More goodness in Azure US Government

More great announcements have come out in the past couple days regarding Azure US Government.  Below are the highlights.

G-Series VMs
The G-Series provides more memory and more local solid state drive (SSD) storage than other Azure virtual machine sizes.  G-Series VMs provide up to 32 cores and 448GB of RAM!  In addition to massive memory and local SSD storage, the G-Series provides unparalleled computational performance by using the latest Intel Xeon processor E5 v3 family, ideal for your most demanding applications.  Find out more about G-Series VMs here.

F5 BIG-IP virtual appliance
F5 is pleased to announce the general availability of its BIG-IP Virtual Edition (VE) application delivery controller (ADC) solutions in the Microsoft Azure US Government Cloud. Customers who want to deploy mission-critical government applications in Microsoft-managed and physically-isolated datacenters within the continental United States can now take advantage of F5’s market-leading application services to make their applications faster, more available, and more secure.  Read more about this announcement here.

Red Hat VM Images in a Pay-as-you-go Model for Azure Government.
We are happy to announce that government customers can now deploy Red Hat Enterprise Linux 6.8 and 7.2 VM images in a Pay-As-You-Go model directly from the Azure Government Marketplace with per-minute billing.  This is following our partnership announcement with Red Hat in Azure Government on July 27th, 2016.  As more and more government customers move to the cloud, we realized that there was demand for a fully supported version of Linux with the agility of Azure Government. We’ve added this capability to meet this demand.   Read more about this announcement here.

Two new Azure US Government Regions Announced

Today Microsoft announced their intent to open new Azure US Government regions in Arizona and Texas.  Slated to be generally available in 2017, the new regions will add to their existing regions in Virginia and Iowa and are new additions beyond the Department of Defense regions recently announced. Now, Azure has a total of six dedicated regions for government customers – more than any other cloud provider.

You can learn more about this announcement from a recent blog post by Tom Keane, General Manager for Microsoft Azure.

More new features in Azure Government

Today the Microsoft Azure engineering team has released several new features into the Azure US Government regions:

Azure Batch
Azure Batch is our job scheduling and compute pool management service that helps developers easily scale their compute-intensive workloads to tens, hundreds, or thousands of virtual machines without having to manage the infrastructure. As a managed service, Azure Batch handles the heavy lifting of provisioning, monitoring and scaling virtual machines.  Additional information on Azure Batch can be found here.

Redis Cache
Azure Redis Cache is a distributed, in-memory, managed cache that helps you build highly scalable and responsive applications, by providing you with fast access to your data. It’s based on the popular open-source Redis Cache, and it gives you access to a secured, dedicated Redis cache that’s managed by Microsoft.   Additional information on Redis Cache can be found here.

Service Fabric
Service Fabric is a mature, feature-rich microservices application platform with built-in support for lifecycle management, stateless and stateful services, performance at scale, 24×7 availability, and cost efficiency.  Service Fabric integrates with Azure features and services, making operations and management simpler, and leveraging the power of Azure cloud.  Service Fabric is available at no additional cost in Azure – you only pay for the underlying compute, network and storage used by your Service Fabric Cluster and microservices. Additional information on Service Fabric can be found here.

Virtual Machine Scale Sets (VMSS)
VM Scale Sets are a way to manage Azure VMs as a group, providing easy deployment and management options, and simple ways to integrate with Azure autoscale and load balancing. If your machines can all be configured the same, you can reduce the overhead of managing them individually, and elastically scale your VMs to match the workload. VM Scale Sets are available at no additional cost over the compute resources being used, and are available in all regions that support Azure Resource Manager.  Additional information on VMSS can be found here.

VM-series Expansion
The following VM series sizes are now available for Microsoft Azure US Government customers:

  • A1-A7 VM series for ARM
  • D/DS VM series for ARM
  • Dv2 VM series for ARM and Classic
  • F VM series for ARM

To keep up on the latest information on Microsoft Azure US Government, visit the official blog at:

New features in Microsoft Azure Government

Over the past several days, Microsoft has released multiple new features into the Microsoft Azure US Government regions.  Below are the highlights.

New Portal – General Availability
The new portal which enables access to Azure Resource Manager (ARM)  features such as role based access control, tagging, resource groups and new IaaS resources is now generally available.  You can access the new portal at

Azure App Services – General Availability
Azure App Services provides developers a platform to build, deploy and run powerful web and mobile applications.  Included in this release are Web Apps, API Apps, and Mobile Apps.   Additional details can be found on the Azure Government blog.

Log Analytics and Microsoft Operations Management Suite Portal – Generally Available
Log Analytics is a service in Operations Management Suite (OMS) that helps you collect and analyze data generated by resources in your cloud and on-premises environments. It gives you real-time insights using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers regardless of their physical location.  You can read more about OMS on the Azure Government blog.

Azure SQL Data Warehouse – Generally Available
Azure SQL Data Warehouse is a cloud-based, fully managed database capable of processing massive amounts of data, both relational and non-relational. Built on our massively parallel processing (MPP) architecture, SQL Data Warehouse allows you to manage your data quickly and flexibly.  Additional details on the Azure SQL Data Warehouse can be found here.

SQL Server Stretch Database – Generally Available
SQL Server Stretch Database is a part of SQL Server 2016 that allows you to selectively, securely and transparently migrate your on-premises cold or historical data to Azure. This frees up disk space and reduces your enterprise storage costs without impacting your existing business operations and applications. It allows you to take on that journey to the cloud, on your terms.  Additional details on SQL Server Stretch Database can be found here.

Azure Blueprint Program
Azure Government Engineering is pleased to announce the initial release of the Azure Blueprint program! The program is designed to facilitate the secure and compliant use of Azure for government agencies and third-party providers building on behalf of government.  Details of this new program can be found here.

Storage Service Encryption in Azure US Government

Azure Storage Service Encryption (SSE) for Data at Rest is now available as part of the deployment of the ARM storage resource provider in Azure US Government regions.

The official documentation for SSE states:

Azure Storage Service Encryption (SSE) for Data at Rest helps you protect and safeguard your data to meet your organizational security and compliance commitments. With this feature, Azure Storage automatically encrypts your data prior to persisting to storage and decrypts prior to retrieval. The encryption, decryption, and key management are totally transparent to users.

Once a storage account is enabled for SSE all new blob data written to the storage account will be encrypted with 256-bit AES encryption managed by Microsoft.  Any existing blob data in the storage account will not be encrypted until some change occurs to the data which causes it to be written back to storage.

To get started with SSE in Azure US Government you first need to create an ARM storage account and place it in a new or existing resource group.  This can be accomplished with the New-AzureRMStorageAccount PowerShell command.

Enabling SSE on an ARM storage account is done with the Set-AzureRMStorageAccount PowerShell command, passing in Blob as an option for the EnableEncryptionService parameter.  For example, if you have a storage account named myencryptstorage in a resource group named storagerg you would run the following PowerShell command to enable SSE:

Set-AzureRMStorageAccount -Name myencryptstorage -ResourceGroupName storagerg -EnableEncryptionService Blob

To verify that SSE is enabled on the storage account shown above you can run the command shown below.  A return of true indicates that encryption is enabled on the storage account.

(Get-AzureRmStorageAccount -ResourceGroupName storagerg -Name myencryptstorage).Encryption.Services.Blob.Enabled
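
The single-account check above can be extended to every storage account in a subscription. The following is an added example, not part of the original post: Get-SseAuditReport is a hypothetical helper name, and the sample objects are constructed so the function can be run without an Azure session.

```powershell
# Added example, not from the original post. Get-SseAuditReport is a hypothetical name.
function Get-SseAuditReport {
    [CmdletBinding()]
    param(
        # Objects shaped like the output of Get-AzureRmStorageAccount.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$StorageAccount
    )
    process {
        # Walk the same property path as the verification command above, one level
        # at a time, because Encryption is empty on accounts where SSE was never set.
        $blob = $null
        $enc = $StorageAccount.Encryption
        if ($enc -and $enc.Services) { $blob = $enc.Services.Blob }
        $enabled = [bool]($blob -and $blob.Enabled)

        # Per the SSE behaviour described above, blobs written before SSE was
        # enabled stay unencrypted until they are written back to storage.
        $note = 'SSE not enabled for Blob'
        if ($enabled) { $note = 'Blobs written before enablement stay unencrypted until rewritten' }

        [pscustomobject]@{
            ResourceGroupName  = $StorageAccount.ResourceGroupName
            StorageAccountName = $StorageAccount.StorageAccountName
            BlobSseEnabled     = $enabled
            Note               = $note
        }
    }
}

# Constructed sample objects (not real accounts) so the function runs offline.
$sample = @(
    [pscustomobject]@{
        ResourceGroupName = 'storagerg'; StorageAccountName = 'myencryptstorage'
        Encryption = [pscustomobject]@{ Services = [pscustomobject]@{
            Blob = [pscustomobject]@{ Enabled = $true } } }
    }
    [pscustomobject]@{
        ResourceGroupName = 'storagerg'; StorageAccountName = 'legacystorage'  # constructed name
        Encryption = $null
    }
)
$sample | Get-SseAuditReport | Format-Table -AutoSize

# Against a live subscription (after Login-AzureRmAccount), list only the gaps:
#   Get-AzureRmStorageAccount | Get-SseAuditReport | Where-Object { -not $_.BlobSseEnabled }
# and remediate each one with the command shown above:
#   Set-AzureRmStorageAccount -ResourceGroupName <rg> -Name <account> -EnableEncryptionService Blob
```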

For a complete description of SSE and answers to frequently asked questions, please review the official Azure documentation.

ARM In Azure US Government

Yesterday afternoon Microsoft deployed providers for several Azure Resource Manager (ARM) services into all Azure US Government regions.  These new providers enable users to create and manage ARM storage, networking, compute  and data resources through Azure PowerShell.  Support for these new resource providers will be enabled in the Azure preview portal at a future date.

With this latest update the following ARM features have been enabled:

Compute (PowerShell)

  • Virtual Machines
  • Service Fabric

Networking (PowerShell)

  • Application Gateway
  • ExpressRoute
  • Load Balancer
  • Virtual Networks
  • VPN Gateway
  • Network Security Group

Data & Storage

These providers work hand in hand with the previously deployed ARM infrastructure which enables resource groups, tagging, templates and role based access control.

It is expected that additional resource providers will be deployed over the coming months which will enable even more capabilities in Microsoft Azure US Government regions.  To view the resource providers currently available in Azure US Government you can run the following PowerShell command:
Get-AzureRmResourceProvider -ListAvailable

Azure SQL DB v12 Now in Azure US Gov

Today Microsoft has announced the general availability of the latest service version of Azure SQL Database (v12) in Microsoft Azure US Government.

Benefits of using Azure SQL v12

  • Compatible: Near-complete SQL Server 2016 engine compatibility.
  • Performant: Increased Premium performance levels at no additional cost and support for larger database sizes.
  • Secure: Intelligent security and protection including Azure Active Directory authentication support. 
  • Reliable: Improved backup, recovery, and replication times.  

More details can be found soon on the Azure Government Blog.

Using Resource Groups and Tagging in Azure Government

Azure Government is moving closer and closer to having the next generation portal and full Azure Resource Manager support.  Recent updates now make it possible to better organize and classify resources for lifecycle management, security and identification.  Below I would like to highlight some of these features and some best practices you can start using today.

Azure Resource Groups

Azure Resource Groups provide a mechanism to group together a collection of Azure Resources.  This enables administrators to manage the lifecycle as a single entity, assign tags (more on that in a moment), and apply role based access control.   Since Azure Resource Groups are not part of the original Azure classic environment, you will not see these exposed in the classic portal environment, however you will see them in the new portal.  The interesting thing is that when you create any resource in Azure, no matter if it is a classic resource or an upcoming Azure Resource Manager resource, they will always be placed in an Azure Resource Group. 

If you are creating classic resources using the classic portal or classic Azure PowerShell commands you will not have an option to choose what Azure Resource Group the resources are assigned to.  They will instead be assigned to default resource groups based upon the region and type of resource being created.   If you utilize the new portal or Azure Resource Manager PowerShell commands to create classic resources you have the ability to specify either an existing resource group or to create a new resource group for your new resource.

Best practice:  Always group resources together in a resource group if they share the same lifecycle or are resources related to a single solution.  This will enable easier management of the resources and provide role based access control and  group tagging for the resources.

If you already have a bunch of existing Azure classic resources you may wish to start moving them into Azure Resource Groups based upon the best practice noted above.   This will require you to utilize the new Azure Resource Manager PowerShell commands or the new portal.  

Best practice: Ensure you have a solid enterprise naming convention in place for naming resource groups and resources.  This will make navigating, locating, and managing resources much easier.

To create a new Azure Resource Group, you will need to utilize the new Azure Resource Manager (ARM) PowerShell commands.  Make sure you have installed the latest Azure PowerShell components from before starting.  You will log into Azure Government with the following command to access the ARM commands:

Login-AzureRMAccount -EnvironmentName AzureUSGovernment

Once you are logged in you can get a list of your existing / default resource groups by running the command:


You can also easily view a list of existing resource groups through the new Azure portal.   The portal also enables you to quickly drill down into a group to see what resources are already assigned. 

Unfortunately as of today (8/4/2016) the new preview portal does not allow you to create new resource groups.  To create a new resource group you will need to utilize PowerShell.  Below is an example of creating a new resource group in the US Government Virginia region with a name of MyDemoResourceGroup.

New-AzureRmResourceGroup -Location "USGov Virginia" -Name MyDemoResourceGroup

Now that we have a resource group we can begin creating new resources or move existing resources into it.   The simplest way to do this is by using the new portal.   Below are a few quick steps to move a resource from one group to another:

  1. Open up the new portal and drill down into a resource group that contains a resource you wish to move.
  2. Select the resource and from the settings panel choose properties.
  3. Under the resource group heading in the properties panel you will find a link to Change resource group.  Clicking on this will provide you with a move resource panel.
  4. Choose the resources you wish to move, select the destination resource group, check the acknowledgement check box, and then click OK.   Within a few moments your resources will be moved into the destination resource group.

There are some limitations to moving resources between groups which are outlined in a documentation article titled “Move resources to new resource group or subscription”.   I highly recommend reading over this article.  You will also find examples of using PowerShell to move resources between groups in this article.


Once the resources are well organized in a structure of resource groups it is now possible to utilize tagging for identification purposes.  Although classic resources do not support tagging, you can apply tags to resource groups.   This means that you can still utilize tags to help categorize and organize your classic Azure resources.

Tags are a simple collection of key – value pairs that are associated with a resource group or an Azure Resource Manager resource.   As mentioned above, it is not possible to apply tags directly to classic Azure resources.

Best practice: Identify a tagging standard for your organization.  Ensure that all new resource groups and resources (when applicable) have the same basic tag structure. 

Resource groups and Azure Resource Manager resources can be assigned multiple key – value tags.   This provides a maximum amount of flexibility to build out a standard that works best for an organization.   Below is a small sample of keys that you may wish to assign to a resource group:

  • Agency / Department
  • Project
  • Type (Dev/QA/Test)
  • Cost Center

The easiest way to apply tags to a resource group is through the new Azure portal.   With just a few steps you can add tags with values to your resource groups.

  1. Open up the new Azure portal and choose a resource group.
  2. In the resource group details panel, click on the tag graphic in the upper right section.
  3. Enter in your key-value tag pairs for the resource group.

Once you have tagged resources you can utilize PowerShell to quickly locate resource groups or resources with a specific tag key and value.   The PowerShell command below outputs all resource group names that have the tag name of Agency with a value of Finance.

Find-AzureRmResourceGroup -Tag @{ Name="Agency"; Value="Finance" } -WarningAction SilentlyContinue | %{ $_.Name }

Even though Azure classic resources cannot have tags on them directly, we can utilize Azure Resource Groups to group and tag a collection of Azure classic resources.
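
A tagging standard is only useful if resource groups actually follow it. The following added example (not part of the original post) checks resource groups against the sample keys listed above. Test-ResourceGroupTag is a hypothetical helper name, the sample groups are constructed, and the Name/Value tag shape is assumed from the Find-AzureRmResourceGroup command above; handling of a plain key/value hashtable is an added assumption for module versions that return tags that way.

```powershell
# Added example, not from the original post. Test-ResourceGroupTag is a hypothetical name.
function Test-ResourceGroupTag {
    [CmdletBinding()]
    param(
        # Objects shaped like the output of Get-AzureRmResourceGroup.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$ResourceGroup,
        # Required keys, taken from the sample tagging standard above.
        [string[]]$RequiredTag = @('Agency', 'Project', 'Type', 'Cost Center')
    )
    process {
        $found = @{}   # PowerShell hashtable literals compare keys case-insensitively
        $tags = $ResourceGroup.Tags
        if ($tags -is [System.Collections.IDictionary]) {
            # Assumed alternative shape: one hashtable of key = value.
            foreach ($key in $tags.Keys) { $found[[string]$key] = [string]$tags[$key] }
        }
        elseif ($tags) {
            # Shape used on this page: a list of @{ Name = ...; Value = ... } entries.
            foreach ($t in $tags) { $found[[string]$t.Name] = [string]$t.Value }
        }

        # A key that is present but has an empty value still counts as missing.
        $missing = @($RequiredTag | Where-Object {
            -not $found.ContainsKey($_) -or [string]::IsNullOrWhiteSpace($found[$_])
        })

        [pscustomobject]@{
            ResourceGroupName = $ResourceGroup.ResourceGroupName
            Compliant         = ($missing.Count -eq 0)
            MissingTags       = $missing -join ', '
        }
    }
}

# Constructed sample groups (not real resources) so the check runs offline.
$sampleGroups = @(
    [pscustomobject]@{ ResourceGroupName = 'MyDemoResourceGroup'; Tags = @(
        @{ Name = 'Agency'; Value = 'Finance' }, @{ Name = 'Project'; Value = 'Payroll' },
        @{ Name = 'Type'; Value = 'Dev' }, @{ Name = 'Cost Center'; Value = '1234' }) }
    [pscustomobject]@{ ResourceGroupName = 'legacy-classic-rg'; Tags = @(
        @{ Name = 'Agency'; Value = 'Finance' }, @{ Name = 'Project'; Value = '' }) }
    [pscustomobject]@{ ResourceGroupName = 'untagged-rg'; Tags = $null }
)
$sampleGroups | Test-ResourceGroupTag | Format-Table -AutoSize

# Against a live subscription (after Login-AzureRmAccount):
#   Get-AzureRmResourceGroup | Test-ResourceGroupTag | Where-Object { -not $_.Compliant }
```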

Role Based Access Control

By combining Azure Resource Groups with Role Based Access Control (RBAC) your organization can quickly assign proper access permissions.  RBAC enables you to provide fine-grained permissions to individuals that need access to view or manage Azure Resources.  This allows us to get away from the classic model where the only management roles were subscription administrator or subscription co-administrator.   Now we can enable a more delegated approach to resource management.

Unlike tagging, RBAC can be applied to classic resources along with resource groups and ARM resources.

Note: Users who are not subscription administrators or co-administrators but have been assigned RBAC permissions on a classic object cannot manage that object using Azure Classic PowerShell or the classic portal.   They must use the Azure Resource Manager PowerShell login and commands or perform management actions using the new portal.

Going Forward

The future is looking great for Azure Government!  As more ARM resource providers are deployed we will have more and more great capabilities to utilize, including ARM templates.   My recommendation is that if you are an Azure Government customer, you should begin poking around in the new preview portal.  This will prepare you well for upcoming updates to Azure Government.

Azure PowerShell for documenting VNETs

During a recent conversation I had with one of my customers I was asked if there was a way to export VNet settings from their Azure US Government subscription.  Of course PowerShell provides us the answer, however, it is not a simple single command.  

There is one command which allows you to export out all subscription VNETs along with their subnets and gateway information to an XML file.  There is another set of commands that enables you to query and navigate XML data in PowerShell.  Finally there is a command for getting network security group (NSG) information that is assigned to a subnet.

By combining all of these commands together into a structured script you can get a very good picture of your VNET configurations across your subscription.   I have built a sample script which you can download from here.

The script is for demonstration purposes only and comes with no support.  Do not utilize the script for production purposes without fully reviewing and understanding the code.   The script only looks at NSGs which are associated to subnets.  Currently Azure US Government only supports the ASM deployment model.  This script was designed to only work with that model and therefore may not be useful to people running workloads in Azure commercial under ARM.
