This page applies only to Azure AKS deployments. FIPS compliance configuration is not applicable to Virtual Machine deployments.

Overview

Federal Information Processing Standard (FIPS) 140-2 compliance is required for certain US government and regulated industry deployments. Enabling FIPS compliance in your Vantage deployment requires specific configuration changes during infrastructure creation and installation.

Key Differences from Standard Deployment

Component        Standard Deployment   FIPS-Enabled Deployment
Redis Version    6.2 or later          6.2 to 7.0.7 only
File Share Type  SMB                   NFS
AKS Node Pools   Standard              FIPS-enabled
Storage Access   Public or Private     Virtual network only (for NFS)

Requirements

Redis Version Restriction

For FIPS compliance, Redis must be version 6.2 to 7.0.7 (not newer). Versions 7.0.8 and later are not supported for FIPS deployments.
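The following POSIX shell snippet is an added example, not part of the Vantage documentation. It checks a Redis version against the range stated above (6.2.0 through 7.0.7 inclusive), either from a bare version string or from the text that `redis-cli INFO server` returns, so the restriction can be enforced before installation rather than discovered afterwards. The INFO output below is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Vantage documentation. Checks a Redis version
# against the FIPS-supported range above: 6.2.0 through 7.0.7 inclusive.

# Turn "MAJOR.MINOR.PATCH" into one integer so versions compare numerically
# (7.0.10 must sort after 7.0.7, which a string comparison gets wrong).
version_key() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  patch=${patch:-0}
  for part in "$major" "$minor" "$patch"; do
    case "$part" in ""|*[!0-9]*) return 1 ;; esac
  done
  echo $((major * 10000 + minor * 100 + patch))
}

FIPS_REDIS_MIN=6.2.0
FIPS_REDIS_MAX=7.0.7

# Exit 0 when the version is inside the supported range, 1 otherwise
# (including for strings that are not a version at all).
redis_version_fips_ok() {
  key=$(version_key "$1") || return 1
  [ "$key" -ge "$(version_key "$FIPS_REDIS_MIN")" ] &&
    [ "$key" -le "$(version_key "$FIPS_REDIS_MAX")" ]
}

# Same check, fed the raw text of `redis-cli INFO server`, whose lines look
# like "redis_version:7.0.7" and end in CRLF.
redis_info_fips_ok() {
  version=$(printf '%s\n' "$1" | sed -n 's/^redis_version:\([0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$version" ] || return 1
  redis_version_fips_ok "$version"
}

# Constructed INFO output for the demo; a real one comes from redis-cli.
SAMPLE_INFO='# Server
redis_version:7.0.7
redis_git_sha1:00000000
redis_mode:cluster'

for v in 6.1.9 6.2.0 6.2.14 7.0.7 7.0.8 7.2.4; do
  if redis_version_fips_ok "$v"; then
    echo "$v: supported for FIPS"
  else
    echo "$v: NOT supported for FIPS"
  fi
done
if redis_info_fips_ok "$SAMPLE_INFO"; then
  echo "sample INFO output: supported"
fi
```

Against a live cluster, pass the output of `redis-cli -h <ip> -p 6379 -a <password> INFO server` to `redis_info_fips_ok` for each of the Redis IPs listed in env_specific.yml.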

NFS Share Considerations

When FIPS is enabled, Network File System (NFS) shares are used instead of SMB shares:
  • The storage account that hosts the NFS share can be configured to allow access from public IP addresses
  • However, you cannot mount an NFS share from a public IP address
  • You can only connect to an NFS share from a machine on a virtual network that the storage account trusts

Infrastructure Creation with FIPS

When creating Azure infrastructure for a FIPS-compliant deployment, add the enableFIPS=true parameter to the ARM template deployments.

Create AKS Cluster with FIPS

az deployment group create --name aks-cluster \
  --resource-group <resource_group_name> \
  --template-file files/infrastructure/azure/arms/Cluster.Manual.json \
  --parameters kubernetesClusterName=<cluster_name> \
  --parameters enableFIPS=true

Configure NFS Share Access

After creating the FIPS-enabled cluster, run the following commands so that the cluster can use the NFS share on the shared storage account:
# Get the principal ID of the AKS cluster's managed identity
export principalId=$(az aks show --name <cluster_name> -g <resource_group_name> \
  -o tsv --query identity.principalId)

# Get the subnet scope (quoted so the shell does not glob-expand [*]);
# uniq collapses the duplicate IDs returned when several node pools share one subnet
export scope=$(az aks show --name <cluster_name> -g <resource_group_name> \
  -o tsv --query 'agentPoolProfiles[*].vnetSubnetId' | uniq)

# Create role assignment for the cluster identity on that subnet
az role assignment create --role "Contributor" \
  --assignee-principal-type ServicePrincipal \
  --assignee-object-id "$principalId" \
  --scope "$scope"

Create Storage Accounts with FIPS

az deployment group create --name storage \
  --resource-group <resource_group_name> \
  --template-file files/infrastructure/azure/arms/StorageAccounts.Template.json \
  --parameters kubernetesClusterName=<cluster_name> \
  --parameters enableFIPS=true

Configuration Parameters

env_specific.yml

Enable FIPS support by setting the following parameter:
k8s_fips_enabled: true

Azure Government Cloud

If deploying to Azure Government Cloud, add the s3endpointSuffix parameter immediately after k8s_fips_enabled:
k8s_fips_enabled: true
s3endpointSuffix: core.usgovcloudapi.net
Only add s3endpointSuffix when deploying to Azure Government Cloud. Do not include this parameter for standard Azure commercial cloud deployments.

Complete FIPS Configuration Example

env: vantage
poc: false

domain: yourdomain.gov
product_host: "vantage.{{ domain }}"

loadbalancer:
  external_ip: X.X.X.X

container_registry_host: "registry.yourdomain.gov"
container_registry_user: "service"
container_registry_password: "password"
container_registry_name: "{{ container_registry_host }}/vantage"

techcore:
  use_gpu_workers: false
  use_nn_extraction_training_workers: false

logging:
  enabled: true
  elasticsearch:
    enabled: false
  file:
    enabled: true

platform_admin_email: [email protected]

smtp:
  host: X.X.X.X
  login: null
  password: ""
  port: 587
  useSSL: false

mailFrom: [email protected]

database:
  type: sqlserver
  host: X.X.X.X
  username: login
  password: password
  encrypt: true  # Recommended for FIPS

s3storage:
  skills:
    accessKey: skills_storage_account_name
    secretKey: skills_storage_account_key
  processing:
    accessKey: processing_storage_account_name
    secretKey: processing_storage_account_key
  temporary:
    accessKey: temporary_storage_account_name
    secretKey: temporary_storage_account_key
  sharedfolder:
    accessKey: sharedfolder_storage_account_name
    secretKey: sharedfolder_storage_account_key
    resourcegroup: your_resource_group
  archive:
    accessKey: archive_storage_account_name
    secretKey: archive_storage_account_key

# Redis cluster - must be version 6.2 to 7.0.7 for FIPS
redis:
  ips: ['172.16.10.101', '172.16.10.102', '172.16.10.103', '172.16.10.104', '172.16.10.105', '172.16.10.106']
  port: 6379
  password: redispassword
  ssl: true  # Recommended for FIPS

reporting:
  enabled: false

id_reading:
  enabled: false

# FIPS Configuration
k8s_fips_enabled: true

# Uncomment for Azure Government Cloud only:
# s3endpointSuffix: core.usgovcloudapi.net
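The following POSIX shell script is an added example, not part of the Vantage documentation. It runs pre-flight checks on a candidate env_specific.yml against the FIPS rules on this page: k8s_fips_enabled must be true; s3endpointSuffix, when present, must be core.usgovcloudapi.net and must sit on the line directly after k8s_fips_enabled; and redis.ssl and database.encrypt are flagged as warnings when not true, since the page marks them recommended rather than required. The three sample files are constructed and the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the Vantage documentation. Pre-flight checks on the
# FIPS-related keys of env_specific.yml before running the installer. Key names
# and required values come from the page; helpers and sample files are my own.

# Value of a top-level "key: value" line, trailing comment dropped; empty when
# the key is absent or commented out.
top_key() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | awk '{print $1}'
}

# Value of "key:" nested one level under "section:", e.g. redis -> ssl.
nested_key() {
  awk -v section="$2" -v key="$3" '
    /^[^[:space:]#]/ { in_section = ($0 == (section ":")) }
    in_section && $1 == (key ":") { print $2; exit }
  ' "$1"
}

# Prints every problem found and returns the number of hard errors (0 = pass).
check_fips_config() {
  file=$1
  errors=0

  fips=$(top_key "$file" k8s_fips_enabled)
  if [ "$fips" != true ]; then
    echo "FAIL: k8s_fips_enabled must be true (found '${fips:-unset}')"
    errors=$((errors + 1))
  fi

  suffix=$(top_key "$file" s3endpointSuffix)
  if [ -n "$suffix" ]; then
    if [ "$suffix" != core.usgovcloudapi.net ]; then
      echo "FAIL: s3endpointSuffix must be core.usgovcloudapi.net (found '$suffix')"
      errors=$((errors + 1))
    fi
    # The page requires the key on the line directly after k8s_fips_enabled.
    if ! awk '/^k8s_fips_enabled:/ { getline; if ($0 ~ /^s3endpointSuffix:/) found = 1 }
              END { exit !found }' "$file"; then
      echo "FAIL: s3endpointSuffix must immediately follow k8s_fips_enabled"
      errors=$((errors + 1))
    fi
  fi

  # Recommended rather than required on the page, so warnings only.
  [ "$(nested_key "$file" redis ssl)" = true ] ||
    echo "WARN: redis.ssl is not true (recommended for FIPS)"
  [ "$(nested_key "$file" database encrypt)" = true ] ||
    echo "WARN: database.encrypt is not true (recommended for FIPS)"

  return "$errors"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Commercial Azure: FIPS on, suffix left commented out (constructed).
cat > "$WORK/commercial.yml" <<'EOF'
env: vantage
database:
  type: sqlserver
  encrypt: true  # Recommended for FIPS
redis:
  port: 6379
  ssl: true  # Recommended for FIPS
k8s_fips_enabled: true
# s3endpointSuffix: core.usgovcloudapi.net
EOF

# Azure Government: suffix present, directly after k8s_fips_enabled (constructed).
cat > "$WORK/gov.yml" <<'EOF'
env: vantage
database:
  type: sqlserver
  encrypt: true
redis:
  ssl: true
k8s_fips_enabled: true
s3endpointSuffix: core.usgovcloudapi.net
EOF

# Mistakes: FIPS off, wrong suffix, suffix not adjacent, TLS off (constructed).
cat > "$WORK/broken.yml" <<'EOF'
k8s_fips_enabled: false
redis:
  ssl: false
s3endpointSuffix: core.windows.net
EOF

for f in commercial gov broken; do
  echo "== $f.yml"
  if check_fips_config "$WORK/$f.yml"; then
    echo "passed"
  else
    echo "has errors"
  fi
done
```

Run `check_fips_config path/to/env_specific.yml` before the installer; a non-zero exit means at least one hard error, while warnings alone do not block the run.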

Verification

After deployment, verify that FIPS mode is enabled on every AKS node:
# List the nodes so each one can be checked
kubectl get nodes -o wide

# Check FIPS status on a node (run this on the node itself, for example from a node shell)
cat /proc/sys/crypto/fips_enabled
# Output: 1 (FIPS enabled) or 0 (FIPS disabled)
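As an added example that is not part of the Vantage documentation, the shell function below summarises the /proc/sys/crypto/fips_enabled reading from every node at once, so a single node that landed in a non-FIPS pool, or where the file could not be read, is not overlooked. It takes one "<node> <value>" line per node, however those readings were collected; the two node lists are constructed and the function name is my own.

```shell
#!/bin/sh
# Added example, not part of the Vantage documentation. Summarises the
# /proc/sys/crypto/fips_enabled reading gathered from every AKS node.
# Input: one "<node-name> <value>" line per node; samples are constructed.

# Exit 0 only when at least one node reported and every node reported 1.
# Lists each node that reported 0 or whose reading could not be parsed.
fips_nodes_ok() {
  printf '%s\n' "$1" | awk '
    NF == 0 { next }                                  # ignore blank lines
    NF != 2 || $2 !~ /^[01]$/ { print "UNREADABLE: " $1; bad++; next }
    $2 == "0"                 { print "FIPS OFF:   " $1; bad++; next }
                              { ok++ }
    END {
      if (ok + bad == 0) { print "no node readings"; exit 1 }
      print ok + 0 " node(s) in FIPS mode, " bad + 0 " failing"
      exit (bad > 0)
    }'
}

# Every node in the FIPS-enabled pool (constructed names and values).
NODES_GOOD='aks-fipspool-12345678-vmss000000 1
aks-fipspool-12345678-vmss000001 1
aks-fipspool-12345678-vmss000002 1'

# One node in a non-FIPS pool and one whose file was missing (constructed).
NODES_MIXED='aks-fipspool-12345678-vmss000000 1
aks-nodepool1-12345678-vmss000000 0
aks-nodepool1-12345678-vmss000001 cat: /proc/sys/crypto/fips_enabled: No such file or directory'

if fips_nodes_ok "$NODES_GOOD"; then
  echo "cluster OK"
fi
if ! fips_nodes_ok "$NODES_MIXED"; then
  echo "cluster NOT fully in FIPS mode"
fi
```

A node whose reading is missing is treated as failing rather than ignored, which is the safe default when the check gates a compliance sign-off.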