EU-only alternatives to Microsoft Azure.

Microsoft Azure is the cloud most often defended with the words "but we already use Microsoft for everything." That defence does not survive a Schrems II analysis: Microsoft Corporation is a US company, every Azure subsidiary is US-controlled, and Microsoft has explicitly acknowledged in court (Microsoft Ireland, 2018) that it would comply with valid US legal process for data anywhere globally — which is precisely what the CLOUD Act later codified. The "Microsoft Cloud for Sovereignty" and Bleu (Microsoft × Capgemini × Orange) initiatives are interesting but technology-licensed from a US parent. For genuine EU sovereignty, you exit. Below is the map.

Vendor: Microsoft Azure
Headquarters: Redmond, WA
Jurisdiction: United States
Legal regime: CLOUD Act, FISA 702, EO 12333

An "EU region" is not sovereignty. Four questions decide everything.

Data residency tells you where the data is. Sovereignty tells you which legal system can compel access to it. All four answers must hold; otherwise the stack is not sovereign.

Residency

Where is the data physically stored?

Not "in the cloud", but in which data centre, in which country, under which jurisdiction.

Sub-processors

Who else is in your data path?

Every vendor that touches the data: CDN, mail relay, error tracking, analytics pipeline.

Jurisdiction

Which laws can compel disclosure?

A US-headquartered vendor is subject to FISA 702 and the CLOUD Act even when the data sits in Frankfurt.

Key custody

Who actually holds the encryption keys?

If the cloud provider holds both the data and the keys, it can read the data regardless of what the DPA says.

AWS · Azure · GCP (EU region)

Fails on jurisdiction and key custody.

EU data, US parent company, US sub-processors in the default path, provider-managed keys.

Binadit managed stack

Passes all four.

Hosted in the EU on EU-headquartered infrastructure. Zero US sub-processors in the default path. Customer-held or EU KMS keys. Listed by name in your Article 28 DPA.
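What "customer-held keys" means in practice for object storage: an added example, not Binadit's code, in which an object is encrypted client-side under a key the customer holds before it is uploaded to an S3-compatible EU bucket, so the provider stores only ciphertext it cannot read. The key value and object name are constructed for the demo; in production the key would be fetched from the customer's own KMS/HSM rather than embedded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo key. In production the key lives in the customer's own
// KMS/HSM (e.g. Vault on EU infra) and never reaches the storage provider.
var CustomerKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptObject encrypts client-side before upload and returns
// nonce||ciphertext||tag, the only bytes the EU object store ever receives.
// The object key (bucket path) is bound as AAD, so a blob cannot be served
// back under another name without failing authentication.
func EncryptObject(key, objectKey, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, objectKey), nil
}

// DecryptObject needs the customer key: a provider (or anyone compelling it)
// that holds only the stored blob reads nothing, and any alteration of the
// blob or of the object key fails the GCM tag check.
func DecryptObject(key, objectKey, blob []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob shorter than GCM nonce")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], objectKey)
}
```

The same pattern applies to the "EU-held keys for sensitive folders" supplementary measure discussed in the FAQ: the ciphertext may live anywhere, but the key never leaves EU-controlled custody.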

Why teams are exiting Microsoft Azure

Azure exits typically come from one of three triggers: a public-sector tender that explicitly excludes US-jurisdiction processors, a healthcare or financial services audit that flagged Microsoft 365 + Azure as a single concentration risk under DORA, or a CISO who calculated that the licence true-up costs and "free" Azure credits actually translate to vendor lock-in worth six figures. The Azure ecosystem has tighter coupling than AWS — Active Directory, Office 365, Defender, Sentinel are typically all in the mix — which makes the migration more invasive than its AWS equivalent. It is still doable; we have done it.

Microsoft Azure services and their EU-only equivalents

A migration is not "swapping one box for another". The mapping below is the one we run for clients leaving Microsoft Azure on Schrems II grounds: full EU jurisdiction, with no US parent company in the data path.

| Microsoft Azure service | EU-only alternative | Engineering note |
|---|---|---|
| Azure Virtual Machines | Hetzner Cloud, OVH, IONOS, Scaleway Instances | IaaS migration is straightforward; the Windows licensing chapter requires more thought (BYOL, or move to Linux where possible). |
| Azure Blob Storage | OVH Object Storage, Wasabi EU, self-hosted Ceph or MinIO | S3-compatible EU storage is the migration target; SDK changes are minimal. |
| Azure SQL Database | PostgreSQL or MySQL on EU managed providers (OVH, Aiven), or self-managed | Schema porting from Azure SQL (T-SQL flavour) is the longest single task; tools like AWS SCT or pgloader help. Often a good moment to revisit ORM choices. |
| Azure Front Door / CDN | Bunny.net, KeyCDN | Bunny offers comparable POP density and dramatically lower per-GB pricing. |
| Azure DNS | Hetzner DNS, Bunny DNS, deSEC | For most use cases Hetzner DNS is sufficient; deSEC adds DNSSEC by default. |
| AKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS K8s, or self-managed Talos / K3s on Hetzner | Helm charts and YAML transfer cleanly; Azure-specific add-ons (Application Gateway Ingress, Azure CNI) need replacing with standard equivalents. |
| Azure Functions | Scaleway Serverless Functions, self-hosted Knative or OpenFaaS | Most Azure Functions workloads fit a small EU Kubernetes cluster running Knative. |
| Azure Active Directory / Entra ID | Keycloak (RH-sponsored) on EU infra, Authentik (DE), self-hosted SCIM/OIDC providers | The hardest single migration. Plan for a 3-month parallel-run window. SSO integrations across SaaS need re-mapping. |
| Azure Service Bus / Event Grid | Self-hosted RabbitMQ or NATS, Apache Kafka on EU compute | Managed queueing options in the EU sovereign space are limited; self-managed is standard. |
| Azure Monitor / Application Insights | Self-hosted Prometheus + Grafana + Loki + Tempo, or Grafana Cloud EU region | OpenTelemetry instrumentation makes the swap mechanical for application code. |
| Azure Cosmos DB | PostgreSQL with appropriate indexing on EU managed services, or ScyllaDB / FoundationDB self-hosted | No 1:1 replacement for global multi-region active-active; if your workload truly needs that pattern, the conversation is different. |
| Defender / Sentinel (security) | Wazuh (self-hosted), CrowdSec (FR), self-hosted SIEM on EU compute | CrowdSec is FR-headquartered and increasingly competitive in the SIEM/IDS space. |
| Key Vault | HashiCorp Vault on EU infra, optionally HSM-backed | Vault is the production-grade sovereign answer; we operate it for clients. |
| Microsoft 365 (email, Teams, OneDrive) | mailbox.org (DE), Tuta (DE), Nextcloud (DE) for storage, Element/Matrix or Mattermost for chat | Often a harder political conversation than the infrastructure migration. Frequently kept on M365 with documented exposure rather than migrated. |

How we migrate away from Microsoft Azure

A typical mid-market migration runs in three phases. The figures below assume a 6-10 person engineering team and a moderately complex application stack.

Weeks 1–3

Audit & ID-mapping

Inventory Azure services, Entra ID dependencies, SSO integrations and licensing. The identity layer is the longest tail. Output: phased plan with the SSO migration scoped separately.

Weeks 3–6

Edge, monitoring, soft dependencies

Replace Front Door, Azure DNS, App Insights and Blob Storage. Pre-stage EU compute and replicate database. Move CI/CD off Azure DevOps if applicable.

Weeks 6–18

Compute, DB, identity cutover

AKS workloads to managed EU K8s. SQL Database to PostgreSQL with logical replication for live cutover. Identity migration with parallel-run; cut SSO over per application.

5-year TCO on Azure exits we have run: typically 25–45% cheaper, with the largest savings coming from licence true-up avoidance and bandwidth/egress. Bear in mind: if your team uses Microsoft 365 and is staying on it, the identity-layer migration only partially decouples — that decision belongs at board level.

Frequently asked questions

Does Microsoft Cloud for Sovereignty solve the Schrems II problem?

It improves the documentation story but does not change the underlying jurisdiction: Microsoft Corporation remains the parent. For workloads where the analysis turns on parent-jurisdiction (i.e. most regulated workloads after Schrems II), it is not sufficient on its own.

What about Bleu? Or T-Systems Open Sovereign Cloud?

Bleu (Microsoft × Capgemini × Orange) and T-Systems Open Sovereign Cloud (Google Cloud licensed) are pseudo-sovereign offerings — operated by EU-headquartered entities under licence from a US technology partner. They can satisfy specific regulatory requirements (notably the French SecNumCloud certification for Bleu) but inherit a stack they cannot independently maintain. For most buyers, a clean EU-native stack is the architecturally simpler answer.

Can we leave Azure but keep Microsoft 365?

Yes, and many of our clients run that hybrid. The trade-off is that personal data flowing through M365 (email content, OneDrive files, Teams chat) remains under Microsoft processing. Document it in your DPA, apply supplementary measures (encryption at rest with EU-held keys for sensitive folders), and keep customer-data infrastructure on the sovereign stack.

How does this affect our Microsoft Enterprise Agreement?

Existing EAs typically have annual or multi-year terms; the migration target is to stop the next renewal or right-size it, not to break the current contract. Your account manager will offer concessions when they hear "we are evaluating sovereign alternatives." Use that.

Is Active Directory replaceable in practice?

Replaceable in stages. Keycloak handles OIDC/SAML/SCIM well; for Windows-domain authentication on physical desktops, Samba 4 with FreeIPA is the established open-source path. The transition typically runs alongside a "modern workplace" simplification — fewer per-app SSOs, more standard OIDC.

How long does an Azure exit take?

For a mid-size workload (50–200 VMs, 1–2 SQL DBs, AKS, Entra ID): 16–24 weeks elapsed time. With a managed-infrastructure partner driving the choreography: 10–16 weeks. The identity layer is the schedule risk, not the compute.

Plan your exit from Microsoft Azure.

A 30-minute scoping call. We map your stack to EU-only alternatives, estimate the migration effort, and tell you whether this is the right move for you.