Common Architecture Framework
Jurisdiction-neutral reference architecture, principles, and patterns applicable to all cooperating governments undertaking sovereign cloud migration.
Framework Structure
The common framework provides a shared foundation that each jurisdiction adapts to its specific governance, compliance, and procurement requirements.
Sovereign Cloud Stack Overview
Application Layer
Government Services | Citizen Portals | Internal Systems
Platform Services (PaaS)
Containers | Databases | Messaging | API Gateway | Functions
Infrastructure Services (IaaS)
Compute (VMs/Bare Metal) | Object Storage | Block Storage | Networking | DNS
Security & Identity Layer
IAM | Encryption/KMS | Network Security | SIEM | Compliance
Physical Infrastructure
Sovereign Datacenters | Network Connectivity | HSMs
Guiding Principles
Sovereignty First
- Data resides within national borders
- Subject only to domestic law
- No US entity in supply chain
- Local control over encryption keys
Open Standards
- Avoid proprietary lock-in
- Kubernetes for orchestration
- Standard APIs and protocols
- Portable workloads
Security by Design
- Zero-trust architecture
- Encryption at rest and in transit
- Sovereign key management
- Continuous compliance monitoring
Recommended Technology Stack
The following open-source technologies form the foundation of the sovereign cloud platform:
| Layer | US Provider Service | Sovereign Alternative | Notes |
|---|---|---|---|
| Container Orchestration | EKS, AKS, GKE | Kubernetes (vanilla), Rancher, K3s | CNCF standard |
| Object Storage | S3, Azure Blob, GCS | MinIO, Ceph, SeaweedFS | S3-compatible APIs |
| Relational Database | RDS, Aurora, Cloud SQL | PostgreSQL, MariaDB | Open source, enterprise support available |
| Identity & Access | IAM, Azure AD | Keycloak, Authentik | OIDC/SAML compliant |
| Secrets Management | KMS, Key Vault | OpenBao, local HSMs | Sovereign key custody |
| Message Queue | SQS, Azure Service Bus | Apache Kafka, RabbitMQ | Event-driven architecture |
| API Gateway | API Gateway, APIM | Kong, Traefik, APISIX | Rate limiting, auth, routing |
| Monitoring | CloudWatch, Azure Monitor | Prometheus, Grafana, ELK | Full observability stack |
| Infrastructure as Code | CloudFormation, ARM | OpenTofu, Ansible, Pulumi | Provider-agnostic |
Migration Approach Overview
Phased Migration Strategy
Phase 0: Assessment & Planning
Inventory current workloads, assess migration complexity, establish governance, select pilot candidates.
Phase 1: Pilot Migration
Migrate low-risk, non-critical workloads to prove sovereign cloud platform. Validate architecture, tooling, and operational procedures.
Phase 2: Platform Foundation
Build out full sovereign cloud platform capabilities. Establish security baselines, monitoring, disaster recovery.
Phase 3-4: Migration Waves
Systematic migration of production workloads by priority. High-sovereignty-risk workloads first, then broader portfolio.
Phase 5: Optimisation
Performance tuning, cost optimisation, operational maturity improvements.
Phase 6: US Cloud Exit
Complete decommissioning of US cloud workloads. Contract termination, data deletion verification.
Workload Prioritisation Matrix
| Priority | Sovereignty Risk | Migration Complexity | Example Workloads |
|---|---|---|---|
| Highest | Critical (national security, intel) | Any | Defence, intelligence, diplomatic comms |
| High | High (citizen data, policy) | Low-Medium | Healthcare, benefits, tax systems |
| Medium | Medium | Any | Internal admin, non-sensitive services |
| Lower | Low | High (legacy, complex) | Public websites, open data |
Detailed Documentation
Select a section below to access detailed technical documentation:
- Architecture Principles - Sovereignty, security, openness, governance
- Reference Architecture - Complete sovereign cloud stack design
- Migration Strategy - Phased approach, patterns, playbooks
- Supplier Consortium - Selection criteria, procurement, SLAs
- Governance Model - Cooperative governance, decision framework