# OpenShift Deployment Options Compared

Swiss organizations running Red Hat OpenShift have four realistic paths: ROSA on AWS, ARO on Azure, self-managed on any infrastructure, or a managed service from VSHN. Each option makes different trade-offs on sovereignty, operational burden, and cost.

This page lays out the differences so you can evaluate which model fits your requirements.

## Quick comparison

| | ROSA (AWS) | ARO (Azure) | Self-Managed | VSHN Managed |
|---|---|---|---|---|
| **Operator** | AWS + Red Hat | Microsoft + Red Hat | Your team | VSHN |
| **Data location** | AWS regions (nearest: Frankfurt) | Azure regions (nearest: Zurich) | Your choice | Your choice (Swiss cloud, on-premises, hyperscaler) |
| **Governing law** | US law (CLOUD Act applies) | US law (CLOUD Act applies) | Depends on hosting | Swiss law |
| **Swiss data center** | No (Frankfurt nearest) | Yes (Zurich region) | Yes (if hosted in CH) | Yes (cloudscale.ch, Exoscale, on-premises) |
| **Ops responsibility** | AWS/Red Hat manage control plane; you manage workloads | Microsoft/Red Hat manage control plane; you manage workloads | Everything is yours | VSHN manages cluster + operations |
| **SLA** | 99.95% (control plane) | 99.95% (control plane) | None (your own) | Up to 99.99% |
| **Upgrades & patches** | Shared responsibility | Shared responsibility | Your responsibility | VSHN handles weekly |
| **Monitoring & incident response** | AWS CloudWatch + your tooling | Azure Monitor + your tooling | Your responsibility | 24/7 monitoring, VSHN incident response |
| **Vendor lock-in** | AWS networking, IAM, storage | Azure networking, AD, storage | None (standard OpenShift) | None (standard OpenShift, portable) |
| **Open source** | OpenShift is open; AWS infra is proprietary | OpenShift is open; Azure infra is proprietary | Fully open source stack possible | OpenShift on open-source-friendly Swiss clouds |
| **Best for** | AWS-native teams, no CH residency requirement | Azure-native teams, Zurich region available | Full control, large platform team | Swiss compliance, small-to-mid ops team |

## ROSA: Red Hat OpenShift Service on AWS

ROSA is a jointly managed OpenShift service operated by AWS and Red Hat. AWS provides the infrastructure, Red Hat provides the OpenShift layer.

**What you get:**

- AWS manages the underlying EC2, networking, and storage
- Red Hat manages the OpenShift control plane and core components
- You manage your workloads, namespaces, and application configuration
- Pay-as-you-go pricing through your AWS bill

**Limitations:**

- Nearest AWS region to Switzerland is Frankfurt (eu-central-1), so data leaves Switzerland
- US-incorporated operator, subject to the [CLOUD Act](https://en.wikipedia.org/wiki/CLOUD_Act)
- Tied to AWS infrastructure: VPC, IAM, EBS, ELB. Migrating away means re-engineering networking and storage
- You still need a team for workload operations, CI/CD, and application-level monitoring
- Pricing varies by instance type and region; no fixed monthly fee

**Consider ROSA when:** Your workloads already run on AWS, you don't need Swiss data residency, and you want to reduce cluster management overhead while staying in the AWS ecosystem.

## ARO: Azure Red Hat OpenShift

ARO is the Azure equivalent: Microsoft and Red Hat jointly operate OpenShift on Azure infrastructure.

**What you get:**

- Microsoft manages Azure networking, storage, and compute
- Red Hat manages the OpenShift control plane
- Available in the Switzerland North (Zurich) Azure region
- Integrated billing through your Azure Enterprise Agreement

**Limitations:**

- Microsoft Corporation (USA) operates the infrastructure. US law and CLOUD Act apply regardless of data centre location
- Tied to Azure: VNET, Azure AD, Managed Disks. Migration requires re-engineering
- Workload operations, monitoring, and application management remain your responsibility
- Pricing is per-worker-node-hour plus OpenShift licensing; no fixed monthly fee

**Consider ARO when:** You're already invested in the Azure ecosystem, Switzerland North meets your data location needs, and you have a team to handle workload operations.

## Self-Managed OpenShift

Self-managed means your team installs, operates, and maintains OpenShift end-to-end. You choose the infrastructure: on-premises, Swiss cloud, or hyperscaler.

**What you get:**

- Full control over every layer: infrastructure, OpenShift version, upgrade timing, networking
- No dependency on a third-party operator
- Run on any certified infrastructure (bare metal, VMware vSphere, cloudscale.ch, Exoscale, AWS, Azure, GCP)
- Community Edition (OKD) available at no license cost

**Limitations:**

- **Operational burden is the main cost.** Running OpenShift in production requires:
  - 24/7 on-call rotation (minimum 5 engineers for true 24/7 coverage)
  - Cluster upgrades every 3-4 months (Red Hat support lifecycle)
  - Security patch management, including emergency zero-day response
  - Backup, disaster recovery, and restore testing
  - Monitoring, alerting, and incident response infrastructure
- At Swiss engineering salaries, a 24/7 OpenShift operations team costs over CHF 1M/year in personnel alone
- Even business-hours-only support (2-3 engineers) runs CHF 300,000-450,000/year
- Smaller teams consistently fall behind on upgrades and security patches

**Consider self-managed when:** Your organization has a mature platform engineering team (5+ people), you need full control over every layer, and you treat platform operations as a core competency.

## VSHN Managed OpenShift

VSHN operates your dedicated OpenShift cluster on the infrastructure of your choice. VSHN is a [Red Hat Premier Certified Cloud & Service Provider (CCSP)](https://www.vshn.ch/en/blog/vshn-is-red-hat-premier-ccsp-partner-in-switzerland/) and has been operating OpenShift clusters since 2016.

**What you get:**

- Dedicated cluster, not shared with other customers
- Choice of infrastructure: cloudscale.ch, Exoscale, Google Cloud, VMware vSphere, or on-premises
- Weekly maintenance: OS updates, OpenShift upgrades, zero-day patches
- 24/7 monitoring with proactive incident response
- Up to 99.99% SLA with service credits
- ISO 27001 certified operations
- Swiss company, Swiss law, no CLOUD Act exposure
- Fixed per-vCPU pricing depending on edition (OCP+, OCP, OKE), service level (Best Effort or Guaranteed Availability), and cloud provider tier. See [current pricing](https://products.vshn.ch/openshift/pricing.html)

**Limitations:**

- You delegate cluster-level control to VSHN (by design, this is the point)
- Infrastructure costs (compute, storage, network) billed separately by the cloud provider
- Custom cluster configurations may require engineering hours billed at the [standard hourly rate](https://products.vshn.ch/openshift/pricing.html)

**Consider VSHN when:** You need Swiss data residency, your team is too small for 24/7 OpenShift operations, compliance requires ISO 27001 certified processes, or you want to free your engineers from cluster maintenance.

## Total cost of ownership

Direct license and service fees are only part of the picture. The largest cost driver for OpenShift is people.

| Cost factor | ROSA / ARO | Self-Managed | VSHN Managed |
|---|---|---|---|
| **OpenShift licensing** | Included in service fee | Red Hat subscription required | Included |
| **Infrastructure** | Hyperscaler compute pricing | Your cloud or on-prem costs | Swiss cloud provider costs |
| **Control plane ops** | Managed by vendor | Your team | VSHN |
| **Workload ops** | Your team | Your team | Your team (or VSHN add-on) |
| **24/7 on-call** | Your team (for workloads) | Your team (for everything) | VSHN (cluster level) |
| **FTE overhead** | 1-2 for workload ops | 2-3 (BH) or 5-6 (24/7) for full stack | 0 for cluster ops |
| **Compliance documentation** | Limited (shared responsibility model) | You produce everything | VSHN provides ISO 27001 audit artifacts |

**Example: 8-worker-node cluster (32 vCPUs, OCP edition)**

| Model | Estimated monthly cost | Notes |
|---|---|---|
| ROSA / ARO | Variable (compute + per-node OCP fee) | Check [AWS](https://aws.amazon.com/rosa/pricing/) or [Azure](https://azure.microsoft.com/en-us/pricing/details/openshift/) pricing calculators; add internal ops team cost |
| Self-Managed (BH ops) | CHF 25,000-37,500+ | 2-3 FTEs at CHF 150K/yr + infrastructure + Red Hat subscription |
| Self-Managed (24/7 ops) | CHF 85,000-100,000+ | 5-6 FTEs at CHF 150-200K/yr + infrastructure + Red Hat subscription |
| VSHN Managed | A fraction of self-managed cost | See [current pricing](https://products.vshn.ch/openshift/pricing.html); per-vCPU fee includes operations, monitoring, incident response, upgrades, and Red Hat licensing |

Infrastructure costs from the cloud provider are additional.

## Sovereignty considerations

For a detailed sovereignty analysis covering CLOUD Act exposure, governing law, operational jurisdiction, and data residency, see our [OpenShift sovereignty assessment](/sovereignty/).

Key points:

- **ROSA and ARO** are operated by US companies subject to US law, including data stored in European regions
- **Self-managed** sovereignty depends entirely on your infrastructure and hosting choices
- **VSHN** is a Swiss company under Swiss law with an optional [Switzerland-only support](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support) model

## Next steps

Evaluating your OpenShift deployment model? [Book an architecture review](#contact) with our OpenShift team. We'll assess your current setup and recommend the approach that fits your compliance, operational, and budget requirements.