Enable government missions in the cloud with Azure Government | Azure Friday
Hey friends! With Azure Government, U.S. public sector entities receive a physically isolated instance of Microsoft Azure that employs world-class security and compliance services that are critical to U.S. governments. Steve is back to give me an updated view of Azure Government, including how it's both the same and different from the Azure public cloud. Today on Azure Friday. Hey friends, I'm Scott Hanselman. I'm here with Steve Michelotti who's going to talk to me about Azure Government, so this is a separate, secret Azure that none of us know about? Well, I wouldn't exactly say it's secret, right? I think the best thing we can do is start off by defining what is Azure Government. So, with Azure Government it is a sovereign cloud for U.S.
government cloud customers only. So, what do we mean when we say a sovereign cloud? Essentially what we're talking about here is a separate instance of Azure, so, if we think of Azure as a hyperscale worldwide cloud across data centers and regions throughout the entire world, Azure Government is a hyperscale cloud that's spread out over data centers in regions in the continental United States that is available to U.S. government customers only, instead of the general public.
So, that's what we're talking about. Actually, a physically separated isolated instance of Azure, so it's got its own data centers. It's got its own network and ExpressRoute and those type of things, but it's the same technology, so it's not that we have some extra secure secret version of the code running in Azure Government, no. It's the same high standard code that we have in Azure commercial, but the thing that gives Azure Government these higher levels of compliance is that because of this separation, this physical separation, and because the data centers are... the operators in the data centers are screened, U.S. persons only.
Those are the things that give us the higher levels of compliance, but the same technology. The same, you know, region pairs where the data centers are 500 miles of physical separation and the full range of IaaS and PaaS services that you're used to in Azure commercial. Those are the same in Azure Government. OK, that makes sense. Let me draw a couple of analogies and see if I get it right. So, you know, right now I don't know if my blog isn't sitting next to your blog or, you know, Walmart or someone, like, just sitting there. I have no sense.
In the public Azure cloud, who's my neighbor, but with the Azure public cloud, I can do things like, you know, Azure service plans or availability zones, and I can say, well, I know I'm on my own rack or I'm on my own machine, or I can have an Azure App Service instance that is, but I'm always in the same building. I'm on the same network. I'm being operated by the same people who clock in every day. The public cloud is used by the public, of which I'm a member, but I can guarantee that my blog is not sitting next to
the U.S. government website. That's exactly correct. That's a great analogy, and it's that separation that is exactly what we're talking about here. So, you can think of Azure Government as a community website for the government community, but not to the general public. OK, that makes sense. That's cool, so there's not like 30 of these.
Like in Azure. There's five regions. Yeah, actually, that's a good segue. Let's talk about the number of regions, 'cause it depends on which level we're talking about, so to speak.
So, when we are talking about the range of government customers, it really is the full gambit. So, actually we have lots of government customers that are right here on regular Azure commercial, and that goes up to FedRAMP High, and so, you know, we do a lot to support our customers there. What we'll talk about primarily today is this area right here in Azure Government. This is the sovereign cloud, this second column right down here that goes up to Impact Level 5, which is the highest level classification for... highest level of compliance, I should say, for uncla...,
unclassified workloads and FedRAMP High and additional compliance regimes. And then we have a couple other government clouds as well with Azure Secret and Top Secret. So, Azure commercial and government are not air-gapped clouds. You can get to them from the Internet, whereas Secret and Top Secret are air-gapped; they're for classified workloads.
And if you want to know more about those you can read about those on our Microsoft blog. But Azure Government right here is where we will dive into the demos today. So, when you're choosing which cloud, and, you know, with the various regions, half a dozen regions
just in Azure Government alone, this second area right here, you're really making the selection based on your workload. What are the compliance requirements and needs of your workload? Interesting. OK, so, with these impact levels, these Department of Defense Impact Levels, internally at Microsoft we have this thing called medium business impact or small business impact, and you go to a SharePoint site and you'll say, oh, I'm going to put my documents about .NET or whatever I'm working on up there, and if it says Medium Business Impact, I always think to myself, if this got out there would be a medium big deal, as opposed to, every once in a while, I'll go and I'll meet with somebody, like, you know, once a year I get to see Satya, and then suddenly I'm on the High Business Impact section of the SharePoint and I think, oh, and this really shouldn't get out.
This has an impact. That's a big deal. Yeah, that's a good analogy. That's a good analogy that makes sense. So, what we're going to do now is I'm going to just dive into a bunch of demos from here, and you're going to see a common thread through all of these demos and that common thread is that.
With Azure Government, you may need to do one little thing differently to connect, but once you're connected you have a parity of user experience, so a developer experience, user experience, you're going to see that experience is the same. So, right off the bat, what I'm going to do here is, you notice that this says Microsoft Azure Government right here, and the URL is portal.azure.us, and if you see those two things, you know that you are in the Microsoft Azure Government portal as compared to the commercial portal, so you just do one little thing different to connect, i.e., different URL and use your government credentials, and you're in.
But once you're in, you're going to have a parity of user experience. So, for example, I'm going to click All services right here. And by the way, I have two tabs on my browser. Here's my tab for Azure Government, and here's my tab for regular commercial Azure.
And if I flip over to this tab over here for commercial Azure and do that same thing, if I flip back and forth between these two tabs here, you're going to notice that looks virtually identical. Maybe there's one icon different here, one icon different there, but virtually identical, so I'm going to stay over here in Azure Government and I'm going to click all, and as we do that we can see that we have a range of services on Azure Government from compute to networking to storage services, various web technologies, container technologies like Kubernetes and AKS, various databases, Cosmos DB and MySQL, and serverless technology like Azure Functions and Logic Apps, Analytics, AI/ML. Really, the range of Azure services that you'll see, we have them on Azure Government. So, you know, if you look... if I may, was that always the case?
I mean, I remember in early, early days with things like Azure Stack and Azure public... Azure public seemed to always be on the leading edge and then you'd always be a couple of months or years behind. How much parity is there? So the, what's the best word to use here? But you make, it's extremely different from where we were a few years ago, and I remember when you and I were doing this similar demo many years ago.
It was very different when we look at the parity today. Yeah, it's amazing. It's near identical parity in the sense that you can go over to Azure Public portal and you can see like preview services over there. You won't see those in Azure Government, we buy make simply do not bring preview services over to Azure Government. But for those services that have been GA'd, you know with a user base and Azure public you'll typically see those services appear in Azure Gov, if not immediately within about a month or two.
So, we've really worked hard in the last few years to bring that parity up to speed. That's cool, so I see, so then everything here is really vetted, and if a preview service were to show up in here, that means that they're focused on Azure Government and they care about the government requirements. That makes sense. You got it exactly. So let's see what the difference is in the experience. Let's go ahead and provision a resource.
So I'm going to click over here to App services and let's just go ahead and click the create button here and see, does it look the same? Does it look different? And what we're going to see here is, from an experience standpoint, it is going to be the same, so I'm going to select an existing resource group called Azure Friday. And let's just provision a new site called AZ Friday. This makes me a government agency. Now I just want to make sure everyone is clear about that. Exactly. No question about it here, so I'll select a runtime stack and then right here, the only difference you're going to see is, instead of seeing a selection of regions throughout the entire world, it's going to be scoped down to just the Azure Government regions.
So, so cool, like, I'm noticing, also, just as a point here, 'cause I'm interested, like, .NET 5. Like, you don't have to wait. It's there. You want Linux, you want Docker containers, you want Windows, like that.
Look at that. You've even got .NET 6. Exactly, early access, or, right, depending on when someone watches this video. No question, so it's a great example of the parity, that how quickly we get it in. Also, that's good. Since I'm on the East Coast, I'll pick Virginia and I'll go ahead and just go ahead and create that app.
And it only takes a few seconds to provision, but we're actually not going to wait for it, 'cause I want to jump into the next demo here. So pointing and clicking is great in the portal when you want to get stuff done quickly, but usually we want to rely on scripting and automation to have repeatable processes to set stuff up. Now, what's interesting in the government space is sometimes in certain government machines you don't always have the ability to install whatever tools you want on your machine. Sometimes you can, but sometimes you can't. So wouldn't it be nice to just be able to come right in here, and I just click this button right here for Cloud Shell in the portal, and by the way, there's my website just provisioned, and what Cloud Shell gives you is, just like in Azure commercial,
it gives you a command line in the cloud, browser based. Did not have to install any tools on my machine. I can select between PowerShell and Bash. I have PowerShell right here and I have a full file system where I can run commands. I can even go into the Azure drive and I can look at my resources this way, so I can come in and go into a subscription.
I can list what's in that subscription if I want to look at, you know, my resource groups or my web apps, and I can navigate around really easily using these types of commands. In fact, there is that AZ Friday website that you just saw me provision a few moments ago, so Cloud Shell is really nice from a government... for anyone really, but especially in the government case where you can't always in every instance install command line tools at your whim. So, and let me point something else out.
Zoom in on the enabled hostnames there, because this is important. You pointed out that portal dot US, portal.azure.us. Here we've got Azure Friday dot azurewebsites.us, really, you know, hitting that main point that there's no bridge between this instance of Azure, Azure Government, and Azure public cloud. Like, this is its own thing, and that's what makes it so useful for the government, that the sovereign cloud is, it has to be sovereign, and sovereign means it's in control of its own destiny, and it's got a wall around it. That's exactly right, and by default, you pointed out that these hostnames are different than in the public cloud.
But if I want to put a custom domain on this, I certainly can do that as well. Julia.gov aura dot whatever dot US, right? You got it. You got it. That's very quick. Now, would I... I live in a small town in rural Oregon. Would my small town run their public website on Azure Government? Or is it that we don't have any secrets? That's the question. Potentially yes, but what that really is determined by is, what are the requirements of the workload? Do they have a workload that requires those higher levels of compliance? If yes, then this is a perfect example.
Maybe, you know, there's citizen data or something like that. You want higher levels of compliance, but if you're just running a public website, probably you don't need that.
You could just do that workload on Azure commercial. It's really their choice. Some customers, well, if they're just using Azure Government, they put everything there. It really... you have the flexibility to do it in either case. Fantastic. OK, now the next thing I want to show in this instance.
One thing that was really nice about Cloud Shell: it was not only automatically installed, I'm putting that in air quotes because it lives in the browser, but I didn't have to do any login process. It was already logged in immediately to my Azure Government instance. But let's say you actually do want to use our existing tools like the command line tools we give on your local machine, so I'm going to show that next. Now Scott, you and I later can determine... we can do our comparisons of our custom terminal settings and everything. I do appreciate your custom prompt and your usage of the Windows Terminal. Very nice. But I thought you would like that, so anyway.
What's the key takeaway here is the Azure CLI is cross-platform. You can use it in any terminal, in any shell. It's your choice. You know, stick with what you're comfortable with. I happen to be running this in PowerShell using Windows Terminal and I want to show you a few things here.
So the first thing I'm going to do is I'm going to run this Azure CLI, and there it is, az. That's our Azure command line, and I want to run this command called list locations, and you might notice I'm outputting that to a table, and when we run this command you're going to notice that the output of the command is actually going to show the regions of what I'm currently in right now. At this moment, my CLI instance,
what is it logged into? And if we look here we're going to see that these are regions that are all throughout the entire world, so this is a great indication that I'm not logged into Azure Government right now with my CLI, I'm logged into Azure commercial. And if I run this command right here, az cloud list, I want to show one thing in particular about this. This shows the list of clouds that I can log into, and what I want to show specifically is right here, and this kind of segues into what you were talking about a second ago.
There's Azure U.S. government. Notice how they all have different endpoints, not just the default endpoint like we were pointing out for the hostnames, but even those management endpoints, with, you know, Azure Resource Manager and all that kind of stuff. Just another thing to drive home the point that these are physically different endpoints. Different instance of... Right, right. I see there MariaDB, MySQL and Postgres, all of which are services that a government person might want to use, and they're all inside that
managed data center, even though they're the services that they're used to using. So that means that I could probably put Azure Government on my LinkedIn, 'cause I know how to use it now, 'cause I know how to use Azure. There you go, perfect. That's exactly right, that's exactly right. So what I'm going to do now is I'm going to run az cloud list again, but this time I'm going to output it as a table, 'cause I don't want to look at all of the JSON endpoints. I just want the bare minimum information, because the thing I want to point out is the isActive flag is set to true for the Azure cloud, and what we want is that isActive flag to be set to true for the Azure U.S. government cloud.
So the one thing differently we have to do here is az cloud set, and we need to give it a name, and I'm just going to double-click Azure U.S. government right there and then right-click to paste it into my line, and that's going to set my context to point to the Azure U.S. government cloud. Now at that point I can just run the regular az login command that I would do anytime I'm using the Azure CLI. And again the experience will be the same. So I run az login.
It knows that my context is switched to Azure Government, and you can see the browser popping up here. It knows that my context is Azure Government, so it's asking me to select one of my Azure Government accounts, and like that, yeah, I'm logged in. And also worth pointing out, and again I'm a nerd about this,
the domain that you just went to to do that login was actually a dot US domain as well, so even the authentication went through a Microsoft dot US login, so that's security end to end. Yes, you got it exactly right. So now that I've done that one thing where I just pointed it to the Gov cloud, I'm just going to hit the up arrow a couple times
on my terminal here, and I'm going to go back to that original command that you saw me run a minute ago of list locations, and I'm just going to rerun that exact command that you saw me run one minute ago, and you're going to notice that this time the output is going to look slightly different. Instead of showing this list of data centers that are throughout the entire world, now you're seeing that exact command, but it's returning different results here: the regions that are in the Gov cloud. So at this point I'm logged in. I can
run any command I want that, you know, I'm used to running from the az CLI. For example, if I want to get a list of my web apps, I can run that type of thing. I'll output it as a table, and now I'm just getting the exact same parity of user experience that I would get in Azure commercial. Now we've looked at... and there it is right there, and once again we'll just point out the AZ Friday right there.
So we've looked at the portal and this one thing different to connect, the URL, and we saw Cloud Shell. We saw the CLI. What about some of the tools we use from a development perspective or even some admin things? So what I just did there was I typed code dot to bring up VS Code, and I just want to show a couple things here.
Is this icon right here? This little A icon, let me give an arrow here. That's the Azure icon, and that is, when we install Azure extensions into VS Code, that A icon for Azure is where those extensions get installed. We click that and we can see that as extensions, and that's another thing we worked very hard to make sure, that those extensions work with Azure Government as well. So for example, if I do Control-Shift-P and it's asking me right here, sign in to the Azure cloud, that's coming from those extensions. And so if I say yes, I want to sign into the cloud... So while you're doing that, does anything... does everything work? Like, I don't need to... Does any tool that I come up on or anything that talks to an Azure endpoint need to be updated to talk to a sovereign cloud, or they just work? It should just work, and the reason is because the Azure extensions use this Azure account sort of base extension. As long as they're all using that, which I believe they are all at this point, it should just work, 'cause that handles that common experience at a kind of single central level.
And in fact there it is. I just, while we were talking, I clicked log into Azure Government, once again the exact same, and that was the thing you were pointing out with the US URL. So it's the exact same experience.
And now when I come into this, if I click this A icon, you can see we have all these different things here. We have app services and functions and storage accounts, so I can look at my databases, and this gives me the ability to see all of my resources in Azure Government exactly the same way I would see them in Azure commercial, so I can expand, you know, my web apps, and once again there's the AZ Friday that I just provisioned. Just want to keep showing that. And then over down here in the storage accounts I'm going to expand this one storage account right here, and we're going to see that I have a storage account in Azure Government and it's called Azure Friday Gov, and you can see that this has a blob container in it called docs. There's my blob container, and you can see this just has some JSON documents right here, and if I double-click this first one, this is just kind of a generic JSON document, and you're going to notice on line
16 it says Hello World, so let's change that to Hello Azure Friday. Let's put a couple exclamations in there, and just like that, it's actually saved it back to Azure storage. So these extensions are working seamlessly in Azure public as well as Azure Government, all based on your login context and what you're currently doing. Exactly, the tools just work. So for the final demo I want to show, we've looked at it from the portal perspective and a scripting perspective and VS Code.
I want to show, my final demo is more of a developer perspective, so let's bring up Visual Studio and look at some C# code, and if we look at this code right here, what I like to say is that the most noteworthy thing about this code is that there's nothing noteworthy about it. This is the exact code you would write in Azure public. I practically copied and pasted this code from the documentation
page, and a couple of things I do want to point out. Notice the first line. I'm using the chained token credential that is from Azure Identity, so the new Azure Identity stuff works seamlessly with Azure Government, and so you can notice that I'm passing the Azure CLI credential in here, but we could use a managed identity for... if we were saying that, it will use whatever the ambient currently logged in thing that the Azure CLI is doing? Yes, so this is a great thing to do from a development standpoint on my local box. A lot of people use the Azure CLI credential or Visual Studio credential. Notice, remember, I've logged into the Azure CLI a few minutes ago, so it's just going to work.
So with the chained token credential, you can say Azure CLI, Visual Studio, managed identity, and so locally you would use CLI or Visual Studio, but if you have it deployed up in Azure you might be running under managed identity, so again that's just out of the box behavior from the chained token credential that we get from Azure Identity. Nice, but at that point all the code is the same. It's whether I'm writing this in commercial or public, because the CLI credential's already set to an Azure Government context. The code can be blissfully unaware that something called Azure Government even exists, right? Blob client here. I do a memory stream.
I called download async and I get the string and I'm just going to do a console write line at the end to you know output the contents of that particular blob and if you notice the URL up here at the doc1.json, that's the exact blob that I just showed a second ago when we were looking at it in VS Code. So I'm just going to do a Control-F5 here to run it from Visual Studio.
Thinking... or there we go, right there, and we can see there's "Hello Azure Friday." Changed that from Hello World to "Hello Azure Friday" when I was in VS Code, and then we can see the result over here in Visual Studio. So just another example of that.
So cool. Taking a step back, just a quick recap. Again, one thing differently to connect and then everything else is the same. That's true if we're in the portal, Cloud Shell in the portal, the CLI tools, PowerShell, VS Code tools, Visual Studio, I'm writing C# from a developer perspective. Regardless of where you are in the Azure tool ecosystem, maybe one thing differently to connect and you will have a parity of user experience from there in Azure Government. Fantastic! Well, this has got a bunch of ramifications, and like I said, I'm updating my LinkedIn right away, 'cause now that I've watched
Azure Friday I have a familiarity with Azure Government, and I hope the folks that are watching won't be so afraid of it anymore, because if you know Azure, you know this stuff already. Exactly, exactly. Alright. Thank you. I am learning all about Azure Government and all the great things that you can do in the sovereign cloud today on Azure Friday. Hey, thanks for watching this episode of Azure Friday. Now I need you to like it. Comment on it, tell your friends, retweet it.
Watch more Azure Friday.
2021-09-19 18:26