Choosing the right Azure Environment – Should I use the Public or the Government Cloud?

One of the first things I discuss with new government customers is where they want to deploy – Azure Commercial (aka the public cloud) or Azure Government.  Many organizations feel that they should “obviously” be in the government cloud because they are either part of the state, local, or federal government or work closely with those groups.

The fact is Azure Government exists to meet a specific set of requirements that government agencies often (but not always) must follow (FedRAMP, DISA IL4, ITAR, etc.).  Each organization needs to understand which attestations, certifications, and regulations actually apply to it and choose the LEAST RESTRICTIVE cloud environment that meets those stipulations.

The truth is most “government” organizations in the United States use Azure [commercial] either exclusively or for at least some of their cloud space.

When making your decision:

  1. Take time to see which environments meet your needs.  Many people are surprised at how robust the Azure [commercial] compliance space is.  https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings
  2. Take our 1.5hr FREE online class that goes into greater detail on what Azure Government is and is not.  https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-government/
  3. Take a look at the list of services you need versus those available at https://azure.microsoft.com/en-us/global-infrastructure/services/
  4. Take a look at the table below for the quick and dirty overview of both environments.
Comparison Point     | Microsoft Azure Commercial (MAC)                     | Microsoft Azure Government (MAG)
Operational staff    | Microsoft screening                                  | Screened US citizens
Physical security    | Biometrics, isolation, fencing, etc.                 | Same as MAC
Scope of offering    | All Azure features                                   | Features limited by certification
Portal (ARM)         | https://portal.azure.com                             | https://portal.azure.us
Pricing concerns     | Base pricing, minus EA/commitment discount (if any)  | Base pricing, plus MAG premium, minus EA/commitment discount (if any)
Availability         | Anyone, on demand                                    | Requires approval from Microsoft
Identity (Azure AD)  | Integrates Office 365 & 3rd-party SaaS               | Isolated, no integration
Coverage             | Worldwide                                            | CONUS only (traffic will not leave the US)

Moving Azure Images from the Commercial to the Azure Government Cloud (MAG)

*previously posted at https://blogs.msdn.microsoft.com/nicole_welch/2016/04/moving-azure-provider-images-from-the-commercial-to-azure-government-cloud-mag/

Sometimes we see customers move Microsoft-provided images from the Azure commercial cloud to the Azure Government (MAG) cloud.  While this is technically supported, there are several things to consider.  The Microsoft-provided images carry configuration settings that are specific to the cloud environment they were built for.  When you move the VM (by copying the VHD), you risk carrying the wrong settings into your new cloud location.

Below is a list of settings that need to be changed.  This is NOT comprehensive and will be updated as needed.  Keep in mind that the service endpoints (ARM, Azure AD, storage, and so on) differ as well; see https://azure.microsoft.com/en-us/documentation/articles/azure-government-developer-guide/

Setting | Commercial Value            | MAG Value
KMS     | kms.core.windows.net:1688   | kms.core.usgovcloudapi.net:1688
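The KMS change from the table, carried out inside the guest as an added example (this is not code from the original post): it probes the MAG KMS endpoint on port 1688 first, re-points the registered KMS host only if it still names the commercial endpoint, then forces activation. The endpoint names and port come from the table above; the check order, the exit behaviour, and the assumed wording of the slmgr /dlv output line are this example's own.

```powershell
# Re-point Windows KMS activation on a VM whose VHD was copied from Azure Commercial
# into Azure Government, then verify. Run as Administrator inside the guest.

$CommercialKms = 'kms.core.windows.net'        # from the table above
$MagKms        = 'kms.core.usgovcloudapi.net'  # from the table above
$KmsPort       = 1688
$Slmgr         = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Get-CurrentKms {
    # Assumption: the /dlv output contains a line such as
    # "Registered KMS machine name: kms.core.windows.net:1688"
    # (or "KMS machine name from DNS: ..."); wording varies by Windows version.
    $m = cscript //nologo $Slmgr /dlv |
         Select-String -Pattern 'KMS machine name[^:]*:\s*(\S+)' |
         Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

# 1. Reachability: a MAG VM cannot reach the commercial KMS host, and vice versa.
#    TCP 1688 to the MAG endpoint must be open before activation can succeed.
$probe = Test-NetConnection -ComputerName $MagKms -Port $KmsPort
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${MagKms}:${KmsPort}; fix NSG/UDR/firewall rules before changing the KMS host."
}

# 2. Swap the registered KMS host if it still points at the commercial endpoint.
$current = Get-CurrentKms
if ($current -like "$CommercialKms*") {
    Write-Host "KMS host is '$current' (commercial); switching to $MagKms"
    cscript //nologo $Slmgr /skms "${MagKms}:${KmsPort}"
} elseif ($current -like "$MagKms*") {
    Write-Host "KMS host already set to '$current'"
} else {
    Write-Warning "KMS host is '$current' (not set or unexpected); setting it to $MagKms"
    cscript //nologo $Slmgr /skms "${MagKms}:${KmsPort}"
}

# 3. Activate now instead of waiting for the next scheduled attempt, then report.
cscript //nologo $Slmgr /ato
cscript //nologo $Slmgr /dlv | Select-String -Pattern 'License Status|KMS machine name'
```

The reachability probe is the part worth keeping even if you set the KMS host by hand: a VM that still names the commercial endpoint fails activation silently and only surfaces the problem as a "Windows is not activated" banner days later.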

Azure Government – Missing Features or Services?

If you’ve experimented with the general Azure cloud (often called Microsoft Azure Commercial or MAC), it can be a shock when you move into Microsoft Azure Government (MAG) and notice not everything is the same.  Today I’m briefly going to discuss why there are feature differences, how to track them down, and how to lobby for the features you need.

Note: in this blog I use the terms service, offering, and feature interchangeably.  There is debate (even internally!) on the difference between the terms, but my goal here is to cover both new offerings and extensions to existing offerings.

Is the feature available in MAG at all?

Many features are turned on per region (a geographic location backed by one or more physical data centers).  The first thing to check is whether the offering (say, a DS-series VM) is available anywhere in MAG.

  1. Go to https://azure.microsoft.com/en-us/regions/services/
  2. Select only the Azure Government region checkbox
  3. In the resulting list you can see that this VM series is available only in the US Gov Virginia region.

[screenshot: services-by-region list filtered to the Azure Government regions]

If possible, deploy in that region so you can use the feature/service.  However, we understand that is not always possible.  Before any new large-scale deployments you should take a look at the list of services per region and ensure you use the region that best offers the services you need.  You don’t want to end up putting yourself in a situation where you have to wait on required services to be deployed by Microsoft!
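The same availability check done against the Compute API rather than the web page, as an added example that is not part of the original post. It assumes you have already run Connect-AzAccount -Environment AzureUSGovernment, that a subscription is selected, and that the wildcard Standard_DS* is the series you care about (the parameter is this example's own).

```powershell
# Report which Azure Government regions offer VM sizes matching a pattern.
param(
    # Wildcard for the size family; Standard_DS* matches the DS series used in the text.
    [string] $SizePattern = 'Standard_DS*'
)

$ErrorActionPreference = 'Stop'

# Guard: a commercial context would silently return the commercial region list.
$ctx = Get-AzContext
if (-not $ctx -or $ctx.Environment.Name -ne 'AzureUSGovernment') {
    throw 'Not connected to Azure Government; run Connect-AzAccount -Environment AzureUSGovernment first.'
}

# Get-AzLocation lists the regions this subscription can deploy to in the current cloud
# (for MAG: usgovvirginia, usgovtexas, usgovarizona, ...). Keep only those with Compute.
$regions = Get-AzLocation | Where-Object { $_.Providers -contains 'Microsoft.Compute' }

$report = foreach ($r in $regions) {
    try {
        # Get-AzVMSize returns the sizes the Compute provider offers this subscription there.
        $sizes = @(Get-AzVMSize -Location $r.Location | Where-Object { $_.Name -like $SizePattern })
    } catch {
        Write-Warning "Could not query sizes in $($r.Location): $($_.Exception.Message)"
        $sizes = @()
    }
    [pscustomobject]@{
        Region    = $r.Location
        Available = ($sizes.Count -gt 0)
        Sizes     = (($sizes | ForEach-Object Name | Sort-Object) -join ', ')
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.Available })) {
    Write-Warning "No Azure Government region currently offers sizes matching '$SizePattern'."
}
```

Run this before a large deployment and pick the region from the Available column. Get-AzComputeResourceSku gives the same answer with the per-subscription restrictions (quota or zone limits) included, if a size shows as present but refuses to deploy.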

To stay current on new releases (and they happen at least once a week!) I recommend subscribing to the Azure Government blog at https://blogs.msdn.microsoft.com/azuregov/ 

The feature/service is not available where I need it!

Why not?  This is the big question I get from customers and of course there is no one easy answer.  These are the main reasons cited:

  • Features often depend on physical hardware, so they reach each region at slightly different times depending on the hardware rollout (e.g., a new VM size or series).
  • Some features are delayed while we work on the required compliance certifications or attestations.
  • Engineering wants to release features as quickly as possible.  If the product can be deployed/engineered the same way in MAC and MAG, they are often released at the same time.  However, if significant changes are required for MAG, they don’t want to delay the MAC release.  In those cases the feature will most likely be deployed to MAC first and to MAG after the required modifications are made.  Features are often delayed 6-9 months in MAG.
  • There is no or limited demand expected in MAG.

But I need it!

First, contact Microsoft.  You can talk with your sales team, account team, or even open a case via the portal (portal.azure.us).  We may have an estimate that can be shared if you are under NDA.

Second, vote it up!  At https://feedback.azure.com/forums/558487-azure-government you can nominate new features, add your vote to requests made by others, and generally make your voice heard.  This is a VERY powerful tool, even though it looks innocuous.  Cloud computing is about consumption and by offering the services you want, we increase consumption.  However knowing exactly what customers want is complicated and can come down to a “gut feel.”  By assigning metrics (used for good this time!) we can see exactly how important a feature or change is to the community and react accordingly.  Azure Engineering does review this and uses this data in their planning.  While a highly “voted” item isn’t guaranteed to be implemented quickly, it will increase the visibility and urgency around it.

Here are a few tips for submitting/voting on improvements.

  1. Include hard facts.  We want numbers, timelines, and project implications.  E.g., “if the M series were available in Texas we would deploy an additional 10 VMs by the end of 1Q 2018.”  This gives Microsoft an idea of the urgency/timeline, the infrastructure required to support the request, and the impact to our accounts.
  2. Include clear details.  E.g., if this is available in MAC, include the blog announcement or documentation too so we know exactly what you are requesting.  Features often have similar names, vary between cloud providers, etc., which results in confusion.
  3. Include the consequences.  If this request isn’t met, what is the result?  E.g., “if Service Map is not made available in OMS for MAG, we will not migrate our monitoring of 8,000 servers into OMS.”
  4. Share with your friends!  Votes count, so if you add a request have all your peers vote for it too.
  5. And be realistic.  Asking for a feature not even planned for MAC is unlikely to be approved for MAG.  Asking for a feature fulfilling a clear business need is much more likely to get backing.

If you get stuck or have questions, feel free to comment!

*previously posted on https://blogs.msdn.microsoft.com/nicole_welch/2017/12/azure-government-missing-features-or-services/

Azure Automation–Using Sample Runbooks in Azure Government

If you hit issues using the Gallery runbooks (like StopAzureV2Vm seen below), you may need to add the environment name (AzureUSGovernment) to the runbook’s login step.  Just like when connecting to Azure Government via Azure PowerShell or CLI, you need to specify the environment name; otherwise the cmdlets target the commercial endpoints.

Add the value per the screenshot below and you should be fine!

[screenshot: the runbook login step with the Azure Government environment name added]
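What the environment name changes, and the login block a MAG runbook needs, as an added example (not the gallery runbook and not code from the original post). It assumes the Automation account has a system-assigned managed identity with rights to stop the target VM, and that AzureUSGovernment is the Az environment name for MAG; the parameter names and the guard checks are this example's own.

```powershell
# Stop a VM from an Azure Automation runbook in Azure Government (MAG).
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $VmName,
    # This is the value the gallery samples leave out; without it the Az cmdlets talk to
    # login.microsoftonline.com / management.azure.com and never find your MAG resources.
    [string] $EnvironmentName = 'AzureUSGovernment'
)

$ErrorActionPreference = 'Stop'

# Fail early with a useful message if the environment name is mistyped.
$validNames = (Get-AzEnvironment).Name
if ($validNames -notcontains $EnvironmentName) {
    throw "Unknown environment '$EnvironmentName'. Valid names: $($validNames -join ', ')"
}

# Log what the environment name actually switches; handy in the job output when debugging.
$azEnv = Get-AzEnvironment -Name $EnvironmentName
Write-Output "Environment    : $($azEnv.Name)"
Write-Output "ARM endpoint   : $($azEnv.ResourceManagerUrl)"
Write-Output "AAD authority  : $($azEnv.ActiveDirectoryAuthority)"
Write-Output "Storage suffix : $($azEnv.StorageEndpointSuffix)"

# Authenticate with the Automation account's managed identity, in the requested cloud.
# (Assumption: system-assigned identity with Virtual Machine Contributor on the VM.)
Connect-AzAccount -Identity -Environment $EnvironmentName | Out-Null

# Guard: confirm the context really landed in MAG before touching anything.
$ctx = Get-AzContext
if ($ctx.Environment.Name -ne $EnvironmentName) {
    throw "Connected to '$($ctx.Environment.Name)' instead of '$EnvironmentName'."
}

# The same kind of work the StopAzureV2Vm sample does, now against MAG endpoints.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
Write-Output "Stopping $($vm.Name) in $($vm.Location) ..."
Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName -Force | Out-Null
Write-Output 'Done.'
```

The same rule applies outside Automation: interactive PowerShell needs Connect-AzAccount -Environment AzureUSGovernment, and the Azure CLI needs az cloud set --name AzureUSGovernment before az login. The Get-AzContext guard is worth keeping in every MAG runbook, since a login that quietly lands in the commercial cloud produces "resource not found" errors that look like a permissions problem.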

previously posted on https://blogs.msdn.microsoft.com/nicole_welch/2018/02/azure-automation-using-sample-runbooks-in-azure-government/