Scenario 04 · Data-sovereignty edge
A SaaS serves European customers under GDPR, and post-Schrems II its DPA forbids exposing personal data to non-EU jurisdiction — including the moment of TLS termination, where a provider sees plaintext. But the engineering team's backends, CI, and data stores live wherever it's cheapest. They need the edge — termination and request processing — provably inside the EU, while the rest of the stack stays portable.
Architecture
The origin opens the tunnel outbound, so the backend network needs no inbound firewall holes. TLS terminates only at the EU edge — no third party, and no US entity, ever sees plaintext.
The setup
Stand up the edge on EU infrastructure (here, a Hetzner VM in Falkenstein). It runs the data plane on
:443 and the tunnel control plane on :7844:
# Edge VM in Germany — terminates TLS inside EU jurisdiction
hcloud server create \
--name edge-de-1 \
--type cx22 \
--image zenoingress-edge \
--location fsn1 # Falkenstein, DE
# Edge exposes: :443 data plane (TLS terminate, PQC)
# :7844 control plane (tunnel registration)
Then point the in-cluster proxy at the edge in tunnel mode. The origin connects outbound, authenticating with a token and a client certificate (mutual TLS) — so the edge only ever accepts a tunnel from your own proxy:
tunnel:
enabled: true
edge_address: "edge-de-1.example.eu:7844"
auth_token: "sk_prod_…" # from a Secret
hostnames:
- "app.example.eu"
- "api.example.eu"
tls:
enabled: true
client_cert: /etc/zeno/tunnel/tls.crt # mutual TLS to the edge
client_key: /etc/zeno/tunnel/tls.key
reconnect_backoff: "1s..30s" # exponential, auto-reconnect
See docs/eu_only_edge_ingress.md for a full 100%-EU stack (DNS, registrar, CDN/WAF, ACME).
What happens
app.example.eu to the EU edge VM. The client opens
TLS 1.3 with post-quantum key exchange directly to it.
Outcome
You own the edge that terminates TLS, so plaintext and processing stay pinned to EU jurisdiction — with an outbound, mTLS-authenticated tunnel that keeps backends portable and the origin network sealed.
Run this yourself
Once the tunnel is up, the certificate the client sees is issued for your domain by the EU edge — not a third party's — and the edge resolves to an EU address:
$ # the tunnel is registered and serving
$ curl -sI https://app.example.eu | head -1
HTTP/2 200
$ # TLS terminates at YOUR EU edge — check the issuer + the IP
$ echo | openssl s_client -connect app.example.eu:443 \
-servername app.example.eu 2>/dev/null | openssl x509 -noout -issuer
issuer=C=IT, O=Actalis S.p.A., CN=Actalis Domain Validation CA
$ dig +short app.example.eu
5.75.xxx.xxx # Hetzner, Falkenstein (DE)
An edge you own, a tunnel that dials out. Free for one production cluster.
Deploy Free