feat(finops-hub): Add sovereign cloud support#2072

Open
MSBrett wants to merge 3 commits into dev from features/fix-gov-cloud-suffixes

Conversation

Contributor

@MSBrett MSBrett commented Mar 27, 2026

Summary

Adds sovereign cloud support to FinOps Hubs, enabling deployment to Azure US Government, Azure China (21Vianet), and other sovereign environments.

Changes

Bicep template changes (src/templates/finops-hub/)

  • Kusto DNS suffix: Replace hardcoded .kusto.windows.net with an environment-aware lookup map covering AzureCloud, AzureUSGovernment, and AzureChinaCloud, with a replace() fallback heuristic for unknown clouds. Fixes an incorrect China suffix (kusto.chinacloudapi.cn → kusto.windows.cn).
  • Open data URL: Add openDataBaseUrl parameter (threaded through main.bicep → hub.bicep → Analytics/app.bicep) so sovereign environments without internet access can point to a local storage account instead of GitHub.
  • Conditional ADF resources: Automatically skip ADF GitHub linked service and dataset when openDataBaseUrl points to the hub's own storage account.
  • Storage URL validation: Update createUiDefinition.json regex to accept storage suffixes from all clouds (not just .windows.net).
  • Dashboard portal links: Replace 27 hardcoded portal.azure.com URLs in dashboard.json with a build-time $$defined-portal-url$$ token.
  • Dashboard cluster URI: Clear the hardcoded clusterUri — users configure it to their cluster after import.
  • Build script: Add -PortalUrl parameter to Build-Toolkit.ps1 (defaults to https://portal.azure.com).
  • Bug fix: Fix gitapp.hub.com typo in ADF linked service URL → github.com.

Documentation (docs-mslearn/toolkit/hubs/)

  • deploy-sovereign.md: New Microsoft Learn how-to guide covering build, open-data preparation, deployment, and dashboard configuration for sovereign clouds. Follows deploy.md conventions (front matter, tab selectors, admonitions, related content).

Testing

  • Bicep compiles clean (bicep build main.bicep)
  • JSON validity verified
  • Grep verification: no hardcoded .kusto.windows.net, portal.azure.com, logic.azure.com, or gitapp.hub.com in changed files
  • Red-team audit: all DNS suffix claims verified against Azure Private Link DNS zone docs
  • Blue-team validation: all code assertions verified against repo files
  • ❎ Log not needed

Checklist

  • Bicep changes scoped to src/templates/finops-hub/ only
  • No changes to PowerShell module, Optimization Engine, or other templates
  • Documentation follows Microsoft style guide (sentence casing, active voice, no end punctuation on headings)
  • deploy-sovereign.md matches deploy.md format conventions
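
The storage URL validation item in the summary above widens a regex from `.windows.net` to every cloud's storage suffix. As an added example (not code from this pull request, and not the regex in createUiDefinition.json), the sketch below compares a constructed loose pattern with an anchored allowlist. The function names, the sample URLs and the `extraSuffixes` parameter are assumptions made for illustration.

```javascript
// Added example (not from the PR). Storage endpoint suffixes per Azure cloud;
// the keys mirror the environment names listed in the PR description.
const STORAGE_SUFFIXES = {
  AzureCloud: 'core.windows.net',
  AzureUSGovernment: 'core.usgovcloudapi.net',
  AzureChinaCloud: 'core.chinacloudapi.cn',
};

// Constructed "too loose" pattern: unanchored, and the wildcard after
// "core." accepts any host tail, so look-alike hosts pass validation.
const LOOSE = /https:\/\/.+\.(blob|dfs)\.core\..+/;

// Escape regex metacharacters so '.' in a suffix matches only a literal dot.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Anchored allowlist: https://<account>.<blob|dfs>.<known suffix>[/path]
// Storage account names are 3-24 lowercase letters or digits.
function buildStorageUrlRegex(suffixes) {
  const alt = suffixes.map(escapeRe).join('|');
  return new RegExp(`^https://[a-z0-9]{3,24}\\.(blob|dfs)\\.(${alt})(/[^\\s?#]*)?$`);
}

// extraSuffixes (hypothetical parameter) lets an operator add the suffix of
// a cloud that is not in the map above.
function isAllowedStorageUrl(url, extraSuffixes = []) {
  const all = [...Object.values(STORAGE_SUFFIXES), ...extraSuffixes];
  return buildStorageUrlRegex(all).test(url);
}

// Constructed sample inputs: three real-shaped endpoints, then three that
// a validator must reject (suffix in the middle of the host, suffix in the
// path, and plain http).
const SAMPLES = [
  'https://hubdata01.blob.core.windows.net/config/',
  'https://hubdata01.dfs.core.usgovcloudapi.net/ingestion',
  'https://hubdata01.blob.core.chinacloudapi.cn',
  'https://hubdata01.blob.core.windows.net.example.test/config',
  'https://example.test/x.blob.core.windows.net',
  'http://hubdata01.blob.core.windows.net/config',
];

// Evaluate every sample against both patterns for side-by-side comparison.
function compare() {
  return SAMPLES.map((u) => ({ url: u, loose: LOOSE.test(u), strict: isAllowedStorageUrl(u) }));
}

console.table(compare());
```

The same anchoring and dot-escaping apply when the pattern is written as a JSON string in a UI definition, where each backslash must be doubled.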

msbrett and others added 2 commits March 26, 2026 16:18
- Replace hardcoded .kusto.windows.net with environment-aware lookup map
  covering AzureCloud, AzureUSGovernment, AzureChinaCloud with fallback
  heuristic for unknown clouds
- Fix China ADX suffix: kusto.windows.cn (not kusto.chinacloudapi.cn)
- Add openDataBaseUrl parameter for sovereign open-data ingestion
  (main.bicep → hub.bicep → Analytics/app.bicep)
- Auto-skip ADF GitHub resources when open data is local storage
- Fix createUiDefinition regex to accept all cloud storage suffixes
- Replace 27 hardcoded portal.azure.com URLs in dashboard.json with
  build-time variable token
- Add -PortalUrl parameter to Build-Toolkit.ps1
- Clear hardcoded clusterUri in dashboard.json (user configures post-import)
- Fix gitapp.hub.com typo in ADF linked service URL
- Add SOVEREIGN-CLOUD-GUIDE.md: deployment workflow, suffix inventory,
  prerequisites, verified against Microsoft Learn docs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add deploy-sovereign.md: Microsoft Learn how-to guide for sovereign
  cloud deployments (US Government, China, other sovereign environments)
- deploy-sovereign.md follows deploy.md conventions: front matter,
  tab selectors, admonitions, nextstepaction blocks, related content

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Review 👀 PR that is ready to be reviewed label Mar 27, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>