Level 2 Technical Documentation

Apache CloudStack Use Cases

Building sovereign hyperscale cloud infrastructure in Crown datacentres using Apache CloudStack and open-source alternatives to critical AWS services.

Apache CloudStack (cloudstack.apache.org) is a mature, open-source cloud computing platform that enables building IaaS clouds comparable to AWS, Azure, and GCP. It is used in production by major service providers and governments worldwide, including significant deployments in Europe and Asia-Pacific.

Executive Overview

This document demonstrates how sovereign nations can build AWS-equivalent cloud infrastructure using Apache CloudStack and complementary open-source technologies. The approach enables:

200+ Production deployments worldwide
Millions VMs managed globally
Apache Foundation governance
15+ Years in production

Use Case 1: Sovereign Hyperscaler in Crown Datacentres

PRIMARY USE CASE: Building a National Cloud Platform

Scenario

A government (UK, EU member state, Canada, or Australia) needs to build sovereign cloud infrastructure in nationally-owned datacentres (e.g., UK Crown Hosting Data Centres, Canadian Shared Services facilities, Australian Government datacentres) that provides AWS-equivalent capabilities without US jurisdiction exposure.

Solution Architecture

Sovereign Hyperscaler Architecture

Sovereign Hyperscaler Architecture SOVEREIGN CLOUD PLATFORM (Apache CloudStack Foundation) SELF-SERVICE PORTAL CloudStack API Gateway OpenTofu Department UI (Kong) Provider Self-Service PLATFORM SERVICES LAYER (Kubernetes + Open Source) OpenFaaS PostgreSQL MinIO Keycloak Kafka (Lambda) (RDS) (S3) (Cognito) (Kinesis) INFRASTRUCTURE LAYER (CloudStack IaaS) Compute (VMs) Primary Secondary Network KVM / VMware Storage Storage (SDN/VLAN) (Ceph/NFS) (Object/S3) PHYSICAL LAYER (Crown/Government Datacen...

Diagram representation - see page content for details

CloudStack Core Capabilities Replacing AWS

AWS Service CloudStack Equivalent Implementation
EC2 (Compute) CloudStack Compute Native: VMs with KVM, VMware, or XenServer hypervisors
VPC / Networking CloudStack Advanced Networking Native: VPCs, VLANs, security groups, VPNs
EBS (Block Storage) CloudStack Volumes Native: Backed by Ceph RBD, NFS, or SAN
ELB (Load Balancer) CloudStack LB Native: NetScaler, HAProxy, or F5 integration
Auto Scaling CloudStack AutoScale Native: Policy-based automatic VM scaling
IAM CloudStack Accounts/Domains Native: Multi-tenant with RBAC + Keycloak integration
CloudWatch CloudStack + Prometheus Integration: CloudStack events + Prometheus metrics
CloudFormation OpenTofu + CloudStack Provider Integration: Full IaC support via OpenTofu provider

Open-Source FaaS Replacing AWS Lambda

AWS Lambda is one of the most critical services to replace. The following open-source Function-as-a-Service (FaaS) platforms can be deployed on CloudStack-managed Kubernetes:

Platform Maturity Best For Lambda Parity
OpenFaaS Production General purpose, excellent docs, large community High - HTTP triggers, async, auto-scaling
Knative Serving Production Scale-to-zero, event-driven, CNCF backed High - Native K8s, event sources
Fission Production Fast cold starts, multi-language support Medium - Good for simple functions
Apache OpenWhisk Production IBM-backed, enterprise features, triggers High - Full event model, sequences
Nuclio Production High-performance, data/AI workloads Medium - Focus on performance

Recommended FaaS Implementation: OpenFaaS

OpenFaaS is recommended as the primary Lambda replacement due to:

  • Mature, production-proven platform (used by VMware, BT, and others)
  • Simple deployment on Kubernetes managed by CloudStack
  • Auto-scaling including scale-to-zero
  • Support for any language via containers
  • REST API compatible with CI/CD pipelines
  • Built-in metrics and monitoring with Prometheus
  • Event connectors for Kafka, NATS, and HTTP webhooks
# Deploy OpenFaaS on CloudStack-managed Kubernetes

# 1. Install OpenFaaS using arkade (official installer)
arkade install openfaas

# 2. Deploy a function (example: Python handler)
faas-cli new --lang python3 my-function
faas-cli up -f my-function.yml

# 3. Invoke the function
curl https://gateway.openfaas.local/function/my-function \
  -d '{"message": "Hello from sovereign cloud"}'

# 4. Auto-scaling configuration
# Functions automatically scale based on request rate
# Scale to zero after idle period (configurable)

Implementation Phases

Phase 1: Foundation Infrastructure

Deploy CloudStack management cluster in primary datacentre. Install KVM compute hosts. Configure Ceph storage cluster for primary and secondary storage. Establish network zones and VLANs.

Phase 2: Platform Services

Deploy Kubernetes clusters on CloudStack VMs. Install OpenFaaS for serverless. Deploy PostgreSQL operators for managed databases. Install MinIO for S3-compatible storage.

Phase 3: Self-Service Portal

Configure CloudStack UI and API access. Integrate with government identity (via Keycloak). Deploy OpenTofu provider. Create department-specific accounts and quotas.

Phase 4: Secondary Region

Replicate architecture to secondary datacentre. Configure cross-region replication for storage. Establish disaster recovery procedures.

Complete AWS Service Mapping

The following table provides a comprehensive mapping of the most commonly used AWS services to their open-source equivalents that can be deployed on CloudStack:

Category AWS Service Open Source Alternative Maturity Implementation Notes
Compute EC2 CloudStack Compute Native Full VM lifecycle, templates, snapshots, live migration
Lambda OpenFaaS / Knative Production Deploy on K8s clusters managed by CloudStack
ECS/EKS Kubernetes + Rancher Production CloudStack Container Service or self-managed K8s
Batch Apache Airflow / Argo Workflows Production Workflow orchestration on Kubernetes
Storage S3 MinIO / Ceph RGW Production S3-compatible API; MinIO for simplicity, Ceph for scale
EBS CloudStack Volumes + Ceph RBD Native Block storage with snapshots and encryption
EFS CephFS / GlusterFS Production Shared file systems for containers and VMs
Glacier MinIO Tiering / Tape Archive Maturing Cold storage tiering with lifecycle policies
Database RDS (PostgreSQL) CloudNativePG / Patroni Production Kubernetes operator for managed PostgreSQL
RDS (MySQL) Vitess / MySQL Operator Production Scalable MySQL clustering for Kubernetes
DynamoDB ScyllaDB / Apache Cassandra Production Wide-column NoSQL; ScyllaDB offers DynamoDB API
ElastiCache Valkey / KeyDB / Dragonfly Production Redis-compatible caching with operators
DocumentDB FerretDB / MongoDB Production MongoDB API on PostgreSQL backend
Networking VPC CloudStack Advanced Networking Native Isolated networks, VPNs, NAT, security groups
Route 53 PowerDNS / CoreDNS Production Authoritative DNS with API management
ELB/ALB HAProxy / Traefik / NGINX Production CloudStack integrates with NetScaler, HAProxy
CloudFront Varnish / Apache Traffic Server Production CDN/caching layer at edge locations
API Gateway Kong / Traefik / APISIX Production Full API management, rate limiting, auth
Messaging SQS RabbitMQ / NATS Production Message queuing with delivery guarantees
SNS NATS / RabbitMQ Exchange Production Pub/sub messaging patterns
Kinesis Apache Kafka / Redpanda Production Real-time streaming; Redpanda is Kafka-compatible
EventBridge Knative Eventing / NATS Production Event routing and filtering
Security IAM Keycloak + CloudStack RBAC Production Full identity federation, OIDC, SAML
KMS OpenBao + HSM Production Sovereign key management with hardware HSMs
Secrets Manager OpenBao Production Dynamic secrets, rotation, access policies
Cognito Keycloak / Authentik Production User pools, social login, MFA
Observability CloudWatch Prometheus + Grafana Production Metrics collection, dashboards, alerting
CloudTrail CloudStack Events + Audit Logging Native API call logging, compliance auditing
X-Ray Jaeger / Tempo Production Distributed tracing for microservices

Additional Use Cases (2-11)

Use Case 2: Multi-Tenant Government Department Platform

Scenario

Central IT provides cloud infrastructure shared across multiple government departments, each with isolated environments, separate billing, and department-specific compliance requirements.

CloudStack Solution

  • Domains: Each department has its own CloudStack domain with sub-accounts
  • Resource Limits: CPU, memory, storage quotas per department
  • Network Isolation: Separate VPCs per department with no cross-talk
  • Billing Integration: CloudStack usage records for chargeback/showback
  • SSO Integration: Each department's identity provider via Keycloak federation

Example Departments

Department Typical Workloads Special Requirements
Health Patient records, research computing GDPR, NHS DSPT, air-gapped option
Revenue Tax systems, fraud detection High availability, audit trails
Benefits Claims processing, citizen portal Peak scaling, disaster recovery
Defence Classified workloads SECRET classification, physical isolation

Use Case 3: Disaster Recovery & Business Continuity

Scenario

Critical government services require robust disaster recovery capabilities with RPO (Recovery Point Objective) of 15 minutes and RTO (Recovery Time Objective) of 1 hour.

CloudStack DR Features

  • Multi-Zone Deployment: Primary and secondary zones in geographically separate datacentres
  • Storage Replication: Ceph cross-site replication for block and object storage
  • VM Snapshots: Scheduled snapshots with cross-zone copy
  • Database Replication: PostgreSQL streaming replication to standby cluster
  • DNS Failover: Automated DNS cutover using PowerDNS with health checks

Implementation Pattern

# CloudStack DR Configuration

Primary Zone: zone-london (Crown DC 1)
Secondary Zone: zone-manchester (Crown DC 2)

Storage Replication:
  - Ceph RBD mirroring: async, 15-minute sync
  - MinIO bucket replication: enabled

VM Recovery:
  - Snapshot schedule: every 15 minutes
  - Cross-zone copy: automated via CloudStack APIs

Database (PostgreSQL):
  - Patroni cluster: 1 primary (London), 2 replicas (1 London, 1 Manchester)
  - Automatic failover: < 30 seconds

DNS (PowerDNS):
  - Health check interval: 30 seconds
  - Failover threshold: 3 failed checks
  - TTL: 60 seconds

Use Case 4: Citizen-Facing Digital Services Platform

Scenario

Government needs to host citizen-facing services (e.g., tax filing, benefits applications, passport renewal) with high availability, auto-scaling, and integration with national identity systems.

Architecture

  • Frontend: Static assets on MinIO + CDN caching (Varnish)
  • API Layer: Kong API Gateway with rate limiting and authentication
  • Microservices: Kubernetes (CloudStack-managed) with OpenFaaS functions
  • Identity: Keycloak federated with GOV.UK Verify / myGov / Service Canada
  • Data: PostgreSQL clusters with connection pooling (PgBouncer)
  • Scaling: Kubernetes HPA + CloudStack AutoScale for VMs

Peak Load Handling

Tax filing deadlines create predictable peak loads. CloudStack's AutoScale groups combined with Kubernetes horizontal pod autoscaling handle:

  • 10x normal traffic during filing deadline
  • Pre-warming Kubernetes nodes before predicted peaks
  • Graceful scaling down after peaks to reduce costs

Use Case 5: Data Analytics & Business Intelligence

Scenario

Government departments need data analytics capabilities for policy analysis, fraud detection, and operational reporting without exposing sensitive data to US cloud providers.

Open Source Analytics Stack

AWS Service Open Source Replacement Purpose
Redshift ClickHouse / Apache Druid Column-store analytics database
Athena Trino (formerly Presto) SQL query engine for data lakes
Glue Apache Spark / dbt ETL and data transformation
QuickSight Apache Superset / Metabase Business intelligence dashboards
EMR Apache Spark on K8s Big data processing clusters
Lake Formation Apache Hive Metastore Data catalogue and governance

Data Lake Architecture

Sovereign Data Lake on CloudStack
Data Consumers
Superset Dashboards
Jupyter Notebooks
Trino SQL Clients
Query Layer
Trino Cluster (distributed SQL across data sources)
Processing Layer
Apache Spark (ETL, ML training)
Apache Airflow (Orchestration)
Storage Layer
MinIO (S3-compatible)
/bronze/ (raw data) → /silver/ (cleaned, validated) → /gold/ (aggregated, ready for analysis)

Use Case 6: Healthcare Records Platform (OFFICIAL-SENSITIVE)

Scenario

National health service requires sovereign infrastructure for electronic health records, clinical systems, and research data that must never leave national jurisdiction or be accessible to foreign entities.

Compliance Requirements

  • GDPR: Data subject rights, lawful basis, retention policies
  • National Health Data Standards: NHS DSPT (UK), HIPAA-equivalent (CA/AU)
  • Classification: OFFICIAL-SENSITIVE handling
  • Audit: Full access logging, immutable audit trails

CloudStack Security Configuration

  • Network Isolation: Dedicated VLANs, no internet egress for data tier
  • Encryption: Ceph encryption at rest, TLS everywhere, OpenBao for keys
  • Access Control: Keycloak with MFA mandatory, role-based access
  • Audit Logging: CloudStack events + application logs to Wazuh SIEM
  • Data Masking: Anonymisation for research extracts

Use Case 7: Development & Testing Environments

Scenario

Government digital teams need self-service development environments that mirror production but with reduced costs and faster provisioning.

CloudStack DevTest Features

  • Templates: Pre-configured VM templates with development stacks
  • Self-Service: Developer portal for instant environment creation
  • Ephemeral Environments: Auto-destroy after configurable period
  • Cost Controls: Per-team quotas, scheduled shutdowns
  • Production Mirroring: Same networking, storage, services as production

CI/CD Integration

# GitLab CI pipeline using CloudStack

stages:
  - provision
  - test
  - destroy

provision-env:
  stage: provision
  script:
    - opentofu init
    - opentofu apply -auto-approve -var="env_name=ci-${CI_PIPELINE_ID}"
  environment:
    name: review/${CI_COMMIT_REF_SLUG}
    on_stop: destroy-env

integration-tests:
  stage: test
  script:
    - pytest tests/integration --env ci-${CI_PIPELINE_ID}

destroy-env:
  stage: destroy
  when: manual
  script:
    - opentofu destroy -auto-approve -var="env_name=ci-${CI_PIPELINE_ID}"

Use Case 8: AI/ML Training Platform

Scenario

Government AI/ML initiatives require GPU compute for training models on sensitive data (fraud detection, medical imaging, policy simulation) without data leaving sovereign jurisdiction.

CloudStack GPU Support

  • GPU Passthrough: NVIDIA GPUs passed to VMs for ML training
  • vGPU Support: NVIDIA GRID for shared GPU access
  • Kubernetes GPU: NVIDIA device plugin for K8s workloads

ML Stack on CloudStack

AWS Service Open Source Replacement
SageMaker Kubeflow / MLflow
SageMaker Notebooks JupyterHub
SageMaker Training Kubeflow Training Operator
SageMaker Inference Seldon Core / KServe
SageMaker Feature Store Feast

Use Case 9: Edge Computing for Remote Locations

Scenario

Government services in remote locations (Canadian Arctic, Australian outback, Scottish Highlands) need local compute with limited connectivity to central cloud.

CloudStack Edge Solution

  • CloudStack Zones: Lightweight edge zones with local compute
  • K3s: Lightweight Kubernetes for edge workloads
  • Synchronisation: Eventual consistency with central systems
  • Offline Operation: Continue functioning when disconnected

Edge Architecture

Central Cloud (Crown DC)
  • CloudStack Management
  • Primary Zone
  • Full Services
◄► SYNC
Edge Location (Remote Site)
  • Edge CloudStack Zone
  • 2-3 compute hosts
  • Local Ceph storage
  • K3s cluster
  • Local MinIO cache

Use Case 10: Secure Communications Platform

Scenario

Government requires secure internal communications (email, messaging, video conferencing) that cannot be monitored or disrupted by foreign powers.

Sovereign Communications Stack

Function Commercial (US) Sovereign Alternative
Email Microsoft 365, Gmail Open-Xchange / Zimbra
Messaging Slack, Teams Element (Matrix)
Video Zoom, Teams Jitsi / BigBlueButton
File Sharing OneDrive, Dropbox Nextcloud
Office Suite Microsoft 365 LibreOffice + Collabora

Security Features

  • End-to-end encryption (Matrix Olm/Megolm)
  • Self-hosted infrastructure on CloudStack
  • No external dependencies or cloud services
  • Full audit logging and compliance

Use Case 11: Regulatory Sandbox / Innovation Platform

Scenario

Government innovation teams and approved startups need sandbox environments to test new technologies (blockchain, AI, IoT) with access to government APIs without affecting production systems.

CloudStack Sandbox Features

  • Isolated Projects: Each innovation project in separate CloudStack project
  • Synthetic Data: Anonymised datasets for testing
  • API Mockups: Mock government APIs for integration testing
  • Time-Limited: Automatic resource reclaim after project ends
  • Graduated Exit: Path to production for successful projects

Sandbox Governance

CloudStack Sandbox Domains:

gov-sandbox/
├── fintech-projects/        # Financial innovation
│   ├── project-alpha/       # 6-month allocation
│   └── project-beta/        # 3-month allocation
├── health-innovation/       # Healthcare startups
│   └── medtech-trial/       # Clinical data sandbox
└── govtech-accelerator/     # Digital government innovation
    ├── team-1/
    └── team-2/

Resource Limits per Project:
- 16 vCPU, 64GB RAM, 500GB storage
- No internet egress (controlled proxy only)
- Synthetic data only (no production data)
- Auto-suspend after 30 days inactive

International Cooperative Implementation

Cooperative Principle: Each jurisdiction retains full sovereignty over its infrastructure while sharing standards, knowledge, and development effort. No jurisdiction is required to share data or grant access to other jurisdictions.

Shared Development Model

International Cooperative Structure

International Cooperative Structure SHARED DEVELOPMENT LAYER Collaborative GitLab (hosted in EU) • Shared IaC modules (OpenTofu, Ansible) • Common Kubernetes operators and Helm charts • Security baselines and compliance policies • Documentation and runbooks JURISDICTION DEPLOYMENTS (Independent) UK Crown DCs EU Gaia-X Canada GC AU Government Compatible Cloud Cloud • CloudStack • CloudStack • CloudStack • CloudStack • Local Data • Local Data • Local Data • Local Data • UK Law • EU Law • CA Law • ...

Diagram representation - see page content for details

Working Groups

Working Group Focus Shared Outputs
Platform Engineering CloudStack deployment, Kubernetes operators OpenTofu modules, Helm charts, operator code
Security Standards Security baselines, compliance frameworks Policy-as-code (OPA), CIS benchmarks, audit tools
Data Services PostgreSQL, MinIO, Kafka operations Operators, backup strategies, performance tuning
Identity Federation Keycloak configuration, SSO patterns Federation templates, MFA integrations
Observability Monitoring, logging, alerting Grafana dashboards, Prometheus rules, alert templates
Migration Tooling AWS/Azure migration patterns Migration playbooks, assessment tools, cost models

Knowledge Sharing Mechanisms

Contribution Model

Jurisdiction Potential Lead Areas Rationale
EU (Germany/France) CloudStack core, Gaia-X integration, GDPR compliance Strong open-source ecosystem, Gaia-X leadership
UK Security frameworks, GDS patterns, digital identity Mature GDS standards, NCSC security expertise
Canada Bilingual support, Arctic edge computing Official languages requirements, remote coverage needs
Australia PSPF compliance, Asia-Pacific edge, DR patterns Geographic isolation expertise, Five Eyes alignment

Governance Principles

Sovereignty Preserved

  • Each nation controls its own infrastructure
  • No shared data across jurisdictions
  • Local compliance with local law only
  • Any nation can exit cooperation at will

No Central Authority

  • No supranational governance body
  • Consensus-based decision making
  • Working groups coordinate, not command
  • Each implements at own pace

Implementation Summary

Apache CloudStack provides a mature, production-proven foundation for building sovereign hyperscale cloud infrastructure. Combined with open-source FaaS (OpenFaaS/Knative), managed databases, and object storage, governments can replicate the critical capabilities of AWS without US jurisdiction exposure.

International cooperation enables shared development effort and knowledge transfer while each jurisdiction maintains complete sovereignty over its data and infrastructure.
Back to Level 2 Technical
View Reference Architecture