Apologies in advance if this a bit of a broad question (and it may well be the answer is, "it depends"), but I'd be interested to know if anyone currently has an app which spans multiple countries, i.e US / EU / UK. ideally in financial services, but I'm interested in any sector. Specifically, I'm curious how others handle data governance / data across regions; i.e UK has GDPR, and favours data to reside in the UK. I'm assuming the US could have similar requirements (i.e, all US users need to have their data in us-west-1); How do you handle this? I could imagine you "split" your app across regions, but then you've got two databases, two sets of infrastructure: the dual infrastructure problem can be solved via iac, but how do you ensure (for instance) account/user uniqueness across regions? Is it simply that you have to query both databases? Or do you do something like a master table with a hashed user email pointing to the region-specific user record? I'm also thinking of support mechanisms where you need to actively show both datasets etc.

Numerous ways to do this but a simple one would be encryption if its not ultra strick and just allow decryption based on the user being in UK vs US for example. Or if you can do partitioning (depends on db) where you only show data based on their region

We're AWS Aurora (MySQL) at the moment

Each country has its own "financial" data center, where the financial data is stored for that region in keeping with local country laws. The systems are then aggregated to a master group of financial servers. It took us years to finally have our services on the same application platform and then a few more years to make it all work as corporate liked. The biggest hurdle to all of this was local laws that govern data governance and getting all the regions to nicely cooperate, as there was a massive amount of resistance towards centralized review and standardization. The overview is akin to a master corporate server and has many "Backup" secondary servers for each region at corporate. We would take the backup server data to build the "Master" service reports. Yes, the application was effectively split across multiple areas, data centers, and databases; as for user uniqueness, we appended userId with an internal region, department, and employment status stamp, so if you looked at the id and happened to understand the encoding, you knew with a high degree of accuracy where that user was from and what their role was at a glance. As for encryption, Even the best encryption is nothing compared to identify verification.

I mean you can also do Sharding which gets complex with your clusters but you have to setup routing and a bunch of stuff but its doable to keep data for EU vs US in 2 separate data centers but very doable…just complex.

This app is tiny compared to a system like that described above - at the moment I'm still trying to work out if it's even a requirement... But we'd potentially be dealing with US banks (non financial data) as a UK entity - but would be a small amount of PII

Yea its good you are analyzing it in advance

IDK if it's possible, but the "easiest" solution might be to just follow the strictest set of laws in all cases and apply it business wide.

It is very doable. Just depends on the laws/rules required.

Yeah my concern is that US want "their" users data in US silos, so it can be raided by the FBI etc. Which is why UK users don't want their data in the US 🙂 The more I think about it, the more I think I'm gonna just have to replicate the entire stack, DB and all in the various regions, and then have a bridging tool to pass non-PII data across.

Yea sucks to be screwed over like that but if it needs pure isolation that may be the exact route to go

yeah - as Tick-Tock has demonstrated, you need independent business units for true data isolation.

But what I will say related to my ability to do this, you can have multiple clusters setup for each physical region and route data traffic to write only in specific clusters with query routing to the required cluster and policy rules to keep things in line.

I imagine that gets tricky when you start logging requests/traffic? i.e log files - the danger being you could accidentally log something in the wrong region

DB logs? Or overall App&DB platform logs?

AWS VPC logs (for instance)

a lot of it heavily revolves around proper setup and routing for every aspect including logging….so users who reside in EU better only be granted access onto EU instances and all items should be handled to stay within their region

that is where full region isolation would be required.

If user is restricted to the EU vpc for example they are stuck there including all logging etc…so everything would be EU

So hypothetical example, you have app.domain.com (say, a cloudfront global hosted static front end) - User hits the site, you'd want to do some geolocation stuff to say "hey do you want our US/UK site", and maybe redirect them to app.domain.com/us etc. Maybe store the pref in a cookie. So then any requests like login/pw reset would go to api.us.domain.com rather than api.uk.domain.com - Since the two DBs/infra are completely isolated, there's presumably nothing stopping them accidentally creating two accounts in different regions with the same email address. (Fairly unlikely, but possible). (this is where my brain fails) - the only way to prevent this would be a transfer of data between two regions, which would inevitably be logged. i.e, you need to pass the email address to the other region to check if it exists. Can you get around that?

in a limited sense - you would be forcing them to the "appropriate" site via IP geo location (think netflix region lock). The failure is VPNs get around it but that would be less of your problem.

Cloudflare is a genius at handling routing traffic based on IP and headers and cloudflare handling the routing level would put them in the proper pool as you mentioned above app.us.domain.com or app.eu.domain.com or whatever you name it and the load balancer on aws side can process and handle the request or DENY the request if you are not in an EU (header that Cloudflare told the AWSLB)

Ok, I think I'm starting to get the picture in my head. Thanks guys - invaluable and helpful insight - much appreciated.

I deal with this alot in FSI. Unfortunately in many cases it means multiple deployments of the same app in multiple regions.