Common Framework
Reference Architecture
Complete sovereign cloud stack design covering compute, storage, networking, data, security, and integration layers - all built on open standards and non-US technology.
Architecture Overview
Sovereign Cloud Reference Architecture (layer diagram, reproduced as a list):
- Application Layer: containerised workloads, serverless functions, legacy VMs, managed services
- Platform Layer: Kubernetes, PostgreSQL, Redis, RabbitMQ, MinIO (S3), Keycloak
- Infrastructure Layer: compute (VMs), block storage, object storage, load balancers
- Network Layer: VPC/private networks, firewalls, VPN/interconnect, DNS
Architecture Layers
Physical Layer
Sovereign Datacentres
Physical infrastructure located within national borders, owned and operated by non-US entities.
| Requirement | Specification |
|---|---|
| Location | Within national territory or approved partner jurisdiction |
| Ownership | Non-US entity, not subject to US jurisdiction |
| Tier Level | Minimum Tier 3 (N+1 redundancy) |
| Certifications | ISO 27001, SOC 2, national security certifications |
| Geographic Redundancy | Minimum 2 datacentres, 100km+ separation |
Recommended European Providers
- OVHcloud (France) - Datacentres across EU
- Hetzner (Germany) - High-performance, cost-effective
- Scaleway (France) - Cloud-native infrastructure
- IONOS (Germany) - Enterprise-grade
- Equinix (non-US subsidiary) - Colocation where needed
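The Physical Layer requirements above can be enforced as policy-as-code rather than a checklist. The following is an added example for this page, not tooling from any provider listed; the `Datacentre` fields and the inventory at the bottom are constructed assumptions about how an operator records each site, and the geographic-redundancy row is interpreted as "every site must have at least one other site 100 km or more away".

```python
"""Policy-as-code check of a datacentre inventory against the Physical Layer
requirements table (location, ownership, tier, certifications, redundancy).

Added example; not from any provider's tooling. Site records are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MIN_TIER = 3
MIN_SITES = 2
MIN_SEPARATION_KM = 100.0
BASELINE_CERTS = frozenset({"ISO 27001", "SOC 2"})


@dataclass(frozen=True)
class Datacentre:
    name: str
    lat: float
    lon: float
    jurisdiction: str        # ISO 3166-1 alpha-2 code of the site's country (assumed field)
    owner_jurisdiction: str  # where the operating entity is incorporated (assumed field)
    tier: int                # Uptime Institute tier, 1-4
    certifications: frozenset


def haversine_km(a: Datacentre, b: Datacentre) -> float:
    """Great-circle distance between two sites in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def site_findings(dc, approved, national_certs=frozenset()):
    """Findings for one site against the per-datacentre rows of the table."""
    findings = []
    if dc.jurisdiction not in approved:
        findings.append(f"{dc.name}: located in {dc.jurisdiction}, not an approved jurisdiction")
    if dc.owner_jurisdiction == "US":
        findings.append(f"{dc.name}: operator incorporated in the US")
    if dc.tier < MIN_TIER:
        findings.append(f"{dc.name}: Tier {dc.tier} is below the minimum Tier {MIN_TIER}")
    missing = (BASELINE_CERTS | national_certs) - dc.certifications
    if missing:
        findings.append(f"{dc.name}: missing certifications {sorted(missing)}")
    return findings


def inventory_findings(sites, approved, national_certs=frozenset()):
    """All findings for an inventory; an empty list means compliant."""
    findings = []
    for dc in sites:
        findings.extend(site_findings(dc, approved, national_certs))
    if len(sites) < MIN_SITES:
        findings.append(f"only {len(sites)} datacentre(s), minimum is {MIN_SITES}")
        return findings
    # Geographic redundancy: each site needs a partner 100 km+ away.
    for dc in sites:
        far = [o for o in sites if o is not dc and haversine_km(dc, o) >= MIN_SEPARATION_KM]
        if not far:
            findings.append(f"{dc.name}: no other site {MIN_SEPARATION_KM:.0f} km+ away")
    return findings


# Constructed inventory; coordinates are approximate city centres.
PARIS = Datacentre("dc-paris", 48.8566, 2.3522, "FR", "FR", 3, BASELINE_CERTS)
FRANKFURT = Datacentre("dc-frankfurt", 50.1109, 8.6821, "DE", "DE", 3, BASELINE_CERTS)
PARIS_METRO = Datacentre("dc-paris-south", 48.70, 2.35, "FR", "FR", 4, BASELINE_CERTS)
US_OWNED = Datacentre("dc-dublin", 53.3498, -6.2603, "IE", "US", 3, BASELINE_CERTS)

if __name__ == "__main__":
    approved = {"FR", "DE", "IE"}
    print(inventory_findings([PARIS, FRANKFURT], approved))   # []
    print(inventory_findings([PARIS, PARIS_METRO], approved)) # both sites lack a distant partner
    print(inventory_findings([PARIS, US_OWNED], approved))    # ownership finding only
```

Pass the national qualification your jurisdiction requires through `national_certs`; the baseline set only encodes the two certifications the table names explicitly.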
Infrastructure Layer (IaaS)
Compute
| Component | Technology Options | Notes |
|---|---|---|
| Virtual Machines | KVM, Proxmox VE, OpenStack Nova | Open-source hypervisors |
| Bare Metal | Provider bare metal, MAAS | For high-performance workloads |
| Container Runtime | containerd, CRI-O | OCI-compliant |
Storage
| Type | Technology Options | Use Case |
|---|---|---|
| Object Storage | MinIO, Ceph RADOS Gateway, SeaweedFS | S3-compatible, documents, backups |
| Block Storage | Ceph RBD, OpenStack Cinder, Longhorn | VM disks, databases |
| File Storage | CephFS, GlusterFS, NFS | Shared file systems |
Networking
| Component | Technology Options |
|---|---|
| SDN / CNI | Cilium, Calico, Flannel |
| Load Balancing | MetalLB, HAProxy, NGINX |
| DNS | CoreDNS, BIND, PowerDNS |
| Service Mesh | Istio, Linkerd, Consul Connect |
Security & Identity Layer
Identity & Access Management
| Component | Technology | Standards |
|---|---|---|
| Identity Provider | Keycloak, Authentik, Zitadel | OIDC, SAML 2.0, OAuth 2.0 |
| Directory Services | FreeIPA, OpenLDAP, 389DS | LDAP, Kerberos |
| MFA | privacyIDEA, Keycloak OTP | TOTP, FIDO2, WebAuthn |
Key Management
| Component | Technology | Notes |
|---|---|---|
| Secrets Management | OpenBao (open-source fork of HashiCorp Vault) | Auto-unseal backed by an HSM |
| HSM | Thales Luna, Utimaco, nShield (formerly nCipher, now Entrust) | FIPS 140-2 or 140-3 Level 3 or higher |
| Certificate Management | cert-manager, EJBCA, step-ca | PKI automation |
Security Monitoring
| Component | Technology |
|---|---|
| SIEM | Wazuh, OpenSearch (Security Analytics plugin), Graylog |
| Vulnerability Scanning | Trivy, Clair, Grype |
| Runtime Security | Falco, Sysdig (OSS), Tetragon |
| Policy Enforcement | OPA/Gatekeeper, Kyverno |
Data Layer
| Type | Technology | Use Case |
|---|---|---|
| Relational Database | PostgreSQL, MariaDB | Transactional data, structured records |
| Document Database | MongoDB (SSPL, not an OSI-approved licence), FerretDB (Apache-2.0, MongoDB wire protocol on PostgreSQL) | Semi-structured data, JSON |
| Cache | Redis (licence changed from BSD in 2024), Valkey (BSD-licensed fork), KeyDB, Dragonfly (BSL) | Session state, caching |
| Message Queue | Apache Kafka, RabbitMQ, NATS | Event streaming, async processing |
| Search | OpenSearch, Meilisearch, Typesense | Full-text search, analytics |
| Time Series | TimescaleDB, InfluxDB, VictoriaMetrics | Metrics, IoT, monitoring |
Application & Platform Layer
Container Orchestration
- Kubernetes (vanilla) - CNCF standard, maximum portability
- Rancher - Multi-cluster management, good UI
- K3s - Lightweight, edge deployments
- OKD (community OpenShift) - if the Red Hat ecosystem is preferred
API Management
| Component | Technology |
|---|---|
| API Gateway | Kong, Traefik, APISIX, Tyk |
| Ingress Controller | NGINX Ingress, Traefik, Contour |
| WAF | ModSecurity, Coraza |
Observability
| Pillar | Technology |
|---|---|
| Metrics | Prometheus, VictoriaMetrics, Thanos |
| Logging | Loki, OpenSearch, Fluentd/Fluent Bit |
| Tracing | Jaeger, Tempo, Zipkin |
| Dashboards | Grafana |
| Alerting | Alertmanager, Grafana Alerting |
CI/CD & GitOps
| Component | Technology |
|---|---|
| Git Repository | GitLab (self-hosted), Gitea, Forgejo |
| CI/CD | GitLab CI, Tekton, Jenkins |
| GitOps | ArgoCD, Flux |
| Container Registry | Harbor, GitLab Registry |
| Artifact Storage | Nexus, JFrog Artifactory (OSS) |
Deployment Patterns
Multi-Region Architecture
Multi-Region Sovereign Deployment (diagram, reproduced as text):
- Region A (primary): Kubernetes cluster with app pods, primary database, object storage
- Region B (secondary): Kubernetes cluster with app pods, database replica, object storage
- Sync and replication between the regions: database replication and object storage replication
- Global load balancer / DNS in front of both regions: traffic routing, health checks, failover
Classification Zones
The sovereign cloud must support multiple classification levels with isolation appropriate to each:
| Zone | Classification | Isolation |
|---|---|---|
| Public Zone | OFFICIAL | Logical separation, shared infrastructure |
| Protected Zone | OFFICIAL-SENSITIVE | Dedicated compute, network segmentation |
| Secure Zone | SECRET | Air-gapped networks, dedicated hardware |
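The Isolation column above is what an admission policy (Kyverno or OPA/Gatekeeper, from the Policy Enforcement row) and the CNI network policy have to enforce. The following is an added example for this page, not code from either policy engine, showing that decision logic in plain Python. Assumptions: namespaces carry a `zone` label, workloads carry a `classification` label, dedicated node pools are selected with a `node-pool` label, a workload may be placed in its own zone or a higher one but never a lower one, and "network segmentation" for the protected zone means cross-zone flows are denied unless explicitly allowed; the pod manifests are constructed.

```python
"""Placement and cross-zone flow rules derived from the Classification Zones
table, as an admission webhook or policy generator would evaluate them.

Added example; not from Kyverno, OPA or any CNI. Labels and pods are assumed.
"""

LEVEL = {"OFFICIAL": 0, "OFFICIAL-SENSITIVE": 1, "SECRET": 2}
ZONE_CLASSIFICATION = {"public": "OFFICIAL",
                       "protected": "OFFICIAL-SENSITIVE",
                       "secure": "SECRET"}
DEDICATED_COMPUTE = {"protected", "secure"}  # "dedicated compute" / "dedicated hardware"
AIR_GAPPED = {"secure"}                      # "air-gapped networks"


def placement_findings(pod: dict, namespace_labels: dict) -> list:
    """Reasons to reject this pod from this namespace; an empty list means admit."""
    findings = []
    zone = namespace_labels.get("zone")
    if zone not in ZONE_CLASSIFICATION:
        return [f"namespace has no recognised zone label (got {zone!r})"]
    cls = pod.get("metadata", {}).get("labels", {}).get("classification")
    if cls not in LEVEL:
        return [f"pod has no recognised classification label (got {cls!r})"]
    if LEVEL[cls] > LEVEL[ZONE_CLASSIFICATION[zone]]:
        findings.append(f"{cls} workload cannot run in the {zone} zone "
                        f"({ZONE_CLASSIFICATION[zone]})")
    spec = pod.get("spec", {})
    if zone in DEDICATED_COMPUTE:
        # Dedicated compute: the pod must pin itself to the zone's node pool.
        # Taints on that pool keep other zones' pods off it in the other direction.
        if spec.get("nodeSelector", {}).get("node-pool") != zone:
            findings.append(f"{zone} zone requires nodeSelector node-pool={zone}")
        # hostNetwork bypasses CNI NetworkPolicy and so defeats segmentation.
        if spec.get("hostNetwork", False):
            findings.append(f"{zone} zone forbids hostNetwork")
    return findings


def flow_allowed(src_zone: str, dst_zone: str, explicit_allow=frozenset()) -> bool:
    """Whether traffic from src_zone to dst_zone may exist at all.

    Same-zone traffic is allowed. The secure zone is air-gapped, so nothing
    crosses its boundary in either direction. The protected zone is segmented:
    cross-zone flows are denied unless listed in explicit_allow as
    (src_zone, dst_zone) pairs. Public-to-public relies on logical separation.
    """
    if src_zone == dst_zone:
        return True
    if src_zone in AIR_GAPPED or dst_zone in AIR_GAPPED:
        return False
    if "protected" in (src_zone, dst_zone):
        return (src_zone, dst_zone) in explicit_allow
    return True


def make_pod(name, classification, node_pool=None, host_network=False):
    """Build a minimal pod manifest (constructed test input, not a live object)."""
    spec = {"containers": [{"name": "app", "image": "registry.example/app:1.0"}]}
    if node_pool:
        spec["nodeSelector"] = {"node-pool": node_pool}
    if host_network:
        spec["hostNetwork"] = True
    return {"metadata": {"name": name, "labels": {"classification": classification}},
            "spec": spec}


if __name__ == "__main__":
    ledger = make_pod("ledger", "OFFICIAL-SENSITIVE", node_pool="protected")
    print(placement_findings(ledger, {"zone": "protected"}))  # []
    print(placement_findings(ledger, {"zone": "public"}))     # zone below classification
    print(flow_allowed("public", "secure"), flow_allowed("protected", "protected"))
```

In a real cluster the same rules live in a Kyverno `validate` rule or a Gatekeeper constraint for placement and in per-namespace Cilium or Calico policies for flows; the value of writing them out first is that the explicit-allow list for the protected zone becomes a reviewable artefact rather than an accumulation of ad hoc policy objects.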