An official website of the United States government US flag signifying that this is a United States federal government website

GovCloud guide

GovCloud guide

cloud.gov currently has two “environments” where orgs can live: the legacy East/West environment (located in AWS East/West) and the main GovCloud environment (located in AWS GovCloud). The cloud.gov FedRAMP JAB P-ATO only covers the GovCloud environment.

For new users: All new sandboxes and orgs are in the GovCloud environment, so if you just started using cloud.gov, follow the GovCloud instructions throughout the cloud.gov documentation.

For teams migrating to GovCloud: If you’ve been using cloud.gov for a while, you and your team may have already migrated your orgs and applications to GovCloud, or you may still be in the process of migrating. This page explains changes to look out for in GovCloud.

Documentation for East/West and GovCloud

cloud.gov documentation has different instructions for East/West and GovCloud users in many places, especially for logging into the command line interface and dashboard. You’ll see the following notation:

In the East/West environment (what's this?)

East/West-specific information

In the GovCloud environment (what's this?)

GovCloud-specific information

Breaking changes in GovCloud

  • GSA, EPA and FDIC accounts already work in GovCloud. Others need to be explicitly invited.
  • The API endpoint (for now) is api.fr.cloud.gov. When you log in on the command line, use this new command: cf login -a https://api.fr.cloud.gov --sso
  • To access the Dashboard, visit https://dashboard.fr.cloud.gov/.
  • There are different names and plans for some services.

    AWS East/West service name AWS GovCloud equivalent
    elasticsearch-swarm-* elasticsearch*
    rds aws-rds
    redis*-swarm redis*
  • There is a small set of differences between the older “Warden/DEA” backend (used for the AWS East/West environment) and the newer “Diego/cells” backend (used for the AWS GovCloud environment). Review the Diego migration guide for minor changes you may need to make before migrating, and check for common issues if you run into a problem.

New features

Experimental new features

Tips

Migration

As part of cloud.gov achieving FedRAMP authorization, all tenants in the AWS East/West will need to move to the new GovCloud environment. March 15th is the deadline for moving to the new GovCloud environment.

Who this affects

Any systems running in the AWS East/West version of cloud.gov. To find all of the apps you have access to, visit https://dashboard.cloud.gov. All apps that aren’t moved by March 15th will be deleted, so make sure that you or someone on your team coordinates with the cloud.gov team to ensure your migration is completed as smoothly as possible.

Costs

For resource usage, we will bill East/West usage until your migration is complete, then switch to billing GovCloud usage. In other words, you will not be double-charged while migrating.

The cloud.gov team estimates that migrating a single “system” should take between one hour and one week of developer time, depending on:

  • For the developer(s) handling the move:
    • Level of cloud.gov experience
    • Familiarity with the architecture of the system
  • Complexity of the architecture
  • Whether the system is already following the deployment best practices
  • If the system is using one or more databases/services
  • The availability requirements of your system
    • How big of a deal is it if your system goes down for a few minutes? or an hour or more?

Any labor involved from your project team is the responsibility of your project. There is no additional charge for support from the cloud.gov team assisting your developers with the migration.

Process

  1. Get access to the GovCloud environment.
  2. Request the creation of your org in the GovCloud environment:
    • If you are in 18F/TTS at GSA, fill out the organization request form. Specify that the org should be created in GovCloud. An admin will confirm the information, create the org for you, and notify you. This should happen within one business day.
    • For everyone else, one of your org managers should email cloud-gov-support@gsa.gov to request the creation of your org in GovCloud. Please include “[GovCloud Org Request]” in the subject heading and specify the name of your current East/West org.
  3. Install the CF Targets plugin.
  4. Give permissions to the appropriate people.
  5. Deploy the application to the GovCloud environment.
  6. If you are using a data store provided by cloud.gov, migrate the data. See the services documentation. For MySQL and PostgreSQL, you can use the cg-migrate-db plugin.
  7. If you are leveraging cloud.gov’s User Account and Authentication (UAA) server you must register your application with the GovCloud UAA server, update your integration to use the GovCloud endpoints and make sure to use your newly issued client_secret.
  8. Test the new deployment(s) thoroughly.
  9. Set up your custom domain, if applicable.
  10. Set up continuous deployment. (Not required, but strongly recommended.)
  11. Once you are confident that the move is complete, ask support to delete the old resources. Some might not be applicable.