Takeaways from the whitepaper "Enabling Data Residency and Data Protection in Microsoft Azure Regions"

Enabling Data Residency and Data Protection in Microsoft Azure Regions [PDF] describes how Microsoft helps customers meet data residency and data protection requirements. Some interesting facts and takeaways from the 34-page whitepaper:

  • Selecting Azure datacenter regions for workload deployment should be based on technical and regulatory requirements. 
  • An Availability Zone in an Azure region is a combination of a fault domain and an update domain. 
  • A region can consist of several datacenters even if the region does not have multiple Availability Zones. 
  • An Azure geography ensures that data residency, sovereignty, compliance, and resiliency requirements are honored within geographical boundaries. 
  • A geo can be a country or a set of countries. 
  • Zone-redundant services (for example zone-redundant storage) replicate data synchronously across the Availability Zones of a region. A VM itself is pinned to a single zone, so zone resiliency for VMs means deploying instances into more than one zone. 
  • Managed Disks provide redundancy within an Availability Zone, with three replica instances spread across storage stamps in the same datacenter and support designing for a recovery point objective of zero hours within an Availability Zone for resiliency and high availability purposes. 
  • There are three high-level scenarios that can impact Virtual Machines in Azure: planned maintenance, unplanned hardware maintenance, unexpected downtime.
  • The Azure Site Recovery service provides a multi-VM consistency group option, which creates a replication group with shared crash-consistent and app-consistent recovery points when failed over.
  • Enabling multi-VM consistency can impact workload performance as it is CPU intensive. The maximum number of virtual machines in a replication group is sixteen.
  • A crash-consistent recovery point does not guarantee data consistency for the operating system, nor for apps on the VM. Today, most apps can recover well from crash-consistent recovery points. 
  • Azure Site Recovery creates crash-consistent recovery points every five minutes by default, and this setting cannot be modified. 
  • Application-consistent recovery points are created from app-consistent snapshots. An app-consistent snapshot contains all the information in a crash-consistent snapshot, plus all the data in memory and in-progress transactions. App-consistent snapshots use the Volume Shadow Copy Service (VSS). 
  • These are more complex and take longer to complete than crash-consistent snapshots and affect the performance of applications running on a virtual machine enabled for replication. 
  • By default, Azure Site Recovery takes an app-consistent snapshot every 4 hours, but it is possible to configure any value between 1 and 12 hours. 
  • Microsoft's SLAs cover service availability; recovery time objective (RTO) and recovery point objective (RPO) depend on the customer's architecture, so Azure does not provide RTO and RPO SLAs.
  • Proximity placement groups offer co-location of Azure VMs in the same datacenter. A proximity placement group is a logical grouping used to make sure that Azure compute resources are located physically close to each other, reducing latency. This feature is especially useful for improving performance of SAP workloads deployed to Azure. 
  • To ensure the best performance of such systems it is essential to keep latency low between the different components. Especially critical is the communication between the application servers and the database, as well as the latency between SAP HANA VMs when synchronous replication has to be enabled. 
  • Azure services are grouped into three categories: foundational, mainstream, and specialized services.
  • Preview, beta, or other prerelease services typically store customer data in the United States but may store it globally.
  • A limited set of non-regional Azure services do not let the customer specify the region in which the service is deployed, because they rely on a global architecture. These include Content Delivery Network (CDN), Azure Active Directory and Azure Multi-Factor Authentication (MFA). Azure Active Directory may store directory data globally, except for deployments in the United States (where directory data is stored solely in the United States) and in Europe (where directory data is stored in Europe or the United States).
  • To implement governance over cloud infrastructure and data (including, but not limited to, the regions in which resources can be deployed, which services can be deployed, and resource monitoring requirements), Microsoft provides Azure Policy. To restrict deployments to specific Azure regions (e.g. for data residency), the built-in Allowed Locations policy can be assigned.
  • Azure Blueprints is a free service that provides templates to create, deploy and update fully governed cloud environments to consistent standards and in line with regulatory requirements. It differs from Azure Resource Manager (ARM) templates and Azure Policy in that a blueprint is a package that bundles several artifact types (Resource Manager templates, resource groups, policy assignments and role assignments) into one container, so all of them can be deployed together in a repeatable configuration, which simplifies large-scale deployments. Note that Microsoft has since announced the deprecation of Azure Blueprints (which remained in preview) in favor of Template Specs and Deployment Stacks. 
  • Microsoft provides built-in blueprints to deploy common compliance certification scenarios. For  example, the ISO 27001 Blueprint and the PCI DSS Blueprint map a core set of policies for those respective standards to any Azure environment. Blueprints can be deployed to multiple Azure subscriptions and managed from a central location, and are scalable to support production implementations for large-scale migrations. 
  • In Azure, the most important use case for telemetry is its use as a sensor for the automated operation of the cloud. Based on the telemetry information and desired state configuration, remediation activities are triggered via automation, thus reducing the additional risk caused by manual human intervention.
  • Azure undergoes a SOC audit by an AICPA-accredited auditor twice a year to verify the effectiveness of its security controls in audit scope.
  • Azure Key Vault is designed to support application keys and secrets and it is not intended to be a store for user passwords. Access to a key vault is controlled through two separate interfaces: the management plane and the data plane. Access controls for the management plane and data plane work independently. Customers should use dedicated role definitions in Azure Active Directory to manage role-based access. This approach implements an effective segregation of duties. 
  • The client-side encryption model refers to encryption that is performed outside of the Resource Provider or Azure. Client-side encryption does not work for artificial intelligence (AI) and machine learning services, analytics services, containers, compute services, identity services, management and governance services, security services, and many storage services.
  • Azure confidential computing protects customer data at runtime, bringing Intel SGX and Virtualization Based Security (VBS) to the cloud. Confidential computing helps ensure that when data needs to be “in the clear” (unencrypted) for efficient processing, the data is protected inside a Trusted Execution Environment (TEE).
  • To use confidential computing, customers choose the DCsv2-series VMs, which at the time of the whitepaper were backed by Intel Xeon E-2288G processors with SGX; newer confidential VM series have since been added. 
  • Microsoft will comply with all laws and regulations applicable to its provision of its online services, including security breach notification laws. However, Microsoft is not responsible for compliance with any laws or regulations applicable to the customer or the customer’s industry that are not generally applicable to information technology service providers. Microsoft does not determine whether customer data includes information subject to any specific law or regulation.
  • Microsoft contractually commits to meet GDPR requirements not only in the European Union but in all public cloud regions. 
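As an added example, not taken from the whitepaper, this is how the Allowed Locations governance described above is put in place with Azure PowerShell. It assigns the two built-in policies (one for resources, one for resource groups, which the resource policy does not cover) at subscription scope and then lists existing resources that already violate the assignment. The subscription id and the chosen regions are placeholders; the Az.Resources and Az.PolicyInsights modules and a signed-in account with permission to create policy assignments are assumed. Two caveats a practitioner should keep in mind: the built-in rule exempts resources whose location is "global", so it cannot constrain the non-regional services listed above (CDN profiles, Traffic Manager and the like), and it only checks where a resource is deployed, not where its data is replicated to (geo-redundant storage, for instance, copies data to the paired region).

```powershell
# Added example (not from the whitepaper): enforce EU-only deployments with the
# built-in "Allowed locations" policies. Placeholder subscription id and regions.
# Assumes Az.Resources and Az.PolicyInsights, and Connect-AzAccount has been run.

$scope   = "/subscriptions/00000000-0000-0000-0000-000000000000"
$allowed = @("westeurope", "northeurope")

# Look the built-in definitions up by display name instead of hard-coding their ids.
# (Older Az.Resources versions expose the name under $_.Properties.DisplayName,
#  newer ones flatten it to $_.DisplayName; adjust to the module version in use.)
$resourcePolicy = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq "Allowed locations" }
$rgPolicy = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq "Allowed locations for resource groups" }

# Both built-in definitions take one array parameter named listOfAllowedLocations.
$params = @{ listOfAllowedLocations = $allowed }

# Deny resources outside the allowed regions. Resources with location "global"
# are exempted by the built-in rule itself and are therefore not blocked here.
New-AzPolicyAssignment -Name "eu-only-resources" `
    -DisplayName "Data residency: resources in EU regions only" `
    -Scope $scope -PolicyDefinition $resourcePolicy -PolicyParameterObject $params

# Resource groups have their own location and need the second policy.
New-AzPolicyAssignment -Name "eu-only-resource-groups" `
    -DisplayName "Data residency: resource groups in EU regions only" `
    -Scope $scope -PolicyDefinition $rgPolicy -PolicyParameterObject $params

# A deny effect only stops new deployments; resources that already exist outside
# the allowed regions stay where they are. List them so they can be remediated.
$subscriptionId = $scope.Split('/')[-1]
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq 'eu-only-resources' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation
```

Compliance results from Get-AzPolicyState lag behind the assignment by a compliance evaluation cycle, so the last query is typically re-run some time after the assignment is created rather than immediately.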
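The Key Vault point above (management plane and data plane controlled independently, with dedicated role definitions for segregation of duties) is illustrated by the following added example, which is not part of the whitepaper. It creates a vault whose data plane uses Azure RBAC rather than vault access policies, gives a platform team management-plane rights only and a workload identity data-plane read rights only, and then lists who holds data-plane roles. Resource group, vault name and object ids are placeholders; the Az.KeyVault and Az.Resources modules and a signed-in account able to create role assignments are assumed. The reason for choosing the RBAC permission model is the practitioner caveat behind the segregation-of-duties advice: with vault access policies, anyone who can write the vault resource on the management plane can add an access policy for themselves and reach the secrets, whereas with RBAC a data-plane grant requires a role assignment, which a Key Vault Contributor cannot create.

```powershell
# Added example (not from the whitepaper): separate management-plane and
# data-plane access to a Key Vault. Placeholder names and object ids.
# Assumes Az.KeyVault and Az.Resources, and Connect-AzAccount has been run.

$rg    = "rg-secrets-weu"
$vault = "kv-payments-weu-001"
$loc   = "westeurope"

# -EnableRbacAuthorization switches the data plane from vault access policies
# to Azure RBAC, so management-plane writers can no longer grant themselves
# secret access by editing access policies. Purge protection keeps deleted
# secrets recoverable for the retention period.
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $loc `
        -EnableRbacAuthorization -EnablePurgeProtection -SoftDeleteRetentionInDays 90

# Management plane: the platform team may change vault settings, networking and
# diagnostics. "Key Vault Contributor" carries no data actions, so it cannot
# read, list or set secrets, keys or certificates.
New-AzRoleAssignment -ObjectId "<platform-team-group-object-id>" `
    -RoleDefinitionName "Key Vault Contributor" -Scope $kv.ResourceId

# Data plane: the workload's managed identity may read secret values and nothing
# else (no key or certificate operations, no writes, no vault configuration).
New-AzRoleAssignment -ObjectId "<workload-managed-identity-object-id>" `
    -RoleDefinitionName "Key Vault Secrets User" -Scope $kv.ResourceId

# Review: which principals hold data-plane roles on this vault? Only the
# workload identity should appear; the platform team must not.
Get-AzRoleAssignment -Scope $kv.ResourceId |
    Where-Object { $_.RoleDefinitionName -like "Key Vault*" -and
                   $_.RoleDefinitionName -ne "Key Vault Contributor" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName
```

One residual gap remains: a management-plane writer can switch the permission model back to access policies by updating the vault resource. The built-in Azure Policy "Azure Key Vault should use RBAC permission model" (assigned with a deny effect, in the same way as the Allowed Locations policy) pins the model so that this cannot be undone outside the governance process.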
