Ensuring Regional (Health) Data Residency with AWS

When dealing with sensitive data—particularly in regulated sectors like healthcare or finance—one of the biggest challenges is ensuring that all data remains in the user’s local region, thereby adhering to local data residency and privacy laws. For applications like Health3.app aimed at a global user base this requirement can complicate the architecture. In this post on Health Data Residency, I’ll focus on AWS which provides a powerful combination of services—CloudFrontLambda@Edge, and API Gateway—that I found useful to ensure that user data is processed only in the correct region.

This post will walk you through how these AWS services are set up to work together in Health3’s case, how they solve the data residency problem, and how you can architect your applications to comply with strict privacy and regulatory requirements.

The Core Challenge: Regional Data Residency

Why It Matters

In industries such as healthcare, finance, or government, there are stringent compliance regulations (e.g., HIPAA, GDPR, etc.) that dictate how and where data must be stored and processed. Aside from ensuring that such data is stored in the same region in which the user legally resides, the underlying requirement often goes further and states that sensitive data cannot “leave” a region (e.g., a country or jurisdiction). In a global application, simply storing the data in multiple locations isn’t enough. You must also ensure that all processing of that data takes place within the user’s local region. When deploying your application in a cloud, you must consider this requirement and not default to whatever region the cloud decides to serve your client’s requests in.

AWS CloudFront: The Global Entrypoint

Overview

AWS CloudFront is a content delivery network (CDN) service offered by AWS. It delivers content to users with low latency by caching copies at edge locations closer to them. This edge-caching layer is the first step in your Health Data Residency strategy. In our architecture, CloudFront also becomes the global entry point for the application’s requests.

How CloudFront Addresses The Data Residency Requirement

  • Nearest Edge Location: When a user in, say, Germany makes a request to your application, that request terminates at the nearest physical CloudFront edge location. In this case, this would likely be AWS region eu-central-1 located in Frankfurt, ensuring minimal latency. This doesn’t solve the data residency requirements automatically, as the user’s legal jurisdiction (place of residency) might not align with where they are accessing the app from (while travelling etc.).
  • Security: CloudFront integrates well with AWS WAF (Web Application Firewall) and AWS Shield, adding further security layers. This is critical when dealing with sensitive data.

While AWS Cloudfront will intercept your data at nearest Edge location, it cannot by itself decide which region processes the request, or which region’s database will be used for any necessary data storage. That’s where Lambda@Edge enters the picture.

Lambda@Edge: Intelligent Request Routing

What Is Lambda@Edge

Lambda@Edge allows you to run serverless functions at CloudFront edge locations. You can intercept, inspect and modify requests (or responses) as they flow through CloudFront. This gives you powerful routing logic, executed physically close to the end user.

Key Use Cases

  • Geo-based Routing: You can inspect the user’s location (for example via cloudfront-viewer-country request header) to determine which AWS region should handle the request.
  • Account-based Routing: Typically, users’ data must stay within their data residency “home” location even if the user is traveling (or using VPN) and temporarily finds themselves in a different geographical location. Lambda@Edge can evaluate the user account’s location and then direct the request accordingly.
  • Enforcing Health Data Residency by directing every request to the user’s home region.

How It Works In Practise

  • Incoming Request: A request comes into your CloudFront distribution, in which you have previously configured all of the various origins ( region-specific endpoints for your business logic ).
  • Trigger at the Edge: You set up a viewer-request or origin-request trigger. Lambda@Edge runs your custom code (e.g. Node.js or Python) at the nearest CloudFront location.
  • Request Manipulation: Lambda@Edge checks the user’s location or is provided with account settings. It modifies the request if necessary, such as changing the origin hostname in CloudFront’s configuration to point to a region-specific endpoint.
  • Redirect to Regional Backend: The request is then forwarded to an origin (for instance, an Amazon API Gateway endpoint) that exists in the user’s required AWS region.

API Gateway: The Regional Business Logic Entry Point

Why Use Amazon API Gateway

Once the request is routed to the correct AWS region, you need a way to handle the business logic securely and efficiently. API Gateway is a managed service that makes it easy to build, deploy and manage APIs at scale.

Integration With Lambda (Non-Edge)

API Gateway can trigger AWS Lambda functions residing in the same AWS region, where you can execute the business logic. This ensures that:

  • All computations on that data happen in the region-specific Lambda function.
  • Data never leaves teh region due to the architecture enforced by CloudFront + Lambda@Edge.

With regional API Gateway + Lambda, core business logic is locked down to satisfy Health Data Residency mandates.

Additional Services

From there on, the API Gateway may integrate a range of various AWS services to provide the business processing functionality you app needs. For example you may choose to deploy Amazon DynamoDB or Amazon RDS in the same region for persistence to ensure data residency of data at rest. Some of your business logic might use AI-based processing via AWS Sagemaker, AWS Bedrock, AWS Textract.

Putting It All Together

  • User Request: User in Region X (e.g. central Europe) makes a request.
  • CloudFront Entry: The request goes to the nearest CloudFront edge location.
  • Lambda@Edge Execution:
    • Lambda@Edge inspects the request context or user’s account region.
    • It modifies or sets the origin to the appropriate regional endpoint (e.g. an API Gateway URL in eu-central-1)
  • Forward to the Regional Endpoint: The request is forwarded to the chosen region’s API Gateway.
  • Regional Lambda Execution: API Gateway triggers the region’s Lambda (non-Edge) function to process business logic.
  • Data in the Correct Region:
    • All data retrieval, storage, or manipulation happens within eu-central-1 (or whichever region is applicable).
    • No data is transported, parsed, or stored outside the user’s region.

Benefits Of This Architecture

  • Compliance: The chief benefit is ensuring you meet data residency and compliance requirements. Each user’s data stays within their specific region at rest and for business-specific processing.
  • Low Latency: By leveraging global edge locations, you reduce latency for the initial connection. With region-specific backends, you ensure the user is served from the region mandated by legal requirements.
  • Scalability: This architecture can scale up or down based on traffic.
  • Maintainability: While this approach might look complex, AWS’s serverless services reduce the burden of server management and allow for a more consistent, code-driven approach to infrastructure.

Further Concerns

There are multiple areas, which need to be further considered when deploying such architecture for strict data residency and compliance. The setup described above gives us a solid foundation, but the following topics need to be planned properly and provided with safeguards to avoid any pitfalls. For the sake of this article, they are simply listed without further elaboration. I may explore these separately in the future.

  • Geolocation – As mentioned before, Geolocation itself can be inaccurate or bypassed, due to VPNs, Proxies, or incorrect mapping.
  • Sensitive Data Passing Through Edge – Precautions need to be taken to not unintentionally process or store sensitive data here.
  • Complexity of Region Management – Maintaining services split across regions can lead to version drift or other inconsistencies.
  • Handling “Data in Transit” vs “Data at Rest” –  Some strict data sovereignty rules may prohibit even transient data from crossing borders.
  • Edge Cases – Travelling Users – Combination of Geolocation and Data in Transit points from above. Traveling user might need to access their data from “home”.
  • Logging and Observability Across Regions – Tooling or pipelines that aggregate logs could inadvertently export or expose sensitive data.
  • Failure Scenarios and Fallbacks – If edge location or region experience downtime, routing logic may fail or revent to default.

Conclusion

For global applications handling sensitive data – in healthcare, finance, government… – meeting regional data residency laws is a non-negotiable requirement. AWS’s CloudFront and Lambda@Edge enable you to decide at the network edge where each request goes, while API Gateway and regional Lambdas enforce that all data processing stays local.

By carefully planning your routing conditions (e.g., user location or account jurisdiction), you can guarantee that sensitive data never crosses regional boundaries. While the architecture might be more nuanced than a single global endpoint, the compliance, user trust, and regulatory peace of mind are well worth the investment.

Key Takeaway: When architecting application deployed to Amazon cloud for global Health Data Residency, use CloudFront + Lambda@Edge for intelligent request routing, and API Gateway + Lambda in region-specific deployments for your core business logic. This combination delivers a powerful, scalable, and compliant solution for sensitive data handling in a global environment.

Tagged

Leave a Reply