AWS VPC EU Alternative 2026: Flow Logs, DNS Queries, and GDPR Under the CLOUD Act
Post #727 in the sota.io EU Compliance Series
Amazon Virtual Private Cloud (VPC) is the networking foundation of virtually every AWS workload. When a European company deploys an application on AWS — whether EC2 instances, ECS containers, RDS databases, Lambda functions, or any managed service — that deployment runs inside a VPC. The VPC controls IP addressing, routing tables, subnets, security groups, network access control lists, and the flow of traffic between resources.
Because VPC is the universal substrate of AWS networking, its GDPR implications extend to every other AWS service. The network layer records data flows that other services generate. VPC Flow Logs capture the IP addresses involved in every TCP, UDP, and ICMP connection. Route 53 Resolver processes DNS queries from every service in the VPC. Transit Gateway propagates network flows across multiple VPCs and accounts. AWS Network Access Analyzer maps the reachability of your entire AWS network topology.
Amazon operates VPC in European regions: eu-west-1 (Ireland), eu-central-1 (Frankfurt), eu-west-3 (Paris), eu-south-1 (Milan), eu-north-1 (Stockholm). Network resources in those regions process traffic physically within Europe. European engineering teams frequently deploy VPC resources with the assumption that EU region selection satisfies their GDPR obligations.
The jurisdictional problem is not geographic. Amazon Web Services, Inc. is a Delaware corporation headquartered in Seattle, Washington. The CLOUD Act (18 U.S.C. § 2713) compels US companies to produce customer data stored anywhere in the world when ordered by a US court or government agency. A valid US government order can reach your VPC Flow Logs in Frankfurt — logs that record every IP-level connection between your users' browsers and your backend services.
What AWS VPC Stores That Touches Personal Data
VPC functions as the invisible substrate beneath all AWS workloads. This foundational position creates personal data exposure that is less visible than application-layer processing but more pervasive.
VPC Flow Logs: Every Connection as a Personal Data Record
VPC Flow Logs are an optional but widely used AWS feature that captures information about IP traffic flowing through network interfaces in your VPC. Teams enable flow logs for security monitoring, network troubleshooting, and compliance auditing — purposes that create an extensive record of personal data under GDPR.
A default VPC flow log record contains:
- srcaddr — the source IP address (IPv4 or IPv6) of the traffic
- dstaddr — the destination IP address
- srcport and dstport — source and destination ports
- protocol — the IP protocol number (TCP=6, UDP=17, ICMP=1)
- packets and bytes — traffic volume for the flow interval
- start and end — Unix timestamps of the aggregation window
- action — whether the security groups or NACLs accepted (ACCEPT) or rejected (REJECT) the traffic
- log-status — whether the record was successfully logged
Under GDPR Article 4(1), personal data is "any information relating to an identified or identifiable natural person." The Court of Justice of the European Union established in Breyer v. Germany (C-582/14, 2016) that IP addresses are personal data when the data controller has the legal means to identify the person behind the IP address. For any European business operating a customer-facing service, the IP addresses in VPC flow logs are personal data.
A production VPC serving a European web application generates thousands of flow log records per minute. Each record containing a user's source IP address — the address of their home connection, their office network, or their mobile carrier — is a personal data record. Those records flow from AWS infrastructure through CloudWatch Logs or S3, both operated under US jurisdiction, subject to CLOUD Act compulsion.
VPC flow logs support custom formats with additional fields. When teams enable extended metadata — including traffic-path, flow-direction, or tcp-flags — the records become richer behavioral data. The TCP flag field distinguishes SYN, SYN-ACK, FIN, and RST packets, encoding information about connection establishment and teardown patterns. Combined with IP addresses and timestamps, extended flow log data constitutes behavioral profiling of network-level user activity.
AWS delivers flow logs to destinations under its control: CloudWatch Logs (an AWS service), S3 (an AWS service), or Amazon Data Firehose (an AWS service). Even if your S3 bucket for log storage sits in an EU region, the delivery mechanism and the bucket infrastructure remain under Amazon Web Services, Inc. jurisdiction.
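The script below is an added example (not AWS tooling or code from this article's author) of data minimisation applied to the record layout above: it parses default-format flow log lines, flags addresses outside the VPC's private ranges as personal-data IPs, and replaces them with a keyed pseudonym before the records are retained. The sample lines and the HMAC key are constructed; the field order is the version-2 default format, which also carries version, account-id and interface-id ahead of the fields listed above.

```python
"""Parse default-format VPC Flow Log records, flag addresses outside the
VPC's own private space (the user-facing IPs the article treats as personal
data under Breyer), and pseudonymise them before retention. Added example
for this article, not AWS code; the log lines and HMAC key are constructed."""
import hashlib
import hmac
import ipaddress

# Field order of the version-2 default flow log format (the article's list
# omits the three leading fields: version, account-id, interface-id).
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport "
                  "dstport protocol packets bytes start end action log-status").split()

# Address space that identifies infrastructure, not a person: RFC 1918 and
# IPv6 ULA. Anything else is treated as a potentially identifying endpoint.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample: a browser at a public address reaching the web tier,
# a private app-to-database flow, and a NODATA record with '-' placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.20 51234 443 6 12 3456 1717000000 1717000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.7 44123 5432 6 30 9000 1717000000 1717000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1717000000 1717000059 - NODATA
"""

def parse_record(line: str) -> dict[str, str]:
    """Split one space-separated default-format record into named fields."""
    values = line.split()
    if len(values) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(values)}")
    return dict(zip(DEFAULT_FIELDS, values))

def is_personal_data_ip(addr: str) -> bool:
    """True for an address outside the internal ranges ('-' placeholders are not IPs)."""
    if addr == "-":
        return False
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETWORKS)

def pseudonymise(addr: str, key: bytes) -> str:
    """Keyed HMAC: the same IP stays correlatable for security analysis,
    but the raw address is no longer stored (Art. 25 data minimisation)."""
    return "pseud:" + hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]

def minimise(log_text: str, key: bytes) -> tuple[list[dict[str, str]], int]:
    """Return parsed records with personal-data IPs replaced, plus the replacement count."""
    out, replaced = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for field in ("srcaddr", "dstaddr"):
            if is_personal_data_ip(rec[field]):
                rec[field] = pseudonymise(rec[field], key)
                replaced += 1
        out.append(rec)
    return out, replaced
```

Calling minimise(SAMPLE_LOG, key) returns the three parsed records with the browser's 203.0.113.45 replaced by a pseud: token and a count of 1; the private 10.0.x.x addresses and the NODATA placeholders are left untouched.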
Route 53 Resolver: DNS Queries as Behavioral Data
Every resource deployed inside a VPC uses DNS to resolve service endpoints, external domain names, and inter-service addresses. Amazon provides Route 53 Resolver as the built-in DNS resolver for VPC resources. By default, every EC2 instance, Lambda function, and container inside a VPC sends DNS queries to the VPC's .2 address (the base of the VPC IPv4 CIDR plus two), which is Route 53 Resolver.
Route 53 Resolver DNS query logging is an optional feature that captures the details of DNS queries generated by resources in your VPC. When enabled, each log record contains:
- The source IP address of the resource making the DNS query
- The queried domain name
- The query type (A, AAAA, MX, TXT, etc.)
- The DNS response code
- A timestamp
DNS query logs from a production VPC contain behavioral data about what your services are doing and who is triggering those actions. If a user request triggers your application to resolve a payment processor's domain, that DNS query — timestamped and attributed to the source IP of your application server, traceable through load balancer access logs back to the user's IP — creates a behavioral chain under AWS custody.
More directly: if resources inside your VPC include client-facing services that perform outbound DNS lookups based on user-supplied input (for example, a domain verification service or a URL previewer), the DNS query logs contain personal data that maps user interactions to resolved domain names.
Route 53 Resolver also supports inbound and outbound endpoints for hybrid cloud environments. Organizations connecting on-premises DNS infrastructure to AWS VPC DNS send DNS traffic across these endpoints — extending the scope of Route 53 Resolver processing into on-premises environments and, for European companies with on-premises infrastructure, potentially routing EU employee DNS queries through AWS-controlled infrastructure.
AWS PrivateLink and VPC Endpoint Traffic
AWS PrivateLink allows VPC resources to connect to AWS services (S3, DynamoDB, CloudWatch, etc.) and to services published by other AWS customers through VPC Endpoints, without routing traffic over the public internet. The architecture creates private IP addresses inside your VPC that front AWS service endpoints.
PrivateLink is often presented as a privacy-enhancing technology because it avoids public internet routing. This framing obscures the relevant jurisdictional question. Traffic flowing through PrivateLink endpoints does not leave AWS infrastructure — but AWS infrastructure is operated by Amazon Web Services, Inc. under US jurisdiction. The fact that the traffic remains within AWS's network does not change the CLOUD Act reachability of that traffic.
Interface VPC Endpoints — the PrivateLink-backed endpoint type — have elastic network interfaces (ENIs) in your VPC subnets. Flow logs for those ENIs capture traffic between your VPC resources and AWS service endpoints. The records include the destination IP address of the endpoint ENI, which maps to the specific AWS service. These records allow reconstruction of which AWS services your application used, at what times, in what volumes — metadata that falls within GDPR Article 4(1) when connected to user request flows.
Gateway Endpoints for S3 and DynamoDB add routing table entries to your VPC route tables. Traffic to S3 and DynamoDB prefix lists routes through AWS-managed gateway infrastructure. The traffic itself traverses AWS-controlled network equipment regardless of the endpoint mechanism.
Transit Gateway Flow Logs: Cross-Account Jurisdiction Expansion
AWS Transit Gateway allows organizations to connect multiple VPCs and on-premises networks through a central routing hub. Large enterprises commonly use Transit Gateway to create hub-and-spoke network topologies, connecting dozens or hundreds of VPCs across multiple AWS accounts and regions.
Transit Gateway supports flow logs that capture traffic flowing through the transit gateway's network interfaces. For organizations using Transit Gateway to connect VPCs across multiple business units, subsidiaries, or product teams, the Transit Gateway flow logs create a consolidated record of inter-VPC traffic flows. Those records are stored in CloudWatch Logs or S3 under AWS control.
For European organizations using Transit Gateway to connect VPCs in different EU regions — for example, a primary deployment in Frankfurt connected to a disaster recovery environment in Ireland — the Transit Gateway attachment in each region and the Transit Gateway itself are managed by AWS infrastructure. CLOUD Act compulsion of Transit Gateway flow logs provides a US government actor with a complete picture of cross-VPC traffic flows across the organization's European cloud footprint.
Transit Gateway Multicast adds another dimension: multicast group membership records associate specific instances with multicast groups. For applications using multicast for service discovery or media distribution, group membership data stored in Transit Gateway infrastructure constitutes additional personal data exposure.
Network Access Analyzer and Reachability Analyzer
AWS Network Access Analyzer is a service that identifies unintended network access to your AWS resources. You define network access requirements and AWS analyzes your VPC configuration — security groups, route tables, NACLs, VPC endpoints, and their combinations — to identify configurations that violate your requirements.
Network Access Analyzer findings are stored by AWS and include detailed descriptions of the network paths in your VPC. While the data analyzed is configuration data rather than traffic data, the analysis results reveal the topology of your network — which resources are reachable from the internet, which backend services are reachable from which subnets, and which security group rules allow which traffic patterns.
VPC Reachability Analyzer performs point-to-point path analysis, tracing the network path between two endpoints in your VPC and identifying configuration-level blockers. The analysis results, stored by AWS, document your internal network architecture in detail.
For organizations processing sensitive data under GDPR — particularly Art. 32 security obligations requiring appropriate technical measures — having your network topology analyzed and the results stored by a US-jurisdiction service creates additional compliance surface. Art. 32 requires that you implement appropriate technical and organizational measures to ensure network security. Whether network topology data stored under US jurisdiction constitutes a risk depends on the sensitivity of the services that topology exposes.
EU Alternatives to AWS VPC for Private Networking
European cloud providers offer private networking capabilities that keep network configuration and flow data under EU-jurisdiction operators. The key difference is not technical equivalence — VPC is a mature service with extensive features — but organizational jurisdiction over the infrastructure and its logs.
Hetzner Cloud Private Networks
Hetzner Online GmbH is a German company headquartered in Gunzenhausen, Bavaria. Hetzner Cloud Private Networks provide RFC 1918 IP addressing for resources within a Hetzner Cloud project, with routing between servers in the same private network and subnet configuration.
Hetzner Private Networks support multiple subnets within a network, routing between subnets through a configurable gateway, and VPN connectivity through standard IPsec or WireGuard implementations. Traffic within Hetzner Private Networks stays within Hetzner's infrastructure — a German GmbH without a US parent entity, outside CLOUD Act jurisdiction.
Hetzner's network does not provide flow logging as a managed service, which means organizations implementing Hetzner Private Networks do not automatically generate the IP-address-level personal data records that VPC Flow Logs create. This architectural simplicity is a GDPR advantage: not generating personal data avoids the obligation to protect and retain it. Teams requiring network-level traffic visibility implement logging at the application layer or through self-managed network monitoring tools such as ntopng or Zeek deployed on EU infrastructure.
OVHcloud vRack
OVHcloud (OVH Groupe SAS) is a French company headquartered in Roubaix, Hauts-de-France. OVH Groupe is majority-owned by the Klaba family with no US corporate parent. OVHcloud vRack (Virtual Rack) is a private VLAN service that connects OVHcloud dedicated servers, Hosted Private Cloud resources, and Public Cloud instances across OVHcloud's European data centers.
vRack operates at Layer 2, extending a private Ethernet broadcast domain across OVHcloud infrastructure. Organizations can connect resources in different OVHcloud data centers — Paris, Gravelines, Strasbourg, Frankfurt, London, Warsaw — through the vRack fabric without traffic traversing the public internet. vRack supports 802.1Q VLAN tagging for traffic segmentation.
For European organizations with on-premises infrastructure or multi-site requirements, vRack's Layer 2 extension provides connectivity that keeps network-level traffic within OVHcloud's French-operated infrastructure. OVHcloud is subject to French and EU law, not CLOUD Act jurisdiction.
Scaleway VPC
Scaleway (Online SAS) is a French cloud provider owned by Iliad Group, headquartered in Paris. Scaleway VPC provides private networking for Scaleway resources including Instances, Managed Databases, Kubernetes Kapsule clusters, and Managed Load Balancers.
Scaleway VPC supports multiple Private Networks within a project, each with a configurable IPv4 CIDR block. Resources in the same Private Network communicate directly without routing through the public internet. Scaleway's routing infrastructure connecting Private Networks and external connectivity operates under Scaleway's control — an Iliad Group subsidiary without US corporate ownership.
Scaleway Private Networks integrate with Scaleway's Managed Services, including Managed Databases, Kubernetes Kapsule, and Managed Load Balancers. This integration allows fully private architectures where application traffic never leaves the Scaleway private network layer — a design that minimizes external exposure while keeping all infrastructure under EU-jurisdiction control.
Contabo Private Networking
Contabo GmbH is a German company headquartered in Munich, Bavaria. Contabo offers private networking for Virtual Private Servers deployed in Contabo's European data centers (Frankfurt, Nuremberg, Munich). Contabo Private Networks provide Layer 3 connectivity between servers in the same data center without traffic leaving Contabo's internal network.
For cost-sensitive applications, Contabo's private networking combined with dedicated VPS deployment offers EU-sovereign private networking at significantly lower cost than hyperscaler alternatives. The tradeoff is feature depth: Contabo private networking does not offer the feature breadth of VPC (no managed NAT gateway, no advanced route tables, no service endpoints), making it appropriate for architectures that can accept simpler networking models.
sota.io: EU-Native PaaS Without VPC Complexity
sota.io is a European PaaS platform that deploys applications on Hetzner Cloud and other EU-jurisdiction infrastructure. Applications deployed on sota.io run in containers managed by sota.io's orchestration layer — without requiring organizations to manage VPC configuration, flow logs, security groups, or route tables.
The absence of self-managed VPC configuration removes the GDPR compliance surface that VPC creates. There are no flow logs under US custody because the underlying infrastructure does not generate VPC-style flow logs stored by a US-jurisdiction operator. Network isolation between customer workloads is enforced at the container and infrastructure layer by sota.io, which operates as an EU-jurisdiction entity.
For European development teams whose AWS VPC usage is primarily driven by the requirement to isolate application workloads and control network access to databases and backend services, sota.io's managed networking handles those requirements without creating the jurisdictional exposure of a US-owned cloud network substrate.
Migration Considerations
Network topology mapping: Before migrating away from AWS VPC, map the full dependency graph of your VPC configuration — security groups, NACLs, route tables, VPC endpoints, Transit Gateway attachments, PrivateLink services, and peering connections. AWS VPC's feature surface is extensive; understanding which features your architecture actively uses determines which EU-native alternatives are technically viable.
Flow log retention obligations: If your organization uses VPC flow logs for security monitoring, incident response, or compliance auditing, establish a retention and analysis plan for the transition period. During migration, both AWS-origin and EU-origin network logs may coexist. Ensure your GDPR Art. 30 records of processing activities reflect the transition state.
DNS dependency audit: Applications inside a VPC frequently depend on Route 53 Resolver for internal service discovery. Migrating to EU-native networking requires mapping all DNS-dependent service communication and adapting service discovery to the target platform's DNS model (for example, Kubernetes DNS on Scaleway Kapsule, or Consul deployed on Hetzner Private Networks).
Security group rule translation: AWS security groups are stateful firewall rules at the instance level. EU alternatives implement equivalent controls differently — Hetzner Cloud uses server-level firewall rules with similar stateful behavior, Scaleway uses Security Groups, OVHcloud uses security groups and NACLs on the Public Cloud side. The logic is equivalent; the API and configuration format differ.
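As an added example for the security group point above (not code from AWS, Hetzner, or this article's author), the Python below translates the IpPermissions ingress shape that describe-security-groups returns into Hetzner Cloud firewall rule objects, and reports rather than silently drops rules that reference another security group. The Hetzner rule shape, the 'any' port value and the expansion of protocol "-1" into tcp/udp/icmp are assumptions to verify against Hetzner's current API; the sample rules and the sg- id are constructed.

```python
"""Translate AWS security group ingress rules (the IpPermissions shape that
describe-security-groups returns) into Hetzner Cloud firewall rules.
Added example for this article, not AWS or Hetzner code. The Hetzner rule
shape (direction/protocol/port/source_ips) follows Hetzner's public API as
understood here; the 'any' port value and expanding AWS protocol "-1" into
tcp/udp/icmp are assumptions, so review the output before applying it."""
import ipaddress

# Constructed AWS rules: SSH from an office range, HTTPS from anywhere
# (v4 and v6), all ICMP from the VPC, and all traffic from another SG.
SAMPLE_AWS_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "UserIdGroupPairs": []},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},  # constructed id
]

def port_string(rule: dict) -> str:
    """AWS FromPort/ToPort -> Hetzner port text: '22', '1024-5000' or 'any'."""
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if lo in (-1, None) or hi in (-1, None):
        return "any"
    return str(lo) if lo == hi else f"{lo}-{hi}"

def source_cidrs(rule: dict) -> list[str]:
    """Collect v4 and v6 CIDRs with host bits cleared, as Hetzner requires."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]

def translate_ingress(aws_rules: list[dict]) -> tuple[list[dict], list[str]]:
    """Return (hetzner_rules, warnings). A rule that references another
    security group has no IP-based equivalent and is reported, not dropped."""
    out, warnings = [], []
    for rule in aws_rules:
        for pair in rule.get("UserIdGroupPairs", []):
            warnings.append(f"rule references {pair['GroupId']}: "
                            "replace it with the member servers' private IPs")
        sources = source_cidrs(rule)
        if not sources:
            continue
        proto = rule["IpProtocol"]
        protocols = ["tcp", "udp", "icmp"] if proto == "-1" else [proto]
        for p in protocols:
            h = {"direction": "in", "protocol": p, "source_ips": sources,
                 "destination_ips": [], "description": f"from AWS SG rule ({proto})"}
            if p in ("tcp", "udp"):   # Hetzner accepts a port only for tcp/udp
                h["port"] = port_string(rule)
            out.append(h)
    return out, warnings
```

translate_ingress(SAMPLE_AWS_INGRESS) yields three Hetzner rules (SSH, HTTPS with both address families, ICMP without a port) plus one warning for the security-group-sourced rule, which you resolve by hand with the private IPs of the servers that would have been members of that group.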
Applying GDPR Principles to Network Infrastructure
GDPR Article 25 requires data protection by design and by default. For network infrastructure, this means designing your cloud networking to minimize the generation of personal data — specifically, IP-address-level flow records — and ensuring that unavoidable network logs are stored under EU-jurisdiction operators.
AWS VPC's flow logging, DNS query logging, and Transit Gateway logging capabilities are valuable for operational purposes. They are also pervasive generators of personal data under the CJEU Breyer standard. Storing that data under a US CLOUD Act entity — even in an EU region — creates an ongoing jurisdictional exposure that is inherent to the AWS VPC architecture.
EU-native private networking from Hetzner, OVHcloud, or Scaleway provides technically equivalent private networking with network infrastructure and its associated operational logs remaining under EU-jurisdiction operators. For organizations with GDPR obligations, the relevant question is not whether AWS VPC is technically capable — it is whether the jurisdictional exposure of having your network-layer personal data under US CLOUD Act compulsion is acceptable given your regulatory obligations and your users' reasonable expectations about their data.
sota.io provides EU-native application hosting on Hetzner and Scaleway infrastructure. Applications deploy without managing VPC configuration, flow logs, or US-jurisdiction network substrates. Start your free trial or read more EU compliance guides.