Azure Government vs. Global Azure: Key Comparisons for Informed Decisions

Microsoft Azure provides a robust suite of cloud computing services, but it’s crucial to understand the distinction between global Azure and Azure Government, especially when considering compliance and security for sensitive workloads. Both are built on the same foundational technologies, offering Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). They share Microsoft’s commitment to data security and comprehensive security controls, both operating at FedRAMP High impact level. However, Azure Government provides an additional layer of protection tailored to the needs of US government entities and regulated industries. This article delves into a detailed comparison to help you determine the right environment for your needs.

Enhanced Security and Compliance in Azure Government

While both environments prioritize security, Azure Government distinguishes itself through contractual commitments designed to meet stringent US government regulations. A key differentiator is the requirement that customer data within Azure Government resides solely in the United States. Furthermore, access to systems processing customer data is restricted to screened US persons. These commitments are particularly relevant for organizations handling data subject to US export control regulations like EAR, ITAR, and DoE 10 CFR Part 810. If your data governance policies mandate these stricter controls, Azure Government is designed to provide that assurance.

Developer Considerations: Navigating Differences

For developers, it’s essential to recognize that while the core Azure technologies are the same, certain nuances exist between the two environments. Technical documentation frequently assumes development on global Azure. Therefore, be mindful of these key distinctions when developing applications for Azure Government:

  • Service and Feature Availability: Not all services and features available in global Azure regions are immediately available in Azure Government. Availability can vary by region within Azure Government as well.
  • Feature Configurations: Even when a service is available in both environments, its configurations or specific features might differ in Azure Government.

Therefore, meticulous review of sample code and configurations is crucial to ensure compatibility and optimal performance within the Azure Government cloud services environment. Refer to the Azure Government developer guide for detailed guidance and best practices.

API Endpoints: Accessing Services in Each Environment

Accessing and managing Azure services programmatically relies on API endpoints. These endpoints differ between global Azure and Azure Government. The table below highlights the API endpoints for common services in both environments. If a service you require isn’t listed, use Azure CLI or PowerShell to programmatically retrieve the Azure Government endpoint for your provisioned services.

| Service category | Service name | Azure Public | Azure Government | Notes |
|---|---|---|---|---|
| AI + machine learning | Azure Bot Service | botframework.com | botframework.azure.us | |
| | Azure AI Document Intelligence | cognitiveservices.azure.com | cognitiveservices.azure.us | |
| | Azure OpenAI Service | openai.azure.com | openai.azure.us | |
| | Computer Vision | cognitiveservices.azure.com | cognitiveservices.azure.us | |
| | Custom Vision | cognitiveservices.azure.com | cognitiveservices.azure.us; Portal | |
| | Content Moderator | cognitiveservices.azure.com | cognitiveservices.azure.us | |
| | Face API | cognitiveservices.azure.com | cognitiveservices.azure.us | |
| | Language Understanding | cognitiveservices.azure.com | cognitiveservices.azure.us; Portal | Part of Azure AI Language |
| | Personalizer | cognitiveservices.azure.com | cognitiveservices.azure.us | |
| | QnA Maker | cognitiveservices.azure.com | cognitiveservices.azure.us | Part of Azure AI Language |
| | Speech service | See STT API docs | Speech Studio; see Speech service endpoints; Speech translation endpoints: Virginia: https://usgovvirginia.s2s.speech.azure.us, Arizona: https://usgovarizona.s2s.speech.azure.us | |
| | Text Analytics | cognitiveservices.azure.com | cognitiveservices.azure.us | Part of Azure AI Language |
| | Translator | See Translator API docs | cognitiveservices.azure.us | |
| Analytics | Azure HDInsight | azurehdinsight.net | azurehdinsight.us | |
| | Event Hubs | servicebus.windows.net | servicebus.usgovcloudapi.net | |
| | Power BI | app.powerbi.com | app.powerbigov.us | Power BI US Gov |
| Compute | Batch | batch.azure.com | batch.usgovcloudapi.net | |
| | Cloud Services | cloudapp.net | usgovcloudapp.net | |
| Containers | Azure Service Fabric | cloudapp.azure.com | cloudapp.usgovcloudapi.net | |
| | Container Registry | azurecr.io | azurecr.us | |
| Databases | Azure Cache for Redis | redis.cache.windows.net | redis.cache.usgovcloudapi.net | See How to connect to other clouds |
| | Azure Cosmos DB | documents.azure.com | documents.azure.us | |
| | Azure Database for MariaDB | mariadb.database.azure.com | mariadb.database.usgovcloudapi.net | |
| | Azure Database for MySQL | mysql.database.azure.com | mysql.database.usgovcloudapi.net | |
| | Azure Database for PostgreSQL | postgres.database.azure.com | postgres.database.usgovcloudapi.net | |
| | Azure SQL Database | database.windows.net | database.usgovcloudapi.net | |
| Identity | Microsoft Entra ID | login.microsoftonline.com | login.microsoftonline.us | |
| | | certauth.login.microsoftonline.com | certauth.login.microsoftonline.us | |
| | | passwordreset.microsoftonline.com | passwordreset.microsoftonline.us | |
| Integration | Service Bus | servicebus.windows.net | servicebus.usgovcloudapi.net | |
| Internet of Things | Azure IoT Hub | azure-devices.net | azure-devices.us | |
| | Azure Maps | atlas.microsoft.com | atlas.azure.us | |
| | Notification Hubs | servicebus.windows.net | servicebus.usgovcloudapi.net | |
| Management and governance | Azure Automation | azure-automation.net | azure-automation.us | |
| | Azure Monitor | mms.microsoft.com | oms.microsoft.us | Log Analytics workspace portal |
| | | ods.opinsights.azure.com | ods.opinsights.azure.us | Data collector API |
| | | oms.opinsights.azure.com | oms.opinsights.azure.us | |
| | | portal.loganalytics.io | portal.loganalytics.us | |
| | | api.loganalytics.io | api.loganalytics.us | |
| | | docs.loganalytics.io | docs.loganalytics.us | |
| | | adx.monitor.azure.com | adx.monitor.azure.us | Data Explorer queries |
| | Azure Resource Manager | management.azure.com | management.usgovcloudapi.net | |
| | Gallery URL | gallery.azure.com | gallery.azure.us | |
| | Microsoft Azure portal | portal.azure.com | portal.azure.us | |
| | Microsoft Intune | enterpriseregistration.windows.net | enterpriseregistration.microsoftonline.us | Enterprise registration |
| | | manage.microsoft.com | manage.microsoft.us | Enterprise enrollment |
| Migration | Azure Site Recovery | hypervrecoverymanager.windowsazure.com | hypervrecoverymanager.windowsazure.us | Site Recovery service |
| | | backup.windowsazure.com | backup.windowsazure.us | Protection service |
| | | blob.core.windows.net | blob.core.usgovcloudapi.net | Storing VM snapshots |
| Networking | Traffic Manager | trafficmanager.net | usgovtrafficmanager.net | |
| Security | Key Vault | vault.azure.net | vault.usgovcloudapi.net | |
| | Managed HSM | managedhsm.azure.net | managedhsm.usgovcloudapi.net | |
| Storage | Azure Backup | backup.windowsazure.com | backup.windowsazure.us | |
| | Blob | blob.core.windows.net | blob.core.usgovcloudapi.net | |
| | Queue | queue.core.windows.net | queue.core.usgovcloudapi.net | |
| | Table | table.core.windows.net | table.core.usgovcloudapi.net | |
| | File | file.core.windows.net | file.core.usgovcloudapi.net | |
| Virtual desktop infrastructure | Azure Virtual Desktop | See AVD docs | See AVD docs | |
| Web | API Management | management.azure.com | management.usgovcloudapi.net | |
| | API Management Gateway | azure-api.net | azure-api.us | |
| | API Management management | management.azure-api.net | management.azure-api.us | |
| | API Management Portal | portal.azure-api.net | portal.azure-api.us | |
| | App Configuration | azconfig.io | azconfig.azure.us | |
| | App Service | azurewebsites.net | azurewebsites.us | |
| | Azure AI Search | search.windows.net | search.azure.us | |
| | Azure Functions | azurewebsites.net | azurewebsites.us | |
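
An added example (not from the original article or from Microsoft): a short Python audit that flags global Azure hostnames left in configuration meant for an Azure Government deployment and suggests the Azure Government form from the table above. The mapping is a subset of that table; the sample configuration and the names `PUBLIC_TO_GOV`, `gov_equivalent` and `audit` are constructed for illustration.

```python
import re

# Public suffix -> Azure Government suffix, a subset of the table above.
PUBLIC_TO_GOV = {
    "login.microsoftonline.com": "login.microsoftonline.us",
    "management.azure.com": "management.usgovcloudapi.net",
    "vault.azure.net": "vault.usgovcloudapi.net",
    "managedhsm.azure.net": "managedhsm.usgovcloudapi.net",
    "blob.core.windows.net": "blob.core.usgovcloudapi.net",
    "database.windows.net": "database.usgovcloudapi.net",
    "azurecr.io": "azurecr.us",
    "azurewebsites.net": "azurewebsites.us",
    "azure-api.net": "azure-api.us",
}

# Loose hostname matcher; anything that is not a known public suffix is ignored.
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", re.I)

def gov_equivalent(host):
    """Return the Azure Government form of a global Azure host, else None."""
    host = host.lower()
    for public, gov in PUBLIC_TO_GOV.items():
        # Match whole DNS labels only, so "notazurecr.io" is not flagged.
        if host == public or host.endswith("." + public):
            return host[: len(host) - len(public)] + gov
    return None

def audit(text):
    """Return (line number, host found, suggested host) for each public host."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in HOST_RE.finditer(line):
            gov = gov_equivalent(match.group(0))
            if gov:
                findings.append((lineno, match.group(0), gov))
    return findings

# Constructed sample: settings for a workload meant to run in Azure Government.
SAMPLE_CONFIG = """\
AUTHORITY=https://login.microsoftonline.us/contoso-tenant
KEYVAULT_URL=https://contoso-kv.vault.azure.net/
STORAGE=https://contosologs.blob.core.usgovcloudapi.net/audit
SQL=Server=tcp:contoso-sql.database.windows.net,1433
"""

if __name__ == "__main__":
    for lineno, found, suggested in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {found} -> {suggested}")
```

Run against the sample, it reports the Key Vault and SQL lines, which still point at global Azure, and leaves the two Azure Government hosts alone.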

Service Availability: Staying Updated

Microsoft strives to maintain feature parity between Azure Government and global Azure. For the most current information on service availability within Azure Government, always consult Products available by region. This resource provides up-to-date details on service availability by category and region within Azure Government, indicating whether services are generally available or in preview.

It’s generally assumed that if a service is available in Azure Government, all its corresponding features are also available. However, specific variations or limitations do exist and are documented based on the service categories outlined in the Azure services directory.

Key Service Category Differences

While a comprehensive service-by-service comparison is extensive, understanding the nuances within key categories is essential. Here’s a breakdown of notable differences and considerations across several service categories:

AI + Machine Learning

When leveraging AI and Machine Learning services like Azure Bot Service, Azure Machine Learning, and Cognitive Services in Azure Government, be aware of potential feature variations. For instance, within Azure Bot Service, features like Bot Framework Composer integration and certain Channels (Direct Line Speech, Telephony, Microsoft Search) might not be available. Similarly, Azure Machine Learning and Cognitive Services like Content Moderator and Language Understanding (LUIS) may have specific feature limitations in Azure Government. Always refer to the dedicated documentation for each service within sovereign clouds for detailed feature availability.

Analytics

For Analytics services such as Azure HDInsight and Power BI, Azure Government offers robust capabilities. However, for Azure HDInsight in secured virtual networks, ensure you configure Network Security Groups (NSGs) to allow access from specific IP addresses and ports relevant to Azure Government regions. Power BI in Azure Government has specific guidance and potential feature variations outlined in “Power BI for US government customers.” These resources provide essential information for successfully deploying and utilizing analytics solutions in the compliant Azure Government environment.

Databases

Azure Government provides a wide array of database services including Azure SQL Database, Azure Cosmos DB, and managed database services like Azure Database for MySQL and PostgreSQL. However, certain advanced security features like Advanced Threat Protection for Azure Database for MySQL and PostgreSQL might not be available in Azure Government. Furthermore, Azure Cosmos DB for PostgreSQL (formerly Hyperscale Citus) and long-term backup retention for Azure Database for PostgreSQL Single Server are also currently unavailable. Carefully review the feature availability for your chosen database service to ensure it aligns with your requirements.

Developer Tools & Identity

For developers, the Enterprise Dev/Test subscription offer is available within Azure Government. In the realm of Identity, Microsoft Entra ID P1 and P2 are available, but certain features like Trusted IPs for multi-factor authentication have limitations. Conditional Access policies with named locations are recommended as an alternative for managing multi-factor authentication requirements in Azure Government. Notably, Azure Active Directory B2C is not currently offered in Azure Government. When using the Microsoft Authentication Library (MSAL), be sure to consult documentation regarding national clouds for feature variations and limitations.

Management and Governance

Azure Government delivers a comprehensive suite of Management and Governance tools, including Azure Monitor, Azure Automation, and Azure Advisor. However, Azure Automation Analytics solution and certain features within Azure Lighthouse (like Managed Service offers on Azure Marketplace and cross-cloud subscription delegation) are not yet available. Azure Advisor and Azure Managed Grafana have specific documentation outlining feature availability in sovereign clouds. Azure Monitor itself maintains feature parity, but configuration adjustments, particularly SDK endpoint modifications for Application Insights, are necessary to function correctly within Azure Government.

Migration, Networking, Security, Storage, and Web

Across other service categories like Migration, Networking, Security, Storage, and Web, similar patterns emerge. While core services are generally available in Azure Government, specific features or functionalities might have limitations or require configuration adjustments. For example, Azure Front Door in Azure Government does not support managed certificates for HTTPS. Azure Migrate has limitations on containerization features and target region selections. API Management lacks Azure AD B2C integration, and App Service has restrictions on certain resources and deployment options. Always consult the “Products available by region” resource and service-specific documentation for the most accurate and up-to-date feature availability details.

Making the Right Choice: Azure Government or Global Azure?

The decision to utilize Azure Government versus global Azure hinges on your organization’s specific compliance, security, and regulatory requirements. If you operate within the US government sector, handle sensitive government data, or are subject to stringent US export control regulations, Azure Government provides the necessary contractual commitments, enhanced security measures, and regional data residency guarantees. For organizations with less stringent requirements or those primarily focused on commercial workloads, global Azure offers a broader range of services and features with global reach. Carefully evaluate your organization’s needs against the detailed comparisons provided in this article and the official Azure documentation to make an informed decision about the optimal cloud environment for your specific use case.

Next Steps

To further explore Azure Government and determine if it’s the right fit for your organization, consider these next steps:

By thoroughly understanding the distinctions between Azure Government and global Azure, you can confidently choose the cloud environment that best aligns with your organization’s security, compliance, and mission-critical objectives.
