Amazon EC2 regions and Windows Azure affinity groups - Security Considerations
I read about regions and affinity groups in Amazon EC2 / Windows Azure. It seems they are used first and foremost to assure performance.
What I am concerned about is security. Can these services "switch" a region and transfer some of my data in the cloud to another region if they have a performance bottleneck? I couldn't find any information about this so far.
For my employer it's important that data never crosses regions since our clients demand that all their data stays in European data centers.
In Azure, affinity groups are an abstraction concept that simply tells the Fabric controller to do its best to ensure groups of related services are deployed to ensure optimization for inter-app communication. Groups ensure that services, storage, etc will all be placed in close proximity whenever possible.
Affinity groups are bound to regions, so you don't need to worry about an AG switching countries on its own, as that would be bound to the region.
In Azure, the explicit geo-location concept is that of a region. If you specify a region you are binding to a datacenter (or virtual concept of a DC) in that particular geographical region. At this time there is no ability to move/migrate services among regions on your own.
The Fabric Controller does replicate across physical datacenters for fault tolerance, but this action is bound to the country-specific nature of the region definition. So Datacenter 1 in North Central US is likely replicated to Datacenter 2 in South Central US, but never to a European region. Even the "anywhere" regions, which let the FC determine the best place for your code, are bound by national boundaries.
In the future I wouldn't be surprised (though I'd say 50% chance) if Azure had a geo-replication option, but I highly doubt this would be a passive feature of the platform. There are simply too many governmental and legal ramifications to just turn this on.
I've not worked with Amazon EC2 hence can't answer about that. However as far as Windows Azure is concerned, once you decide on an "Affinity Group" (which I think is a cool way to say "Data Center"), your data stays there (at least as of now). Currently Windows Azure does not provide geo replication of data out of the box so I don't think there is anything there in the service which would replicate the data automatically for you across multiple data centers.
One interesting thing to watch out for would be the disaster recovery scenario, where one data center goes down. Then I think (just speculating) Windows Azure might try to move the data from one data center to another. However, I would recommend reading some SLA agreements just to be sure.
This is a common concern for EU customers - so Amazon and Microsoft are very aware of it.
For EC2, Amazon has 2 different concepts - regions and availability zones (see http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?using-regions-availability-zones.html) - your app can operate in multiple zones, but should never switch region.
For S3 data, see Amazon's FAQ http://aws.amazon.com/s3/faqs/#Can_I_comply_with_EU_data_privacy_regulations_using_Amazon_S3
Q: Can I comply with EU data privacy regulations using Amazon S3?
Objects stored in the EU (Ireland) Region never leave the EU unless you transfer them out. However, it is your responsibility to ensure that you comply with EU privacy laws.
For Azure, I believe the answer is similar, but I couldn't find a formal FAQ on this.
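The two answers above boil down to one operational rule: zones live inside a region, and a region is the unit of residency. The following is an added example, not code from the original Q&A or from Amazon or Microsoft: a small audit that takes an inventory of the kind you would assemble from `aws ec2 describe-instances` and `aws s3api get-bucket-location` (or the Azure equivalents) and flags every resource whose region is outside an approved EU set, plus any record whose availability zone contradicts its declared region. The inventory, the approved-region set and the Azure region names are constructed for illustration; the `EU` legacy value is what S3 reports as the `LocationConstraint` of older EU (Ireland) buckets.

```python
"""Data-residency audit over a constructed cloud resource inventory.

Added example (not from the original Q&A). The approved-region set and the
sample inventory are assumptions; check region identifiers against your
provider's current region list.
"""
from dataclasses import dataclass

# Assumed approved set: the AWS EU (Ireland) region named in the S3 FAQ and
# two illustrative Azure European regions.
APPROVED_EU_REGIONS = {
    "eu-west-1",     # AWS EU (Ireland)
    "North Europe",  # Azure (illustrative)
    "West Europe",   # Azure (illustrative)
}

# S3 reports legacy location constraints for some buckets: "EU" for older
# EU (Ireland) buckets, and null/empty for us-east-1.
LEGACY_S3_LOCATIONS = {"EU": "eu-west-1", "": "us-east-1"}


@dataclass(frozen=True)
class Resource:
    provider: str   # "aws" or "azure"
    kind: str       # e.g. "ec2-instance", "s3-bucket", "azure-storage"
    name: str
    region: str     # provider region identifier as reported by the API
    zone: str = ""  # availability zone, if any (zones sit inside one region)


def normalize_region(region: str) -> str:
    """Map legacy S3 location constraints to their modern region name."""
    return LEGACY_S3_LOCATIONS.get(region, region)


def region_of_zone(zone: str) -> str:
    """EC2 availability zones are the region name plus a letter suffix
    (eu-west-1a -> eu-west-1). Returns the input unchanged if it does not
    follow that pattern."""
    if len(zone) >= 2 and zone[-1].isalpha() and zone[-2].isdigit():
        return zone[:-1]
    return zone


def residency_violations(inventory, approved=APPROVED_EU_REGIONS):
    """Return (out_of_region, inconsistent): resources outside the approved
    regions, and resources whose zone points at a different region than the
    one recorded for them (an inventory inconsistency worth investigating)."""
    out_of_region = []
    inconsistent = []
    for r in inventory:
        region = normalize_region(r.region)
        if region not in approved:
            out_of_region.append(r)
        if r.zone and region_of_zone(r.zone) != region:
            inconsistent.append(r)
    return out_of_region, inconsistent


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    Resource("aws", "ec2-instance", "web-1", "eu-west-1", "eu-west-1a"),
    Resource("aws", "ec2-instance", "web-2", "eu-west-1", "eu-west-1b"),
    Resource("aws", "s3-bucket", "client-docs", "EU"),          # legacy constraint
    Resource("aws", "ec2-instance", "batch-7", "us-east-1", "us-east-1a"),
    Resource("azure", "azure-storage", "clientstore", "West Europe"),
    Resource("aws", "ec2-instance", "odd-1", "eu-west-1", "us-west-2a"),
]


def main():
    out_of_region, inconsistent = residency_violations(SAMPLE_INVENTORY)
    for r in out_of_region:
        print(f"OUT OF REGION: {r.provider} {r.kind} {r.name} in {r.region}")
    for r in inconsistent:
        print(f"INCONSISTENT:  {r.provider} {r.kind} {r.name} "
              f"region={r.region} zone={r.zone}")


if __name__ == "__main__":
    main()
```

On the sample inventory the audit reports `batch-7` as out of region and `odd-1` as inconsistent; the legacy `EU` bucket and the Azure storage account pass. In practice you would feed it the real API output on a schedule, since the residency guarantee the answers describe only holds for resources you never created outside the region in the first place.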
From what I know of Azure the answer is no, your apps can't migrate regions. Once you select a region it stays in that region; disaster recovery and failover also stay in that region for the very reason you're asking. I believe there are at least 2 datacentres per region.
A note on affinity groups: it's more than just performance. By assigning an affinity group you don't pay for bandwidth between nodes, which is important if you're processing a lot of data.