Iran Already Struck AWS in the Gulf: What Azure UAE Faces Next

On March 1, 2026, Iran became the first country to drone-strike a major hyperscale cloud provider. Three AWS data centers in the UAE and Bahrain were hit, two of the three availability zones in AWS ME-CENTRAL-1 went dark, and banking apps, ride-hailing platforms, and enterprise SaaS services across the Gulf went offline for days.

That event is the template for what Azure UAE and Google Cloud now face. The IRGC has issued an April 1 deadline threatening strikes against 18 US companies, including Microsoft and Google. Those companies run data centers within the same geographic corridor Iran already proved it can reach.

Understanding what actually happened to AWS in March tells you exactly what to plan for.

What Happened to AWS on March 1: The Actual Damage

Three AWS facilities were struck: two in the UAE (ME-CENTRAL-1 region) and one in Bahrain (ME-SOUTH-1 region). The drones caused structural damage, disrupted power delivery, and triggered fire suppression systems. The water from suppression added a second wave of damage on top of the initial impact.

Two out of three availability zones in ME-CENTRAL-1 were critically impaired. This is significant because AWS's standard multi-AZ redundancy architecture is not designed to survive losing two of three AZs simultaneously. The assumption is that multiple AZs fail independently, not in a coordinated 40-minute window. Iran exploited the geographic clustering of AZs within a single region.

AWS confirmed outages in EC2, S3, DynamoDB, Lambda, and RDS. The full list of affected services covered essentially every compute, storage, and managed database offering in the region.

The companies that went down were not small players. Abu Dhabi Commercial Bank lost transaction processing capability. Emirates NBD, the UAE's largest bank by assets, reported outages. Payments platforms Hubpay and Alaan went offline. Careem, the Gulf's dominant ride-hailing service, lost connectivity across multiple countries. Snowflake reported data cloud disruptions affecting Gulf-region enterprise customers.

AWS described recovery as "prolonged" and advised customers to migrate workloads to other regions. No specific recovery time estimate was given publicly.

Why Azure UAE Is the Logical Next Target

Microsoft's Azure footprint in the Gulf consists of two data centers: Azure UAE North in Dubai and Azure UAE Central in Abu Dhabi. Both are physical facilities with the same architectural vulnerabilities the AWS strike exploited: concentrated in a single geographic zone, dependent on external power delivery, and clustered close enough that multiple simultaneous drone strikes are achievable.

Azure UAE North and UAE Central together serve as the primary cloud regions for Gulf Cooperation Council enterprise customers who have data residency requirements. Saudi Aramco, UAE government agencies, regional banks, and healthcare providers use these regions specifically because they cannot store data outside Gulf territory under local law. That data residency lock-in is exactly what makes these facilities high-value targets: disrupting them cannot be instantly rerouted.

Microsoft has not publicly confirmed whether Azure UAE infrastructure was hit in the March strikes, denying any outages at the time. The April 1 IRGC statement names Microsoft explicitly alongside an 8 PM Tehran deadline, suggesting the threat assessment has updated.

Google Cloud and G42: A Different Kind of Target

Google's Middle East presence is structurally different from AWS and Azure. Google does not operate a dedicated Cloud region in the UAE with the same multi-AZ architecture. Its exposure comes through its partnership with G42, the Abu Dhabi AI company that received $1.5 billion from Microsoft in 2024 and has data-sharing agreements with multiple US tech firms.

G42 manages compute clusters, runs UAE government AI workloads, and operates physical infrastructure in Abu Dhabi that runs on Microsoft Azure and has Google integration at the application layer. It's on the IRGC target list separately from Microsoft and Google, which suggests Iranian targeting intelligence treats G42's infrastructure as a distinct set of physical assets rather than simply an extension of its US partners.

A strike on G42 facilities would not show up as an AWS or Azure outage in standard monitoring dashboards. It would surface as application-layer failures for UAE government services, AI inference pipelines, and enterprise software that relies on G42-managed compute.

The Services That Go Down When Gulf Cloud Regions Fail

The AWS March 1 outage gives a concrete picture of the blast radius. When two AZs in a cloud region fail simultaneously, these categories of workload fail in this order:

Multi-AZ RDS and Aurora instances fail because they cannot complete failover to a third AZ. Applications that assumed any two-AZ failure would be independent find that the third AZ is insufficient for full service restoration under the load shed by the failed zones.

Lambda functions configured for regional deployment fail outright. Functions configured for edge or global deployment may continue but with degraded latency and potential state consistency issues.

S3 and object storage become unavailable for the region. Cross-region replication helps only if it was configured before the event and if the destination region has sufficient capacity to absorb the migrated load.

SaaS applications that use the affected region as their primary data store — Snowflake was the clearest example in March — lose service for customers who have data placed in that region.

Banking and payments infrastructure fails with the most visible real-world consequences. The AWS March 1 event knocked out three UAE banks and two payments platforms simultaneously. A strike on Azure UAE would replicate this pattern for the substantial set of Gulf financial institutions that have standardized on Microsoft infrastructure.

What Developers With MENA Workloads Should Do Right Now

If you run production workloads on Azure UAE North, Azure UAE Central, Google Cloud infrastructure in the Gulf region, or any G42-powered service, these are the specific questions you need to answer before the April 1 deadline:

First: does your data residency compliance framework allow emergency failover to a non-Gulf region? For organizations under UAE PDPL (Personal Data Protection Law) or Saudi PDPD requirements, the answer is often no for data at rest but may be yes for processing workloads under emergency provisions. Check with your legal team now, not after an outage begins.

Second: have you tested failover to your disaster recovery region in the past 90 days? The AWS March 1 event revealed that many Gulf-region customers had DR configurations that were theoretically correct but had never been tested under realistic load conditions. Untested DR fails when you need it.

Third: what is your RTO assumption? AWS described its recovery as "prolonged." If your business continuity plan assumes cloud regional recovery within 4 hours, update that assumption based on what actually happened in March. The physical damage to data center infrastructure requires on-site repair work that takes days, not hours.

Fourth: for any services using Microsoft Intune for device management — given the Handala group's exploitation of Intune to wipe 200,000 Stryker devices across 79 countries in March — review your Intune conditional access policies and ensure you have break-glass procedures that do not rely on Intune connectivity.

What US Companies on the IRGC List Are Likely Doing

None of the 18 named companies have made public statements, which is the correct operational choice. Confirming which facilities are active and staffed would provide targeting intelligence to the same organization that already successfully struck AWS.

The likely immediate actions behind that silence: moving non-critical personnel from Gulf offices, activating business continuity protocols, increasing physical security at data center perimeters, and coordinating with UAE and Bahrain security services who have overlapping interest in preventing strikes on civilian infrastructure inside their territory.

Gulf governments are also in a position to apply pressure. The UAE hosts US military assets at Al Dhafra Air Base and has signed the Abraham Accords. A kinetic Iranian strike on American corporate infrastructure in Abu Dhabi would be simultaneously an attack on UAE sovereignty, giving Abu Dhabi both the motivation and the legal basis to respond in ways it could not have during earlier phases of the conflict.

Key Takeaways

• Iran struck AWS on March 1: Drone strikes hit 2 of 3 AZs in AWS ME-CENTRAL-1 (UAE) and disrupted ME-SOUTH-1 (Bahrain), knocking out banking, payments, and ride-hailing services across the Gulf
• Azure UAE North and UAE Central face the same geographic vulnerability — both Microsoft data centers are physically accessible to the same drone capabilities Iran demonstrated against AWS
• G42 is a separate physical target: Abu Dhabi AI infrastructure running UAE government and AI workloads, distinct from Azure/Google cloud regions
• Services at risk if Azure UAE fails: UAE banking systems, Gulf enterprise SaaS, data-residency-locked government workloads, any application running multi-AZ configurations in the region
• Standard multi-AZ redundancy does not protect against coordinated simultaneous strikes on multiple AZs — the AWS event proved this
• Developer action items: verify data residency failover permissions, test DR configurations, review Intune conditional access policies, update RTO assumptions from 4 hours to multi-day