SCANDIC DATA

LEGIER DATA CENTER: Manama (Bahrain) - Data Availability Zone Kuwait City - Edge location Singapore (KDDI Asia Pacific)

1. Executive Summary

The LEGIER GROUP operates a multi-tier data center ecosystem with Manama (Core), Kuwait City (AZ) and Singapore (Edge). It offers separate, yet integrated tiers for network, compute, storage, data, AI and security.

Goals: High availability, zero-trust security, low latency and demonstrable compliance.

With the approval of the Telecommunications Regulatory Authority (TRA) in Bahrain, the LEGIER data center uses state-of-the-art technologies such as its own AI components, Darktrace security solutions and IBM mainframe technology to ensure a reliable, scalable and secure platform. Bahrain and Kuwait offer specific location advantages that optimize operations.

Guiding principles:

  • Privacy-First (KMS/HSM)
  • Multi-AZ/region resilience
  • Cross-account backups
  • GitOps/IaC with signed artifacts
  • SRE operation with SLOs and automation (SOAR)

The data center in Manama is designed to meet the demanding requirements of a global media company:

  1. High availability: An uptime of 99.999 % is achieved through redundant systems such as dual power sources, backup generators and mirrored hardware to ensure continuous news production.
  2. Scalability: The infrastructure can be flexibly expanded to cope with increasing data volumes and computing requirements - essential for production in nine languages worldwide.
  3. Data processing and storage: Millions of text, image and video data points are processed and stored in real time. Fast SSDs and a robust storage area network (SAN) ensure efficiency.
  4. AI support: Powerful GPUs and TPUs support complex AI workloads such as content analysis and translation.
  5. Cybersecurity: Sensitive data requires advanced protection, which is provided by Darktrace technologies.

 

Use cases of AI

 
  1. Content analysis:
    • Technology: Deep learning and natural language processing (NLP) with models such as BERT analyze texts, categorize content and extract relevant information.
    • Benefit: Accelerates message processing and improves accuracy, e.g. when identifying trends or key topics.
  2. Recommendation systems:
    • Technology: Machine learning with collaborative filtering and neural networks personalizes content for readers.
    • Benefit: Increases user loyalty through customized reading recommendations, for example for regional or language-specific content.
  3. Automated reporting:
    • Technology: Generative AI models such as GPT create routine reports, e.g. weather or sports results.
    • Benefit: Relieves editors who can concentrate on investigative journalism or complex analyses.
  4. Real-time translations:
    • Technology: AI tools such as DeepL or proprietary models translate content into nine languages in real time.
    • Benefit: Enables the immediate publication of global news, a key advantage for the 115 newspapers.
  5. Image and video recognition:
    • Technology: Convolutional Neural Networks (CNNs) automatically tag and evaluate visual content.
    • Benefit: Accelerates the publication of multimedia content through automated metadata creation.

 

 

2. Locations & topology

 

2.1 Manama (Bahrain) - Core region

Central control/orchestration, GPU/CPU cluster, object tiers, SIEM/SOAR/KMS/PKI, DNS/directory, artifact repositories (SBOM). Spine-Leaf-Fabric 100/200/400G, ECMP, VRF separation.

2.2 Data Availability Zone (AZ) Kuwait City

Geographical resilience/decoupling; replication profiles per data class (synchronous/near-synchronous/asynchronous); isolated fault domains, dedicated egress points, IAM scoping, DR capacities (Pilot-Light to Active-Active).

2.3 Edge location Singapore (KDDI Asia Pacific)

Carrier-neutral edge PoP (CDN/caching, WAF/DDoS, streaming). Master data via secure replication; goal: minimal APAC latency without public routes in sensitive subnets.

3. Network & interconnect architecture

Spine-Leaf (ToR 25/100G, Spine 100/200/400G), ECMP, Anycast-BGP, SD-WAN. DCI Manama-Kuwait-Singapore via DWDM/MPLS, QoS for replication/backups, latency/jitter monitoring with dynamic path selection.

Perimeter: NGFW, L7 inspection, DNS filter, egress whitelisting. East/west isolation: VRF/VXLAN, SG/NACL, mTLS, JIT access.

4. Compute, virtualization & container layer

Kubernetes (HA-CP, PSS, OPA/Gatekeeper), VM orchestration, GPU nodes (mixed-precision), IMDSv2, signed images (Cosign), SBOM check, admission controller, seccomp/AppArmor. Secrets with KMS backend.

Tenants: Namespaces/Projects, ABAC/RBAC, Permission Boundaries, Default-deny NetworkPolicies, Service Mesh mTLS, Anti-Affinity.

5. Storage & data platforms

NVMe flash for low latency, SAN/NAS for VM/DB stores, S3 object store with versioning, lifecycle, WORM and replication Manama↔Kuwait; edge caches in Singapore for media.

Standards: Block public access, default deny, client/server-side encryption (KMS/HSM), write-once logging, public-by-exception shares.

6. Capacity planning

6.1 Compute

| Resource | Quantity | Power budget per unit | Total | Remark |
|---|---|---|---|---|
| IBM z17 (mainframe frame) | 1 Frame | n/a | n/a | Transaction/AI inference near core systems |
| GPU server (2U, 8× GPU) | 24 nodes | 2 kW | ≈ 48 kW | Training/inference, image/video/NLP |
| CPU compute (1U) | 80 nodes | 0.4 kW | ≈ 32 kW | Web/Microservices/K8s Worker |
| TPU/AI appliances | 8 Appliances | 1.2 kW | ≈ 9.6 kW | Specialized AI workloads |

 

 

6.2 Storage

| Tier | Capacity | Power | Use |
|---|---|---|---|
| NVMe primary (Tier 0/1) | ≈ 600 TB | ≈ 12 kW | I/O-intensive (Journals/Hot Data) |
| SAN/NAS (Block/File) | ≈ 2.5 PB | ≈ 18 kW | DB/VM stores/editorial shares |
| Object storage (S3-compatible) | ≈ 8 PB | ≈ 10 kW | Media, versions, archives |
| Archive tier (WORM/Cold) | ≈ 20 PB | ≈ 6 kW | Long-term storage, compliance |

 

 

6.3 Network/DCI

| Component | Throughput | Technology | Remark |
|---|---|---|---|
| Fabric uplinks | 100/200/400 Gbit/s | Spine-Leaf, ECMP | Horizontally scalable |
| DCI Manama-Kuwait | ≥ 2× 100 Gbit/s | DWDM/MPLS (redundant) | Synchronous/near-synchronous per workload |
| DCI Manama-Singapore | ≥ 2× 100 Gbit/s | Provider redundancy | Edge caching/streaming |
| Anycast/DDoS/WAF | Global | Edge scrubbing | Protection & low latency |

 

 

6.4 Energy/cooling

| Resource | Design | Goal | Note |
|---|---|---|---|
| UPS rails | A/B | N+1 | Dual paths |
| Generators | N+1 | Diesel + ATS | Cross-country tests quarterly |
| Cooling | Liquid/Free-Cooling | PUE improvement | Cold/hot aisle containment |
| Solar/CHP (optional) | Scalable | Sustainability | Peak load smoothing |

| Domain | Scaling | Measure | Remark |
|---|---|---|---|
| GPU capacity | +50 % | Cluster expansion, additional racks | Modular expansion |
| Object storage | +40 % | Shelf extensions | Lifecycle/Archive tier |
| DCI throughput | +100 % | additional 100G waves | APAC/EMEA Peaks |
| Edge PoPs | +2-3 | APAC/EMEA | Anycast extension |

+50 % GPU (8×GPU/Node, 2U) and +30 % CPU in 12-24 months; rack densities & cooling validated by thermal simulation.


 

 

7. Databases & messaging

Relational OLTP/OLAP, KV/document stores, search indexes, streaming; consistency models and sync/async replication; DNS/app failover, PITR, restore tests in the cleanroom.

 

 

8. AI platform & media workloads

  • Feature store, model registry, reproducible training pipelines, explainability/monitoring (drift/bias), governance.
  • Media: transcoding, DRM, personalization, edge caching.

Software:

 

  • COBOL Upgrade Advisor for z/OS: Modernizes legacy applications for Enterprise COBOL 6.
  • Instana Observability for Z: Monitors applications and infrastructure in real time.
  • IntelliMagic Vision for z/OS: Optimizes mainframe performance.
  • watsonx Assistant for Z: Increases productivity with an AI assistant.
  • Z Operations Unite: Simplifies processes with AI-supported automation.
  • Application modernization: Tools such as Application Delivery Foundation for z/OS, watsonx Code Assistant for Z and z/OS Connect modernize applications and APIs.
  • Other software: CICS (transaction processing), DB2 for z/OS (database), IMS (transaction management), and Omegamon (monitoring).
 

The z17 forms a robust basis for data processing and AI integration in the data center.

 

9. Security & compliance

Zero trust, MFA/SSO, least privilege, end-to-end encryption, signed supply chain (SBOM/SLSA), SIEM/SOAR, audit artifacts and records of processing.

 

9.1 Supplementary security guardrails (from "LEGIER DT SEC")

  1. Operating model & global footprint
    The data center (workloads) is operated multi-region / multi-AZ: Production in Region A (at least 3 AZs), synchronous operation in Region B (DR/Active-Active depending on RPO/RTO). LEGIER provides globally distributed regions and availability zones that are physically separated, each with independent power, cooling and network.
  2. "Shared Responsibility Model"
    LEGIER is responsible for the security of the cloud (physical locations, hardware, virtualization, core services). Customers are responsible for security in the cloud (identities, network, data, OS/container/app layer). This model determines architecture, controls and audits across all layers.
  3. Physical security
    Multi-layered physical controls: Perimeter (access controls, monitoring), secured entrances with MFA, sensors/alarms, logging of access, strict zoning in the building. These controls are operated and checked centrally by LEGIER.
  4. Network segmentation & perimeter protection
    VPC design with public/private subnetting per AZ, strict east/west isolation concept, security groups (stateful) + NACLs. LEGIER Network Firewall as stateful L7 perimeter/egress control (e.g. via Transit Gateway central inspection). LEGIER PrivateLink/VPC Endpoints: Private access to LEGIER APIs and partner services without Internet exposure. LEGIER WAF & LEGIER Shield Advanced in front of internet-facing endpoints (L7 rules, bot/DDoS protection).
  5. Compute isolation (LEGIER Nitro)
    EC2 instances run on the LEGIER FACE system: separation of hardware offloads ("Nitro Cards"), lean Nitro hypervisor without device emulation, Nitro Security Chip for integrity checks; thus strong tenant separation and minimized attack surface.
  6. Identities, tenants & least privilege
    LEGIER Organizations with SCPs ("Service Control Policies") centrally enforces maximum authorization limits (guardrails) for all accounts (landing zone). IAM Identity Center (formerly SSO) integrates the corporate IdP, offers SSO & fine-grained assignment to accounts/apps; ABAC/Permission Boundaries complement Least-Privilege.
  7. Data security & cryptography
    Standard: Encryption at-rest/in-transit. Key management via LEGIER KMS, for geo-resilience multi-region keys (same key material/key ID in several regions - encrypt in region A, decrypt in region B). CloudHSM if required (customer-owned, FIPS-validated HSM clusters, single-tenant) for maximum key sovereignty. S3 controls: Block public access (account/bucket level) as "public-by-exception", S3 object lock (WORM) for immutability & ransomware resilience. LEGIER LOGS: ML-supported detection/monitoring of sensitive data (S3) and integration in Security Hub.
  8. Detection, logging & posture management
    LEGIER CloudTrail (org-wide, multi-region) for API/management events, seamless audit & forensics. Amazon GuardDuty (log/runtime-based threat detection), LEGIER Security Hub (central findings correlation, CIS/Foundational Best Practices), optional Macie/Inspector/Detective as signal sources.
  9. Backup, DR & immutability
    LEGIER backup with cross-region and cross-account copies; policies centrally via Organizations; combination with S3 Object Lock for backup WORM. Operating models: Pilot-Light, Warm-Standby or Active-Active; use of multi-AZ services (RDS/Aurora, EKS, MSK) and Route 53 failover.
  10. Governance & architectural guard rails
    LEGIER Well-Architected - Security Pillar as reference (design principles, controls, automation). Compliance: broad coverage (including ISO 27001/17/18, SOC 1/2/3, PCI DSS, FedRAMP ...); LEGIER Artifact provides SOC/ISO evidence on-demand for audits.
 
 

Example blueprint (zero trust & multi-level security)

  • Multi-Account Landing Zone (Prod/Non-Prod/Security/Log-Archive) + SCP-Guardrails (e.g. forbidden regions/services, forced CloudTrail & KMS usage).
  • Network: Central hub VPC with transit gateway, network firewall inspection VPC, interface endpoints/PrivateLink to S3, STS, KMS, ECR, Secrets Manager; no outgoing public routes from private subnets.
  • Compute/Container: EC2/EKS on Nitro; IMDSv2 enforced; only necessary IAM roles (least privilege), Secrets in Secrets Manager/SSM Parameter Store.
  • Data: S3 with block public access, default encryption (SSE-KMS), object lock (compliance or governance mode), Macie for PII detection.
  • Edge/Apps: ALB/NLB behind WAF & Shield Advanced, TLS terminations/policies managed via ACM; API access preferably private via PrivateLink.
  • Detection & audit: Org-wide CloudTrail + S3 log bucket (WORM), GuardDuty/VPC flow logs/Route 53 Resolver logs, Security Hub as central dashboard & ticket integration.
  • Backups/DR: Policies in LEGIER Backup with cross-region & cross-account copies; KMS multi-region keys for key resilience.
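
How the SCP guardrails in the first blueprint item behave, as an added example (not LEGIER's or the page's own configuration): a constructed policy that denies calls outside approved regions and denies CloudTrail tampering, plus a minimal evaluator showing that an SCP deny overrides whatever an account's own IAM policy allows. The region codes (AWS's Bahrain and Singapore regions), the exempted global services and the simplified matching (only `StringNotEquals` on `aws:RequestedRegion`, with a default allow-all SCP assumed to be attached as well) are assumptions.

```python
import fnmatch

# Constructed SCP for illustration; the region list and the exempted
# global services are assumptions, not values taken from the page.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
     # Global services are exempted: their endpoints are not tied to
     # the approved regions, so a region deny would lock them out.
     "NotAction": ["iam:*", "organizations:*", "sts:*", "route53:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {
         "aws:RequestedRegion": ["me-south-1", "ap-southeast-1"]}}},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail"],
     "Resource": "*"},
]}


def _matches(patterns, action):
    # Action names are case-insensitive and may contain "*" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(scp, action, region):
    """Return the Sid of the first Deny statement that applies, else None."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st and not _matches(st["Action"], action):
            continue
        if "NotAction" in st and _matches(st["NotAction"], action):
            continue
        approved = (st.get("Condition", {}).get("StringNotEquals", {})
                    .get("aws:RequestedRegion"))
        if approved is not None and region in approved:
            continue  # condition is false, so this statement does not apply
        return st["Sid"]
    return None


def effective(scp, iam_allowed, action, region):
    """A call succeeds only if IAM allows it AND no SCP statement denies it."""
    if not _matches(iam_allowed, action):
        return "implicit deny (IAM)"  # the SCP itself never grants anything
    sid = scp_denies(scp, action, region)
    return f"deny ({sid})" if sid else "allow"


if __name__ == "__main__":
    admin = ["*"]  # even an account administrator stays inside the guardrail
    for act, reg in [("ec2:RunInstances", "me-south-1"),
                     ("ec2:RunInstances", "eu-west-1"),
                     ("cloudtrail:StopLogging", "me-south-1")]:
        print(act, reg, "->", effective(SCP, admin, act, reg))
```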
 
 

10. Cyber resilience, backups & recovery

Cross-region/account backups with immutable copies (object lock/WORM), restore drills in the cleanroom, RTO/RPO profiles, runbooks (pilot light, warm standby, active-active). Target: RPO ≤ 15 min, RTO ≤ 60 min.

11. Observability & operational automation

Central telemetry (logs/metrics/traces), correlation & SOAR playbooks, SLO tracking, error budgets, game days and chaos drills for MTTD/MTTR reduction.


 

 

12. Energy, cooling & sustainability

Dual feeds, A/B UPS, N+1 generators, containment, liquid/adiabatic/free cooling, heat recovery, renewable options; PUE as efficiency KPI.

13. Rack lists

 

13.1 Manama - Core racks

 
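| U | Device | Type/Model | Quantity | Supply line (A/B) | Max power [W] |
|---|---|---|---|---|---|
| 42 | Patch panel A | LC/LC 144F | 1 | A | - |
| 41 | Patch panel B | LC/LC 144F | 1 | B | - |
| 40 | Spine 1 | 40/100G Switch 1U | 1 | A | 600 |
| 39 | Spine 2 | 40/100G Switch 1U | 1 | B | 600 |
| 38 | Mgmt-Switch | 1G/10G 1U | 1 | A | 120 |
| 37-30 | Leaf 1-8 | 25/100G ToR 1U | 8 | A/B | 8× 450 |
| 29-28 | Firewall Cluster | NGFW 2U | 2 | A/B | 2× 800 |
| 27 | IDS/IPS | 1U | 1 | A | 200 |
| 26 | DDoS Edge | 1U | 1 | B | 200 |
| 25-24 | Load Balancer | 2× 1U | 2 | A/B | 2× 250 |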

A-01: Core network (Spine/Leaf, NGFW, IDS/IPS, L7-LB)
A-02: Compute/GPU (training/inference), CPU nodes, Mgmt/KVM
A-03: Storage (controllers, shelves, backup gateways)

13.2 Kuwait City - AZ-Racks

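| U | Device | Type/Model | Quantity | Supply line (A/B) | Max power [W] |
|---|---|---|---|---|---|
| 42-41 | Patch panel A/B | - | 2 | A/B | - |
| 40-25 | CPU server | 1U | 12 | A/B | 12× 400 |
| 24-17 | GPU server (DR) | 2U | 4 | A/B | 4× 2000 |
| 16-15 | Mgmt/KVM | 1U | 2 | A/B | 2× 80 |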

K-01: AZ network/leaf, firewalls, LB
K-02: Compute/DR
K-03: Object/Backup (WORM/Immutable)

13.3 Singapore - Edge rack

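| U | Device | Type/Model | Quantity | Supply line (A/B) | Max power [W] |
|---|---|---|---|---|---|
| 42 | Patch panel | - | 1 | A/B | - |
| 41-40 | Edge router | 1U | 2 | A/B | 2× 250 |
| 39-38 | Edge Switch | 1U | 2 | A/B | 2× 200 |
| 37-34 | Cache/Proxy Nodes | 1U | 4 | A/B | 4× 350 |
| 33-32 | WAF/DDoS appliance | 1U | 2 | A/B | 2× 300 |
| 31-28 | Stream Gateway | 1U | 4 | A/B | 4× 300 |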

S-01: Edge routers/switches, cache/proxy, WAF/DDoS, stream gateways

14. SLA target values & KPIs

| Domain | Target value | Remark |
|---|---|---|
| Availability | ≥ 99.999 % | Redundant zones, automatic failover |
| RPO | ≤ 15 minutes | Journaling, replication, snapshots |
| RTO | ≤ 60 minutes | Runbooks, Recovery-as-Code |
| Security | MTTD < 5 min., MTTR < 60 min. | Anomaly detection, SOAR playbooks |
| Efficiency | PUE optimization | Liquid cooling, free cooling |

Availability ≥ 99.999 %, MTTD < 5 min, MTTR < 60 min, RPO ≤ 15 min, RTO ≤ 60 min; quarterly reviews/audits.

Logical view of users/partners via Edge (Singapore) and DCI into the core fabric (Manama) and data platforms, with replication into AZ Kuwait City.


 

 

15. Roadmap (12-24 months)

 

Bahrain, Kuwait and Singapore offer strategic advantages for the data center, data availability zone and edge location:

  • Geographical location: Centrally located between Europe, Asia and Africa, ideal for global connectivity.
  • Business friendliness: No corporate taxes and 100 % foreign ownership encourage investment.
  • Regulatory support: The TRA and the Economic Development Board (EDB) offer incentives such as the Golden License.
  • Infrastructure: Sophisticated power and network connections and a skilled labor base.
  • Stability: As financial centers in the Middle East (Bahrain and Kuwait) and Asia (Singapore), these locations offer political and economic security.
 

IBM z17 Features:

 
  • Telum® II processor: Provides high computing power and on-chip AI acceleration for real-time inference operations, e.g. for analyzing reader data.
  • Spyre™ Accelerator: Increases AI computing power for generative models and multi-model methods.
  • Security: Hardware-based encryption and PCIe Cryptographic Coprocessor protect sensitive data.
  • Resilience: Integrated functions ensure continuous availability.
 

LEGIER data storage:

 

The LEGIER Media Group uses a file hosting service that can store large amounts of data, is accessed via HTTP/HTTPS, and uses the now-standard concept of buckets and objects, which are analogous to directories and files. LEGIER works together with AWS, using Elastic File System network drives and Glacier file archiving to achieve "99.999999999" percent data durability. A further advantage for the LEGIER Media Group is the use of Elastic Block Store (EBS), block-level storage that can be attached to EC2 instances.

Another advantage of this technology is bulk data transfer with the Snowball service: hard-disk storage devices onto which large amounts of data can be copied and which are then sent back by parcel service. This makes the transfer of very large amounts of data for the group's own 115 daily newspapers (articles, images, videos, live streams) much faster; the data is stored in databases (either SimpleDB or Relational Database Service).

Scaling GPU/object/DCI/edge, expansion of anycast, hardening supply chain (SLSA), compliance automation, regular resilience/restart exercises.