Isolation guidelines for Impact Level 5 Workloads
- 14 minutes to read
Azure Government supports applications in all regions that require Impact Level 5 (IL5) data, as defined in the US Department of Defense Cloud Security Requirements Guide (SRG). IL5 workloads have a higher degree of impact to the US Department of Defense and must be secured to a higher standard. When supporting these workloads on Azure Government, their isolation requirements can be met in different ways. The guidance below will address configurations and settings for the isolation required to support IL5 data. This document will be updated as new implementations are enabled and as new services are accredited for IL5 data by DISA.
Background
In January 2017, the Impact Level 5 Provisional Authorization (PA) for Azure Government was the first provided to a Hyper Scale cloud provider. This covered two regions of Azure Government (USDoD Central and USDoD East) that were dedicated to the DoD. Based on mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA in December 2018 to cover all six Azure Government regions while still honoring the isolation requirements needed by the Department of Defense.
Azure Government continues to provide more PaaS features and services to the DoD at Impact Level 5 than any other cloud provider.
Principles and approach
To include a service in Impact Level 5 scope, there are two key areas that will be addressed – Storage Isolation and Compute Isolation. We are focusing on how these services can isolate the compute and storage of Impact Level 5 data. The SRG allows for a shared management and network infrastructure.
Compute isolation
The SRG focuses on segmentation of compute when 'processing' data for Impact Level 5. This means ensuring that a virtual machine that compromises the physical host cannot impact a DoD workload. To remove the risk of runtime attacks and ensure long running workloads are not compromised from other workloads on the same host, all Impact Level 5 virtual machines should be isolated on dedicated physical nodes.
For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data; isolation will be accomplished by focusing on the data being processed and how it is stored and retained. This approach ensures that the data in question is stored in protected mediums and not present on these services for extended periods unless also encrypted as necessary.
Storage isolation
In the most recent PA for Azure Government, DISA has approved logical separation of IL5 from other data using cryptographic means. In Azure this means encryption using keys that are maintained in Azure Key Vault. The keys are owned and managed by the L5 system owner.
When applying this to services, the following evaluation is applied:
- If a service only hosts IL5 data, then the service can control the key on behalf of the end users but must use a dedicated key to protect IL5 data from all other data in the cloud.
- If a service will host IL5 and non-DoD data, then the service must expose the option to use their own key for encryption. That key will be stored in Azure Key Vault. This implementation gives consumers of the service the ability to implement cryptographic separation as needed.
This will ensure all key material for decrypting data is stored separately of the data itself and done so with a hardware key management solution.
Applying this guidance
Impact Level 5 guidelines require workloads to be deployed with a high degree of security, isolation, and control. The below configurations are required in addition to any other configurations or controls needed to meet Impact Level 5. Network isolation, access controls, and other necessary security measures are not necessarily addressed in the guidance below.
Make sure to review the entry for each service you are utilizing and ensure that all isolation requirements have been implemented.
Analytics services
Azure Event Hubs
Azure Event Hubs can be used in Azure Government supporting Impact Level 5 workloads in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Event Hubs | X1 | X1 | X1 | X1 | X | X |
Important
1Use client-side encryption to encrypt data prior to leveraging Azure Event Hubs in the noted regions.
Azure HDInsight
Azure HDInsight can be used in Azure Government supporting Impact Level 5 workloads in the following configurations:
- Azure HDInsight can be deployed to existing storage accounts which have enabled appropriate Storage Service Encryption as discussed in the Azure Storage for guidance.
- Azure HDInsight enables a database option for certain configurations, ensure the appropriate database configuration for TDE is enabled on the chosen option as discussed in the SQL Database for guidance.
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure HDInsight | X | X | X | X | X | X |
Azure SQL Data Warehouse
Azure SQL Warehouse can be used in Azure Government supporting Impact Level 5 workloads in the following configurations:
- Add Transparent Data Encryption with customer managed keys via Azure Key Vault (additional documentation and guidance found in the documentation for Azure SQL transparent data encryption).
Note
The instructions to enable this are the same as for Azure SQL database.
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure SQL Data Warehouse | X | X | X | X | X | X |
Power BI Embedded
Power BI Embedded can be used in Azure Government supporting Impact Level 5 workloads with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Power BI Embedded | X | X |
Compute services
Azure Batch
Azure Batch can be used in Azure Government supporting Impact Level 5 workloads in the following configurations:
- Enable User Subscription Mode which will require a Key Vault instance for proper encryption and key storage (see documentation on batch account configurations).
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Batch | X | X | X | X | X | X |
Azure Functions
Azure Functions can be used in Azure Government supporting Impact Level 5 workloads in the following configurations:
- To accommodate proper network and workload isolation, deploy your Azure Functions on App Service Plans configured to leverage the Isolated SKU. More information can be found in the app services plan documentation.
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Functions | X | X | X | X | X | X |
Azure Service Fabric
Azure Service Fabric can be used in Azure Government supporting Impact Level 5 workloads with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Service Fabric | X | X |
Azure Virtual Machines & Virtual Machine Scale Sets
Microsoft Azure Virtual Machines can be used through multiple deployment mediums. This includes single Virtual Machines as well as Virtual Machines deployed using Azure's virtual machine scale sets feature.
All Virtual Machines should use Disk Encryption for Virtual Machines, Disk Encryption for virtual machine scale sets, or place Virtual Machine disks in a storage account that can hold Impact Level 5 data as described in the Azure Storage section.
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Virtual Machines | X1 | X1 | X1 | X1 | X | X |
| Virtual Machine Scale Sets | X1 | X1 | X1 | X1 | X | X |
Important
1 When deploying VMs in these regions you must use Isolated Virtual Machines as described below.
Isolated Virtual Machines
Specific VM types when deployed consume the entire physical host for that VM. These VMs provide the necessary level of isolation required to support IL5 workloads when deployed outside of the dedicated DoD regions. In addition to deploying on these hosts, the underlying storage and disks for these virtual machines must be configured with encryption at rest.
Each of the above VM types can be deployed leveraging virtual machine scale sets to provide proper compute isolation with all the benefits of virtual machine scale sets in place. When configuring your scale set, select the appropriate SKU. To encrypt the data at rest, see the next section for supportable encryption options.
Current VM SKUs that offer necessary compute isolation include specific offerings from our VM families:
| VM Family | VM SKU |
|---|---|
| D-Series - General Purpose | Standard_DS15_v2Standard_D15_v2 |
| Memory Optimized | Standard_E64is_v3Standard_E64i_v3 |
| Compute Optimized | Standard_F72s_v2 |
| Large Memory Optimized | Standard_M128ms |
| GPU Enabled VMs | Standard_NV24 |
Important
As new hardware generations become available, some VM types may require reconfiguration (scale up or migration to a new VM SKU) to ensure they remain on properly dedicated hardware. This document will be updated to reflect any changes.
Disk Encryption for Virtual Machines
The storage supporting these Virtual Machines can be encrypted in one of two ways to support necessary encryption standards.
- Leverage Azure Disk Encryption to encrypt the drives using DM-Crypt (Linux) or BitLocker (Windows):
- Leverage Azure Storage Service Encryption for Storage Accounts with your own key to encrypt the storage account that holds the disks:
Disk Encryption using Virtual Machine Scale Sets
The disks that support Virtual Machine Scale Sets can be encrypted using Azure Disk Encryption:
Azure Web Apps
Azure Web Apps can be used in Azure Government supporting Impact Level 5 workloads in the following configurations:
- To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. More information can be found in the app services plan documentation.
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Web Apps | X | X | X | X | X | X |
Integration services
Azure Service Bus
Azure Service Bus can be used in Azure Government supporting Impact Level 5 workloads in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Service Bus | X1 | X1 | X1 | X1 | X | X |
Important
1Use client-side encryption to encrypt data prior to leveraging Azure Service Bus in the noted regions
Azure API Management
Azure API Management can be used in Azure Government supporting Impact Level 5 workloads with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| API Management | X | X | X | X | X | X |
Management and governance
Azure Backup
Azure Backup can be used in Azure Government supporting all impact levels with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Backup | X | X | X | X | X | X |
Azure Monitor
Azure Monitor can be used in Azure Government supporting all impact levels with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Monitor | X | X | X | X | X | X |
Azure Scheduler
Azure Scheduler can be used in Azure Government supporting all impact levels with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Scheduler | X | X | X | X | X | X |
Media services
Azure Media Services
Azure Media Services can be used in Azure Government supporting Impact Level 5 workloads with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Media Services | X | X |
Networking services
Azure Application Gateway
Application Gateway can be used in Azure Government supporting all impact levels with no additional configuration required between regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Application Gateway | X | X | X | X | X | X |
Azure DNS
Azure DNS can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure DNS | X | X | X | X | X | X |
Azure ExpressRoute
ExpressRoute can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| ExpressRoute | X | X | X | X | X | X |
Azure Load Balancer
Load Balancer can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Load Balancer | X | X | X | X | X | X |
Azure Traffic Manager
Azure Traffic Manager can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Traffic Manager | X | X | X | X | X | X |
Azure Virtual Network
Azure Virtual Network can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Virtual Network | X | X | X | X | X | X |
Azure VPN Gateway
Azure VPN Gateway can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| VPN Gateway | X | X | X | X | X | X |
Security and identity services
Azure Active Directory
Azure Active Directory can be used in all Azure Government regions, supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Active Directory | X | X | X | X | X | X |
Microsoft Graph
Microsoft Graph can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Microsoft Graph | X | X | X | X | X | X |
Azure Key Vault
Azure Key Vault can be used in Azure Government supporting all impact levels with no additional configuration required in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Key Vault | X | X | X | X | X | X |
Storage and database services
Azure Analysis Services
Azure Analysis Services can be used in Azure Government supporting Impact Level 5 workloads with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Analysis Services | X | X |
Azure Cache for Redis
Azure Cache for Redis can be used in Azure Government supporting Impact Level 5 workloads with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Cache for Redis | X | X |
Azure Import/Export
Azure Import/Export can be used in Azure Government to import/export Impact Level 5 data. By default, Import/Export will encrypt the data that is written to the disk drive for transport. When creating a target storage account for Import/Export of Impact Level 5 data add storage encryption with customer managed keys (additional documentation and guidance found in the storage services section).
The target storage account for Import and source storage account for Export can reside in any of the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure Import/Export | X | X | X | X | X | X |
Azure CosmosDB
Azure CosmosDB can be used in Azure Government supporting Impact Level 5 workloads with no additional configuration in the following regions:
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure CosmosDB | X | X |
Azure Storage
Azure Storage consists of multiple data features: Blob storage, File storage, Table storage, and Queue storage. Blob storage supports both standard and premium storage, with premium storage using only SSDs for the fastest performance possible. Storage also includes configurations which modify these storage types, such as hot and cool to provide appropriate speed-of-availability for data scenarios. The below outlines which features of storage currently support IL5 workloads.
When using an Azure Storage account, you must follow the steps for using Storage Encryption with Key Vault Managed Keys to ensure the data is protected with customer managed keys.
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Blobs | X | X | X | X | X | X |
| Files | X | X | X | X | X | X |
| Tables | X1 | X1 | X1 | X1 | X | X |
| Queues | X1 | X1 | X1 | X1 | X | X |
Important
1Tables and Queues when used outside the USDoD Regions must encrypt the data before inserting into the Table and Queue. For more information refer to the instructions for using client side encryption.
Storage Encryption with Key Vault Managed Keys
To implement Impact Level 5 compliant controls on an Azure Storage account running in Azure Government outside of the dedicated DoD regions, Encryption at Rest must be implemented with the customer-managed key option enabled (also known as bring-your-own-key).
For more information on how to enable this Azure Storage Encryption feature, please review the supporting documentation for Azure Storage.
Note
When using this encryption method, it is important that it is enabled BEFORE content is added to the storage account. Any content added prior will not be encrypted with the selected key, and only encrypted using standard encryption at rest provided by Azure Storage.`
Azure SQL Database
Azure SQL Database can be used in Azure Government supporting Impact Level 5 workloads in the following configurations:
- Add Transparent Data Encryption with customer managed keys via Azure Key Vault (additional documentation and guidance found in the Azure SQL documentation).
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure SQL DB | X | X | X | X | X | X |
Azure SQL Stretch Database
Azure SQL Stretch Database can be used in Azure Government supporting Impact Level 5 workloads in the following configurations:
- Add Transparent Data Encryption with customer managed keys via Azure Key Vault (additional documentation and guidance found in the documentation for Azure SQL transparent data encryption).
| Service | USGov VA | USGov IA | USGov TX | USGov AZ | USDoD East | USDoD Cent |
|---|---|---|---|---|---|---|
| Azure SQL Stretch DB | X | X | X | X | X | X |
Feedback
Loading feedback...