The Pragmatic Multi-Cloud: Surviving Schrems II and Latency Spikes in Norway
Let’s cut through the marketing noise. Since the CJEU struck down the Privacy Shield in July 2020 (Schrems II), every CTO in Europe has been scrambling. If you are blindly dumping Norwegian customer data into US-owned hyperscalers, you aren't just risking latency; you are risking legal non-compliance. But moving everything on-prem is a regression we can't afford.
The solution isn't to abandon the cloud. It's to stop treating "The Cloud" as a single vendor. The most resilient infrastructure I’ve architected this year follows a hybrid model: volatile frontend workloads on hyperscalers, and persistent, sensitive data on local, high-performance Norwegian infrastructure.
Here is how we build a compliant, low-latency architecture using Terraform, WireGuard, and CoolVDS NVMe instances.
The Latency Lie: Frankfurt is Not Oslo
Hyperscalers love to tell you their "Europe North" or "Europe West" regions are close enough. They aren't. Physics is stubborn. Round-trip time (RTT) from Oslo to Frankfurt usually hovers around 20-30ms. That sounds fast until your application makes 50 sequential database queries per request. Suddenly, you are staring at 1.5 seconds of network wait time before the CPU even wakes up.
If your user base is in Norway, your database needs to be in Norway. Utilizing the Norwegian Internet Exchange (NIX) via a local provider drastically reduces this.
| Metric | Hyperscaler (Frankfurt) | CoolVDS (Oslo) |
|---|---|---|
| Ping to Oslo Fiber | ~24ms | ~2ms |
| Data Sovereignty | US CLOUD Act Risk | Norwegian Jurisdiction |
| Storage | Networked Block Storage (Variable IOPS) | Local NVMe (Consistent IOPS) |
The Architecture: Split-Stack Hosting
The strategy is simple: Stateless Compute Global, Stateful Data Local.
We keep our Kubernetes clusters or auto-scaling groups in the big clouds for elasticity. But we anchor our database and PII (Personally Identifiable Information) on a CoolVDS instance in Oslo. This satisfies Datatilsynet (The Norwegian Data Protection Authority) requirements by keeping the data at rest on Norwegian soil, protected by local privacy laws.
Secure Interconnect with WireGuard
In 2021, IPsec is too slow and OpenVPN is single-threaded. We use WireGuard (integrated into Linux 5.6+) to create a mesh between the cloud frontend and the local backend. It is lean, fast, and re-establishes connections instantly.
Here is the configuration for the CoolVDS side (the "Peer"). We utilize a standard Ubuntu 20.04 LTS image which supports this natively.
# /etc/wireguard/wg0.conf on CoolVDS (Database Node)
[Interface]
Address = 10.100.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostDown = ufw route delete allow in on wg0 out on eth0
ListenPort = 51820
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
[Peer]
# The Hyperscaler Frontend Client
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.100.0.2/32Pro Tip: Don't forget to adjust your MTU. Tunneling adds overhead. On a standard 1500 MTU link, set WireGuard MTU to 1420 to avoid packet fragmentation that kills throughput.
Optimizing PostgreSQL 13 for NVMe
One major advantage of moving the database to a dedicated VDS is getting away from "noisy neighbor" throttling found in shared cloud block storage. CoolVDS provides raw NVMe access. To utilize this, we need to tune PostgreSQL 13 to be aggressive with I/O.
Most default configs assume spinning rust (HDDs). Change these immediately in your postgresql.conf:
# /etc/postgresql/13/main/postgresql.conf
# Assume high-speed SSD availability
random_page_cost = 1.1 # Default is 4.0, which assumes expensive seeks
effective_io_concurrency = 200 # Crank this up for NVMe
# Memory Management (Assuming 16GB RAM Instance)
shared_buffers = 4GB # 25% of RAM
effective_cache_size = 12GB # 75% of RAM
work_mem = 16MB # Be careful increasing this too much per connection
# Write Integrity
wal_sync_method = fdatasync # Efficient on LinuxThese settings tell the query planner that random seeks are cheap, encouraging the use of index scans over sequential scans, which drastically improves performance for complex queries on large datasets.
Orchestrating it all with Terraform
Managing two providers doesn't mean manual work. We use Terraform to provision the state.
# main.tf
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
# We use a generic provider or local-exec for the VDS if no direct provider exists
null = {
source = "hashicorp/null"
}
}
}
# Provision the VDS (Conceptual example using remote-exec)
resource "null_resource" "coolvds_db_setup" {
connection {
type = "ssh"
user = "root"
host = var.coolvds_ip
private_key = file("~/.ssh/id_rsa")
}
provisioner "remote-exec" {
inline = [
"apt-get update",
"apt-get install -y wireguard postgresql-13",
"echo '${local.wg_config}' > /etc/wireguard/wg0.conf",
"systemctl start wg-quick@wg0"
]
}
}
The Compliance Reality
GDPR is not just about cookies. It is about where data physically resides and who can compel access to it. By anchoring your database in Norway on a provider like CoolVDS, you create a legal firewall. The US CLOUD Act has far less reach into a Norwegian-owned server rack in Oslo than it does into a US-owned data center in Frankfurt.
Final Thoughts
The "All-in-AWS" era is ending. It is expensive, legally risky, and for Nordic users, latency-inefficient. A hybrid approach requires a bit more architectural discipline—setting up WireGuard and managing state files—but the payoff is immense. You get the legal safety of local hosting with the raw speed of NVMe, without sacrificing the elasticity of the cloud for your frontend.
Don't let slow I/O or legal ambiguity kill your business. Deploy a test environment today. You can spin up a high-performance NVMe instance on CoolVDS in under 60 seconds and ping it from Oslo NIX to see the difference yourself.