The IRGC claimed it struck Oracle's data center in Dubai and Amazon's cloud computing facility in Bahrain this week, describing both as retaliation for US attacks on Iran. Dubai's media office denied the Oracle strike. The Amazon facility in Bahrain had already sustained damage from an Iranian strike the day prior, confirmed by Bahrain's Interior Ministry, which reported civil defense teams working to extinguish a fire at the site.
The data center industry has spent the past decade building redundancy models around power outages, cooling failures, network partitions, and natural disasters. Nobody was modeling inbound missiles.
Oracle operates a cloud region in Dubai (me-dubai-1), launched in 2021, serving government, financial services, and enterprise workloads across the UAE and broader Gulf. Amazon Web Services runs its Middle East (Bahrain) region (me-south-1) with three availability zones, live since 2019. Both are full production cloud regions serving real workloads, not staging environments or edge caches. Bahrain's AWS region is the primary availability zone for customers across the Gulf Cooperation Council states.
The Financial Times reported the Bahrain Amazon facility was damaged on Wednesday. Bahrain's Interior Ministry confirmed a fire at a company facility following what it described as an Iranian attack. The Abu Dhabi media office separately reported significant damage at the Habshan gas facilities, with one Egyptian citizen killed and four injured from intercepted debris.
Fars News Agency, affiliated with the IRGC, listed bridges in Kuwait, Saudi Arabia, Abu Dhabi, and Jordan as additional potential military targets. The targeting list signals that infrastructure, including digital infrastructure, is now a deliberate target category in the regional conflict.
AWS, Oracle, Microsoft Azure, and Google Cloud all operate cloud regions in the Gulf. AWS me-south-1 in Bahrain and Oracle me-dubai-1 are now confirmed or claimed targets. Azure operates in the UAE (Dubai and Abu Dhabi). Google Cloud operates in Doha. The Gulf has been positioned as a growth corridor for hyperscale cloud and AI compute, supported by sovereign investment and low-latency connectivity to South Asian and African markets.
Data center risk models are built around probability distributions of equipment failure, power grid instability, and extreme weather events. A cooling system failure is a well-understood risk with established mitigation: redundant CDUs, N+1 chiller configurations, thermal runaway protocols, automatic load shedding. These are the scenarios that operators drill and vendors design for.
A ballistic strike on a facility is a categorically different risk. It destroys the physical plant. Redundant cooling loops do not matter when the building is on fire. N+1 power configurations do not matter when the site is offline. The entire framework of uptime guarantees, SLA structures, and Tier certification that the data center industry relies on to communicate reliability to customers assumes the building is standing.
Gulf-region data centers were sited based on sovereign investment incentives, proximity to growing markets, favorable tax structures, and increasingly, access to cheap natural gas for power generation. Physical security assessments for new builds in the region will now include a variable that was not in the models 30 days ago.
The AI buildout has been expanding into the Middle East aggressively. Saudi Arabia's NEOM project includes data center capacity. The UAE has positioned itself as an AI hub, with G42 operating GPU clusters and sovereign AI initiatives drawing investment from Microsoft, among others. These investments assumed a baseline of physical security that the past week has called into question.
The Guardian reported this week that higher energy costs from the Iran conflict could threaten the fragile economics of the AI boom. The AI sector generated roughly $60 billion in revenue last year against approximately $400 billion in capital expenditure. That 6.7-to-1 capex-to-revenue ratio was already under scrutiny. Brent crude at $116 per barrel adds direct cost pressure to every facility that relies on gas-fired or oil-dependent grid power, which includes most Gulf-region data centers.
The Bank of England's financial policy committee warned before the conflict escalated that AI company share prices were vulnerable to energy cost increases. The conflict is providing the test. Roughly $120 billion in data center debt has been moved off-balance sheet through special purpose vehicles and asset-backed securities in the past two years. The interconnected financing structures mean that distress at a single node, a facility damaged by a strike, an insurance claim that exceeds coverage, a customer SLA breach that triggers penalty clauses, can propagate across counterparties and financing layers.
When a data center sustains physical damage, the cooling system is among the most vulnerable components. Outdoor heat rejection equipment, dry coolers, cooling towers, and condenser units sit exposed on rooftops and in equipment yards. CDU piping runs through mechanical rooms with no blast hardening. Chilled water loops use hundreds of meters of copper and steel piping that deform under concussive force. A facility that loses its cooling loop loses its compute within minutes, regardless of whether the IT equipment was directly hit.
The rebuild timeline for cooling infrastructure at a damaged facility is measured in months, not weeks. CDU lead times run 16-24 weeks under normal procurement conditions. Replacement chillers are on similar timelines. Current tariff conditions add cost and schedule pressure to every component in the thermal chain. A facility in the Gulf that loses its cooling plant is looking at a six-to-twelve month recovery timeline before it can return to full operation, assuming the building structure itself is salvageable.
The immediate consequence for operators with Gulf-region exposure is a reassessment of geographic concentration risk. Workloads that require regional presence for latency or data sovereignty reasons will stay in the Gulf. Workloads that were placed in the Gulf for cost or capacity reasons have alternatives.
The alternatives have their own cooling constraints. Southeast Asia is hot and humid, requiring significant dehumidification energy. Northern Europe has favorable ambient temperatures but faces grid capacity limits and regulatory overhead. North America has capacity but $64 billion in projects are blocked or delayed by community opposition. Alaska is arguing it should be in the conversation, citing cold-climate cooling advantages and underutilized grid capacity, though it has passed zero data center legislation while 21 other states have enacted 40-plus measures.
Every geographic alternative to the Gulf carries its own thermal management cost profile, its own water and power constraints, and its own regulatory exposure. The difference is that none of them are currently being targeted by the IRGC.
Data center insurance policies generally cover natural disasters, equipment failure, and business interruption. Coverage for acts of war varies by policy and jurisdiction, and wartime exclusions are standard in many property and casualty policies. Operators with Gulf-region facilities are likely reviewing their coverage terms this week. The question of whether an IRGC missile strike is an "act of war" versus a "terrorist act" versus a "hostile act by a foreign state" is the kind of definitional argument that insurance adjusters and lawyers will spend years resolving.
Customer SLAs are simpler. If the facility is offline, the SLA is breached. Whether the cause is a chiller failure or an Iranian missile, the financial penalty to the operator is the same. The reputational cost is higher. An operator that loses a facility to a missile strike did not fail at operations. But the customer whose workloads went dark does not care about the distinction.
The data center industry has gotten very good at modeling thermal risk, power risk, and supply chain risk. Physical destruction of facilities by state-level military actors was a scenario reserved for classified government continuity-of-operations planning, not commercial cloud infrastructure. That boundary no longer holds. The Gulf-region hyperscale buildout priced in many risks. This was not one of them.