Data Mesh

Domain-oriented data ownership with federated governance and sovereignty controls.

Overview

Data Mesh is an architectural paradigm that treats data as a product owned by domain teams. For sovereign cloud environments, this approach aligns well with data residency requirements as each domain can manage its data within approved boundaries while sharing through governed APIs.

Learning Objectives

After completing this section, you will be able to:

✅ Design data mesh architectures with sovereignty controls
✅ Implement federated governance with Microsoft Purview
✅ Configure domain data products with regional boundaries
✅ Enable secure cross-domain data sharing

Data Mesh Architecture

Principle	Sovereignty Implementation
Domain Ownership	Each domain owns data residency decisions
Data as Product	APIs with regional routing
Self-serve Platform	Pre-approved regional infrastructure
Federated Governance	Purview + Azure Policy

Federated Governance

Microsoft Purview Configuration

# Create Purview account for data governance
New-AzPurviewAccount `
    -Name "sovereign-purview" `
    -ResourceGroupName "governance-rg" `
    -Location "westeurope" `
    -ManagedResourceGroupName "purview-managed-rg"

# Register domain data sources
Register-AzPurviewDataSource `
    -AccountName "sovereign-purview" `
    -DataSourceName "sales-domain" `
    -DataSourceType "AzureSqlDatabase" `
    -ResourceId "/subscriptions/{sub}/resourceGroups/sales-rg/providers/Microsoft.Sql/servers/sales-sql/databases/salesdb"

Governance Policies

# Data governance policy structure
governancePolicies:
  dataResidency:
    enforced: true
    allowedRegions:
      - "westeurope"
      - "northeurope"

  dataClassification:
    autoClassify: true
    rules:
      - pattern: "SSN|Social Security"
        classification: "PII.HighRisk"
      - pattern: "email|phone"
        classification: "PII.Contact"

  dataCatalog:
    requireDescription: true
    requireOwner: true
    requireSensitivityLabel: true

  accessControl:
    requireApproval: true
    approvers: ["data-steward@domain"]

Domain Data Products

Sales Domain (EU)

# Sales domain data product definition
dataProduct:
  name: "Sales Analytics"
  domain: "Sales"
  owner: "sales-data-team@contoso.com"

  dataResidency:
    region: "EU"
    storageLocations:
      - "westeurope"

  interfaces:
    - type: "API"
      endpoint: "https://sales-api.contoso.eu/v1"
      authentication: "OAuth2"
      scopes:
        - "sales.read"
        - "sales.aggregate"

    - type: "SQL"
      endpoint: "sales-sql.database.windows.net"
      authentication: "AzureAD"
      accessLevel: "Read-Only"

  sla:
    availability: 99.9
    latency: "< 100ms"
    freshness: "< 1 hour"

  qualityMetrics:
    completeness: 98
    accuracy: 99
    timeliness: 95

Customer Domain (EU)

dataProduct:
  name: "Customer 360"
  domain: "Customer"
  owner: "customer-data-team@contoso.com"

  dataResidency:
    region: "EU"
    piiHandling: "Encrypted-CMK"

  interfaces:
    - type: "API"
      endpoint: "https://customer-api.contoso.eu/v1"
      rateLimit: 1000

  dataContracts:
    - consumer: "Sales Domain"
      purpose: "Customer enrichment"
      fields: ["customerId", "segment", "region"]
      excludedFields: ["email", "phone", "address"]

Data Products API

API Design Pattern

// Data Product API with sovereignty controls
[ApiController]
[Route("api/v1/sales")]
public class SalesDataProductController : ControllerBase
{
    [HttpGet("aggregates")]
    [Authorize(Policy = "SalesRead")]
    public async Task<IActionResult> GetAggregates(
        [FromQuery] string region,
        [FromQuery] DateTime from,
        [FromQuery] DateTime to)
    {
        // Validate requester's region access
        var callerRegion = HttpContext.User.FindFirst("region")?.Value;
        if (!_sovereigntyService.CanAccessRegion(callerRegion, region))
        {
            return Forbid("Cross-region access not permitted");
        }

        // Return aggregated, non-PII data
        var aggregates = await _salesService.GetAggregatesAsync(region, from, to);

        return Ok(new DataProductResponse
        {
            Data = aggregates,
            Metadata = new DataProductMetadata
            {
                Freshness = DateTime.UtcNow,
                Region = region,
                Quality = await _qualityService.GetMetricsAsync()
            }
        });
    }
}

Data Contract Pattern

graph LR
    subgraph Sales ["Sales Domain (EU)"]
        A[Sales Data<br/>Product]
    end

    subgraph Customer ["Customer Domain (EU)"]
        B[Customer Data<br/>Product]
    end

    subgraph Analytics ["Analytics Domain (EU)"]
        C[Analytics<br/>Platform]
    end

    A -->|"Contract: Sales Metrics<br/>Fields: revenue, units"| C
    B -->|"Contract: Customer Segments<br/>Fields: segment, region"| C
    B -.->|"❌ PII Excluded"| C

    style Sales fill:#E8F4FD,stroke:#0078D4
    style Customer fill:#FFF4E6,stroke:#FF8C00
    style Analytics fill:#D4E9D7,stroke:#107C10

Contract Enforcement

# Data contract validator
class DataContractValidator:
    def validate_output(self, data: pd.DataFrame, contract: DataContract) -> bool:
        # Check allowed fields only
        allowed_fields = set(contract.allowed_fields)
        actual_fields = set(data.columns)

        if not actual_fields.issubset(allowed_fields):
            raise DataContractViolation(
                f"Unauthorized fields: {actual_fields - allowed_fields}"
            )

        # Check excluded fields (PII)
        excluded = set(contract.excluded_fields)
        if actual_fields.intersection(excluded):
            raise DataContractViolation(
                f"PII fields included: {actual_fields.intersection(excluded)}"
            )

        # Validate data quality
        quality_metrics = self.calculate_quality(data)
        if quality_metrics.completeness < contract.min_completeness:
            raise DataQualityViolation("Completeness below threshold")

        return True

Self-Serve Platform

Domain Provisioning Template

// Self-serve domain infrastructure
module domainInfra 'domain-template.bicep' = {
  name: '${domainName}-infrastructure'
  params: {
    domainName: domainName
    region: 'westeurope'  // Fixed for EU sovereignty

    // Pre-approved resources
    sqlServerSku: 'GP_Gen5_2'
    storageAccountSku: 'Standard_GRS'

    // Security baseline
    enablePrivateEndpoints: true
    enableCMK: true
    enablePurviewIntegration: true

    // Tagging for governance
    tags: {
      Domain: domainName
      DataOwner: dataOwnerEmail
      Classification: 'Confidential'
      Region: 'EU'
    }
  }
}

Implementation Checklist

Next Steps

Observability Stack → — Monitor data products
DevSecOps Pipeline → — Automate data platform deployment

Reference: Microsoft Purview — Microsoft Learn