This chapter covers data residency and sovereignty requirements in Microsoft Azure, a critical topic for the AZ-305 exam. You will learn how Azure ensures customer data stays within geographic boundaries, the tools available to enforce compliance, and common exam traps. Approximately 10-15% of AZ-305 questions touch on data residency, sovereignty, and compliance, often in the context of designing identity and governance solutions.
Jump to a section
Think of data residency like a bank safety deposit box in a specific country. You can only access your box in that country's branch, and the bank guarantees that your documents never leave that vault. Azure's datacenter regions are like bank branches around the world. When you choose a region (e.g., 'West Europe'), you're renting a safety deposit box in that branch. Azure's data residency promise means your data will be stored only in that branch, not moved to another branch without your explicit consent. The bank's internal logistics (Azure's replication and backup systems) must keep all copies within the same country's borders. If the bank has a policy that documents cannot cross borders (sovereignty), then even the courier (data replication) must stay within that country. If you later want to move your box to another branch, you must request a transfer, and the bank will verify compliance with local laws. In Azure, this is enforced through data residency policies, Azure Policy, and customer-managed keys that ensure data doesn't leave the designated region.
What Are Data Residency and Sovereignty?
Data residency refers to the physical or geographic location where data is stored. Data sovereignty extends this concept to the legal and regulatory requirements that data must remain within a specific jurisdiction. For example, the EU's General Data Protection Regulation (GDPR) requires that personal data of EU citizens be stored in the EU or in countries with equivalent protection. Similarly, countries like Brazil, India, and China have laws that mandate local storage of certain types of data.
In Azure, data residency is enforced through the concept of regions. Each Azure region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. When you deploy a resource like a storage account or a virtual machine, you choose a region. Azure guarantees that for most services, data at rest remains within that region unless you explicitly configure cross-region replication.
How Azure Enforces Data Residency
Azure uses several mechanisms to enforce data residency:
Region selection: During resource creation, you select a region. For example, a storage account in 'East US' will have its primary data stored in datacenters in that region.
Locally redundant storage (LRS): Data is replicated three times within a single datacenter in the chosen region.
Zone-redundant storage (ZRS): Data is replicated across three availability zones within the same region.
Geo-redundant storage (GRS): Data is replicated to a paired region, which is in the same geography (e.g., North Europe and West Europe are paired within Europe). This ensures data stays within the same geographic boundary (e.g., Europe).
Geo-zone-redundant storage (GZRS): Combines ZRS and GRS, again within the same geographic boundary.
Azure's paired regions are designed to be at least 300 miles apart within the same geography. For example, East US is paired with West US. This ensures that even during a disaster, data remains within the United States.
Data Sovereignty and Azure Policy
Azure Policy is a service that allows you to create, assign, and manage policies that enforce rules for your resources. To enforce data sovereignty, you can use built-in policies like:
'Allowed Locations': Restricts which regions can be used for resource deployment.
'Allowed Locations for resource groups': Restricts where resource groups can be created.
'Audit if resource does not use a specific region': Audits resources that are not in the desired region.
You can also create custom policies to enforce data residency for specific services. For example, you can require that Azure SQL databases be deployed only in regions within the European Union.
Azure Blueprints and Compliance
Azure Blueprints enable you to define a repeatable set of Azure resources that implement and adhere to standards, patterns, and requirements. A blueprint can include policies, role assignments, and resource templates. For data sovereignty, you can create a blueprint that enforces allowed locations, ensures data encryption at rest, and restricts cross-region replication.
Customer-Managed Keys and Sovereignty
Azure Key Vault allows you to store encryption keys in a specific region. With customer-managed keys (CMK), you control the keys used to encrypt your data. If you use a key stored in a Key Vault in a specific region, Azure will not be able to move your data to another region without your key, providing an additional layer of sovereignty enforcement.
Azure Regions and Geographies
Azure divides the world into geographies, each containing one or more regions. A geography is a discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries. For example: - United States geography: East US, East US 2, Central US, etc. - Europe geography: North Europe, West Europe, France Central, etc. - Asia Pacific geography: Southeast Asia, East Asia, etc.
Data residency requirements often mandate that data stay within a specific geography. Azure's geo-redundant storage ensures that data is replicated within the same geography.
Sovereign Clouds
For customers with the highest compliance needs, Azure offers sovereign clouds: - Azure Government: For US government agencies and their partners. Data is stored in US datacenters and accessed only by US persons. - Azure China (21Vianet): Operated by 21Vianet, a Chinese company. Data remains in China and is subject to Chinese law. - Azure Germany: Was available but is being retired; now use Azure regions in Germany (e.g., Germany West Central) which are part of the European geography.
Data Transfer and Residency
When you use Azure services, data may be transferred between regions for performance or redundancy. However, Azure provides options to restrict data movement: - Disable geo-redundant storage: Choose LRS or ZRS to keep data within a single region. - Azure Traffic Manager: You can configure routing methods to keep traffic within a region. - Azure Front Door: Can be configured to route requests to the nearest region, but you can restrict backend origins to specific regions.
Azure Policy for Data Residency
To enforce data residency, you can use Azure Policy to:
Deny creation of resources outside allowed regions.
Audit existing resources for compliance.
Require specific SKUs that support data residency (e.g., Azure SQL Database with geo-redundancy disabled).
Example policy definition to restrict locations:
{
"policyRule": {
"if": {
"not": {
"field": "location",
"in": ["eastus", "westus"]
}
},
"then": {
"effect": "deny"
}
}
}Azure Resource Graph and Compliance
Azure Resource Graph allows you to query resources across subscriptions. You can use it to audit data residency compliance. For example, you can query all storage accounts and their replication settings to ensure they are not using geo-redundant storage if that violates sovereignty.
Azure Blueprints for Sovereignty
A blueprint can include:
Policy assignments for allowed locations.
Role assignments for data stewards.
Resource templates that enforce encryption with customer-managed keys.
Azure Compliance Offerings
Azure provides a portfolio of compliance offerings (e.g., ISO 27001, SOC 2, FedRAMP). These certifications attest that Azure meets data residency and sovereignty requirements. For the exam, know that Azure maintains compliance with over 90 offerings.
Data Residency for Specific Services
Azure Storage: You can choose replication type (LRS, ZRS, GRS, GZRS). GRS replicates to a paired region in the same geography.
Azure SQL Database: You can configure geo-replication to a secondary region. To enforce sovereignty, disable geo-replication or only allow replication to regions within the same geography.
Azure Virtual Machines: Disks are stored in the same region as the VM. You can use Azure Site Recovery for disaster recovery, which replicates to another region. To enforce sovereignty, only allow failover to regions within the same geography.
Azure Cosmos DB: You can configure multi-region writes. To enforce sovereignty, restrict the regions to those within the required geography.
Exam Focus: Common Scenarios
The AZ-305 exam often presents scenarios where a company must comply with data residency laws. For example:
A European company must ensure that customer data stays in Europe.
A US government agency must use Azure Government.
A company in Brazil must store data in Brazil.
You must choose the appropriate Azure services and configurations to meet these requirements.
Identify Data Residency Requirements
First, determine the legal and regulatory requirements for data storage. For example, GDPR requires that personal data of EU citizens be stored in the EU. Identify the geographic boundaries (e.g., European Union, United States, Brazil). Also determine if there are restrictions on data replication across regions. This step involves reading compliance documentation and consulting with legal teams.
Select Appropriate Azure Region
Choose an Azure region that falls within the required geographic boundary. For example, for EU data, select 'West Europe' or 'North Europe'. For US data, select 'East US' or 'West US'. Ensure the region supports the services you need. Some services may not be available in all regions. Use the Azure Products by Region tool to verify availability.
Configure Storage Replication
For storage accounts, select the replication type that meets residency requirements. If data must stay within a single region, choose Locally Redundant Storage (LRS) or Zone-Redundant Storage (ZRS). If geo-redundancy is allowed but must stay within the same geography, choose Geo-Redundant Storage (GRS) or Geo-Zone-Redundant Storage (GZRS). Avoid cross-geography replication.
Apply Azure Policy for Location Restriction
Create and assign an Azure Policy that restricts resource creation to allowed regions. Use the built-in 'Allowed Locations' policy. Assign it at the subscription or management group level. This prevents users from accidentally deploying resources in non-compliant regions. Also consider policies that audit existing resources and report non-compliance.
Implement Customer-Managed Keys
Use Azure Key Vault to store encryption keys in the required region. Enable customer-managed keys for services like Azure Storage, Azure SQL Database, and Azure Cosmos DB. This ensures that even if data is replicated, it cannot be decrypted without keys in the allowed region. This adds a layer of sovereignty enforcement.
Monitor and Audit Compliance
Use Azure Policy compliance dashboard to monitor adherence. Use Azure Resource Graph to query resources and their locations. Set up alerts for non-compliant resources. Regularly audit replication settings, especially for storage and databases. Use Azure Advisor for recommendations on compliance.
Enterprise Scenario 1: European Bank GDPR Compliance
A large European bank must store all customer financial data within the European Union. They deploy Azure resources in the 'West Europe' region. They use Azure Policy to deny any resource creation outside of EU regions (West Europe, North Europe, France Central, etc.). They configure all storage accounts with LRS or ZRS to avoid geo-replication. For Azure SQL Database, they disable geo-replication. They use Azure Blueprints to enforce these settings across multiple subscriptions. They also use customer-managed keys stored in Azure Key Vault in West Europe. A common issue is that developers accidentally create resources in 'East US' for testing; Azure Policy denies the deployment, and the compliance dashboard alerts the governance team.
Enterprise Scenario 2: US Government Agency FedRAMP Compliance
A US federal agency must comply with FedRAMP High requirements. They use Azure Government, which is a physically isolated instance of Azure in US datacenters. All data stays within the US. They restrict resource creation to Azure Government regions (US Gov Virginia, US Gov Texas, etc.). They use Azure Policy to enforce this. They also require that all encryption keys be stored in Azure Government Key Vault. Performance is a consideration because Azure Government has fewer regions; they use Availability Zones within the same region for high availability. A misconfiguration that could occur is using Azure commercial instead of Azure Government; the agency uses Azure Policy to block connections to commercial Azure.
Enterprise Scenario 3: Multinational Company with Data Sovereignty in Brazil
A multinational company operating in Brazil must keep Brazilian customer data within Brazil. They deploy resources in the 'Brazil South' region. They use Azure Policy to restrict locations to Brazil South only. They configure all storage with LRS. They also use Azure Traffic Manager to route user traffic to the Brazil South endpoint. They must ensure that disaster recovery does not replicate data outside Brazil; they use Azure Site Recovery with a secondary region in Brazil South (though Azure only has one region in Brazil, so they use a different availability zone or rely on backup to a local datacenter). A common mistake is assuming that Brazil South is paired with a region outside Brazil; in reality, Brazil South is paired with South Central US, but GRS is not allowed due to sovereignty. They must use LRS or ZRS only.
AZ-305 Exam Focus on Data Residency and Sovereignty
The AZ-305 exam tests your ability to design solutions that meet data residency and sovereignty requirements. Key objectives include: - Objective 1.2: Design identity and governance solutions, including data residency and sovereignty. - Objective 5.1: Design solutions for compliance, including regulatory requirements.
Common Wrong Answers and Traps
Choosing Azure Germany: Many candidates think Azure Germany (sovereign cloud) is still available for EU data. In reality, Azure Germany was retired in 2021, and customers should use standard Azure regions in Germany (Germany West Central) which are part of the European geography. The exam may have a distractor like 'Deploy to Azure Germany' — this is wrong.
Enabling Geo-Redundant Storage for Sovereignty: Some candidates think GRS is always safe because it stays within a geography. But if the requirement is data must stay within a single country (e.g., Brazil), GRS might replicate to a paired region in a different country (e.g., Brazil South pairs with South Central US). The correct answer is LRS or ZRS.
Using Azure Policy 'Allowed Locations' but not assigning it: Candidates may create the policy but forget to assign it at the correct scope. The exam may ask 'What is the most efficient way to enforce data residency?' and the answer is 'Assign the Allowed Locations policy at the management group level.'
Confusing data residency with data encryption: Encryption does not satisfy data residency. Data must be physically stored in the required location. Encryption is complementary.
Specific Numbers and Terms
Paired regions: Know that East US pairs with West US, North Europe with West Europe, etc.
Geography vs. region: A geography contains multiple regions. Data residency is typically per geography.
Azure Government: For US government agencies and their partners. Not for commercial use.
Azure China (21Vianet): For data in China.
LRS, ZRS, GRS, GZRS: Know when to use each for residency.
Edge Cases
What if a service doesn't support a region? You must choose a different service or region that meets compliance.
What if the required geography has only one region? You cannot use GRS; use LRS or ZRS with backup to on-premises.
What about data in transit? Data in transit is not subject to residency in the same way, but you can use VPN or ExpressRoute to keep traffic within a geography.
How to Eliminate Wrong Answers
If the question says 'must stay within the European Union', eliminate any answer that uses regions outside Europe (e.g., East US).
If the question says 'must not replicate data outside the country', eliminate GRS and GZRS.
If the question involves a US government agency, look for 'Azure Government' as the correct answer.
If the question says 'must be in compliance with GDPR', ensure the solution uses regions in the EU.
Data residency means data is stored in a specific geographic location; data sovereignty adds legal requirements.
Azure regions are grouped into geographies; data can be kept within a geography using GRS or within a single region using LRS/ZRS.
Azure Policy 'Allowed Locations' restricts resource deployment to specific regions.
Azure Blueprints can enforce data residency by combining policies, role assignments, and resource templates.
Customer-managed keys in Azure Key Vault provide additional sovereignty by controlling encryption keys.
Sovereign clouds (Azure Government, Azure China) are for specific compliance requirements and are not available to all customers.
For EU data, use regions in Europe; for US government data, use Azure Government.
Geo-redundant storage (GRS) replicates to a paired region within the same geography, which may cross country borders.
Always disable geo-replication if data must stay within a single country.
Use Azure Resource Graph to audit data residency compliance across subscriptions.
These come up on the exam all the time. Here's how to tell them apart.
Locally Redundant Storage (LRS)
Data replicated 3 times within a single datacenter in one region.
Data stays within a single region, ideal for strict data residency.
No cross-region replication, so no risk of data leaving the required geography.
Lower durability (99.999999999%) compared to GRS.
Cannot recover from a region-wide disaster.
Geo-Redundant Storage (GRS)
Data replicated 3 times in the primary region, then replicated to a paired region.
Data stays within the same geography (e.g., Europe), but may cross country borders.
Higher durability (99.999999999999%) due to secondary region.
Can recover from a region-wide disaster.
May violate data sovereignty if the paired region is in a different country.
Mistake
Azure Germany is still available for EU data residency.
Correct
Azure Germany was retired in 2021. For EU data residency, use standard Azure regions in Germany (Germany West Central, Germany North) which are part of the European geography.
Mistake
Geo-redundant storage (GRS) always keeps data within the same country.
Correct
GRS replicates to a paired region, which may be in a different country within the same geography. For example, Brazil South pairs with South Central US. If data must stay in Brazil, use LRS or ZRS.
Mistake
Azure Policy 'Allowed Locations' automatically enforces data residency for all services.
Correct
The policy only restricts the location of the resource itself, not where data is replicated. For example, a storage account can be in 'West Europe' but still replicate to 'North Europe' via GRS. You must also configure replication settings.
Mistake
Data encryption at rest satisfies data residency requirements.
Correct
Encryption protects data confidentiality but does not control where data is physically stored. Data must be stored in the required geographic location regardless of encryption.
Mistake
Azure sovereign clouds (Government, China) are available to any customer.
Correct
Azure Government is restricted to US government agencies and their partners. Azure China (21Vianet) is for customers in China. Standard Azure customers cannot use these clouds.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Data residency refers to the physical location where data is stored. Data sovereignty extends this to the legal and regulatory requirements that data must remain within a specific jurisdiction. For example, GDPR requires that personal data of EU citizens be stored in the EU (residency) and also be subject to EU data protection laws (sovereignty). Azure enforces residency through region selection and replication settings, while sovereignty is addressed through compliance certifications and sovereign clouds.
To keep data within a single country, choose a region located in that country (e.g., Brazil South for Brazil). Use Locally Redundant Storage (LRS) or Zone-Redundant Storage (ZRS) to avoid cross-region replication. Disable geo-replication for services like Azure SQL Database and Azure Storage. Apply Azure Policy to restrict resource creation to that region. Also, use customer-managed keys stored in a Key Vault in the same region to prevent data decryption elsewhere.
Azure Government is a physically isolated instance of Microsoft Azure designed for US government agencies and their partners. It meets FedRAMP High, DoD, and other US government compliance requirements. You should use Azure Government when you have data that must be stored in the US and accessed only by US persons. It is not available for commercial use. For other countries, use standard Azure regions or sovereign clouds like Azure China.
Azure Policy can restrict the location where resources are created, but it does not control data replication within a service. For example, you can deny creation of a storage account outside 'West Europe', but the storage account could still be configured with GRS that replicates to 'North Europe'. To fully enforce residency, you must also configure the service's replication settings (e.g., use LRS) and possibly use custom policies to audit replication configuration.
An Azure geography is a discrete market that contains one or more regions and preserves data residency and compliance boundaries. For example, the United States geography includes regions like East US, West US, etc. A region is a set of datacenters within a geography. Data residency requirements often specify a geography (e.g., European Union), and Azure ensures that geo-redundant storage replicates within the same geography.
Azure provides regions within the EU (e.g., West Europe, North Europe, France Central). By default, geo-redundant storage replicates to a paired region within the same geography (e.g., West Europe pairs with North Europe). To ensure data stays within the EU, you can restrict resource creation to EU regions using Azure Policy, use LRS or ZRS, and disable geo-replication for databases. Azure also maintains GDPR compliance certifications.
Customer-managed keys (CMK) allow you to control the encryption keys used to protect your data. By storing these keys in an Azure Key Vault in a specific region, you ensure that even if data is replicated to another region, it cannot be decrypted without your keys. This adds an extra layer of sovereignty because you can revoke access to keys, effectively preventing data access in unauthorized regions.
You've just covered Data Residency and Sovereignty Requirements — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?