Compare Azure Government and global Azure

Microsoft Azure Government uses same underlying technologies as global Azure, which includes the core components of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Both Azure and Azure Government have the same comprehensive security controls in place, as well as the same Microsoft commitment on the safeguarding of customer data. Whereas both cloud environments are assessed and authorized at the FedRAMP High impact level, Azure Government provides an additional layer of protection to customers through contractual commitments regarding storage of Customer Data in the United States and limiting potential access to systems processing Customer Data to screened US persons. These commitments may be of interest to customers using the cloud to store or process data subject to US export control regulations such as the EAR, ITAR, and DoE 10 CFR Part 810.

Export control implications

Customers are responsible for designing and deploying their applications to meet export control requirements such as those prescribed in the EAR and ITAR. In doing so, customers should not include sensitive or restricted information in Azure resource names, as explained in Considerations for Naming Azure Resources. Data stored or processed in customer VMs, storage accounts, databases, Azure Import/Export, Azure Cache for Redis, ExpressRoute, Azure Cognitive Search, App Service, API Management, and other Azure services suitable for holding, processing, or transmitting Customer Data can contain export-controlled data. However, metadata for these Azure services is not permitted to contain export-controlled data. This metadata includes all configuration data entered when creating and maintaining an Azure service, including subscription names, service names, server names, database names, tenant role names, resource groups, deployment names, resource names, resource tags, circuit name, etc. It also includes all shipping information that is used to transport media for Azure Import/Export, such as carrier name, tracking number, description, return information, drive list, package list, storage account name, container name, etc. Sensitive data should not be included in HTTP headers sent to the REST API in search/query strings as part of the API.

Guidance for developers

Azure Government services operate the same way as the corresponding services in global Azure, which is why most of the existing online Azure documentation applies equally well to Azure Government. However, there are some key differences that developers working on applications hosted in Azure Government must be aware of. For detailed information, see Guidance for developers. As a developer, you must know how to connect to Azure Government and once you connect you will mostly have the same experience as in global Azure. Table below lists URLs in Azure vs. Azure Government for accessing and managing various services.

Service category Service name Azure Public Azure Government Notes
AI + Machine Learning Azure Bot Service *.botframework.com *.botframework.azure.us
Computer Vision See Computer Vision docs Endpoint URL
Custom Vision See Training and Prediction API references Portal
Content Moderator See Content Moderator docs Endpoint URL
Face See Face API docs Endpoint URL
Language Understanding See LUIS REST API docs Portal
QnA Maker See QnA Maker docs QnA Maker endpoint
Speech Service See STT API docs Custom Speech Portal
Translator Text See Translator API docs Endpoint URL
Analytics HDInsight *.azurehdinsight.net *.azurehdinsight.us
Power BI app.powerbi.com app.powerbigov.us Power BI US Gov
Compute Batch *.batch.azure.com *.batch.usgovcloudapi.net
Cloud Services *.cloudapp.net *.usgovcloudapp.net
Azure Functions *.azurewebsites.net *.azurewebsites.us
Databases Azure Cache for Redis *.redis.cache.windows.net *.redis.cache.usgovcloudapi.net See How to connect to other clouds
Azure Cosmos DB *.documents.azure.com *.documents.azure.us
Azure Database for MariaDB *.mariadb.database.azure.com *.mariadb.database.usgovcloudapi.net
Azure Database for MySQL *.mysql.database.azure.com *.mysql.database.usgovcloudapi.net
Azure Database for PostgreSQL *.postgres.database.azure.com *.postgres.database.usgovcloudapi.net
Azure SQL Database *.database.windows.net *.database.usgovcloudapi.net
Integration Service Bus *.servicebus.windows.net *.servicebus.usgovcloudapi.net
Internet of Things Azure Event Hubs *.servicebus.windows.net *.servicebus.usgovcloudapi.net
Azure IoT Hub *.azure-devices.net *.azure-devices.us
Azure Maps atlas.microsoft.com atlas.azure.us
Notification Hubs *.servicebus.windows.net *.servicebus.usgovcloudapi.net
Management and Governance Azure Monitor logs mms.microsoft.com oms.microsoft.us Log Analytics workspace portal
workspaceId.ods.opinsights.azure.com workspaceId.ods.opinsights.azure.us Data collector API
*.ods.opinsights.azure.com *.ods.opinsights.azure.us Agent comms - configuring firewall settings
*.oms.opinsights.azure.com *.oms.opinsights.azure.us Agent comms - configuring firewall settings
*.blob.core.windows.net *.blob.core.usgovcloudapi.net Agent comms - configuring firewall settings
portal.loganalytics.io portal.loganalytics.us Advanced Analytics Portal - configuring firewall settings
api.loganalytics.io api.loganalytics.us Advanced Analytics Portal - configuring firewall settings
docs.loganalytics.io docs.loganalytics.us Advanced Analytics Portal - configuring firewall settings
*.azure-automation.net *.azure-automation.us Azure Automation - configuring firewall settings
N/A *.usgovtrafficmanager.net Azure Traffic Manager - configuring firewall settings
Migration Azure Site Recovery *.hypervrecoverymanager.windowsazure.com *.hypervrecoverymanager.windowsazure.com Site Recovery service
*.backup.windowsazure.com/ *.backup.windowsazure.us/ Protection service
*.blob.core.windows.net/ *.blob.core.usgovcloudapi.net/ Storing VM snapshots
Public download MySQL Gov download MySQL Download MySQL
Security Azure Active Directory https://login.microsoftonline.com https://login.microsoftonline.us
Key Vault *.vault.azure.net *.vault.usgovcloudapi.net Endpoint
cfa8b339-82a2-471a-a3c9-0fc0be7a4093 7e7c393b-45d0-48b1-a35e-2905ddf8183c Service Principal ID
Azure Key Vault Azure Key Vault Service Principal Name
Storage Blob *.blob.core.windows.net *.blob.core.usgovcloudapi.net
Queue *.queue.core.windows.net *.queue.core.usgovcloudapi.net
Table *.table.core.windows.net *.table.core.usgovcloudapi.net
File *.file.core.windows.net *.file.core.usgovcloudapi.net
Web API Management Gateway *.azure-api.net *.azure-api.us
API Management Portal *.portal.azure-api.net *.portal.azure-api.us
API Management management *.management.azure-api.net *.management.azure-api.us
App Service *.azurewebsites.net *.azurewebsites.us Endpoint
abfa0a7c-a6b6-4736-8310-5855508787cd 6a02c803-dafd-4136-b4c3-5a6f318b4714 Service Principal ID
Azure Cognitive Search *.search.windows.net *.search.windows.us

Service availability

Microsoft's goal is to enable 100% parity in service availability between Azure and Azure Government. To find out which services are available in Azure Government, customers should visit the products available by region dashboard. The services available in Azure Government are listed by category, as well as whether they are Generally Available or available through Preview. If a service is available in Azure Government, that fact is not reiterated in the sections below. Instead, customers are encouraged to visit the products available by region dashboard for the latest, up-to-date information on service availability.

In general, service availability in Azure Government implies that all corresponding service features are available to customers. Variations to this approach and other applicable limitations are tracked and explained in the sections below based on the main service categories outlined in the online directory of Azure services. Additional considerations for service deployment and usage in Azure Government are also provided.

AI + Machine Learning

This section outlines variations and considerations when using Cognitive Services and the Azure Bot Service in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure Bot Service

The following Azure Bot Service features are not currently available in Azure Government:

  • BotBuilder V3 Bot Templates
  • Channels
    • Cortana channel
    • Skype for Business Channel
    • Teams Channel
    • Slack Channel
    • Office 365 Email Channel
    • Facebook Messenger Channel
    • Telegram Channel
    • Kik Messenger Channel
    • GroupMe Channel
    • Skype Channel
  • Application Insights related capabilities including the Analytics Tab
  • Speech Priming Feature
  • Payment Card Feature

Commonly used services in bot applications that are not currently available in Azure Government:

  • Application Insights
  • Speech Service

For more information, see How do I create a bot that uses US Government data center.

Content Moderator

The following Content Moderator features are not currently available in Azure Government:

  • Review UI and Review APIs.

Language Understanding

The following Language Understanding features are not currently available in Azure Government:

  • Speech Requests
  • Prebuilt Domains

Speech Service

The following Speech Service features are not currently available in Azure Government:

Translator Text

The following Translator Text features are not currently available in Azure Government:

  • Custom Translator
  • Translator Hub

Analytics

This section outlines variations and considerations when using Analytics services in the Azure Government environment. For service availability, see the products available by region dashboard.

HDInsight

The following HDInsight features are not currently available in Azure Government:

  • HDInsight on Windows.
  • Azure Data Lake Store. Azure Blob Storage is the only available storage option currently.

For secured virtual networks, you will want to allow Network Security Groups (NSGs) access to certain IP addresses and ports. For Azure Government, you should allow the following IP addresses (all with an Allowed port of 443):

Region Allowed IP addresses Allowed port
US DoD Central 52.180.249.174
52.180.250.239
443
US DoD East 52.181.164.168
52.181.164.151
443
US Gov Texas 52.238.116.212
52.238.112.86
443
US Gov Virginia 13.72.49.126
13.72.55.55
13.72.184.124
13.72.190.110
443
US Gov Arizona 52.127.3.176
52.127.3.178
443

You can see a demo on how to build data-centric solutions on Azure Government using HDInsight.

Power BI

The following Power BI features are not currently available in Azure Government:

  • Portal support.

You can see a demo on how to build data-centric solutions on Azure Government using Power BI.

Note

The content pack that typically makes activity logs and such available is not intended for use on Government tenants. The intention is to use Log Analytics for the purpose of the logs that aren't available through the content pack.

Power BI Embedded

The following Power BI Embedded features are not yet available in Azure Government:

  • Portal support.

Compute

This section outlines variations and considerations when using Compute services in the Azure Government environment. For service availability, see the products available by region dashboard.

Virtual Machines

The following Virtual Machines features are not currently available in Azure Government:

  • Settings
    • Continuous delivery
  • Operations
    • Auto-Shutdown
  • Monitoring
    • Application Insights
  • Support + Troubleshooting
    • Ubuntu Advantage support plan

Azure Functions

The following Azure Functions features are not currently available in Azure Government:

Databases

This section outlines variations and considerations when using Databases services in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure Database for MySQL

The following Azure Database for MySQL features are not currently available in Azure Government:

  • Advanced Threat Protection
  • Private endpoint connections

Azure Database for PostgreSQL

The following Azure Database for PostgreSQL features are not currently available in Azure Government:

  • Advanced Threat Protection
  • Private endpoint connections

Developer Tools

This section outlines variations and considerations when using Developer Tools services in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure DevTest Labs

The following Azure DevTest Labs features are not currently available in Azure Government:

  • Auto shutdown feature for Azure Compute VMs; however, setting auto shutdown for Labs and Lab Virtual Machines is available.

Internet of Things

This section outlines variations and considerations when using Internet of Things services in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure IoT Hub

If you are using the IoT Hub connection string (instead of the Event Hub-compatible settings) with the Microsoft Azure Service Bus .NET client library to receive telemetry or operations monitoring events, then be sure to use WindowsAzure.ServiceBus NuGet package version 4.1.2 or higher.

Management and Governance

This section outlines variations and considerations when using Management and Governance services in the Azure Government environment. For service availability, see the products available by region dashboard.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Application Insights

This section describes the supplemental configuration that is required to use Application Insights (part of Azure Monitor) in Azure Government.

Enable Application Insights for ASP.NET & ASP.NET Core with Visual Studio

Azure Government customers can enable Application Insights with a codeless agent for their Azure App Services hosted applications or via the traditional Add Applications Insights Telemetry button in Visual Studio, which requires a small manual workaround. Customers experiencing the associated issue may see error messages like "There is no Azure subscription associated with this account or "The selected subscription does not support Application Insights even though the microsoft.insights resource provider has a status of registered for the subscription. To mitigate this issue, you must perform the following steps:

  1. Switch Visual Studio to target the Azure Government cloud.

  2. Create (or if already existing set) the User Environment variable for AzureGraphApiVersion as follows: (To create a User Environment variable go to Control Panel > System > Advanced system settings > Advanced > Environment Variables.)

    Variable name: AzureGraphApiVersion Variable value: 2014-04-01

  3. Make the appropriate Application Insights SDK endpoint modifications for either ASP.NET or ASP.NET Core depending on your project type.

Snapshot Debugger Snapshot Debugger is now available for Azure Government customers. To use Snapshot Debugger the only additional prerequisite is to insure that you are using Snapshot Collector version 1.3.5 or later. Then simply follow the standard Snapshot Debugger documentation.

SDK endpoint modifications In order to send data from Application Insights to the Azure Government region, you will need to modify the default endpoint addresses that are used by the Application Insights SDKs. Each SDK requires slightly different modifications, as described in Application Insights overriding default endpoints.

Note

Connection strings are the new preferred method of setting custom endpoints within Application Insights.

Firewall exceptions Application Insights uses a number of IP addresses. You might need to know these addresses if the app that you are monitoring is hosted behind a firewall.

Note

Although these addresses are static, it's possible that we will need to change them from time to time. All Application Insights traffic represents outbound traffic except for availability monitoring and webhooks, which require inbound firewall rules.

You need to open some outgoing ports in your server's firewall to allow the Application insights SDK and/or Status Monitor to send data to the portal:

Purpose URL IP address Ports
Telemetry dc.applicationinsights.us 23.97.4.113 443

Azure Monitor

The following Azure Monitor features are not currently available in Azure Government:

  • Solutions that are in preview in Microsoft Azure, including:
    • Windows 10 Upgrade Analytics solution
    • Application Insights solution
    • Azure Networking Security Group Analytics solution
    • Azure Automation Analytics solution
    • Key Vault Analytics solution
  • Solutions and features that require updates to on-premises software, including:
    • Surface Hub solution
  • Features that are in preview in global Azure, including:
    • Export of data to Power BI
  • Azure metrics and Azure diagnostics

The following Azure Monitor features behave differently in Azure Government:

Frequently asked questions

  • Can I migrate data from Azure Monitor logs in Microsoft Azure to Azure Government?
    • No. It is not possible to move data or your workspace from Microsoft Azure to Azure Government.
  • Can I switch between Microsoft Azure and Azure Government workspaces from the Operations Management Suite portal?
    • No. The portals for Microsoft Azure and Azure Government are separate and do not share information.

Azure Advisor

The following Azure Advisor recommendation features are not currently available in Azure Government:

  • High Availability
    • Configure your VPN gateway to active-active for connection resilience
    • Create Azure Service Health alerts to be notified when Azure issues affect you
    • Configure Traffic Manager endpoints for resiliency
    • Use soft delete for your Azure Storage Account
  • Performance
    • Improve App Service performance and reliability
    • Reduce DNS time to live on your Traffic Manager profile to fail over to healthy endpoints faster
    • Improve SQL Data Warehouse performance
    • Use Premium Storage
    • Migrate your Storage Account to Azure Resource Manager
  • Cost
    • Buy reserved virtual machines instances to save money over pay-as-you-go costs
    • Eliminate unprovisioned ExpressRoute circuits
    • Delete or reconfigure idle virtual network gateways

The calculation used to recommend that you should right-size or shut down underutilized virtual machines is as follows in Azure Government:

Advisor monitors your virtual machine usage for 7 days and identifies low-utilization virtual machines. Virtual machines are considered low utilization if their CPU utilization is 5% or less and their network utilization is less than 2% or if the current workload can be accommodated by a smaller virtual machine size. If you want to be more aggressive at identifying underutilized virtual machines, you can adjust the CPU utilization rule on a per subscription basis.

Media

This section outlines variations and considerations when using Media services in the Azure Government environment. For service availability, see the products available by region dashboard. For Azure Media Services v3 availability, see Azure clouds and regions in which Media Services v3 exists.

Media Services

For information on how to connect to Media Services v2, see Access the Azure Media Services API with Azure AD authentication. The following Media Services features are not currently available in Azure Government:

  • Analyzing – the Azure Media Indexer 2 Preview Azure Media Analytics media processor is not available in Azure Government.
  • CDN integration – there is no CDN integration with streaming endpoints in Azure Government data centers.

Migration

This section outlines variations and considerations when using Migration services in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure Migrate

The following Azure Migrate features are not currently available in Azure Government:

  • Dependency visualization functionality as Azure Migrate depends on Service Map for dependency visualization which is currently unavailable in Azure Government.
  • You can only create assessments for Azure Government as target regions and using Azure Government offers.

Azure Site Recovery

The following Azure Site Recovery features are not currently available in Azure Government:

  • Email notification

Networking

This section outlines variations and considerations when using Networking services in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure ExpressRoute

Azure ExpressRoute is used to create private connections between Azure Government datacenters and customer's on-premises infrastructure or a colocation facility. ExpressRoute connections do not go over the public Internet—they offer optimized pathways (shortest hops, lowest latency, highest performance, etc.) for customers and Azure Government geo-redundant regions.

  • By default, all Azure Government ExpressRoute connectivity is configured active-active redundant with support for bursting, and it delivers up to 10 G circuit capacity (smallest is 50 MB).
  • Microsoft owns and operates all fiber infrastructure between Azure Government regions and Azure Government ExpressRoute Meet-Me locations.
  • Azure Government ExpressRoute provides connectivity to Microsoft Azure, Office 365, and Dynamics 365 cloud services.

Aside from ExpressRoute, customers can also use an IPSec protected VPN (site-to-site for a typical organization) to connect securely from their on-premises infrastructure to Azure Government. For network services to support Azure Government customer applications and solutions, it is strongly recommended that ExpressRoute (private connectivity) is implemented to connect to Azure Government. If VPN connections are used, the following should be considered:

  • Customers should contact their authorizing official/agency to determine whether private connectivity or other secure connection mechanism is required and to identify any additional restrictions to consider.
  • Customers should decide whether to mandate that the site-to-site VPN is routed through a private connectivity zone.
  • Customers should obtain either a Multi-Protocol Label Switching (MPLS) circuit or VPN with a licensed private connectivity access provider.

All customers who utilize a private connectivity architecture should validate that an appropriate implementation is established and maintained for the customer connection to the Gateway Network/Internet (GN/I) edge router demarcation point for Azure Government. Similarly, your organization must establish network connectivity between your on-premises environment and Gateway Network/Customer (GN/C) edge router demarcation point for Azure Government.

BGP communities

This section provides an overview of how BGP communities are used with ExpressRoute in Azure Government. Microsoft advertises routes in the public and Microsoft peering paths with routes tagged with appropriate community values. The rationale for doing so and the details on community values are described below.

If you are connecting to Microsoft through ExpressRoute at any one peering location within the Azure Government region, you will have access to all Microsoft cloud services across all regions within the government boundary. For example, if you connected to Microsoft in Washington D.C. through ExpressRoute, you would have access to all Microsoft cloud services hosted in Azure Government. ExpressRoute overview provides details on locations and partners, as well as a list of peering locations for Azure Government.

You can purchase more than one ExpressRoute circuit. Having multiple connections offers you significant benefits on high availability due to geo-redundancy. In cases where you have multiple ExpressRoute circuits, you will receive the same set of prefixes advertised from Microsoft on the public peering and Microsoft peering paths. This means you will have multiple paths from your network into Microsoft. This can potentially cause sub-optimal routing decisions to be made within your network. As a result, you may experience sub-optimal connectivity experiences to different services.

Microsoft tags prefixes advertised through public peering and Microsoft peering with appropriate BGP community values indicating the region the prefixes are hosted in. You can rely on the community values to make appropriate routing decisions to offer optimal routing to customers. For additional details, see Optimize ExpressRoute Routing.

Azure Government region BGP community value
US Gov Arizona 12076:51106
US Gov Virginia 12076:51105
US Gov Texas 12076:51108
US DoD Central 12076:51209
US DoD East 12076:51205

All routes advertised from Microsoft are tagged with the appropriate community value.

In addition to the above, Microsoft also tags prefixes based on the service they belong to. This applies only to the Microsoft peering. The table below provides a mapping of service to BGP community value.

Service in national clouds BGP community value
Exchange Online 12076:5110
SharePoint Online 12076:5120
Skype for Business Online 12076:5130
Dynamics 365 12076:5140
Other Office 365 Online services 12076:5200

Note

Microsoft does not honor any BGP community values that you set on the routes advertised to Microsoft.

Traffic Manager

Traffic Manager health checks can originate from certain IP addresses for Azure Government. Review the IP addresses in the JSON file to ensure that incoming connections from these IP addresses are allowed at the endpoints to check its health status.

Security

This section outlines variations and considerations when using Security services in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure Active Directory Premium P1 and P2

The following features have known limitations in Azure Government:

  • Limitations with B2B Collaboration in supported Azure US Government tenants:

    • B2B Collaboration is available in Azure US Government tenants created after June, 2019. Over time, more tenants will get access to this functionality. See How can I tell if B2B collaboration is available in my Azure US Government tenant?.
    • B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that isn't part of the Azure US Government cloud or that doesn't yet support B2B collaboration, the invitation will fail or the user will be unable to redeem the invitation.
    • B2B collaboration via Power BI is not supported. When you invite a guest user from within Power BI, the B2B flow is not used and the guest user won't appear in the tenant's user list. If a guest user is invited through other means, they'll appear in the Power BI user list, but any sharing request to the user will fail and display a 403 Forbidden error.
    • Office 365 Groups are not supported for B2B users and can't be enabled.
    • Some SQL tools such as SSMS require you to set the appropriate cloud parameter. In the tool's Azure Service setup options, set the cloud parameter to Azure US Government.
  • Limitations with Multi-factor Authentication:

    • Hardware OATH tokens are not available in Azure Government.
    • Trusted IPs are not supported in Azure Government. Instead, use Conditional Access policies with named locations to establish when Multi-Factor Authentication should and should not be required based off the user's current IP address.
  • Limitations with Azure AD Join:

    • Enterprise state roaming for Windows 10 devices is not available

Azure Information Protection

Azure Information Protection Premium is part of the Enterprise Mobility + Security suite. For details on this service and how to use it, see the Azure Information Protection Premium Government Service Description.

Azure Security Center

The following Azure Security Center features are not currently available in Azure Government:

  • 1st and 3rd party integrations

    • The Qualys Vulnerability Assessment agent.

    Note

    Security Center internal assessments are provided to discover security misconfigurations, based on Common Configuration Enumeration such as password policy, windows FW rules, local machine audit and security policy, and additional OS hardening settings.

  • Threat detection

    • Specific detections: Detections based on VM log periodic batches, Azure core router network logs, threat intelligence reports, and detections for App Service.

    Note

    Near real-time alerts generated based on security events and raw data collected from the VMs are captured and displayed.

    • Security incidents: The aggregation of alerts for a resource, known as a security incident.
    • Threat intelligence enrichment: Geo-enrichment and the threat intelligence option.
    • UEBA for Azure resources: Integration with Microsoft Cloud App Security for user and entity behavior analytics on Azure resources.
    • Advanced threat detection: Azure Security Center standard tier in Azure Government does not support threat detection for App Service.

    Threat detection for storage accounts is available in US government clouds, but no other sovereign or Azure government cloud regions.

  • Server protection

    • OS Security Configuration: Vulnerability specific metadata, such as the potential impact and countermeasures for OS security configuration vulnerabilities.

Azure Security Center FAQ

For Azure Security Center FAQ, see Azure Security Center frequently asked questions public documentation. Additional FAQ for Azure Security Center in Azure Government are listed below.

What will customers be charged for Azure Security Center in Azure Government? The standard tier of Azure Security Center is free for the first 30 days. Should you choose to continue to use public preview or generally available standard features beyond 30 days, we automatically start to charge for the service.

What features are available for Azure Security Center government customers? A detailed list of feature variations in the Azure Security Center government offering can found in the variations section of this article. All other Azure Security Center capabilities can be referenced in the Azure Security Center public documentation.

What is the compliance commitment for Azure Security Center in Azure Government? Azure Security Center in Azure Government has achieved FedRAMP High authorization.

Is Azure Security Center available for DoD customers? Azure Security Center is deployed on Azure Government regions but not DoD regions. Azure resources created in DoD regions can still utilize Security Center capabilities. However, using it will result in Security Center collected data being moved out from DoD regions and stored in Azure Government regions. By default, all Security Center features which collect and store data are disabled for resources hosted in DoD regions. The type of data collected and stored varies depending on the selected feature. Customers who want to enable Azure Security Center features for DoD resources are recommended to consider data residency before doing so.

Azure Sentinel

The following features have known limitations in Azure Government:

Enterprise Mobility + Security (EMS)

For information about EMS suite capabilities in Azure Government, see the Enterprise Mobility + Security for US Government Service Description.

Storage

This section outlines variations and considerations when using Storage services in the Azure Government environment. For service availability, see the products available by region dashboard.

Azure Storage

For a Quickstart that will help you get started with Storage in Azure Government, see Develop with Storage API on Azure Government.

Storage pairing in Azure Government Azure relies on paired regions to deliver geo-redundant storage. The following table shows the primary and secondary region pairings in Azure Government.

Geography Regional Pair A Regional Pair B
US Government US Gov Arizona US Gov Texas
US Government US Gov Virginia US Gov Texas

Table in Guidance for developers section shows URL endpoints for main Azure Storage services.

Note

All your scripts and code need to account for the appropriate endpoints. See Configure Azure Storage Connection Strings.

For more information on APIs, see the Cloud Storage Account Constructor.

The endpoint suffix to use in these overloads is core.usgovcloudapi.net.

Note

If error 53 ("The network path was not found") is returned while you're mounting the file share, a firewall might be blocking the outbound port. Try mounting the file share on VM that's in the same Azure subscription as the storage account.

When you're deploying the StorSimple Manager service, use the https://portal.azure.us/ URL for the Azure Government portal. For deployment instructions for StorSimple Virtual Array, see StorSimple Virtual Array system requirements. For the StorSimple 8000 series, see StorSimple software, high availability, and networking requirements and go to the Deploy section from the left menu. For more information on StorSimple, see the StorSimple documentation.

Azure Import/Export

With Import/Export jobs for US Gov Arizona or US Gov Texas, the mailing address is for US Gov Virginia. The data is loaded into selected storage accounts from the US Gov Virginia region.

For DoD L5 data, use a DoD region storage account to ensure that data is loaded directly into the DoD regions.

For all jobs, we recommend that you rotate your storage account keys after the job is complete to remove any access granted during the process. For more information, see Manage storage account access keys.

Web

This section outlines variations and considerations when using Web services in the Azure Government environment. For service availability, see the products available by region dashboard.

API Management

The following API Management features are not currently available in Azure Government:

  • Azure AD B2C Integration

App Service

The following App Service features are not currently available in Azure Government:

  • Resource
    • App Service Certificate
  • Deployment
    • Deployment Options: only Local Git Repository and External Repository are available
  • Development Tools
    • Resource explorer

For a self-directed exploration of search functionality using public government data, visit the Content Search and Intelligence web site, select the dataset "US Court of Appeals District 1", and then choose one of the demo options.

Search features that have been widely adopted in government search applications include cognitive skills, useful for extracting structure and information from large undifferentiated text documents.

Basic query syntax, formulating queries to search over large amounts of content, is also relevant to application developers. Azure Cognitive Search supports two syntaxes: simple and full. You can review query expression examples for an orientation.

Next steps

Learn more about Azure Government:

Start using Azure Government: