Azure AKS EU Alternative 2026 — Microsoft CLOUD Act Risk in Managed Kubernetes
Post #2 in the sota.io EU Managed Kubernetes Series
Azure Kubernetes Service (AKS) is Microsoft's managed Kubernetes offering and the second-largest managed Kubernetes platform globally after AWS EKS. For European enterprises running containerised workloads, AKS appears attractive: Azure has EU data centres in West Europe (Netherlands), North Europe (Ireland), Germany West Central (Frankfurt), and France Central (Paris). Microsoft even launched its EU Data Boundary programme in 2023, promising to keep EU customer data within the EU.
But there is a problem that no Azure region or data boundary pledge can solve: Microsoft Corporation is incorporated in Washington State, USA. Under the Clarifying Lawful Overseas Use of Data (CLOUD) Act (18 U.S.C. § 2713), US courts can compel US companies to disclose data stored anywhere in the world — including Frankfurt, Dublin, and Amsterdam. The CLOUD Act applies to Microsoft regardless of where the data sits.
This post quantifies AKS's CLOUD Act exposure across five dimensions, explains what that means for your Kubernetes control plane data under GDPR, and shows you concrete EU-native alternatives that run managed Kubernetes without US jurisdiction.
CLOUD Act Score: Azure AKS — 21/25
| Dimension | Score | Rationale |
|---|---|---|
| Corporate Jurisdiction | 5/5 | Microsoft Corporation, Redmond WA. Washington State + Delaware (securities). 100% US-domiciled. |
| PRISM/IC Programme Participation | 5/5 | Microsoft joined PRISM in 2007 (first tech company). Snowden slides confirmed NSA had direct access to Hotmail/Outlook/SkyDrive. Azure infrastructure is the same corporate entity. |
| FISA 702 / NSL Exposure | 4/5 | Microsoft publishes bi-annual Transparency Reports. NSL gag orders documented. Notably: Microsoft Corp. v. United States (2018) Supreme Court case was triggered by a Microsoft CLOUD Act predecessor challenge — the case was mooted when Congress passed the CLOUD Act itself. |
| EU Data Residency Effectiveness | 4/5 | Azure EU Data Boundary exists but explicitly states: "The EUDB does not address legal process served under non-EU laws." A US court order can still reach EU-region data. |
| Subprocessor CLOUD Act Exposure | 3/5 | AKS uses Azure Monitor, Azure Container Registry, Azure AD/Entra ID — all Microsoft entities subject to CLOUD Act. Sub-processors largely within same corporate group. |
Total: 21/25 — AKS carries substantial CLOUD Act exposure. Every component of the AKS control plane runs on Microsoft infrastructure subject to US legal process.
What AKS Components Are Exposed?
Azure AKS follows the same control-plane-as-a-service architecture as GKE and EKS. Microsoft manages the API server, etcd, scheduler, and controller manager on your behalf. Here is what each component means for data sovereignty:
AKS API Server
The Kubernetes API server is the brain of your cluster. Every kubectl apply, deployment manifest, ConfigMap, and Secret passes through it. In AKS, the API server runs inside Microsoft's Azure subscription — it is a US-operated service even when your node pools are in EU Azure regions.
What this means: any Kubernetes object you store — including Secrets, ConfigMaps, service accounts, RBAC policies — is processed by a US-jurisdiction service. A CLOUD Act warrant targeting Microsoft could compel disclosure of these objects.
etcd — The Real Data Store
etcd is the persistent store for all cluster state. In AKS, etcd is Microsoft-managed. Your etcd data is encrypted at rest by default using AES-256, but Microsoft holds the encryption keys. Key management can be delegated to Azure Key Vault — but Azure Key Vault is also a Microsoft service subject to CLOUD Act.
Kubernetes Secrets stored in etcd (API keys, database passwords, TLS certificates) are therefore reachable via CLOUD Act warrant unless you use an external secrets manager with customer-managed HSM outside Azure (e.g., HashiCorp Vault self-hosted in EU).
Entra ID (Azure AD) Integration
AKS's default authentication integrates with Microsoft Entra ID (formerly Azure Active Directory). This means:
- Identity tokens for cluster access are issued by a US-jurisdiction IdP
- Group memberships controlling RBAC are stored in Microsoft's US-headquartered identity service
- Service principal credentials are managed in Entra ID
As we covered in our Microsoft Entra ID EU alternative post, Entra ID itself scores 20/25 on CLOUD Act exposure. Using Entra ID with AKS compounds the jurisdictional problem.
Azure Monitor and Container Insights
AKS deeply integrates with Azure Monitor and Container Insights for logs and metrics. Container Insights sends container logs, performance metrics, and resource utilisation data to Azure Monitor workspaces. If those workspaces are in EU regions, the data is stored in the EU — but processed and made accessible by a US-jurisdiction service.
For GDPR Article 32 (appropriate technical measures), the question is not just where data sits but who has access to it. Microsoft — as a US entity — can be compelled to access that data.
EU Data Boundary: What It Covers and What It Doesn't
Microsoft's EU Data Boundary is a real initiative and deserves an honest assessment. Since January 2023, Microsoft has been storing and processing commercial customer data for Azure, Microsoft 365, and Dynamics 365 within the EU/EEA. The commitment covers:
- Data at rest: stored in EU Azure regions
- Data in transit: processed within EU during normal operations
- Support data: some categories now stay EU-side
What the EU Data Boundary explicitly does NOT cover:
- Legal process under non-EU law. The EUDB documentation states: "Customer data in the EU Data Boundary does not offer protection from lawful legal process served under applicable non-EU laws, including the US CLOUD Act."
- Safety and security telemetry. Security signals, threat intelligence, and abuse prevention data are exempt from EUDB.
- Pseudonymised diagnostics. Performance and diagnostic telemetry may leave the EU boundary.
The EU Data Boundary is a meaningful operational commitment — but it is not a legal firewall against the CLOUD Act. Microsoft was the first company to challenge CLOUD Act predecessor laws in court (the Microsoft Ireland case). They lost when Congress passed the CLOUD Act to clarify the law. Microsoft complies with lawful CLOUD Act orders.
GDPR Risk Matrix for AKS
| GDPR Article | Risk | Mitigation Difficulty |
|---|---|---|
| Art. 28 (Processor obligations) | HIGH — Microsoft DPA exists but cannot guarantee exclusion of US legal process | Low (DPA signed, but contractually insufficient) |
| Art. 32 (Security of processing) | MEDIUM — AKS encryption is strong, but Microsoft holds key access rights | Medium (customer-managed keys possible but complex) |
| Art. 44-49 (International transfers) | HIGH — AKS control plane technically operates as US service even in EU regions | High (SCCs signed, adequacy uncertain post-Schrems III risk) |
| Art. 82/83 (Liability) | HIGH — If Kubernetes Secrets accessed via US court order, controller may be liable | No technical mitigation available |
| DORA (Financial sector) | CRITICAL — Financial entities under DORA must demonstrate exit from systemic providers; AKS concentration risk | High — DORA RTS §40 requires resilience from US-jurisdiction services |
Pricing Comparison: AKS vs EU-Native Alternatives
AKS's pricing model is deceptively attractive: the control plane is free. But the node costs in Azure EU regions are significantly higher than EU-native providers.
3-node production cluster benchmark (4 vCPU / 16 GB RAM each):
| Provider | Node Type | Monthly Node Cost | Control Plane | Total/Month | CLOUD Act |
|---|---|---|---|---|---|
| Azure AKS | Standard_D4s_v5 (West Europe) | €175 | Free | ~€175 | 21/25 |
| Scaleway Kapsule | PRO2-M (4 vCPU / 16 GB) | €78 | Free | ~€78 | 0/25 |
| OVHcloud Managed K8s | B2-15 (4 vCPU / 15 GB) | €98 | Free | ~€98 | 1/25 |
| Hetzner k3s | CX31 (2 vCPU / 8 GB) × 3 | €15 | Self-managed | ~€15 | 0/25 |
| Civo K3s | Medium (4 vCPU / 8 GB) | €40 | Free | ~€40 | 2/25 |
AKS EU nodes cost 2–12× more than EU-native alternatives — while still carrying 21/25 CLOUD Act exposure.
Note: Prices as of May 2026. Hetzner k3s requires self-managing the control plane (k3s or kubeadm), which adds operational overhead.
EU-Native Kubernetes Alternatives (Detailed)
1. Scaleway Kapsule — CLOUD Act Score: 0/25 ✅
Scaleway SAS, Paris, France — incorporated under French law, no US parent, no US operations.
Scaleway Kapsule is a fully managed Kubernetes service with control-plane-as-a-service. The Scaleway API server, etcd, and scheduler are operated entirely by a French company under French/EU law. No CLOUD Act exposure.
Key specs:
- Managed control plane: free
- Worker nodes: from €0.0078/hr per node
- Regions: Paris (PAR1/PAR2), Amsterdam (AMS1), Warsaw (WAW1/WAW2)
- Kubernetes versions: follows upstream cadence (1.28, 1.29, 1.30)
- Container registry: Scaleway Registry (EU-native)
- Storage: Scaleway Block Storage (persistent volumes)
GDPR compliance: Scaleway publishes a DPA + sub-processor list. As a French entity, Scaleway is directly under GDPR jurisdiction. Standard Contractual Clauses are not required for EU→EU data flows.
Limitations vs AKS: smaller ecosystem, fewer managed add-ons (no Azure Policy equivalent), less enterprise support SLA options. For teams heavily invested in Azure tooling (Azure DevOps, Entra ID), migration requires tooling changes.
2. OVHcloud Managed Kubernetes — CLOUD Act Score: 1/25 ✅
OVH SAS, Roubaix, France — incorporated under French law.
OVHcloud's Managed Kubernetes service runs on OVHcloud infrastructure across 33 data centres in Europe. The control plane is managed by OVH SAS. The 1/25 CLOUD Act score comes from a minor AWS sub-processor usage in analytics (not in the Kubernetes control path).
Key specs:
- Managed control plane: free
- Worker nodes: from €0.037/hr (B2-7: 2 vCPU / 7 GB)
- Regions: Germany (GRA), France (GRA, RBX, SBG), Poland (WAW), UK (LON), Canada (BHS)
- Kubernetes versions: 1.28–1.30
- Persistent volumes: OVHcloud Block Storage
- LoadBalancer: OVHcloud Load Balancer
Enterprise features: OVHcloud has ISAE 3402 Type II, ISO 27001, ISO 27701, HDS (health data) certifications. Suitable for regulated industries.
3. Hetzner + k3s — CLOUD Act Score: 0/25 ✅
Hetzner Online GmbH, Gunzenhausen, Germany — German Gesellschaft mit beschränkter Haftung, no US ownership.
Hetzner does not offer a managed Kubernetes service, but many European teams run k3s on Hetzner Cloud nodes as a cost-effective alternative. You manage the control plane yourself (k3s installation takes ~10 minutes), but you get:
- Nodes: from €3.92/mo (CX21: 2 vCPU / 4 GB RAM)
- Locations: Falkenstein/Nuremberg (Germany), Helsinki (Finland), Ashburn/Hillsboro (US — avoid for GDPR)
- No CLOUD Act exposure when using DE/FI locations
Tools like k3sup, Rancher, or Cluster API Provider Hetzner automate cluster provisioning. The tradeoff: no managed control plane means you're responsible for etcd backups, upgrades, and API server availability.
Cost example: 3×CX31 (2 vCPU / 8 GB) + Hetzner Load Balancer LB11 = €15 + €5 = €20/month vs AKS €175/month. That's 8.75× cheaper for equivalent workloads.
4. AWS EKS in EU (Separate Analysis)
For completeness: AWS EKS is covered in our dedicated AWS EKS EU Alternative post. EKS scores 22/25 on CLOUD Act — higher than AKS. AWS is subject to the same structural CLOUD Act problem.
AKS → Scaleway Kapsule Migration Guide
Phase 1: Inventory (1 week)
```bash
# Export all workloads from AKS
kubectl get all --all-namespaces -o yaml > aks-all-resources.yaml
# List PersistentVolumeClaims
kubectl get pvc --all-namespaces -o yaml > aks-pvcs.yaml
# Export Secrets (WARNING: plain base64 in YAML — handle securely)
kubectl get secrets --all-namespaces -o yaml > aks-secrets.yaml
# Check cluster add-ons
az aks show --name <cluster-name> --resource-group <rg> --query addonProfiles
```
Identify:
- Workloads using Azure-specific features (Azure Files, Azure Blob CSI, Event Grid webhooks)
- Entra ID RBAC dependencies
- Azure Monitor / Container Insights integrations
- Azure Container Registry references
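The following script is an added example, not part of the original post: it scans `kubectl get ... -o json` exports (the same resources as the YAML exports above, in JSON so only the standard library is needed) for the four dependency types in the list. The AKS storage class names, the `*.azurecr.io` registry suffix, the Container Insights DaemonSet names (`ama-logs`, `omsagent`) and the "RBAC subject named by a UUID is an Entra object ID" heuristic are assumptions; the embedded sample export is constructed.

```python
import json
import re
from collections import defaultdict

# Heuristics for the Azure-specific dependencies listed in Phase 1 (assumptions).
ACR_IMAGE = re.compile(r"^[a-z0-9-]+\.azurecr\.io/", re.I)
AZURE_STORAGE_CLASSES = {"default", "managed-csi", "managed-csi-premium",
                         "azurefile", "azurefile-csi", "azurefile-premium"}
# AKS with Entra ID integration names RBAC subjects by their Entra object ID (UUID).
ENTRA_OBJECT_ID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
MONITOR_AGENTS = {"ama-logs", "omsagent"}  # Container Insights DaemonSets in kube-system

def _containers(obj):
    """Containers of a Pod, or of the pod template of a Deployment/DaemonSet/etc."""
    spec = obj.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])

def inventory(export):
    """Map each dependency category to the objects that depend on it."""
    findings = defaultdict(list)
    for obj in export.get("items", []):
        kind, meta = obj.get("kind"), obj.get("metadata", {})
        ref = f"{kind}/{meta.get('namespace', '-')}/{meta.get('name')}"
        for c in _containers(obj):
            if ACR_IMAGE.match(c.get("image", "")):
                findings["azure-container-registry"].append(f"{ref} image={c['image']}")
        if kind == "PersistentVolumeClaim":
            sc = obj.get("spec", {}).get("storageClassName")
            if sc in AZURE_STORAGE_CLASSES:
                findings["azure-storage-csi"].append(f"{ref} storageClass={sc}")
        if kind in ("RoleBinding", "ClusterRoleBinding"):
            for s in obj.get("subjects", []):
                if ENTRA_OBJECT_ID.match(s.get("name", "")):
                    findings["entra-id-rbac"].append(f"{ref} subject={s['name']}")
        if kind == "DaemonSet" and meta.get("name") in MONITOR_AGENTS:
            findings["azure-monitor"].append(ref)
    return dict(findings)

# Constructed sample export: one object per dependency type plus one clean deployment.
SAMPLE_EXPORT = {"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "acmeeu.azurecr.io/api:1.4"}]}}}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "data", "namespace": "prod"},
     "spec": {"storageClassName": "azurefile-csi"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admins"},
     "subjects": [{"kind": "Group", "name": "6f8c1c2e-1d0a-4b2f-9a6e-0c3d5e7f9a1b"}]},
    {"kind": "DaemonSet", "metadata": {"name": "ama-logs", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [{"name": "ama-logs", "image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "rg.fr-par.scw.cloud/acme/web:2.0"}]}}}},
]}

if __name__ == "__main__":
    import sys  # usage: python aks_inventory.py aks-all-resources.json aks-pvcs.json ...
    items = [i for p in sys.argv[1:] for i in json.load(open(p))["items"]]
    print(json.dumps(inventory({"items": items} if items else SAMPLE_EXPORT), indent=2))
```

Run it against the merged JSON exports; an empty result for every category means the Phase 3 replacement table has nothing left to cover.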
Phase 2: Parallel Cluster Setup (1 week)
```bash
# Install and configure the Scaleway CLI
scw init
# Create Kapsule cluster
scw k8s cluster create \
  name=my-cluster \
  version=1.30 \
  region=fr-par \
  pools.0.node-type=PRO2-M \
  pools.0.size=3 \
  pools.0.autoscaling=true \
  pools.0.min-size=3 \
  pools.0.max-size=10
# Get kubeconfig
scw k8s kubeconfig install <cluster-id>
```
Phase 3: Replace Azure-Specific Dependencies
| AKS Component | EU Alternative |
|---|---|
| Azure Container Registry | Scaleway Registry or Harbor (self-hosted) |
| Azure Files / Disk CSI | Scaleway Block Storage CSI |
| Azure AD/Entra ID RBAC | Zitadel (CH) or Keycloak (Red Hat EU) |
| Azure Monitor / Container Insights | Grafana Cloud (EU region) or VictoriaMetrics (self-hosted) |
| Azure Key Vault | HashiCorp Vault (self-hosted) or Infisical EU |
| Azure Load Balancer | Scaleway Load Balancer or MetalLB |
Phase 4: DNS Cutover and ROPA Update
Once workloads run on Kapsule, update your Record of Processing Activities (ROPA) under GDPR Art. 30:
- Remove Microsoft Azure from sub-processor list
- Add Scaleway SAS as EU-resident sub-processor
- Update DPA inventory
- Notify Data Protection Officer
GDPR Compliance Checklist for AKS Users
Before migrating (or if staying on AKS), verify:
- Signed current Microsoft DPA (Data Processing Addendum)
- Azure EU Data Boundary opt-in enabled for your subscription
- Kubernetes Secrets not containing personal data (prefer external secrets manager)
- Customer-managed encryption keys via Azure Key Vault (not Microsoft-managed)
- Network policy restricting egress to non-EU endpoints
- Azure Policy enforcing EU region constraints for all AKS resources
- Incident response plan covering US legal process disclosure scenario
- Sub-processor inventory updated to include Microsoft as non-EU processor
- SCCs in place (Microsoft provides these, but adequacy challenge risk remains)
Who Should Stay on AKS?
AKS remains a strong choice for teams that:
- Are already Azure-native — If your team uses Azure DevOps, Entra ID, Azure Monitor, and Azure Blob Storage throughout, the operational integration of AKS is genuinely valuable.
- Have evaluated residual CLOUD Act risk as acceptable — Some workloads (internal tooling, non-personal-data analytics) may have acceptable risk profiles even with 21/25 CLOUD Act exposure.
- Operate under US jurisdiction anyway — US-headquartered subsidiaries, or teams whose parent company is US-based, may have no incremental risk from AKS.
- Require DORA compliance with US operations — DORA permits critical third-party providers under exit planning requirements; AKS is not automatically excluded, but exit planning documentation is mandatory.
Summary
Azure AKS scores 21/25 on our CLOUD Act exposure matrix. The managed control plane (API server, etcd, scheduler) is operated by Microsoft Corporation — a US entity subject to CLOUD Act warrants regardless of which Azure region your nodes run in. Microsoft's EU Data Boundary is a meaningful operational commitment but explicitly carves out legal process under US law.
For European teams with GDPR Article 44-49 transfer restrictions, DORA concentration risk requirements, or data sovereignty mandates, EU-native alternatives offer the same Kubernetes experience:
- Scaleway Kapsule (0/25) — fully managed, French law, from €78/month
- OVHcloud Managed Kubernetes (1/25) — French law, ISAE 3402, from €98/month
- Hetzner + k3s (0/25) — German law, lowest cost, from €20/month
Next in the EU Managed Kubernetes Series: DigitalOcean Kubernetes EU Alternative — DigitalOcean Inc. Delaware Corp, CLOUD Act exposure in a simpler managed K8s offering.
Also in this series:
- Google GKE EU Alternative 2026 — CLOUD Act 20/25, etcd Jurisdiction
- AWS EKS EU Alternative 2026 — CLOUD Act 22/25
sota.io is an EU-native PaaS — container deployments without CLOUD Act exposure. All infrastructure is operated by European entities under EU law.