Compare Azure Government and global Azure

Microsoft Azure Government uses same underlying technologies as global Azure, which includes the core components of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Both Azure and Azure Government have the same comprehensive security controls in place and the same Microsoft commitment on the safeguarding of customer data. Whereas both cloud environments are assessed and authorized at the FedRAMP High impact level, Azure Government provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. These commitments may be of interest to customers using the cloud to store or process data subject to US export control regulations.

Note

These lists and tables do not include feature or bundle availability in the Azure Government Secret or Azure Government Top Secret clouds. For more information about specific availability for air-gapped clouds, please contact your account team.

Export control implications

You're responsible for designing and deploying your applications to meet US export control requirements such as the requirements prescribed in the EAR, ITAR, and DoE 10 CFR Part 810. In doing so, you shouldn't include sensitive or restricted information in Azure resource names, as explained in Considerations for naming Azure resources.

Guidance for developers

Most of the currently available technical content assumes that applications are being developed on global Azure rather than on Azure Government. For this reason, it’s important to be aware of two key differences in applications that you develop for hosting in Azure Government.

  • Certain services and features that are in specific regions of global Azure might not be available in Azure Government.

  • Feature configurations in Azure Government might differ from those in global Azure.

Therefore, it's important to review your sample code and configurations to ensure that you are building within the Azure Government cloud services environment.

For more information, see Azure Government developer guide.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install the Azure Az PowerShell module.

You can use AzureCLI or PowerShell to obtain Azure Government endpoints for services you provisioned:

  • Use Azure CLI to run the az cloud show command and provide AzureUSGovernment as the name of the target cloud environment. For example,

    az cloud show --name AzureUSGovernment
    

    should get you different endpoints for Azure Government.

  • Use a PowerShell cmdlet such as Get-AzEnvironment to get endpoints and metadata for an instance of Azure service. For example,

    Get-AzEnvironment -Name AzureUSGovernment
    

    should get you properties for Azure Government. This cmdlet gets environments from your subscription data file.

Table below lists API endpoints in Azure vs. Azure Government for accessing and managing some of the more common services. If you provisioned a service that isn't listed in the table below, see the Azure CLI and PowerShell examples above for suggestions on how to obtain the corresponding Azure Government endpoint.


Service category Service name Azure Public Azure Government Notes
AI + machine learning Azure Bot Service botframework.com botframework.azure.us
Azure AI Document Intelligence cognitiveservices.azure.com cognitiveservices.azure.us
Computer Vision cognitiveservices.azure.com cognitiveservices.azure.us
Custom Vision cognitiveservices.azure.com cognitiveservices.azure.us
Portal
Content Moderator cognitiveservices.azure.com cognitiveservices.azure.us
Face API cognitiveservices.azure.com cognitiveservices.azure.us
Language Understanding cognitiveservices.azure.com cognitiveservices.azure.us
Portal
Part of Azure AI Language
Personalizer cognitiveservices.azure.com cognitiveservices.azure.us
QnA Maker cognitiveservices.azure.com cognitiveservices.azure.us Part of Azure AI Language
Speech service See STT API docs Speech Studio

See Speech service endpoints

Speech translation endpoints
Virginia: https://usgovvirginia.s2s.speech.azure.us
Arizona: https://usgovarizona.s2s.speech.azure.us
Text Analytics cognitiveservices.azure.com cognitiveservices.azure.us Part of Azure AI Language
Translator See Translator API docs cognitiveservices.azure.us
Analytics Azure HDInsight azurehdinsight.net azurehdinsight.us
Event Hubs servicebus.windows.net servicebus.usgovcloudapi.net
Power BI app.powerbi.com app.powerbigov.us Power BI US Gov
Compute Batch batch.azure.com batch.usgovcloudapi.net
Cloud Services cloudapp.net usgovcloudapp.net
Containers Azure Service Fabric cloudapp.azure.com cloudapp.usgovcloudapi.net
Container Registry azurecr.io azurecr.us
Databases Azure Cache for Redis redis.cache.windows.net redis.cache.usgovcloudapi.net See How to connect to other clouds
Azure Cosmos DB documents.azure.com documents.azure.us
Azure Database for MariaDB mariadb.database.azure.com mariadb.database.usgovcloudapi.net
Azure Database for MySQL mysql.database.azure.com mysql.database.usgovcloudapi.net
Azure Database for PostgreSQL postgres.database.azure.com postgres.database.usgovcloudapi.net
Azure SQL Database database.windows.net database.usgovcloudapi.net
Identity Microsoft Entra ID login.microsoftonline.com login.microsoftonline.us
certauth.login.microsoftonline.com certauth.login.microsoftonline.us
passwordreset.microsoftonline.com passwordreset.microsoftonline.us
Integration Service Bus servicebus.windows.net servicebus.usgovcloudapi.net
Internet of Things Azure IoT Hub azure-devices.net azure-devices.us
Azure Maps atlas.microsoft.com atlas.azure.us
Notification Hubs servicebus.windows.net servicebus.usgovcloudapi.net
Management and governance Azure Automation azure-automation.net azure-automation.us
Azure Monitor mms.microsoft.com oms.microsoft.us Log Analytics workspace portal
ods.opinsights.azure.com ods.opinsights.azure.us Data collector API
oms.opinsights.azure.com oms.opinsights.azure.us
portal.loganalytics.io portal.loganalytics.us
api.loganalytics.io api.loganalytics.us
docs.loganalytics.io docs.loganalytics.us
adx.monitor.azure.com adx.monitor.azure.us Data Explorer queries
Azure Resource Manager management.azure.com management.usgovcloudapi.net
Cost Management consumption.azure.com consumption.azure.us
Gallery URL gallery.azure.com gallery.azure.us
Microsoft Azure portal portal.azure.com portal.azure.us
Microsoft Intune enterpriseregistration.windows.net enterpriseregistration.microsoftonline.us Enterprise registration
manage.microsoft.com manage.microsoft.us Enterprise enrollment
Migration Azure Site Recovery hypervrecoverymanager.windowsazure.com hypervrecoverymanager.windowsazure.us Site Recovery service
backup.windowsazure.com backup.windowsazure.us Protection service
blob.core.windows.net blob.core.usgovcloudapi.net Storing VM snapshots
Networking Traffic Manager trafficmanager.net usgovtrafficmanager.net
Security Key Vault vault.azure.net vault.usgovcloudapi.net
Storage Azure Backup backup.windowsazure.com backup.windowsazure.us
Blob blob.core.windows.net blob.core.usgovcloudapi.net
Queue queue.core.windows.net queue.core.usgovcloudapi.net
Table table.core.windows.net table.core.usgovcloudapi.net
File file.core.windows.net file.core.usgovcloudapi.net
Virtual desktop infrastructure Azure Virtual Desktop See AVD docs See AVD docs
Web API Management management.azure.com management.usgovcloudapi.net
API Management Gateway azure-api.net azure-api.us
API Management management management.azure-api.net management.azure-api.us
API Management Portal portal.azure-api.net portal.azure-api.us
App Configuration azconfig.io azconfig.azure.us
App Service azurewebsites.net azurewebsites.us
Azure AI Search search.windows.net search.windows.us
Azure Functions azurewebsites.net azurewebsites.us

Service availability

Microsoft's goal for Azure Government is to match service availability in Azure. For service availability in Azure Government, see Products available by region. Services available in Azure Government are listed by category and whether they're Generally Available or available through Preview. If a service is available in Azure Government, that fact isn't reiterated in the rest of this article. Instead, you're encouraged to review Products available by region for the latest, up-to-date information on service availability.

In general, service availability in Azure Government implies that all corresponding service features are available to you. Variations to this approach and other applicable limitations are tracked and explained in this article based on the main service categories outlined in the online directory of Azure services. Other considerations for service deployment and usage in Azure Government are also provided.

AI + machine learning

This section outlines variations and considerations when using Azure Bot Service, Azure Machine Learning, and Cognitive Services in the Azure Government environment. For service availability, see Products available by region.

Azure Bot Service

The following Azure Bot Service features aren't currently available in Azure Government:

  • Bot Framework Composer integration
  • Channels (due to availability of dependent services)
    • Direct Line Speech Channel
    • Telephony Channel (Preview)
    • Microsoft Search Channel (Preview)
    • Kik Channel (deprecated)

For information on how to deploy Bot Framework and Azure Bot Service bots to Azure Government, see Configure Bot Framework bots for US Government customers.

Azure Machine Learning

For feature variations and limitations, see Azure Machine Learning feature availability across cloud regions.

Azure AI services: Content Moderator

The following Content Moderator features aren't currently available in Azure Government:

  • Review UI and Review APIs.

Azure AI Language Understanding (LUIS)

The following Language Understanding features aren't currently available in Azure Government:

  • Speech Requests
  • Prebuilt Domains

Azure AI Language Understanding (LUIS) is part of Azure AI Language.

Azure AI Speech

For feature variations and limitations, including API endpoints, see Speech service in sovereign clouds.

Azure AI services: Translator

For feature variations and limitations, including API endpoints, see Translator in sovereign clouds.

Analytics

This section outlines variations and considerations when using Analytics services in the Azure Government environment. For service availability, see Products available by region.

Azure HDInsight

For secured virtual networks, you'll want to allow network security groups (NSGs) access to certain IP addresses and ports. For Azure Government, you should allow the following IP addresses (all with an Allowed port of 443):

Region Allowed IP addresses Allowed port
US DoD Central 52.180.249.174
52.180.250.239
443
US DoD East 52.181.164.168
52.181.164.151
443
US Gov Texas 52.238.116.212
52.238.112.86
443
US Gov Virginia 13.72.49.126
13.72.55.55
13.72.184.124
13.72.190.110
443
US Gov Arizona 52.127.3.176
52.127.3.178
443

For a demo on how to build data-centric solutions on Azure Government using HDInsight, see Azure AI services, HDInsight, and Power BI on Azure Government.

Power BI

For usage guidance, feature variations, and limitations, see Power BI for US government customers. For a demo on how to build data-centric solutions on Azure Government using Power BI, see Azure AI services, HDInsight, and Power BI on Azure Government.

Power BI Embedded

To learn how to embed analytical content within your business process application, see Tutorial: Embed a Power BI content into your application for national clouds.

Databases

This section outlines variations and considerations when using Databases services in the Azure Government environment. For service availability, see Products available by region.

Azure Database for MySQL

The following Azure Database for MySQL features aren't currently available in Azure Government:

  • Advanced Threat Protection

Azure Database for PostgreSQL

For Flexible Server availability in Azure Government regions, see Azure Database for PostgreSQL – Flexible Server.

The following Azure Database for PostgreSQL features aren't currently available in Azure Government:

  • Azure Cosmos DB for PostgreSQL, formerly Azure Database for PostgreSQL – Hyperscale (Citus). For more information about supported regions, see Regional availability for Azure Cosmos DB for PostgreSQL.
  • The following features of the Single Server deployment option
    • Advanced Threat Protection
    • Backup with long-term retention

Developer tools

This section outlines variations and considerations when using Developer tools in the Azure Government environment. For service availability, see Products available by region.

Enterprise Dev/Test subscription offer

  • Enterprise Dev/Test subscription offer in existing or separate tenant is currently available only in Azure public as documented in Azure EA portal administration.

Identity

This section outlines variations and considerations when using Identity services in the Azure Government environment. For service availability, see Products available by region.

Microsoft Entra ID P1 and P2

For feature variations and limitations, see Cloud feature availability.

For information on how to use Power BI capabilities for collaboration between Azure and Azure Government, see Cross-cloud B2B.

The following features have known limitations in Azure Government:

  • Limitations with B2B Collaboration in supported Azure US Government tenants:

  • Limitations with multi-factor authentication:

    • Trusted IPs isn't supported in Azure Government. Instead, use Conditional Access policies with named locations to establish when multi-factor authentication should and shouldn't be required based off the user's current IP address.

Azure Active Directory B2C

Azure Active Directory B2C is not available in Azure Government.

Microsoft Authentication Library (MSAL)

The Microsoft Authentication Library (MSAL) enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. For feature variations and limitations, see National clouds and MSAL.

Management and governance

This section outlines variations and considerations when using Management and Governance services in the Azure Government environment. For service availability, see Products available by region.

Automation

The following Automation features aren't currently available in Azure Government:

  • Automation analytics solution

Azure Advisor

For feature variations and limitations, see Azure Advisor in sovereign clouds.

Azure Lighthouse

The following Azure Lighthouse features aren't currently available in Azure Government:

  • Managed Service offers published to Azure Marketplace
  • Delegation of subscriptions across a national cloud and the Azure public cloud, or across two separate national clouds, isn't supported
  • Privileged Identity Management (PIM) feature isn't enabled, for example, just-in-time (JIT) / eligible authorization capability

Azure Monitor

Azure Monitor enables the same features in both Azure and Azure Government.

  • System Center Operations Manager 2019 is supported equally well in both Azure and Azure Government.

The following options are available for previous versions of System Center Operations Manager:

  • Integrating System Center Operations Manager 2016 with Azure Government requires an updated Advisor management pack that is included with Update Rollup 2 or later.
  • System Center Operations Manager 2012 R2 requires an updated Advisor management pack included with Update Rollup 3 or later.

For more information, see Connect Operations Manager to Azure Monitor.

Frequently asked questions

  • Can I migrate data from Azure Monitor logs in Azure to Azure Government?
    • No. It isn't possible to move data or your workspace from Azure to Azure Government.
  • Can I switch between Azure and Azure Government workspaces from the Operations Management Suite portal?
    • No. The portals for Azure and Azure Government are separate and don't share information.

Application Insights

Application Insights (part of Azure Monitor) enables the same features in both Azure and Azure Government. This section describes the supplemental configuration that is required to use Application Insights in Azure Government.

Visual Studio – In Azure Government, you can enable monitoring on your ASP.NET, ASP.NET Core, Java, and Node.js based applications running on Azure App Service. For more information, see Application monitoring for Azure App Service overview. In Visual Studio, go to Tools|Options|Accounts|Registered Azure Clouds|Add New Azure Cloud and select Azure US Government as the Discovery endpoint. After that, adding an account in File|Account Settings will prompt you for which cloud you want to add from.

SDK endpoint modifications – In order to send data from Application Insights to an Azure Government region, you'll need to modify the default endpoint addresses that are used by the Application Insights SDKs. Each SDK requires slightly different modifications, as described in Application Insights overriding default endpoints.

Firewall exceptions – Application Insights uses several IP addresses. You might need to know these addresses if the app that you're monitoring is hosted behind a firewall. For more information, see IP addresses used by Azure Monitor from where you can download Azure Government IP addresses.

Note

Although these addresses are static, it's possible that we'll need to change them from time to time. All Application Insights traffic represents outbound traffic except for availability monitoring and webhooks, which require inbound firewall rules.

You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK and/or Status Monitor to send data to the portal:

Purpose URL IP address Ports
Telemetry dc.applicationinsights.us 23.97.4.113 443

Cost Management and Billing

The following Azure Cost Management + Billing features aren't currently available in Azure Government:

  • Cost Management + Billing for cloud solution providers (CSPs)

Media

This section outlines variations and considerations when using Media services in the Azure Government environment. For service availability, see Products available by region.

Media Services

For Azure Media Services v3 feature variations in Azure Government, see Azure Media Services v3 clouds and regions availability.

Migration

This section outlines variations and considerations when using Migration services in the Azure Government environment. For service availability, see Products available by region.

Azure Migrate

The following Azure Migrate features aren't currently available in Azure Government:

  • Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service.
  • Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on Azure Kubernetes Service (AKS).
  • Containerizing ASP.NET apps and deploying them on Windows containers on AKS.
  • Containerizing ASP.NET apps and deploying them on Windows containers on App Service.
  • You can only create assessments for Azure Government as target regions and using Azure Government offers.

For more information, see Azure Migrate support matrix. For a list of Azure Government URLs needed by the Azure Migrate appliance when connecting to the internet, see Azure Migrate appliance URL access.

Networking

This section outlines variations and considerations when using Networking services in the Azure Government environment. For service availability, see Products available by region.

Azure ExpressRoute

For an overview of ExpressRoute, see What is Azure ExpressRoute?. For an overview of how BGP communities are used with ExpressRoute in Azure Government, see BGP community support in National Clouds.

Azure Front Door

Azure Front Door (AFD) Standard and Premium tiers are available in general availability in Azure Government regions US Gov Arizona and US Gov Texas. The following Azure Front Door feature isn’t supported in Azure Government:

  • Managed certificate for enabling HTTPS; instead use your own certificate.

Traffic Manager

Traffic Manager health checks can originate from certain IP addresses for Azure Government. Review the IP addresses in the JSON file to ensure that incoming connections from these IP addresses are allowed at the endpoints to check its health status.

Security

This section outlines variations and considerations when using Security services in the Azure Government environment. For service availability, see Products available by region.

Microsoft Defender for Endpoint

For feature variations and limitations, see Microsoft Defender for Endpoint for US Government customers.

Microsoft Defender for IoT

For feature variations and limitations, see Cloud feature availability for US Government customers.

Azure Information Protection

Azure Information Protection Premium is part of the Enterprise Mobility + Security suite. For details on this service and how to use it, see Azure Information Protection Premium Government Service Description.

Microsoft Defender for Cloud

For feature variations and limitations, see Cloud feature availability for US Government customers.

Microsoft Sentinel

For feature variations and limitations, see Cloud feature availability for US Government customers.

Storage

This section outlines variations and considerations when using Storage services in the Azure Government environment. For service availability, see Products available by region.

Azure NetApp Files

For Azure NetApp Files feature availability in Azure Government and how to access the Azure NetApp Files service within Azure Government, see Azure NetApp Files for Azure Government.

Azure Import/Export

With Import/Export jobs for US Gov Arizona or US Gov Texas, the mailing address is for US Gov Virginia. The data is loaded into selected storage accounts from the US Gov Virginia region. For all jobs, we recommend that you rotate your storage account keys after the job is complete to remove any access granted during the process. For more information, see Manage storage account access keys.

Web

This section outlines variations and considerations when using Web services in the Azure Government environment. For service availability, see Products available by region.

API Management

The following API Management features aren't currently available in Azure Government:

  • Azure AD B2C integration

App Service

The following App Service resources aren't currently available in Azure Government:

  • App Service Certificate
  • App Service Managed Certificate
  • App Service Domain

The following App Service features aren't currently available in Azure Government:

  • Deployment
    • Deployment options: only Local Git Repository and External Repository are available

Azure Functions

When connecting your Functions app to Application Insights in Azure Government, make sure you use APPLICATIONINSIGHTS_CONNECTION_STRING, which lets you customize the Application Insights endpoint.

Next steps

Learn more about Azure Government:

Start using Azure Government: