Mohamed Radwan

Sovereign connectivity in dataspaces requires automating network access to ensure security, compliance, and operational scale. In the Data Intelligence Hub, we replace manual firewall updates with a declarative, Kubernetes-native model using Custom Resource Definitions (CRDs). Customers define their allowed IP ranges through a self-service portal, which generates an IpAccessPolicy object representing the desired state. A controller then reconciles this state with the underlying infrastructure, automatically updating Kubernetes Ingress configurations and preventing drift. This architecture ensures auditability, validates inputs before enforcement, and keeps network access aligned with the principles of data sovereignty across multi-tenant environments.

Sovereign observability is now essential as organizations operate Kubernetes across fragmented multi-cloud environments. Traditional monitoring approaches fail when logs and metrics cannot leave their originating region due to compliance and data-residency constraints. This architecture solves the challenge by decoupling storage from querying: each cloud environment writes logs and metrics to its own sovereign object storage while a central observer cluster queries them on demand. Leveraging Prometheus, Thanos, Loki, and Promtail, the system provides global visibility, secure mTLS communication, isolated buckets, and a unified Grafana experience — all without violating sovereignty rules.

At LEAP 2025, T-Systems and Detasad showcased cutting-edge dataspace solutions, driving secure data collaboration, AI innovation, and compliance in Saudi Arabia. Through strategic partnerships and cloud-agnostic platforms, we empower businesses to scale, optimize operations, and unlock new revenue opportunities in the region’s thriving digital economy.

This article outlines our experience migrating workloads from an on-premises data center to the AWS Cloud, culminating in the decommissioning of our last server in December 2024. The migration focused on our Motion Data product, which leverages geo-information analytics from Deutsche Telekom's mobile network to provide anonymized mass movement insights for industries such as retail, tourism, and public transport. Our transition to AWS was driven by rising colocation costs and the need to modernize our infrastructure, which faced limitations due to outdated technology constraints, high maintenance efforts, and inefficient storage and compute resource management. We selected AWS's Replatforming approach to harness managed services, improve scalability, and replace legacy Hadoop infrastructure with a more flexible Spark-on-Kubernetes and S3-based solution. The migration delivered key benefits, including 35% lower infrastructure costs, access to up-to-date technology stacks, and removal of resource constraints for compute workloads. By leveraging AWS-managed services such as Kubernetes (EKS), EMR, and RDS, we optimized performance, simplified operations, and positioned ourselves for future growth and innovation in cloud-native environments.

In diesem Blog erfahren wir, wie T-Systems, ein AWS Sovereign Cloud Partner, die wachsende Nachfrage nach digitaler Souveränität adressiert. Er untersucht die Herausforderungen, mit denen Unternehmen beim Management von Datensicherheit, Einhaltung gesetzlicher Vorschriften und Innovation in einer Cloud-First-Welt konfrontiert sind. Der Beitrag beschreibt die fortschrittlichen Lösungen von T-Systems wie Data Protection as a Service (DPaaS) und Dataspaces, die es Unternehmen ermöglichen, die Kontrolle über ihre Daten zu behalten, die Einhaltung von Vorschriften wie der DSGVO sicherzustellen und eine vertrauenswürdige Datenzusammenarbeit über Ökosysteme hinweg zu ermöglichen. Diese Angebote sind auf Branchen wie Gesundheitswesen, Finanzen und den öffentlichen Sektor zugeschnitten und bieten sichere, skalierbare und konforme Tools für eine Digital-First-Ära.

In a multi-cloud setup, using Rancher to manage Kubernetes clusters requires adding NAT gateway IPs to the Rancher Load Balancer's Security Group. Due to Security Group limits of 1,000 IPs per ENI, employing a Web Application Firewall (WAF) is beneficial. WAF allows 100 IP sets with 10,000 IPs each, supporting up to 1 million IP addresses and providing enhanced logging and metrics.

Unlock the potential of secure cross-organizational data sharing with T-Systems and AWS. This strategic collaboration bridges the gap in achieving true data liberation and control. Experience the Connect Offering, Digital.ID, and LivingLab Sandbox, empowering you to participate effortlessly in data ecosystems while ensuring Gaia-X Conformity. T-Systems and AWS, together in the AWS Solutions Library, bring innovative, secure, and integrated solutions, putting you in control of your data.

Discover the collaborative innovation behind LivingLab, a cutting-edge software development environment developed by Telekom Data Intelligence Hub in partnership with Amazon Web Services (AWS). LivingLab provides a secure sandbox environment, ensuring data sovereignty protection and compliance with industry standards like GAIA-X and IDSA. As proud partners listed in the AWS Solutions Library, we empower organizations through advanced analytics processing and streamlined data management, fostering industry collaboration and digital transformation.

Durch unser Angebot an verschiedenen Cloud-Anbietern wie AWS, GCP, Azure, OTC und GCP Souverän können unsere Kunden den Cloud-Anbieter wählen, der ihren individuellen Bedürfnissen, Präferenzen und Compliance-Anforderungen entspricht, und erhalten so die Flexibilität und Datensouveränität, um ihre Cloud-Strategie zu optimieren.