Isolation guidelines for Impact Level 5 workloads

Azure Government supports applications in all regions that require Impact Level 5 (IL5) data, as defined in the US Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG). IL5 workloads have a higher degree of impact to the DoD and must be secured to a higher standard. When you deploy these workloads on Azure Government, you can meet their isolation requirements in various ways. The guidance in this document addresses configurations and settings needed to meet the IL5 isolation requirements. We'll update this document as new implementations are enabled and as new services are authorized for IL5 data by the Defense Information Systems Agency (DISA).

Background

In January 2017, DISA awarded the IL5 Provisional Authorization (PA) to Azure Government for DoD, making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government for DoD regions (US DoD Central and US DoD East) that are dedicated to the DoD. Based on DoD mission owner feedback and evolving security capabilities, Microsoft partnered with DISA to expand the IL5 PA boundary in December 2018 to cover Azure Government, which is available from three regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) to US federal, state, local, and tribal governments and their partners. The IL5 expansion to Azure Government honors the isolation requirements mandated by the DoD.

Azure Government continues to provide more PaaS services suitable for DoD IL5 workloads than any other cloud services environment.

Principles and approach

You need to address two key areas for Azure services in IL5 scope: storage isolation and compute isolation. We'll focus on how these services can help isolate the compute and storage of IL5 data. The SRG allows for a shared management and network infrastructure. This article is focused on Azure Government compute and storage isolation approaches. If an Azure service is available in Azure Government for DoD and authorized at IL5, then it is by default suitable for IL5 workloads with no additional isolation configuration required. Azure Government for DoD is reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design.

For Azure service availability in Azure Government and Azure Government for DoD, see Products available by region. For IL5 authorization status, see Azure Government services by audit scope.

Compute isolation

IL5 separation requirements are stated in the SRG Section 5.2.2.3. The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long-running workloads aren't compromised by other workloads on the same host, all IL5 virtual machines should be isolated via Azure Dedicated Host. Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.

For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data, you should accomplish isolation by focusing on the data being processed and how it's stored and retained. This approach ensures the data is stored in protected mediums. It also ensures the data isn't present on these services for extended periods unless it's encrypted as needed.

Storage isolation

In the most recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in FIPS 140-2 validated Hardware Security Modules (HSM). The keys are owned and managed by the IL5 system owner.

Here's how this approach applies to services:

  • If a service hosts only IL5 data, the service can control the key for end users. But it must use a dedicated key to protect IL5 data from all other data in the cloud.
  • If a service will host IL5 and non-DoD data, the service must expose the option for end users to use their own encryption keys that are maintained in Azure Key Vault. This implementation gives consumers of the service the ability to implement cryptographic separation as needed.

This approach ensures all key material for decrypting data is stored separately from the data itself using a hardware-based key management solution.

The DoD requirements for encrypting data at rest are provided in the SRG Section 5.11. Note that DoD emphasizes encrypting all data at rest stored in virtual machine virtual hard drives, mass storage facilities at the block or file level, and database records where the mission owner does not have sole control over the database service. For cloud applications where encrypting data at rest with DoD key control is not possible, mission owners must perform a risk analysis with relevant data owners before transmitting data into a cloud service offering.

Applying this guidance

IL5 guidelines require workloads to be deployed with a high degree of security, isolation, and control. The following configurations are required in addition to any other configurations or controls needed to meet IL5 requirements. Network isolation, access controls, and other necessary security measures aren't necessarily addressed in this article.

Be sure to review the entry for each service you're using and ensure that all isolation requirements are implemented.

AI + machine learning

For AI and machine learning services availability in Azure Government, see Products available by region.

Azure Bot Services

Azure Bot Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Cognitive Search

Azure Cognitive Search supports Impact Level 5 workloads in Azure Government with this configuration:

Azure Machine Learning

Azure Machine Learning supports Impact Level 5 workloads in Azure Government with this configuration:

Cognitive Services: Computer Vision

Computer Vision supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Cognitive Services: Content Moderator

The Azure Cognitive Services Content Moderator service supports Impact Level 5 workloads in Azure Government with this configuration:

Cognitive Services: Face

The Cognitive Services Face service supports Impact Level 5 workloads in Azure Government with this configuration:

Cognitive Services: Language Understanding

The Cognitive Services Language Understanding service supports Impact Level 5 workloads in Azure Government with this configuration:

Cognitive Services: Text Analytics

The Cognitive Services Text Analytics service supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Cognitive Services: Translator

The Cognitive Services Translator service supports Impact Level 5 workloads in Azure Government with this configuration:

Cognitive Services: Speech Services

Cognitive Services Speech Services supports Impact Level 5 workloads in Azure Government with this configuration:

Analytics

For Analytics services availability in Azure Government, see Products available by region.

Azure Analysis Services

Azure Analysis Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Data Explorer

Azure Data Explorer supports Impact Level 5 workloads in Azure Government with this configuration:

  • Data in Azure Data Explorer clusters in Azure is secured and encrypted with Microsoft-managed keys by default. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption and manage encryption of your data at the storage level with your own keys.

Azure Stream Analytics

Azure Stream Analytics supports Impact Level 5 workloads in Azure Government with this configuration:

Azure Synapse Analytics

Azure Synapse Analytics supports Impact Level 5 workloads in Azure Government with this configuration:

  • Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see Azure SQL transparent data encryption.

    Note

    The instructions to enable this configuration are the same as the instructions to do so for Azure SQL Database.

Data Factory

Azure Data Factory supports Impact Level 5 workloads in Azure Government with this configuration:

  • Secure data store credentials by storing encrypted credentials in a Data Factory managed store. Data Factory helps protect your data store credentials by encrypting them with certificates managed by Microsoft. For more information about Azure Storage security, see Azure Storage security overview. You can also store the data store's credentials in Azure Key Vault. Data Factory retrieves the credentials during the execution of an activity. For more information, see Store credentials in Azure Key Vault.

Event Hubs

Azure Event Hubs supports Impact Level 5 workloads in Azure Government.

Important

Use client-side encryption to encrypt data before using Azure Event Hubs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.

HDInsight

Azure HDInsight supports Impact Level 5 workloads in Azure Government with these configurations:

  • Azure HDInsight can be deployed to existing storage accounts that have enabled appropriate Storage service encryption, as discussed in the guidance for Azure Storage.
  • Azure HDInsight enables a database option for certain configurations. Ensure the appropriate database configuration for TDE is enabled on the option you choose. This process is discussed in the guidance for Azure SQL Database.

Power Automate

Power Automate (formerly Microsoft Flow) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government regions.

Power BI Embedded

Power BI Embedded supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Compute

For Compute services availability in Azure Government, see Products available by region.

Azure Functions

Azure Functions supports Impact Level 5 workloads in Azure Government with this configuration:

  • To accommodate proper network and workload isolation, deploy your Azure functions on App Service plans configured to use the Isolated SKU. For more information, see the App Service plan documentation.

Batch

Azure Batch supports Impact Level 5 workloads in Azure Government with this configuration:

  • Enable user subscription mode, which will require a Key Vault instance for proper encryption and key storage. For more information, see the documentation on batch account configurations.

Cloud Services

Azure Cloud Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Service Fabric

Azure Service Fabric supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Virtual Machines and virtual machine scale sets

You can use Azure virtual machines with multiple deployment mediums. You can do so for single virtual machines and for virtual machines deployed via the Azure virtual machine scale sets feature.

All virtual machines should use Disk Encryption for virtual machines or Disk Encryption for virtual machine scale sets, or place virtual machine disks in a storage account that can hold Impact Level 5 data as described in the Azure Storage section.

Important

When you deploy VMs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia, you must use Azure Dedicated Host, as described in the next section.

Azure Dedicated Host

Azure Dedicated Host provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription. Dedicated hosts are the same physical servers used in our datacenters, provided as a resource. You can provision dedicated hosts within a region, Availability Zone, and fault domain. You can then place VMs directly into your provisioned hosts, in whatever configuration meets your needs.

These VMs provide the necessary level of isolation required to support IL5 workloads when deployed outside of the dedicated DoD regions. When you use Dedicated Host, your Azure VMs are placed on an isolated and dedicated physical server that runs only your organization’s workloads to meet compliance guidelines and standards.

Current Dedicated Host SKUs (VM series and Host Type) that offer the required compute isolation include SKUs in the VM families listed on the Dedicated Host pricing page.

Isolated virtual machines

Virtual machine scale sets aren't currently supported on Azure Dedicated Host. But specific VM types, when deployed, consume the entire physical host for the VM. Each of the following VM types can be deployed via virtual machine scale sets to provide proper compute isolation with all the benefits of virtual machine scale sets in place. When you configure your scale set, select the appropriate SKU. To encrypt the data at rest, see the next section for supportable encryption options.

Current VM SKUs that offer the required compute isolation include SKUs in these VM families:

VM family | VM SKU
D-Series (general purpose) | Standard_DS15_v2, Standard_D15_v2
Memory optimized | Standard_E64is_v3, Standard_E64i_v3
Compute optimized | Standard_F72s_v2
Large memory optimized | Standard_M128ms
GPU-enabled | Standard_NV24

Important

As new hardware generations become available, some VM types might require reconfiguration (scale up or migration to a new VM SKU) to ensure they remain on properly dedicated hardware. This document will be updated to reflect any changes.
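The following added example (not Microsoft code and not part of the original article) audits a VM inventory against the compute isolation rules above: a VM in US Gov Arizona, US Gov Texas, or US Gov Virginia must sit on Azure Dedicated Host or use one of the isolated SKUs from the table, and a scale set must use an isolated SKU. The inventory is constructed sample data, and the record shape (`location`, `sku.name`, `properties.host.id`, `properties.hardwareProfile.vmSize`) is an assumption that follows the Azure Resource Manager resource layout.

```python
# Added example: compute isolation audit for IL5 workloads in Azure Government.
# The record shape follows the Azure Resource Manager VM / scale set layout
# (an assumption); SAMPLE_INVENTORY is constructed data, not a real export.

# Azure Government for DoD regions need no extra isolation per this article.
DOD_REGIONS = {"usdodcentral", "usdodeast"}
# Azure Government regions where compute isolation must be configured.
GOV_REGIONS = {"usgovarizona", "usgovtexas", "usgovvirginia"}

# Isolated VM SKUs copied from the table in this article (lowercased).
ISOLATED_SKUS = {
    "standard_ds15_v2", "standard_d15_v2",
    "standard_e64is_v3", "standard_e64i_v3",
    "standard_f72s_v2", "standard_m128ms", "standard_nv24",
}

VM_TYPE = "microsoft.compute/virtualmachines"
VMSS_TYPE = "microsoft.compute/virtualmachinescalesets"


def _region(resource):
    """Normalize 'usgovvirginia' and the display form 'US Gov Virginia'."""
    return str(resource.get("location", "")).lower().replace(" ", "")


def check_compute_isolation(resource):
    """Return (status, reason); status is pass, fail, review, or skip."""
    rtype = str(resource.get("type", "")).lower()
    region = _region(resource)
    props = resource.get("properties") or {}

    if rtype not in (VM_TYPE, VMSS_TYPE):
        return ("skip", "not a VM or scale set")
    if region in DOD_REGIONS:
        return ("pass", "Azure Government for DoD region")
    if region not in GOV_REGIONS:
        return ("review", "region is not one named in this article")

    if rtype == VM_TYPE:
        # A VM on a dedicated host carries a reference to that host.
        if (props.get("host") or {}).get("id"):
            return ("pass", "placed on Azure Dedicated Host")
        size = str((props.get("hardwareProfile") or {}).get("vmSize", "")).lower()
        if size in ISOLATED_SKUS:
            return ("pass", "isolated SKU consumes the entire physical host")
        return ("fail", "no Dedicated Host and not an isolated SKU")

    # Scale sets: the article states they are not supported on Dedicated Host,
    # so the SKU itself has to be an isolated one.
    sku = str((resource.get("sku") or {}).get("name", "")).lower()
    if sku in ISOLATED_SKUS:
        return ("pass", "scale set uses an isolated SKU")
    return ("fail", "scale set SKU is not in the isolated list")


def audit(inventory):
    """Map resource name -> (status, reason) for every record."""
    return {r.get("name", "<unnamed>"): check_compute_isolation(r) for r in inventory}


# Constructed host reference; all IDs and names below are placeholders.
_HOST_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-example/providers/Microsoft.Compute/hostGroups/hg-example/hosts/host-example")

SAMPLE_INVENTORY = [
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "usgovvirginia",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D4s_v3"},
                    "host": {"id": _HOST_ID}}},
    {"name": "vm-app-02", "type": "Microsoft.Compute/virtualMachines",
     "location": "usgovtexas",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D4s_v3"}}},
    {"name": "vm-iso-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "US Gov Arizona",
     "properties": {"hardwareProfile": {"vmSize": "Standard_E64is_v3"}}},
    {"name": "vm-dod-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "usdodeast",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}}},
    {"name": "vmss-web", "type": "Microsoft.Compute/virtualMachineScaleSets",
     "location": "usgovvirginia", "sku": {"name": "Standard_F72s_v2"},
     "properties": {}},
    {"name": "vmss-batch", "type": "Microsoft.Compute/virtualMachineScaleSets",
     "location": "usgovarizona", "sku": {"name": "Standard_D4s_v3"},
     "properties": {}},
    {"name": "vm-other", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D4s_v3"}}},
]

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_INVENTORY).items():
        print(f"{status.upper():6} {name}: {reason}")
```

The check covers compute isolation only; encryption of the disks behind these VMs is a separate requirement.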

Disk Encryption for virtual machines

You can encrypt the storage that supports these virtual machines in one of two ways to support necessary encryption standards.

Disk Encryption for virtual machine scale sets

You can encrypt disks that support virtual machine scale sets by using Azure Disk Encryption:

Containers

For Containers services availability in Azure Government, see Products available by region.

Azure Kubernetes Service

Azure Kubernetes Service (AKS) supports Impact Level 5 workloads in Azure Government with these configurations:

Container Instances

Azure Container Instances supports Impact Level 5 workloads in Azure Government with this configuration:

  • Azure Container Instances automatically encrypts data related to your containers when it's persisted in the cloud. Data in Container Instances is encrypted and decrypted with 256-bit AES encryption and enabled for all Container Instances deployments. You can rely on Microsoft-managed keys for the encryption of your container data, or you can manage the encryption by using your own keys. For more information, see Encrypt deployment data.

The Container Instances Dedicated SKU provides an isolated and dedicated compute environment for running containers with increased security. When you use the Dedicated SKU, each container group has a dedicated physical server in an Azure datacenter.

Container Registry

Azure Container Registry supports Impact Level 5 workloads in Azure Government with this configuration:

  • When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an additional encryption layer by using a key that you create and manage in Azure Key Vault.

Databases

For Databases services availability in Azure Government, see Products available by region.

Azure Cache for Redis

Azure Cache for Redis supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Cosmos DB

Azure Cosmos DB supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Database for MySQL

Azure Database for MySQL supports Impact Level 5 workloads in Azure Government with this configuration:

  • Data encryption with customer-managed keys for Azure Database for MySQL enables you to bring your own key (BYOK) for data protection at rest. This encryption is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see Azure Database for MySQL data encryption with a customer-managed key.

Azure Database for PostgreSQL

Azure Database for PostgreSQL supports Impact Level 5 workloads in Azure Government with this configuration:

Azure SQL Database

Azure SQL Database supports Impact Level 5 workloads in Azure Government with this configuration:

  • Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see the Azure SQL documentation.

SQL Server Stretch Database

SQL Server Stretch Database supports Impact Level 5 workloads in Azure Government with this configuration:

Developer tools

For Developer tools availability in Azure Government, see Products available by region.

Azure DevTest Labs

Azure DevTest Labs supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Hybrid

Azure Stack Edge

You can protect data via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. Access to the storage account is controlled by the subscription and FIPS-compliant storage access keys associated with the storage account. For more information, see Protect your data.

Azure Stack Edge supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Identity

For Identity services availability in Azure Government, see Products available by region.

Azure Active Directory

Azure Active Directory supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Multifactor authentication

Multifactor authentication supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Integration

For Integration services availability in Azure Government, see Products available by region.

API Management

Azure API Management supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Logic Apps

Azure Logic Apps supports Impact Level 5 workloads in Azure Government. To meet these requirements, Logic Apps supports the capability for you to create and run workflows in an environment with dedicated resources so that you can avoid sharing computing resources with other tenants. For more information, see Secure access and data in Azure Logic Apps: Isolation guidance.

Event Grid

Azure Event Grid can persist customer content for no more than 24 hours. For more information, see Authenticate event delivery to event handlers. All data written to disk is encrypted with Microsoft-managed keys.

Azure Event Grid supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Service Bus

Azure Service Bus supports Impact Level 5 workloads in Azure Government.

Important

Use client-side encryption to encrypt data before using Azure Service Bus in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.

Internet of Things

For Internet of Things services availability in Azure Government, see Products available by region.

Azure IoT Hub

Azure IoT Hub supports Impact Level 5 workloads in Azure Government with this configuration:

  • IoT Hub supports encryption of data at rest with customer-managed keys, also known as "bring your own key" (BYOK). Azure IoT Hub provides encryption of data at rest and in transit. By default, Azure IoT Hub uses Microsoft-managed keys to encrypt the data. Customer-managed key support enables customers to encrypt data at rest by using an encryption key that they manage via Azure Key Vault.

Notification Hubs

Azure Notification Hubs supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Management and governance

For Management and governance services availability in Azure Government, see Products available by region.

Automation

Automation supports Impact Level 5 workloads in Azure Government with these configurations:

  • Use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the VM that's hosting the role and against resources in your environment. Runbooks are stored and managed in Azure Automation. They are then delivered to one or more assigned computers known as "Hybrid Runbook Workers." Use Azure Dedicated Host or isolated virtual machine types for the Hybrid Worker role. When deployed, isolated VM types consume the entire physical host for the VM, providing the level of isolation required to support IL5 workloads.

    Azure Dedicated Host provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription.

  • By default, your Azure Automation account uses Microsoft-managed keys. You can manage the encryption of secure assets for your Automation account by using your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the Automation account. For more information, see Encryption of secure assets in Azure Automation.

Azure Advisor

Azure Advisor supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Backup

Azure Backup supports all impact levels in Azure Government with no additional configuration required.

Azure Blueprints

Azure Blueprints supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Cost Management and Billing

Azure Cost Management and Billing supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Lighthouse

Azure Lighthouse supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Managed Applications

Azure Managed Applications supports Impact Level 5 workloads in Azure Government with this configuration:

  • You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs. For more information, see Bring your own storage.

Azure Monitor

Azure Monitor supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Important

See additional guidance for Log Analytics, which is a feature of Azure Monitor.

Azure Policy

Azure Policy supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Policy Guest Configuration

Azure Policy Guest Configuration supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure portal

The Azure portal supports Impact Level 5 workloads in Azure Government with no additional configuration required.

You can add a markdown tile to your Azure dashboards to display custom static content. For example, you can show basic instructions, an image, or a set of hyperlinks on a markdown tile.

Azure Resource Graph

Azure Resource Graph supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Resource Manager

Azure Resource Manager supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Scheduler

Azure Scheduler is being retired and replaced by Azure Logic Apps. To continue working with the jobs that you set up in Scheduler, please migrate to Azure Logic Apps as soon as you can.

Azure Site Recovery

Azure Site Recovery supports Impact Level 5 workloads in Azure Government with this configuration:

Cloud Shell

Azure Cloud Shell supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Log Analytics

Log Analytics is intended to be used for monitoring the health and status of services and infrastructure. The monitoring data and logs primarily store logs and metrics that are service generated. When used in this primary capacity, Log Analytics supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Log Analytics may also be used to ingest additional customer-provided logs. These logs may include data ingested as part of operating Azure Security Center or Azure Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see Azure Monitor customer-managed keys.

Media

For Media services availability in Azure Government, see Products available by region.

Azure Media Services

Azure Media Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Migration

For Migration services availability in Azure Government, see Products available by region.

Azure Migrate

Azure Migrate supports Impact Level 5 workloads in Azure Government with this configuration:

Azure Database Migration Service

Azure Database Migration Service supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Networking

For Networking services availability in Azure Government, see Products available by region.

Application Gateway

Azure Application Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure DNS

Azure DNS supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure ExpressRoute

ExpressRoute supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Firewall

Azure Firewall supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Front Door

Azure Front Door supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Load Balancer

Azure Load Balancer supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Network Watcher

Azure Network Watcher and Network Watcher traffic analytics support Impact Level 5 workloads in Azure Government with no additional configuration required.

Traffic Manager

Azure Traffic Manager supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Virtual Network

Azure Virtual Network supports Impact Level 5 workloads in Azure Government with no additional configuration required.

VPN Gateway

Azure VPN Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Security

For Security services availability in Azure Government, see Products available by region.

Azure Dedicated HSM

Azure Dedicated HSM supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Azure Sentinel

Azure Sentinel supports Impact Level 5 workloads in Azure Government with this configuration:

Key Vault

Azure Key Vault supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Security Center

Azure Security Center supports Impact Level 5 workloads in Azure Government with no additional configuration required.

Customer Lockbox

Customer Lockbox for Microsoft Azure supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government US Gov Arizona, US Gov Texas, and US Gov Virginia regions.

Microsoft Defender for Endpoint

Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, also known as Microsoft Defender ATP) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government and Azure Government for DoD regions.

Microsoft Defender for Identity

Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government regions.

Microsoft Graph

Microsoft Graph supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government and Azure Government for DoD regions.

Storage

For Storage services availability in Azure Government, see Products available by region.

Azure Import/Export service

Azure Import/Export service can be used in Azure Government to import and export Impact Level 5 data. By default, the Import/Export service will encrypt data that's written to the hard drive for transport. When you create a target storage account for import and export of Impact Level 5 data, add storage encryption via customer-managed keys. For more information, see the storage services section of this document.

The target storage account for import and source storage account for export can be located in any Azure Government or Azure Government for DoD regions.

Archive Storage

Azure Archive Storage can be used in Azure Government to support Impact Level 5 data. Azure Archive Storage is a tier of Azure Storage. It automatically helps secure data at rest by using 256-bit AES encryption. Just like hot and cool tiers, Archive Storage can be set at the blob level. To enable access to the content, you need to rehydrate the archived blob or copy it to an online tier, at which point customers can enforce customer-managed keys that are in place for their online storage tiers. When you create a target storage account for Impact Level 5 data in Archive Storage, add storage encryption via customer-managed keys. For more information, see the storage services section.

The target storage account for Archive Storage can be located in any Azure Government or Azure Government for DoD region.

Storage

Azure Storage consists of multiple data features: Blob Storage, File Storage, Table Storage, and Queue Storage. Blob Storage supports both standard and premium storage. Premium storage uses only SSDs to provide the fastest performance possible. Storage also includes configurations that modify these storage types, like hot and cool, to provide appropriate speed-of-availability for data scenarios.

When you use an Azure Storage account, you must follow the steps for storage encryption with Key Vault managed keys to ensure the data is protected with customer-managed keys. Azure Storage supports Impact Level 5 workloads in all Azure Government and Azure Government for DoD regions.

Important

When you use Tables and Queues outside the US DoD regions, you must encrypt the data before you insert it into the table or queue. For more information, see the instructions for using client-side encryption.

Storage encryption with Key Vault managed keys

To implement Impact Level 5 compliant controls on an Azure Storage account that runs in Azure Government outside of the dedicated DoD regions, you must use encryption at rest with the customer-managed key option enabled. The customer-managed key option is also known as "bring your own key."

For more information about how to enable this Azure Storage encryption feature, see the documentation for Azure Storage.

Note

When you use this encryption method, you need to enable it before you add content to the storage account. Any content that's added earlier won't be encrypted with the selected key. It will be encrypted only via the standard encryption at rest provided by Azure Storage.

Azure File Sync

Azure File Sync supports Impact Level 5 workloads in Azure Government with this configuration:

StorSimple

StorSimple supports Impact Level 5 workloads in Azure Government with this configuration:

  • To help ensure the security and integrity of data moved to the cloud, StorSimple allows you to define cloud storage encryption keys. You specify the cloud storage encryption key when you create a volume container.

Web

For Web services availability in Azure Government, see Products available by region.

Web Apps feature of Azure App Service

Web Apps supports Impact Level 5 workloads in Azure Government with this configuration:

  • To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. For more information, see the App Service plan documentation.