Isolation guidelines for Impact Level 5 workloads
Azure Government supports applications in all regions that require Impact Level 5 (IL5) data, as defined in the US Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG). IL5 workloads have a higher degree of impact to the DoD and must be secured to a higher standard. When you deploy these workloads on Azure Government, you can meet their isolation requirements in various ways. The guidance in this document addresses configurations and settings needed to meet the IL5 isolation requirements. We'll update this document as new implementations are enabled and as new services are authorized for IL5 data by the Defense Information Systems Agency (DISA).
Background
In January 2017, DISA awarded the IL5 Provisional Authorization (PA) to Azure Government for DoD, making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government for DoD regions (US DoD Central and US DoD East) that are dedicated to the DoD. Based on DoD mission owner feedback and evolving security capabilities, Microsoft partnered with DISA in December 2018 to expand the IL5 PA boundary to cover Azure Government, which is available from three regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) to US federal, state, local, and tribal governments and their partners. The IL5 expansion to Azure Government honors the isolation requirements mandated by the DoD.
Azure Government continues to provide more PaaS services suitable for DoD IL5 workloads than any other cloud services environment.
Principles and approach
You need to address two key areas for Azure services in IL5 scope: storage isolation and compute isolation. We'll focus on how these services can help isolate the compute and storage of IL5 data. The SRG allows for a shared management and network infrastructure. This article is focused on Azure Government compute and storage isolation approaches. If an Azure service is available in Azure Government for DoD and authorized at IL5, then it is by default suitable for IL5 workloads with no additional isolation configuration required. Azure Government for DoD is reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design.
For Azure service availability in Azure Government and Azure Government for DoD, see Products available by region. For IL5 authorization status, see Azure Government services by audit scope.
Compute isolation
IL5 separation requirements are stated in the SRG Section 5.2.2.3. The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, all IL5 virtual machines should be isolated via Azure Dedicated Host. Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data, you should accomplish isolation by focusing on the data being processed and how it's stored and retained. This approach ensures the data is stored in protected mediums. It also ensures the data isn't present on these services for extended periods unless it's encrypted as needed.
Storage isolation
In the most recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in FIPS 140-2 validated Hardware Security Modules (HSM). The keys are owned and managed by the IL5 system owner.
Here's how this approach applies to services:
- If a service hosts only IL5 data, the service can control the key for end users. But it must use a dedicated key to protect IL5 data from all other data in the cloud.
- If a service will host IL5 and non-DoD data, the service must expose the option for end users to use their own encryption keys that are maintained in Azure Key Vault. This implementation gives consumers of the service the ability to implement cryptographic separation as needed.
This approach ensures all key material for decrypting data is stored separately from the data itself using a hardware-based key management solution.
The DoD requirements for encrypting data at rest are provided in the SRG Section 5.11. Note that DoD emphasizes encrypting all data at rest stored in virtual machine virtual hard drives, mass storage facilities at the block or file level, and database records where the mission owner does not have sole control over the database service. For cloud applications where encrypting data at rest with DoD key control is not possible, mission owners must perform a risk analysis with relevant data owners before transmitting data into a cloud service offering.
Applying this guidance
IL5 guidelines require workloads to be deployed with a high degree of security, isolation, and control. The following configurations are required in addition to any other configurations or controls needed to meet IL5 requirements. Network isolation, access controls, and other necessary security measures aren't necessarily addressed in this article.
Be sure to review the entry for each service you're using and ensure that all isolation requirements are implemented.
AI + machine learning
For AI and machine learning services availability in Azure Government, see Products available by region.
Azure Bot Services
Azure Bot Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Cognitive Search
Azure Cognitive Search supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Azure Cognitive Search by using customer-managed keys in Azure Key Vault.
Azure Machine Learning
Azure Machine Learning supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Azure Machine Learning by using customer-managed keys in Azure Key Vault. Azure Machine Learning stores snapshots, output, and logs in the Azure Blob Storage account that's associated with the Azure Machine Learning workspace and customer subscription. All the data stored in Azure Blob Storage is encrypted at rest with Microsoft-managed keys. Customers can use their own keys for data stored in Azure Blob Storage. See Configure encryption with customer-managed keys stored in Azure Key Vault.
Cognitive Services: Computer Vision
Computer Vision supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Cognitive Services: Content Moderator
The Azure Cognitive Services Content Moderator service supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in the Content Moderator service by using customer-managed keys in Azure Key Vault.
Cognitive Services: Face
The Cognitive Services Face service supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in the Face service by using customer-managed keys in Azure Key Vault.
Cognitive Services: Language Understanding
The Cognitive Services Language Understanding service supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in the Language Understanding service by using customer-managed keys in Azure Key Vault.
Cognitive Services: Text Analytics
The Cognitive Services Text Analytics service supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Cognitive Services: Translator
The Cognitive Services Translator service supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in the Translator service by using customer-managed keys in Azure Key Vault.
Cognitive Services: Speech Services
Cognitive Services Speech Services supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Speech Services by using customer-managed keys in Azure Key Vault.
Analytics
For Analytics services availability in Azure Government, see Products available by region.
Azure Analysis Services
Azure Analysis Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Data Explorer
Azure Data Explorer supports Impact Level 5 workloads in Azure Government with this configuration:
- Data in Azure Data Explorer clusters in Azure is secured and encrypted with Microsoft-managed keys by default. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption and manage encryption of your data at the storage level with your own keys.
Azure Stream Analytics
Azure Stream Analytics supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Azure Stream Analytics by using customer-managed keys in Azure Key Vault.
Azure Synapse Analytics
Azure Synapse Analytics supports Impact Level 5 workloads in Azure Government with this configuration:
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see Azure SQL transparent data encryption.
Note
The instructions to enable this configuration are the same as the instructions to do so for Azure SQL Database.
Data Factory
Azure Data Factory supports Impact Level 5 workloads in Azure Government with this configuration:
- Secure data store credentials by storing encrypted credentials in a Data Factory managed store. Data Factory helps protect your data store credentials by encrypting them with certificates managed by Microsoft. For more information about Azure Storage security, see Azure Storage security overview. You can also store the data store's credentials in Azure Key Vault. Data Factory retrieves the credentials during the execution of an activity. For more information, see Store credentials in Azure Key Vault.
Event Hubs
Azure Event Hubs supports Impact Level 5 workloads in Azure Government.
Important
Use client-side encryption to encrypt data before using Azure Event Hubs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
HDInsight
Azure HDInsight supports Impact Level 5 workloads in Azure Government with these configurations:
- Azure HDInsight can be deployed to existing storage accounts that have enabled appropriate Storage service encryption, as discussed in the guidance for Azure Storage.
- Azure HDInsight enables a database option for certain configurations. Ensure the appropriate database configuration for TDE is enabled on the option you choose. This process is discussed in the guidance for Azure SQL Database.
Power Automate
Power Automate (formerly Microsoft Flow) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government regions.
Power BI Embedded
Power BI Embedded supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Compute
For Compute services availability in Azure Government, see Products available by region.
Azure Functions
Azure Functions supports Impact Level 5 workloads in Azure Government with this configuration:
- To accommodate proper network and workload isolation, deploy your Azure functions on App Service plans configured to use the Isolated SKU. For more information, see the App Service plan documentation.
Batch
Azure Batch supports Impact Level 5 workloads in Azure Government with this configuration:
- Enable user subscription mode, which will require a Key Vault instance for proper encryption and key storage. For more information, see the documentation on batch account configurations.
Cloud Services
Azure Cloud Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Service Fabric
Azure Service Fabric supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Virtual Machines and virtual machine scale sets
You can use Azure virtual machines with multiple deployment mediums. You can do so for single virtual machines and for virtual machines deployed via the Azure virtual machine scale sets feature.
All virtual machines should use Disk Encryption for virtual machines or Disk Encryption for virtual machine scale sets, or place virtual machine disks in a storage account that can hold Impact Level 5 data as described in the Azure Storage section.
Important
When you deploy VMs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia, you must use Azure Dedicated Host, as described in the next section.
Azure Dedicated Host
Azure Dedicated Host provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription. Dedicated hosts are the same physical servers used in our datacenters, provided as a resource. You can provision dedicated hosts within a region, Availability Zone, and fault domain. You can then place VMs directly into your provisioned hosts, in whatever configuration meets your needs.
These VMs provide the necessary level of isolation required to support IL5 workloads when deployed outside of the dedicated DoD regions. When you use Dedicated Host, your Azure VMs are placed on an isolated and dedicated physical server that runs only your organization’s workloads to meet compliance guidelines and standards.
Current Dedicated Host SKUs (VM series and Host Type) that offer the required compute isolation include SKUs in the VM families listed on the Dedicated Host pricing page.
Isolated virtual machines
Virtual machine scale sets aren't currently supported on Azure Dedicated Host. But specific VM types, when deployed, consume the entire physical host for the VM. Each of the following VM types can be deployed via virtual machine scale sets to provide proper compute isolation with all the benefits of virtual machine scale sets in place. When you configure your scale set, select the appropriate SKU. To encrypt the data at rest, see the next section for supportable encryption options.
Current VM SKUs that offer the required compute isolation include SKUs in these VM families:
| VM family | VM SKU |
|---|---|
| D-Series (general purpose) | Standard_DS15_v2, Standard_D15_v2 |
| Memory optimized | Standard_E64is_v3, Standard_E64i_v3 |
| Compute optimized | Standard_F72s_v2 |
| Large memory optimized | Standard_M128ms |
| GPU-enabled | Standard_NV24 |
Important
As new hardware generations become available, some VM types might require reconfiguration (scale up or migration to a new VM SKU) to ensure they remain on properly dedicated hardware. This document will be updated to reflect any changes.
Disk Encryption for virtual machines
You can encrypt the storage that supports these virtual machines in one of two ways to support necessary encryption standards.
- Use Azure Disk Encryption to encrypt the drives by using dm-crypt (Linux) or BitLocker (Windows).
- Use Azure Storage service encryption for storage accounts with your own key to encrypt the storage account that holds the disks.
Disk Encryption for virtual machine scale sets
You can encrypt disks that support virtual machine scale sets by using Azure Disk Encryption.
Containers
For Containers services availability in Azure Government, see Products available by region.
Azure Kubernetes Service
Azure Kubernetes Service (AKS) supports Impact Level 5 workloads in Azure Government with these configurations:
- Configure encryption at rest of content in AKS by using customer-managed keys in Azure Key Vault.
- For workloads that require isolation from other customer workloads, you can use isolated virtual machines as the agent nodes in an AKS cluster.
Container Instances
Azure Container Instances supports Impact Level 5 workloads in Azure Government with this configuration:
- Azure Container Instances automatically encrypts data related to your containers when it's persisted in the cloud. Data in Container Instances is encrypted and decrypted with 256-bit AES encryption and enabled for all Container Instances deployments. You can rely on Microsoft-managed keys for the encryption of your container data, or you can manage the encryption by using your own keys. For more information, see Encrypt deployment data.
The Container Instances Dedicated SKU provides an isolated and dedicated compute environment for running containers with increased security. When you use the Dedicated SKU, each container group has a dedicated physical server in an Azure datacenter.
Container Registry
Azure Container Registry supports Impact Level 5 workloads in Azure Government with this configuration:
- When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an additional encryption layer by using a key that you create and manage in Azure Key Vault.
Databases
For Databases services availability in Azure Government, see Products available by region.
Azure Cache for Redis
Azure Cache for Redis supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Cosmos DB
Azure Cosmos DB supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Database for MySQL
Azure Database for MySQL supports Impact Level 5 workloads in Azure Government with this configuration:
- Data encryption with customer-managed keys for Azure Database for MySQL enables you to bring your own key (BYOK) for data protection at rest. This encryption is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see Azure Database for MySQL data encryption with a customer-managed key.
Azure Database for PostgreSQL
Azure Database for PostgreSQL supports Impact Level 5 workloads in Azure Government with this configuration:
- Data encryption with customer-managed keys for Azure Database for PostgreSQL Single Server is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see Azure Database for PostgreSQL Single Server data encryption with a customer-managed key.
Azure SQL Database
Azure SQL Database supports Impact Level 5 workloads in Azure Government with this configuration:
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see the Azure SQL documentation.
SQL Server Stretch Database
SQL Server Stretch Database supports Impact Level 5 workloads in Azure Government with this configuration:
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see Azure SQL transparent data encryption.
Developer tools
For Developer tools availability in Azure Government, see Products available by region.
Azure DevTest Labs
Azure DevTest Labs supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Hybrid
Azure Stack Edge
You can protect data via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. Access to the storage account is controlled by the subscription and FIPS-compliant storage access keys associated with the storage account. For more information, see Protect your data.
Azure Stack Edge supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Identity
For Identity services availability in Azure Government, see Products available by region.
Azure Active Directory
Azure Active Directory supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Multifactor authentication
Multifactor authentication supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Integration
For Integration services availability in Azure Government, see Products available by region.
API Management
Azure API Management supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Logic Apps
Azure Logic Apps supports Impact Level 5 workloads in Azure Government. To meet these requirements, Logic Apps supports the capability for you to create and run workflows in an environment with dedicated resources so that you can avoid sharing computing resources with other tenants. For more information, see Secure access and data in Azure Logic Apps: Isolation guidance.
Event Grid
Azure Event Grid can persist customer content for no more than 24 hours. For more information, see Authenticate event delivery to event handlers. All data written to disk is encrypted with Microsoft-managed keys.
Azure Event Grid supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Service Bus
Azure Service Bus supports Impact Level 5 workloads in Azure Government.
Important
Use client-side encryption to encrypt data before using Azure Service Bus in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
Internet of Things
For Internet of Things services availability in Azure Government, see Products available by region.
Azure IoT Hub
Azure IoT Hub supports Impact Level 5 workloads in Azure Government with this configuration:
- IoT Hub supports encryption of data at rest with customer-managed keys, also known as "bring your own key" (BYOK). Azure IoT Hub provides encryption of data at rest and in transit. By default, Azure IoT Hub uses Microsoft-managed keys to encrypt the data. Customer-managed key support enables customers to encrypt data at rest by using an encryption key that they manage via Azure Key Vault.
Notification Hubs
Azure Notification Hubs supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Management and governance
For Management and governance services availability in Azure Government, see Products available by region.
Automation
Automation supports Impact Level 5 workloads in Azure Government with these configurations:
- Use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the VM that's hosting the role and against resources in your environment. Runbooks are stored and managed in Azure Automation. They are then delivered to one or more assigned computers known as "Hybrid Runbook Workers." Use Azure Dedicated Host or isolated virtual machine types for the Hybrid Worker role. When deployed, isolated VM types consume the entire physical host for the VM, providing the level of isolation required to support IL5 workloads. Azure Dedicated Host provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription.
- By default, your Azure Automation account uses Microsoft-managed keys. You can manage the encryption of secure assets for your Automation account by using your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the Automation account. For more information, see Encryption of secure assets in Azure Automation.
Azure Advisor
Azure Advisor supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Backup
Azure Backup supports all impact levels in Azure Government with no additional configuration required.
Azure Blueprints
Azure Blueprints supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Cost Management and Billing
Azure Cost Management and Billing supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Lighthouse
Azure Lighthouse supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Managed Applications
Azure Managed Applications supports Impact Level 5 workloads in Azure Government with this configuration:
- You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs. For more information, see Bring your own storage.
Azure Monitor
Azure Monitor supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Important
See additional guidance for Log Analytics, which is a feature of Azure Monitor.
Azure Policy
Azure Policy supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Policy Guest Configuration
Azure Policy Guest Configuration supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure portal
The Azure portal supports Impact Level 5 workloads in Azure Government with no additional configuration required.
You can add a markdown tile to your Azure dashboards to display custom static content. For example, you can show basic instructions, an image, or a set of hyperlinks on a markdown tile.
Azure Resource Graph
Azure Resource Graph supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Resource Manager
Azure Resource Manager supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Scheduler
Azure Scheduler is being retired and replaced by Azure Logic Apps. To continue working with the jobs that you set up in Scheduler, please migrate to Azure Logic Apps as soon as you can.
Azure Site Recovery
Azure Site Recovery supports Impact Level 5 workloads in Azure Government with this configuration:
- You can replicate Azure VMs with managed disks enabled for customer-managed keys from one Azure region to another. For more information, see Replicate machines with customer-managed key disks.
Cloud Shell
Azure Cloud Shell supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Log Analytics
Log Analytics is intended to be used for monitoring the health and status of services and infrastructure. The data it stores is primarily service-generated logs and metrics. When used in this primary capacity, Log Analytics supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Log Analytics may also be used to ingest additional customer-provided logs. These logs may include data ingested as part of operating Azure Security Center or Azure Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see Azure Monitor customer-managed keys.
Media
For Media services availability in Azure Government, see Products available by region.
Azure Media Services
Azure Media Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Migration
For Migration services availability in Azure Government, see Products available by region.
Azure Migrate
Azure Migrate supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Azure Migrate by using customer-managed keys in Azure Key Vault.
Azure Database Migration Service
Azure Database Migration Service supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Networking
For Networking services availability in Azure Government, see Products available by region.
Application Gateway
Azure Application Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure DNS
Azure DNS supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure ExpressRoute
ExpressRoute supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Firewall
Azure Firewall supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Front Door
Azure Front Door supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Load Balancer
Azure Load Balancer supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Network Watcher
Azure Network Watcher and Network Watcher traffic analytics support Impact Level 5 workloads in Azure Government with no additional configuration required.
Traffic Manager
Azure Traffic Manager supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Virtual Network
Azure Virtual Network supports Impact Level 5 workloads in Azure Government with no additional configuration required.
VPN Gateway
Azure VPN Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Security
For Security services availability in Azure Government, see Products available by region.
Azure Dedicated HSM
Azure Dedicated HSM supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Azure Sentinel
Azure Sentinel supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Azure Sentinel by using customer-managed keys in Azure Key Vault.
Key Vault
Azure Key Vault supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Security Center
Azure Security Center supports Impact Level 5 workloads in Azure Government with no additional configuration required.
Customer Lockbox
Customer Lockbox for Microsoft Azure supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government US Gov Arizona, US Gov Texas, and US Gov Virginia regions.
Microsoft Defender for Endpoint
Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, also known as Microsoft Defender ATP) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government and Azure Government for DoD regions.
Microsoft Defender for Identity
Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government regions.
Microsoft Graph
Microsoft Graph supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government and Azure Government for DoD regions.
Storage
For Storage services availability in Azure Government, see Products available by region.
Azure Import/Export service
Azure Import/Export service can be used in Azure Government to import and export Impact Level 5 data. By default, the Import/Export service will encrypt data that's written to the hard drive for transport. When you create a target storage account for import and export of Impact Level 5 data, add storage encryption via customer-managed keys. For more information, see the storage services section of this document.
The target storage account for import and source storage account for export can be located in any Azure Government or Azure Government for DoD regions.
Archive Storage
Azure Archive Storage can be used in Azure Government to support Impact Level 5 data. Azure Archive Storage is a tier of Azure Storage. It automatically helps secure data at rest by using 256-bit AES encryption. Just like hot and cool tiers, Archive Storage can be set at the blob level. To enable access to the content, you need to rehydrate the archived blob or copy it to an online tier, at which point customers can enforce customer-managed keys that are in place for their online storage tiers. When you create a target storage account for Impact Level 5 data in Archive Storage, add storage encryption via customer-managed keys. For more information, see the storage services section.
The target storage account for Archive Storage can be located in any Azure Government or Azure Government for DoD region.
Storage
Azure Storage consists of multiple data features: Blob Storage, File Storage, Table Storage, and Queue Storage. Blob Storage supports both standard and premium storage. Premium storage uses only SSDs, to provide the fastest performance possible. Storage also includes configurations that modify these storage types, such as the hot and cool tiers, which provide the appropriate speed of availability for different data scenarios.
When you use an Azure Storage account, you must follow the steps for storage encryption with Key Vault managed keys to ensure the data is protected with customer-managed keys. Azure Storage supports Impact Level 5 workloads in all Azure Government and Azure Government for DoD regions.
Important
When you use Tables and Queues outside the US DoD regions, you must encrypt the data before you insert it into the table or queue. For more information, see the instructions for using client-side encryption.
Storage encryption with Key Vault managed keys
To implement Impact Level 5 compliant controls on an Azure Storage account that runs in Azure Government outside of the dedicated DoD regions, you must use encryption at rest with the customer-managed key option enabled. The customer-managed key option is also known as "bring your own key."
For more information about how to enable this Azure Storage encryption feature, see the documentation for Azure Storage.
Note
When you use this encryption method, you need to enable it before you add content to the storage account. Any content that's added earlier won't be encrypted with the selected key. It will be encrypted only via the standard encryption at rest provided by Azure Storage.
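The rules in the Virtual Machines, Isolated virtual machines and Storage sections above can be checked offline against an inventory export. The following audit is an added example, not Microsoft's code: it reads the kind of JSON that `az storage account show`, `az vm show` and `az vmss show` return (field names such as `encryption.keySource`, `host.id` and `sku.name` are assumed from the Azure Resource Manager schema, and the ARM location strings for the Gov and DoD regions are assumed), and reports which of the page's isolation rules each resource misses.

```python
"""Offline IL5 isolation audit over an exported resource inventory.

Added example in the spirit of this page's per-service checklist; not Microsoft's code.
Inventory shape assumed from `az ... show` JSON output; region names assumed as the
ARM "location" values of the regions the page names.
"""
from __future__ import annotations

DOD_REGIONS = {"usdodcentral", "usdodeast"}                 # Azure Government for DoD
GOV_REGIONS = {"usgovarizona", "usgovtexas", "usgovvirginia"}  # Azure Government

# VM SKUs the page lists as consuming an entire physical host.
ISOLATED_VM_SKUS = {
    "Standard_DS15_v2", "Standard_D15_v2",
    "Standard_E64is_v3", "Standard_E64i_v3",
    "Standard_F72s_v2", "Standard_M128ms", "Standard_NV24",
}


def _outside_dod(resource: dict) -> bool:
    """The DoD regions are physically separated by design; the extra rules apply elsewhere."""
    return resource.get("location", "").lower() not in DOD_REGIONS


def audit_storage_account(acct: dict) -> list[str]:
    """Storage isolation: outside the DoD regions the account must be encrypted with a
    customer-managed key held in Azure Key Vault (keySource Microsoft.Keyvault)."""
    if not _outside_dod(acct):
        return []
    enc = acct.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        return ["encryption.keySource is not Microsoft.Keyvault (no customer-managed key)"]
    kv = enc.get("keyVaultProperties") or {}
    findings = [f"encryption.keyVaultProperties.{field} is missing"
                for field in ("keyVaultUri", "keyName") if not kv.get(field)]
    # Content written before the key was enabled stays under platform-managed encryption;
    # the account properties cannot show that, so that check is a manual follow-up.
    return findings


def audit_vm(vm: dict) -> list[str]:
    """Compute isolation: outside the DoD regions a VM must sit on an Azure Dedicated Host,
    which shows up as a populated `host.id` on the VM resource (assumed field)."""
    if not _outside_dod(vm):
        return []
    if not (vm.get("host") or {}).get("id"):
        return ["VM is not placed on an Azure Dedicated Host"]
    return []


def audit_vmss(vmss: dict) -> list[str]:
    """Scale sets cannot use Dedicated Host, so their SKU must be one of the isolated VM types."""
    if not _outside_dod(vmss):
        return []
    sku = (vmss.get("sku") or {}).get("name", "")
    if sku not in ISOLATED_VM_SKUS:
        return [f"scale set SKU {sku!r} is not an isolated VM type"]
    return []


def audit(resources: list[dict]) -> dict[str, list[str]]:
    """Dispatch on the ARM resource type; return findings keyed by resource name."""
    checks = {
        "microsoft.storage/storageaccounts": audit_storage_account,
        "microsoft.compute/virtualmachines": audit_vm,
        "microsoft.compute/virtualmachinescalesets": audit_vmss,
    }
    report: dict[str, list[str]] = {}
    for res in resources:
        check = checks.get(res.get("type", "").lower())
        if check is not None:
            report[res["name"]] = check(res)
    return report


# Constructed sample inventory; none of these are real resources.
SAMPLE = [
    {"name": "il5data", "type": "Microsoft.Storage/storageAccounts", "location": "usgovvirginia",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyVaultUri": "https://example.vault.usgovcloudapi.net/",
                                           "keyName": "il5-storage-key"}}},
    {"name": "scratch", "type": "Microsoft.Storage/storageAccounts", "location": "usgovtexas",
     "encryption": {"keySource": "Microsoft.Storage"}},
    {"name": "dodonly", "type": "Microsoft.Storage/storageAccounts", "location": "usdodeast",
     "encryption": {"keySource": "Microsoft.Storage"}},
    {"name": "app01", "type": "Microsoft.Compute/virtualMachines", "location": "usgovarizona",
     "host": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/"
                    "providers/Microsoft.Compute/hostGroups/hg/hosts/host1"}},
    {"name": "app02", "type": "Microsoft.Compute/virtualMachines", "location": "usgovarizona",
     "host": None},
    {"name": "workers", "type": "Microsoft.Compute/virtualMachineScaleSets",
     "location": "usgovvirginia", "sku": {"name": "Standard_D2s_v3"}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The DoD-region account `dodonly` passes without a customer-managed key because the page treats Azure Government for DoD as physically separated, while the same configuration in US Gov Texas is flagged.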
Azure File Sync
Azure File Sync supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Azure File Sync by using customer-managed keys in Azure Key Vault.
StorSimple
StorSimple supports Impact Level 5 workloads in Azure Government with this configuration:
- To help ensure the security and integrity of data moved to the cloud, StorSimple allows you to define cloud storage encryption keys. You specify the cloud storage encryption key when you create a volume container.
Web
For Web services availability in Azure Government, see Products available by region.
Web Apps feature of Azure App Service
Web Apps supports Impact Level 5 workloads in Azure Government with this configuration:
- To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. For more information, see the App Service plan documentation.