Updated May 2026

Azure Government CMMC Cost: $1,500 to $9,000 per month

Azure Government holds FedRAMP High authorisation and DoD Provisional Authorisation up to IL5, making it eligible to host CUI workloads under DFARS 252.204-7012. For most sub-100-user defense contractors, monthly spend runs $1,500 to $9,000 depending on workload size, with Sentinel and Defender for Cloud as the two big optional-but-recommended security cost lines.

Where Azure Government fits in a CMMC stack

Azure Government is the Microsoft-operated sovereign cloud for application workloads in regulated US government environments. It runs in dedicated datacentres operated by US-citizen staff and is physically and logically separated from commercial Azure. The standard tier holds FedRAMP High authorisation and DoD Provisional Authorisation up to Impact Level 5 (IL5), which makes it eligible for CUI processing under DFARS 252.204-7012(b)(2)(ii)(D). The Azure Government DoD tier extends to Impact Level 6 for higher-classification workloads. The authorisation table is published at learn.microsoft.com/en-us/azure/compliance and is updated periodically.

For most defense contractors, the decision between Azure Government and AWS GovCloud comes down to existing platform investment. If your engineering team already runs on .NET, SQL Server, and Visual Studio, Azure Government will be the faster ramp because the development patterns transfer directly. If your team is Linux-and-open-source, AWS GovCloud will feel more native. Both clouds will host the same workloads at broadly similar prices; the differential is rarely more than 10-15 percent for equivalent service. The per-service comparison is documented in the AWS GovCloud cost page.

The Microsoft-native advantage on the security side is the integration between Azure Government, Microsoft 365 GCC High, Defender for Cloud, Defender for Endpoint, and Microsoft Sentinel. These five components feed each other through built-in connectors, which means evidence collection for a C3PAO assessment is more streamlined than a multi-vendor stack. For organisations already on GCC High for productivity, putting application workloads in Azure Government often saves 100-200 hours of integration and evidence-collection effort during the assessment.

Per-service pricing for a typical enclave

| Service | Unit price (Azure Gov) | Typical monthly |
|---|---|---|
| VM D2s_v5 (web tier, 2x) | $0.115/hr | $170 - $340 |
| VM D4s_v5 (app tier, 2x) | $0.230/hr | $330 - $660 |
| Azure SQL GP Gen5 2vCore | $0.526/hr | $380 - $760 |
| Storage Account (1TB Standard LRS) | $0.024/GB/mo | $25 |
| Managed Disk (500GB Premium SSD) | $0.135/GB/mo | $68 |
| Application Gateway WAF v2 (small) | $0.243/hr + cu | $220 - $400 |
| Defender for Cloud Standard (per resource) | $15/server/mo, varies | $100 - $400 |
| Microsoft Sentinel (10GB/day ingest) | $2.46/GB analytics | $200 - $750 |
| Key Vault (10 keys + ops) | $1/key/mo | $10 - $40 |
| VPN Gateway (Basic SKU) | $0.04/hr | $30 - $60 |
| Data transfer out (50GB to internet) | $0.087/GB | $45 |
| Azure Support Standard plan | $100/mo | $100 |
| Small-enclave total | | $1,678 - $3,578 |

Prices verified against the Azure Government pricing pages at azure.microsoft.com/en-us/explore/global-infrastructure/government and the Azure pricing calculator with Azure Government region selected.

Enclave size scenarios

| Scenario | Workload profile | Monthly run rate | Annual |
|---|---|---|---|
| XS enclave | 2 VMs (B-series), Azure SQL Basic, 100GB storage, Defender Standard on prod only | $700 - $1,400 | $8K - $17K |
| Small enclave | 4-6 VMs, Azure SQL GP, 1TB storage, full security tooling, Sentinel light | $1,500 - $3,500 | $18K - $42K |
| Medium enclave | 10-15 VMs, Azure SQL BC, 5TB storage, multi-subscription, Sentinel 50GB/day | $3,500 - $9,000 | $42K - $108K |
| Large enclave | 30+ VMs, Azure SQL HS, 20TB storage, ExpressRoute, Sentinel 200GB/day | $9,000 - $28,000 | $108K - $336K |

Sentinel ingest pricing in detail

Microsoft Sentinel costs are driven by daily ingest volume, which has two components: the underlying Log Analytics workspace ingest cost (roughly $2.30 per GB pay-as-you-go) and the Sentinel analytics premium (roughly $2.00 per GB on top of the workspace cost). For a small CUI enclave generating 10GB per day of log data (CloudTrail equivalent, Defender events, custom app logs), monthly Sentinel cost runs $200-$750 depending on the mix of ingest sources and whether commitment-tier discounts are applied.

The biggest single Sentinel cost lever is which data sources you ingest. Microsoft 365 GCC High audit logs are free to ingest into Sentinel (Microsoft does not charge for the ingest cost of data originating in Microsoft's own GCC High tenant). Defender for Endpoint advanced hunting data also comes in cheaply. The expensive sources tend to be third-party firewall syslog, VPC Flow Log equivalents, and high-cardinality custom application logs. Architecting which sources go to Sentinel versus a cheaper alternative log store is a meaningful cost lever.

Commitment tiers cut ingest cost meaningfully. A 100GB-per-day commitment tier at $123 per day is roughly 47 percent cheaper than pay-as-you-go ingest. For contractors with predictable steady-state log volume, the commitment tier almost always pays back. For contractors still ramping, pay-as-you-go is the right starting position. See the SIEM cost calculator sister site for cross-vendor comparisons.

CMMC-driven Azure service decisions

For Level 2 evidence, Azure-native services map cleanly to specific NIST 800-171 controls: Azure Monitor and Log Analytics for the AU-2 audit logging family; Azure Activity Log and Azure Policy for CM-2 baseline configuration; Azure Key Vault with HSM-backed keys for SC-13 encryption requirements (the HSM premium SKU is required for FIPS 140-2 Level 3, roughly $1,000 per month per HSM pool); Azure Active Directory (now Entra ID) Government for IA-2 identification and authentication; and Microsoft Defender for Endpoint on every VM for SI-3 malicious-code protection and SI-4 monitoring. These services together typically add $300-$1,200 per month for a small enclave.

Azure Bastion deserves a separate mention for AC-17(3) remote access management. Bastion provides browser-based RDP/SSH access to private VMs without exposing public IPs, which is the cleanest way to evidence the remote-access control. Cost is roughly $140-$170 per month per Bastion deployment. For multi-VNET enclaves with only occasional admin access, the Developer SKU at roughly $80 per month is enough.

Frequently asked questions

Is Azure Government different from Microsoft 365 GCC High?
Yes, they are two different sovereign cloud offerings from Microsoft. Azure Government is the platform-as-a-service / infrastructure-as-a-service cloud for custom workloads (VMs, databases, custom applications, AI services). Microsoft 365 GCC High is the productivity-suite cloud (Exchange, SharePoint, OneDrive, Teams). Both run on Azure Government datacentre infrastructure but they are different commercial products with different licensing and different per-user economics. Many defense contractors use both: GCC High for productivity, Azure Government for custom application workloads.
How much does an Azure Government enclave cost?
For a typical sub-100-user contractor running CUI workloads in Azure Government, monthly spend ranges from $1,500 to $9,000 depending on workload size and the security tooling layered on top. VM compute drives 35-55 percent of the bill; storage drives 15-25 percent; Azure SQL or other managed database services drive 10-25 percent; Defender for Cloud and Sentinel drive 10-20 percent; networking (including ExpressRoute or VPN) drives the rest.
What is Azure DoD vs Azure Government?
Azure Government has two tiers. The standard Azure Government tier (formerly Azure Government Secret) holds FedRAMP High authorisation and supports CUI processing under DFARS 7012. The Azure Government DoD tier (formerly Azure Government Top Secret) is authorised for higher-classification workloads (DoD Impact Level 5 and Impact Level 6). For most CMMC Level 2 contractors, standard Azure Government is the appropriate tier. Level 3 contractors handling more sensitive workloads may need IL5 or IL6.
Is Microsoft Sentinel required for CMMC Level 2?
No specific SIEM is required by name, but Level 2 mandates centralised audit log collection and analysis under AU-2, AU-3, AU-6, and SI-4 control families. For Azure Government workloads, Microsoft Sentinel is the most-integrated SIEM option. It ingests from Azure Activity Logs, Microsoft 365 GCC High, Defender for Cloud, Defender for Endpoint, and most non-Microsoft sources. Cost typically runs $200-$2,000 per month for a small-to-mid enclave depending on log volume. Compare with third-party SIEM options on the SIEM cost calculator sister site.
What is the cheapest path to a CMMC-ready Azure Government enclave?
The cheapest path is to size compute conservatively (B-series burstable VMs work for low-utilisation workloads at roughly half the price of equivalent D-series), use Azure Reserved Instances for steady-state workloads (30-60 percent saving versus pay-as-you-go), keep storage in Standard tier unless performance demands Premium, use Defender for Cloud Standard tier only on production resources, and feed Sentinel only the log sources that are required for control evidence (not every available connector). An XS enclave configured this way runs $700-$1,400 per month plus the licence cost of any productivity workloads on GCC High.
Can I run hybrid CMMC workloads with Azure Government + on-premises?
Yes. ExpressRoute Government provides a dedicated private connection between an on-premises facility and Azure Government, with no traffic traversing the public internet. Cost: roughly $300-$400 per month for a 1Gbps port plus consumption charges. Site-to-Site VPN over the public internet is a cheaper alternative at roughly $30-$50 per tunnel-month but introduces internet path-dependency that some C3PAOs will probe. For most sub-100-user contractors, VPN is acceptable; for large engineering organisations with constant data transfer, ExpressRoute pays back.

Updated 2026-05-11