CLASSIFICATION POSTURE · PROTECTED
DEFENCE · MICROSOFT AZURE
Sovereign Azure, designed for the controls Australian defence actually requires.
We design, deploy, and operate AI-enabled software on sovereign Microsoft Azure regions. Landing zones, AI services, identity, logging, and compliance integration, engineered for IRAP-aligned controls and PROTECTED-classification workloads. The cloud surface our live ADF deployment runs on.
Sovereign cloud is not a checkbox on a procurement form. It is a posture, a set of decisions made early, repeated consistently, and held by the team that operates the system.
PRACTICE OVERVIEW
Azure, taken seriously as a sovereign defence environment.
Microsoft Azure has the deepest sovereign-cloud presence in Australia of any hyperscaler, both in the breadth of services available in the Australian regions and in the depth of partnership with the Australian government on classified workload hosting. For defence customers building or operating AI-enabled mission software, sovereign Azure is often the most pragmatic landing place. RankSaga's reference defence deployment runs on it.
Our Azure practice is staffed by engineers who treat sovereignty as the starting constraint, not a late-stage compliance overlay. Region selection, landing-zone topology, identity integration, key management, logging, and the integration of Azure AI services into a customer's mission-software stack, every decision is made against IRAP-aligned controls and the customer's classification posture from day one.
The work is not generic Azure work. Defence environments routinely require single-tenant model serving, customer-managed keys for everything that touches sensitive data, network architectures that constrain east-west traffic and prevent unintended egress, and identity integration with the customer's enterprise directory under conditional-access controls. We have shipped this configuration and operate it in production. The systems we build on Azure are not hardened later; they are designed for the production posture from the first sprint.
Where the customer's deployment requires sovereign Azure plus an air-gapped enclave on top, we cover both. Our reference ADF deployment runs sovereign Azure infrastructure with an air-gapped operating environment on top of it. The combination is operationally viable; making it operationally viable is what RankSaga is for.
WHAT WE DO
Sovereign Azure, by the surface we touch.
01 / Capability
Sovereign Landing Zones
Australian-region Azure landing zones architected for IRAP-aligned controls, subscription topology, network segmentation, identity, key management, and logging all set against the customer's classification posture from the start.
02 / Capability
AI Services Integration
Azure OpenAI, Azure Machine Learning, Cognitive Search, and Document Intelligence integrated into mission-software stacks under customer-managed keys, customer-controlled networking, and customer-owned audit surfaces.
03 / Capability
Identity & Access
Entra ID integration with the customer's enterprise directory, conditional-access policy aligned to the customer's risk posture, role-based access into mission applications, and audit logging that meets the customer's accreditation requirements.
04 / Capability
Boundary & Network Architecture
Hub-and-spoke topologies, private endpoint strategies, and egress controls designed for defence environments. Including configurations that support an air-gapped operating environment on top of the sovereign infrastructure.
05 / Capability
Logging, Audit, and Sentinel
Customer-controlled log aggregation, retention, and SIEM integration. Sentinel deployment for security operations where it fits the posture, and on-prem-flavoured alternatives where it does not.
06 / Capability
Operations Inside the Sovereign Region
Embedded engineers operating the deployment alongside the customer's platform team, patching, scaling, incident response, model lifecycle, and the boring-but-essential continuous work of keeping a production defence system running.
OPERATING MODEL
Architect for the posture. Build inside the region. Operate continuously.
Sovereign Azure work follows the same forward-deployed engagement model we run elsewhere, adapted to the specifics of Microsoft Azure and to the controls the customer's accreditation pathway requires.
01 / Step
Posture & Landing Zone Design
We start with the controls. Region selection, subscription topology, identity integration, key management, network architecture, and logging are designed against the customer's classification posture and IRAP-aligned controls before any workload is provisioned.
02 / Step
Build in the Sovereign Region
The application surface, mission software, AI services, integration layers, operator UI, is built and deployed directly into the sovereign Azure region. Working software in operator hands within weeks, against the production controls.
03 / Step
Embedded Operations
We stay deployed alongside the customer's platform team. Patching, model lifecycle, incident response, and the iterative hardening that keeps the system aligned with both the threat model and the customer's accreditation posture.
POSTURE DETAIL
How we configure sovereign Azure deployments.
Region
Australia East / Australia Central, with cross-region failover where the workload requires and the customer's classification posture allows.
Identity
Entra ID, integrated with the customer's enterprise directory under conditional-access policy aligned to the customer's risk posture.
Key Management
Customer-managed keys via Azure Key Vault for every encryption boundary that touches sensitive data, including model artefacts and vector indices.
Network
Hub-and-spoke topology, private endpoints by default, explicit egress controls, and a documented boundary posture reviewed against the customer's accreditation pathway.
Logging & Audit
Customer-controlled log aggregation, retention aligned to accreditation requirements, and SIEM integration via Microsoft Sentinel or customer-preferred alternative.
Air-Gapped Overlay
Where required, sovereign Azure infrastructure underneath an air-gapped operating environment, the configuration our reference ADF deployment runs.
REFERENCE
Live for the Australian Armed Forces.
Our production defence deployment runs on sovereign Microsoft Azure infrastructure in an Australian region, with an air-gapped operating environment on top of it. We architected the posture, deployed the workload, and operate the system continuously.
- ·Sovereign Australian Azure region with IRAP-aligned controls.
- ·Customer-managed keys across every encryption boundary.
- ·Customer-controlled logging, audit, and SIEM integration.
- ·Air-gapped operating environment on top of the sovereign infrastructure.
RELATED CAPABILITIES
Sovereign Azure, in context.
Adjacent
Air-Gapped Deployment →
When the deployment requires a disconnected operating environment on top of the sovereign infrastructure.
Adjacent
Defence-Grade AI Systems →
When the application running on Azure is an AI system that requires auditability and human-in-the-loop review.
Adjacent
Mission Software Engineering →
When the Azure deployment is part of a broader operator-facing mission application.
QUESTIONS
Sovereign Azure, in practice.
Why Azure for Australian defence workloads specifically?+
Microsoft has the deepest Australian sovereign cloud footprint of any hyperscaler, region presence, breadth of services in those regions, and depth of engagement with the Australian government on classified workload hosting. For most Australian defence AI workloads, sovereign Azure is the most pragmatic landing place. We use it because it works.
Do you also work in commercial Azure regions?+
Yes, for less-sensitive workloads or partner-nation customers. The same engineering team builds across both, and the architectural posture transfers. Sovereign-region work has additional controls; commercial-region work uses the same hardening discipline where the customer requires it.
Can the deployment run air-gapped on Azure?+
Yes, that is the configuration our reference ADF deployment runs. Sovereign Azure infrastructure underneath, with an air-gapped operating environment on top. See our /defense/air-gapped-deployment/ capability for the discipline that makes that viable in production.
What's the engagement model for IRAP uplift?+
We design for IRAP-aligned controls from day one, but formal IRAP assessment is the customer's process. We provide the architecture, the documentation, and the engineering work that meets the controls; the assessment itself is owned by the customer with their assessor.
Will you work alongside our existing platform team?+
Yes. Most of our sovereign Azure work is alongside an existing customer platform team rather than as a replacement. We bring forward-deployed engineers who integrate with that team, share the load, and stay deployed for the duration the customer requires.
ENGAGE
Sovereign Azure works when you treat it as the starting constraint, not the final hurdle.
If you are operating, or planning to operate, defence-grade AI workloads on sovereign Azure and want a team that has done it in production for the ADF, we should talk.
ENGAGE
Bring us in on the problem before it has a name.
We work best when we are embedded early, alongside the team that owns the mission, the data, and the operational risk. Government, commercial enterprise, or defence: if your environment is regulated, sensitive, or air-gapped, that is where we are most useful.