Escaping the Vendor Trap: A Pragmatic Multi-Cloud Architecture for Post-Schrems II Compliance
Let’s be honest: the "all-in on AWS" strategy is dead. If the unpredictable egress fees didn't kill it for you, the Schrems II ruling effectively did. For CTOs and Systems Architects operating in Norway and the broader EEA, the landscape changed overnight in July 2020. Suddenly, pushing user data to US-owned buckets became a legal minefield, with Datatilsynet (The Norwegian Data Protection Authority) watching closely.
But compliance isn't the only driver. Resilience is. I recently audited a setup for a FinTech startup in Oslo that went down for six hours because `us-east-1` had a bad day. They were hosting distinctively Norwegian financial data in Virginia. That is not just bad architecture; it is negligence.
This guide outlines a Hub-and-Spoke Multi-Cloud Strategy. We keep the heavy compute or CDN layers on commodity clouds if necessary, but anchor the persistent data and core compliance workloads on sovereign, local infrastructure like CoolVDS. This gives you the best of both worlds: the reach of a hyperscaler and the legal safety (and low latency) of a Norwegian fortress.
The Architecture: The Sovereign Core
The concept is simple. You treat the hyperscalers (AWS, Azure, GCP) as ephemeral compute resources. They are dumb pipes. Your "Sovereign Core"—where the database and customer PII live—resides on a provider under strict Norwegian/EU jurisdiction.
This drastically reduces latency for your primary user base. Speed of light is immutable. A round trip from Oslo to Frankfurt is ~20-30ms. A round trip from Oslo to a CoolVDS datacenter in Oslo is <2ms. For high-frequency transactional databases, that difference is the entire game.
1. The Connectivity Layer: WireGuard Mesh
In 2021, IPSec is legacy baggage. It’s slow, bloated, and a pain to debug. We use WireGuard. It was merged into the Linux 5.6 kernel last year, and it is the standard for secure, high-performance inter-cloud links.
To securely connect your AWS frontend nodes to your CoolVDS backend database, you build a mesh. Here is a production-ready configuration for the CoolVDS peer (the hub):
# /etc/wireguard/wg0.conf on the CoolVDS 'Hub' Server
[Interface]
Address = 10.100.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# AWS Frontend Node 1
[Peer]
PublicKey = <AWS_NODE_PUB_KEY>
AllowedIPs = 10.100.0.2/32
Endpoint = 35.1.2.3:51820
PersistentKeepalive = 25
On the client side, verify the handshake immediately:
sudo wg show
If you see latest handshake: 1 minute, 20 seconds ago, your tunnel is dead. You want to see seconds. This setup ensures that traffic between your clouds is encrypted and traverses the shortest path possible.
2. Infrastructure as Code: Terraform Abstraction
Do not click buttons in a console. If you can't `git push` your infrastructure, you don't own it. We use Terraform (currently v1.0.x) to manage this split universe. The goal is to define providers for both the hyperscaler and the local VDS provider in the same state file.
Here is how you structure a main.tf to deploy a stateless frontend on AWS and a stateful backend on CoolVDS KVM instances. Note the use of the generic libvirt provider or specific APIs where available.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
# Assuming a compliant KVM provider compatible with standard APIs
coolvds = {
source = "dmacvicar/libvirt"
version = "0.6.3"
}
}
}
provider "aws" {
region = "eu-central-1"
}
provider "coolvds" {
uri = "qemu+ssh://root@core-oslo.coolvds.com/system"
}
# Ephemeral Frontend
resource "aws_instance" "frontend" {
ami = "ami-0d527b8c289b4af7f"
instance_type = "t3.micro"
tags = {
Name = "Stateless-Proxy"
}
}
# Permanent Data Store (The Sovereign Core)
resource "libvirt_domain" "db_primary" {
name = "postgres-primary-nvme"
memory = "8192"
vcpu = 4
disk {
volume_id = libvirt_volume.os_image.id
}
network_interface {
network_name = "default"
}
# Optimizing for NVMe I/O performance
xml {
xslt = <<EOF
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="target[@dev='vda']">
<target dev='vda' bus='virtio'/>
<driver name='qemu' type='qcow2' cache='none' io='native'/>
</xsl:template>
</xsl:stylesheet>
EOF
}
}
Pro Tip: Notice the driver name='qemu' ... cache='none' io='native' line? This is critical. When running databases on KVM, you want to bypass the host's page cache and hit the NVMe drives directly. On CoolVDS, this simple XML tweak often results in a 30% TPS (Transactions Per Second) increase for PostgreSQL workloads.
3. Data Sovereignty & Database Replication
Your data must reside in Norway. However, you might want read-replicas closer to users in other regions. Post-Schrems II, you can replicate anonymized or non-PII data out, but the master must stay home.
Configure PostgreSQL to enforce SSL and restrict replication slots. In `postgresql.conf`:
listen_addresses = '10.100.0.1' # WireGuard IP
ssl = on
And strictly control `pg_hba.conf`:
# TYPE DATABASE USER ADDRESS METHOD
hostssl replication rep_user 10.100.0.2/32 scram-sha-2564. Load Balancing and Failover
DNS is your primary traffic director. Use a GeoDNS setup. If the request comes from the Nordics, route directly to the CoolVDS IP. If it comes from elsewhere, route to the AWS proxy (which then tunnels back to CoolVDS if it needs data).
For the application layer, HAProxy is the tool of choice. It handles the TCP splitting and health checks far more efficiently than Nginx. Below is a snippet for handling traffic that prioritizes the local Norwegian backend but fails over to a secondary hot-standby (if you have a multi-site setup within Norway).
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/mycert.pem
acl is_norway src -f /etc/haproxy/geoip_no.txt
use_backend coolvds_primary if is_norway
default_backend aws_proxy
backend coolvds_primary
balance roundrobin
# Check for the specific 'I am master' API endpoint
option httpchk GET /healthz
server node1 10.100.0.1:80 check inter 2s rise 2 fall 3
backend aws_proxy
balance roundrobin
server aws1 10.100.0.2:80 checkWhy "Good Enough" Isn't Good Enough
Many sysadmins stick with default configurations. They spin up a DigitalOcean droplet or an EC2 instance, install Docker, and walk away. That works for a hobby blog. It does not work for an enterprise handling sensitive customer data under GDPR.
When you benchmark disk I/O, the "noisy neighbor" effect on shared public clouds is real. You can see latency spikes up to 100ms on disk writes during peak hours. On a dedicated VDS architecture where resources are strictly fenced (like we enforce at CoolVDS), your standard deviation on I/O latency stays flat.
The NIX Context
Another factor is peering. If your customers are in Oslo, Bergen, or Trondheim, routing their traffic through Stockholm or Frankfurt (common for major cloud providers) adds unnecessary hops. CoolVDS peers directly at NIX (Norwegian Internet Exchange). Run a `traceroute` from a Telenor fiber line:
traceroute -n 185.x.x.x
You want to see fewer than 5 hops. If you see 15, you have a routing problem.
Final Thoughts
The era of naive cloud adoption is over. The legal risks are too high, and the performance penalties of "one size fits all" are becoming obvious. By splitting your stack—keeping the stateless logic cheap and distributed, while keeping the stateful core local and compliant—you build a system that keeps the lawyers happy and the users fast.
Don't let your data residency strategy be an afterthought. Spin up a CoolVDS NVMe instance today, configure your WireGuard tunnel, and bring your data back home where it belongs.