# Sovereign Clouds

How to design landing zones for government, regulated, and air-gapped environments.

## Azure Sovereign Clouds

### Azure Government

#### Overview

| Feature | Azure Public | Azure Government |
|---|---|---|
| Operator | Microsoft | Microsoft |
| Location | Global | US only (6 regions) |
| Compliance | Standard | FedRAMP High, DoD IL2-5, CJIS |
| Network | Internet | Isolated government network |
| Portal | portal.azure.com | portal.azure.us |
| Endpoints | *.azure.com | *.azure.us |

#### Regions

| Region | Data Center |
|---|---|
| US Gov Virginia | Boydton, VA |
| US Gov Texas | San Antonio, TX |
| US Gov Arizona | Phoenix, AZ |
| US DoD East | US East |
| US DoD Central | US Central |
| US Gov Secret | Classified |

### Endpoint Differences

The same logical service names resolve to different DNS suffixes in each cloud, so a template that hard-codes the public suffixes will fail or, worse, silently reach across clouds when deployed to Azure Government.

```bicep
// Public Azure
var storageEndpoint = 'core.windows.net'
var keyVaultEndpoint = 'vault.azure.net'
var sqlEndpoint = 'database.windows.net'
```

```bicep
// Azure Government
var storageEndpoint = 'core.usgovcloudapi.net'
var keyVaultEndpoint = 'vault.usgovcloudapi.net'
var sqlEndpoint = 'database.usgovcloudapi.net'
```

#### Bicep: Environment-Aware Module

```bicep
@description('Azure environment')
@allowed(['AzureCloud', 'AzureUSGovernment', 'AzureChinaCloud'])
param environment string = 'AzureCloud'

@description('Storage account name (3-24 lowercase letters and digits)')
param storageAccountName string

@description('Deployment location; must be a region that exists in the selected cloud')
param location string = resourceGroup().location

// DNS suffixes per cloud. Bicep's environment().suffixes.storage returns the
// storage suffix of the cloud you are deploying to; the explicit table below
// is useful when one template must emit values for a different cloud.
var endpoints = {
  AzureCloud: {
    storage: 'core.windows.net'
    keyVault: 'vault.azure.net'
    sql: 'database.windows.net'
  }
  AzureUSGovernment: {
    storage: 'core.usgovcloudapi.net'
    keyVault: 'vault.usgovcloudapi.net'
    sql: 'database.usgovcloudapi.net'
  }
  AzureChinaCloud: {
    storage: 'core.chinacloudapi.cn'
    keyVault: 'vault.azure.cn'
    sql: 'database.chinacloudapi.cn'
  }
}
var currentEndpoints = endpoints[environment]

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_GRS'
  }
  // The service assigns the cloud-specific endpoint suffix automatically;
  // the lookup table above is only needed for values the template emits itself.
}

output storageEndpoint string = 'https://${storageAccountName}.blob.${currentEndpoints.storage}'
```
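The same lookup table is useful outside Bicep: a deployment pipeline for Azure Government can check its own configuration for references that still point at public-cloud hosts before anything is deployed. The following is an added example, not code from the page or from any Azure SDK. It reproduces the endpoint suffixes listed on this page (plus the portal hosts from the quick reference card) and audits a constructed list of application settings; `resolve`, `classify_host` and `audit_references` are names chosen here.

```python
"""Resolve and audit cloud-specific endpoint suffixes for a landing zone.

Added example: mirrors the endpoint table from the page in Python so that
deployment configuration can be checked offline for references that point
at a different cloud than the one being deployed to.
"""
from urllib.parse import urlparse

# Suffixes as listed on the page; portal hosts from the quick reference card.
CLOUD_ENDPOINTS = {
    "AzureCloud": {
        "storage": "core.windows.net",
        "keyVault": "vault.azure.net",
        "sql": "database.windows.net",
        "portal": "portal.azure.com",
    },
    "AzureUSGovernment": {
        "storage": "core.usgovcloudapi.net",
        "keyVault": "vault.usgovcloudapi.net",
        "sql": "database.usgovcloudapi.net",
        "portal": "portal.azure.us",
    },
    "AzureChinaCloud": {
        "storage": "core.chinacloudapi.cn",
        "keyVault": "vault.azure.cn",
        "sql": "database.chinacloudapi.cn",
        "portal": "portal.azure.cn",
    },
}


def resolve(environment, service):
    """Return the DNS suffix for a service in the given cloud; raise on unknown names."""
    try:
        return CLOUD_ENDPOINTS[environment][service]
    except KeyError as exc:
        raise ValueError(f"no endpoint for {service!r} in {environment!r}") from exc


def blob_endpoint(environment, account_name):
    """Same shape as the Bicep module's output: https://<account>.blob.<storage suffix>."""
    return f"https://{account_name}.blob.{resolve(environment, 'storage')}"


def classify_host(host):
    """Return (environment, service) for a host under a known suffix, else None."""
    host = host.lower().rstrip(".")
    for environment, services in CLOUD_ENDPOINTS.items():
        for service, suffix in services.items():
            if host == suffix or host.endswith("." + suffix):
                return environment, service
    return None


def audit_references(environment, urls):
    """Classify each URL as 'ok', 'wrong-cloud:<env>' or 'unknown' for the target cloud."""
    findings = {}
    for url in urls:
        host = urlparse(url).hostname or ""
        match = classify_host(host)
        if match is None:
            findings[url] = "unknown"
        elif match[0] == environment:
            findings[url] = "ok"
        else:
            findings[url] = f"wrong-cloud:{match[0]}"
    return findings


# Constructed sample: app settings for a deployment that targets Azure Government.
SAMPLE_SETTINGS = [
    "https://stgovdata.blob.core.usgovcloudapi.net",
    "https://kv-gov-app.vault.azure.net",          # public-cloud Key Vault suffix
    "https://sql-gov.database.usgovcloudapi.net",
    "https://login.microsoftonline.com",           # not covered by the table above
]

if __name__ == "__main__":
    for url, verdict in audit_references("AzureUSGovernment", SAMPLE_SETTINGS).items():
        print(f"{verdict:28} {url}")
```

Hosts the table does not cover (identity endpoints, for instance) are reported as `unknown` rather than `ok`, so the audit fails closed and the table can be extended as the landing zone adds services.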

## Service Availability

### Service Comparison

| Service | Public | US Gov | China |
|---|---|---|---|
| Virtual Machines | ✅ | ✅ | ✅ |
| Azure Kubernetes | ✅ | ✅ | ✅ |
| Azure SQL | ✅ | ✅ | ✅ |
| Cosmos DB | ✅ | ✅ | ✅ |
| Azure OpenAI | ✅ | ⚠️ Limited | ❌ |
| Azure Machine Learning | ✅ | ✅ | ✅ |
| Azure Sentinel | ✅ | ✅ | ❌ |
| Azure Firewall | ✅ | ✅ | ✅ |
Check service availability: Azure Products by Region

## Compliance Requirements

### FedRAMP

#### Compliance Policies

```bicep
// Policy assignments are subscription-scoped resources; deploy this file with
// `az deployment sub create` (or the equivalent) rather than into a resource group.
targetScope = 'subscription'

@description('Region for the assignment resource and its managed identity')
param location string

// Deploy FedRAMP High baseline
resource fedRAMPHighPolicy 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'fedramp-high'
  location: location
  // The identity is needed for the DeployIfNotExists/Modify policies in the
  // initiative; grant it the roles the initiative lists after deployment.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/d5264498-16f4-418a-b659-fa7ef418175f'
    displayName: 'FedRAMP High'
    enforcementMode: 'Default'
  }
}

// Deploy NIST SP 800-53 Rev 5
resource nist80053Policy 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'nist-800-53-r5'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f'
    displayName: 'NIST SP 800-53 Rev. 5'
    enforcementMode: 'Default'
  }
}
```

## Network Isolation

### Government Network Architecture

### Private-Only Deployment

```bicep
@description('Storage account name (3-24 lowercase letters and digits)')
param storageAccountName string

@description('Deployment location')
param location string = resourceGroup().location

@description('Existing Key Vault holding the customer-managed key')
param keyVaultName string

@description('Name of the key in that vault')
param encryptionKeyName string

// The vault must already have soft delete and purge protection enabled;
// the storage service refuses a CMK configuration without them.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource encryptionKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' existing = {
  parent: keyVault
  name: encryptionKeyName
}

// Storage account with no public access
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_GRS'
  }
  // The account's identity must hold a key-access role on the vault (for
  // example Key Vault Crypto Service Encryption User) before the CMK settings
  // below are applied. With a system-assigned identity that means a two-step
  // deployment; a user-assigned identity created and granted access up front
  // avoids it.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    encryption: {
      requireInfrastructureEncryption: true
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
      }
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyvaulturi: keyVault.properties.vaultUri
        keyname: encryptionKey.name
      }
    }
  }
}
```

## Air-Gapped Environments

### Disconnected Architecture

### Azure Stack Hub

| Feature | Azure Public | Azure Stack Hub |
|---|---|---|
| Location | Microsoft DCs | Customer DC |
| Connectivity | Internet | Disconnected possible |
| Updates | Automatic | Manual |
| Compliance | Shared | Customer owned |

## Landing Zone Modifications

### Government-Specific Policies

```bicep
// Custom policy definitions live at subscription (or management group) scope.
targetScope = 'subscription'

// Deny public endpoints
resource denyPublicEndpoints 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-public-endpoints'
  properties: {
    displayName: 'Deny public endpoints on PaaS services'
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: {
        anyOf: [
          {
            allOf: [
              {
                field: 'type'
                equals: 'Microsoft.Storage/storageAccounts'
              }
              {
                field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess'
                notEquals: 'Disabled'
              }
            ]
          }
          {
            allOf: [
              {
                field: 'type'
                equals: 'Microsoft.KeyVault/vaults'
              }
              {
                field: 'Microsoft.KeyVault/vaults/publicNetworkAccess'
                notEquals: 'Disabled'
              }
            ]
          }
          {
            allOf: [
              {
                field: 'type'
                equals: 'Microsoft.Sql/servers'
              }
              {
                field: 'Microsoft.Sql/servers/publicNetworkAccess'
                notEquals: 'Disabled'
              }
            ]
          }
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

// Require CMK encryption
resource requireCMK 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-cmk-encryption'
  properties: {
    displayName: 'Require customer-managed keys for encryption'
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            field: 'Microsoft.Storage/storageAccounts/encryption.keySource'
            notEquals: 'Microsoft.Keyvault'
          }
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}
```
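Before assigning custom definitions like these, it helps to run their `policyRule` against sample resource documents and confirm they deny exactly what you expect (for instance, that a vault with no `publicNetworkAccess` property at all is caught). The evaluator below is an added example, not part of the page and not the Azure Policy engine: it implements only the subset of the policy language the two definitions above use (`field`, `equals`, `notEquals`, `allOf`, `anyOf`). It assumes that an alias such as `Microsoft.Storage/storageAccounts/encryption.keySource` resolves to the dotted path under the resource's `properties`, and that a missing property fails `equals` and satisfies `notEquals`, which is the behaviour these "not Disabled" style rules rely on. The sample resources are constructed.

```python
"""Local evaluation of the landing-zone policy rules above (added example)."""

# The two policyRule blocks from the Bicep definitions, as Python dicts.
DENY_PUBLIC_ENDPOINTS = {
    "if": {"anyOf": [
        {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                   {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
                    "notEquals": "Disabled"}]},
        {"allOf": [{"field": "type", "equals": "Microsoft.KeyVault/vaults"},
                   {"field": "Microsoft.KeyVault/vaults/publicNetworkAccess",
                    "notEquals": "Disabled"}]},
        {"allOf": [{"field": "type", "equals": "Microsoft.Sql/servers"},
                   {"field": "Microsoft.Sql/servers/publicNetworkAccess",
                    "notEquals": "Disabled"}]},
    ]},
    "then": {"effect": "Deny"},
}

REQUIRE_CMK = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
         "notEquals": "Microsoft.Keyvault"},
    ]},
    "then": {"effect": "Deny"},
}


def read_field(resource, field):
    """Resolve a policy 'field' against a resource document.

    'type' is the resource type. Any other field is assumed to be an alias of
    the form <resourceType>/<dotted.property.path> under 'properties'.
    Returns None if the alias is for another type or the property is absent.
    """
    if field.lower() == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _same(a, b):
    # Azure Policy compares string values case-insensitively.
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate_condition(cond, resource):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    value = read_field(resource, cond["field"])
    if "equals" in cond:
        return _same(value, cond["equals"])          # missing field -> False
    if "notEquals" in cond:
        return not _same(value, cond["notEquals"])   # missing field -> True
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, resource):
    """Return the rule's effect (e.g. 'Deny') when it matches, else None."""
    if evaluate_condition(policy_rule["if"], resource):
        return policy_rule["then"]["effect"]
    return None


def audit(resources, policies=None):
    """Map each resource name to the list of policy names that would deny it."""
    policies = policies or {"deny-public-endpoints": DENY_PUBLIC_ENDPOINTS,
                            "require-cmk-encryption": REQUIRE_CMK}
    return {r["name"]: [n for n, rule in policies.items() if evaluate(rule, r) == "Deny"]
            for r in resources}


# Constructed sample resources (not real deployments).
PUBLIC_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stpublic",
                  "properties": {"publicNetworkAccess": "Enabled",
                                 "encryption": {"keySource": "Microsoft.Storage"}}}
PRIVATE_CMK_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stgov",
                       "properties": {"publicNetworkAccess": "Disabled",
                                      "encryption": {"keySource": "Microsoft.Keyvault"}}}
VAULT_NO_SETTING = {"type": "Microsoft.KeyVault/vaults", "name": "kv-legacy", "properties": {}}
SQL_PRIVATE = {"type": "Microsoft.Sql/servers", "name": "sql-gov",
               "properties": {"publicNetworkAccess": "Disabled"}}
VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "properties": {}}

if __name__ == "__main__":
    for name, hits in audit([PUBLIC_STORAGE, PRIVATE_CMK_STORAGE,
                             VAULT_NO_SETTING, SQL_PRIVATE, VM]).items():
        print(f"{name}: {'denied by ' + ', '.join(hits) if hits else 'compliant'}")
```

The `kv-legacy` case is the one worth keeping in a test suite: a vault created before `publicNetworkAccess` existed has no such property, and the `notEquals: 'Disabled'` form still denies it, which is the intent of a private-only landing zone.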

## Quick Reference Card

| Environment | Portal | Suffix | Compliance |
|---|---|---|---|
| Public | portal.azure.com | azure.com | Standard |
| US Gov | portal.azure.us | azure.us | FedRAMP, DoD |
| China | portal.azure.cn | azure.cn | China regulations |
| Secret | Classified | - | DoD IL6 |

## Next Steps

Continue to Migration Patterns to learn about brownfield to landing zone migrations.