When Cloudflare launched Regional Services in June of 2020, the concept of data locality and data sovereignty were very much rooted in European regulations.
Bashar Bashaireh, Managing Director of Middle East & Türkiye at Cloudflare explains, “Fast forward to today, and the pressure to localise data persists: Several countries have laws requiring data localisation in some form, public-sector contracting requirements in many countries require their vendors to restrict the location of data processing, and some customers are reacting to geopolitical developments by seeking to exclude data processing from certain jurisdictions. That’s why Cloudflare is excited today to announce the first step in a longer journey to help customers meet their specific requirements for being able to control where their traffic is handled by expanding the vendor’s existing ecosystem with nineteen new regions including the Kingdom of Saudi Arabia.”
The new regions Cloudflare is launching include: Austria, Brazil, Cloudflare Green Energy, Exclusive of Hong Kong and Macau, Exclusive of Russia and Belarus, France, Hong Kong, Italy, NATO, Netherlands, Russia, Saudi Arabia, South Africa, Spain, Switzerland, Taiwan, US State of California, US State of Florida, US State of Texas.
Cloudflare generally determines new Regional Services offerings based on what it is hearing from customers about their legal obligations. Some of them need to have data to stay in a particular jurisdiction, while others need data to avoid certain jurisdictions. In response to these needs, the company developed a number of Regional Services offerings that restrict inspection of data to only those data centres within jurisdictional boundaries, such as Brazil, Saudi Arabia, and Switzerland. And it has also listened to customers who are eager to demonstrate their commitment to sustainability by offering its Cloudflare Green Energy region, which limits inspection of data to those data centres that are committed to powering their operations with renewable energy.
Cloudflare’s framework for data localisation
Over the course of the next year, customers are going to see a lot of new and exciting ways to use Cloudflare products to help keep their data local. While the company continues to believe that data localisation should not be a proxy for privacy and that restrictions on cross border data transfers are harmful to global commerce, it remains committed to supporting those enterprises who need data localisation solutions to address legal obligations and risk tolerance.
Unfortunately, many different cloud providers have decided that the best way to meet the compliance needs of their customers is to create fixed infrastructure deployments called Sovereign Clouds. The trouble with these infrastructure deployments is that companies have to commit all of its traffic to be regionalised, regardless of whether all of that traffic actually needs to be confined to a specific data centre in a specific region.
What if there was a better way forward that lets enterprises regionalise exactly what they need to, without having to localise everything, giving them the best of compliance and performance? What would customers build if they could localise the APIs that handled private customer information, while also serving their static assets globally? How could the compliance and privacy of customers’ Zero Trust deployments be increased if they are allowed to choose where their security processing occurred? What if they could define custom regions, and apply those regions to specific hostnames and Cloudflare products while also being able to use BYOIP or Static IP?
Cloudflare calls this approach software defined regionalisation (SDR) and it believes that is the future of data localisation. Using the company’s global network as the foundation, SDR allows customers to make exceptionally granular choices about what traffic to regionalise and where to regionalise it. This empowers customers to build applications that are fast, reliable, and compliant without having to deploy new physical infrastructure or have multiple cloud deployments for the same application.
Taking it a step further, SDR allows customers to shape Cloudflare to meet their needs today, and tomorrow. It gives the flexibility to quickly respond to new challenges in a rapidly changing world. By making localisation choices in software, enterprises are not bound by the physical constraints of their existing network geography or the locations of their cloud deployments.
How Regional Services ensures data is processed in the correct region
Complying with data localisation requirements isn’t possible without strong encryption; otherwise, anyone could snoop on customers’ data, regardless of where it’s stored. Strong encryption is the foundation of Regional Services.
Data is often described as being “in transit” and “at rest”. It’s critically important that both are encrypted. In transit, Cloudflare can enforce that all traffic uses modern TLS and gets the highest level of encryption possible. It can also enforce that all traffic back to customers’ origin servers is always encrypted. Communication between all of the vendor’s edge and core data centres is always encrypted. Cloudflare encrypts all of the data it handles at rest, with disk-level encryption. From cached files on the company’s edge network to configuration state in databases in its core data centres – every byte is encrypted at rest.
How then can Cloudflare also regionalise the traffic if it’s encrypted? All of the company’s data centres advertise the same IP addresses through Border Gateway Protocol (BGP). Whichever data centre is closest to the customers from a network point of view is the one that an end user will hit.
This is great for two reasons. The first is that the closer the data centre is to an eyeball, the faster the reply. The second great benefit is that this comes in very handy when dealing with large DDoS attacks. Volumetric DDoS attacks throw a lot of bogus traffic at a particular application, which overwhelms network capacity. Cloudflare’s anycast network is great at taking on these attacks because they get distributed across the entire network, and mitigated close to where they originate.
Anycast doesn’t respect regional borders – it doesn’t even know about them. Which is why, out of the box, Cloudflare can’t guarantee that traffic from inside a country will also be serviced there. Typically, requests hit a data centre inside the originating country, but it’s possible that the user’s Internet Service Provider will send traffic to a network that might route it to a different country.
Regional Services solves that: when turned on, each data centre becomes aware of which regional services-defined boundary it is operating in. If a user hits a Cloudflare data centre that doesn’t match the region that the customer has selected, the company simply forwards the raw TCP stream in encrypted form. Once it reaches a data centre inside the right region, it decrypts and applies all of its Layer 7 products. This covers products such as CDN, WAF, Bot Management, and Workers.
Cloudflare’s Regional Services for the new regions became available for early access on May 9th, 2024, and the company plans to have them generally available in June 2024.