of data only to preferred locations to follow the legal compliance.
