gitops
9 Topics

Build, deploy, and govern sovereign AI with Foundry Local on Azure Local
Not every AI workload can run in the cloud. For many of our customers, data needs to stay within defined boundaries, connectivity may be limited or absent, and latency, governance, and auditability are non-negotiable. With Foundry Local on Azure Local, you can use the same model catalog, developer workflows, and governance capabilities you know from Azure, while running AI entirely within your own environment where your data resides.

Foundry Local provides the model catalog and developer experience. Azure Local provides the customer-managed infrastructure. Azure Arc provides unified policy, governance, and lifecycle management across cloud and local environments.

This gives developers a consistent way to build, deploy, and operate AI. The same az commands, the same model catalog, the same Arc policies, all running on hardware you control.

Expansion of Foundry Local on Azure Local

We're expanding the Foundry Local model offering on Azure Local, with support for multi-node deployments and new agents and tools that run locally, in preview.

Deploy and run AI models locally. Run models with Foundry Local in customer-managed environments on Azure Local, across sovereign, private, and edge scenarios, including fully disconnected operation.
Choose from a flexible, high-performance model catalog. Access proprietary and community models through Foundry Local, now expanded with vLLM-optimized models alongside ONNX-based offerings. You explore and deploy through the same catalog API experience, then operate locally on Azure Local.
Build for production realities. Bring governance, identity, and auditability into your applications while keeping execution inside your controlled boundary.

See what’s new in Foundry Local on Azure Local in the Tech Community blog.

From intelligence to action: agents and tools inside the enterprise boundary

Most production AI use cases need two things: grounded answers and the ability to act on them, without sending data outside the environment.
Here's how we're enabling that locally.

Preview: Agentic retrieval with Foundry Local: Ground agents in enterprise data using retrieval-augmented generation across local Microsoft 365 services, including Exchange and SharePoint. Read the Tech Community blog to learn more.
Preview: Agents and tools with Foundry Local: Build AI systems that reason, retrieve information, and take action within customer-controlled environments. Learn more.
Preview: Developer acceleration templates: Jump-start local AI application development with new Foundry solution templates, including local chat experiences and video agents, powered by Azure AI Video Indexer. Read the Tech Community to learn more.

GitHub Enterprise Local: Now available in public preview

Sovereign AI is also about how systems are built and secured, not just where they run. With GitHub Enterprise Local on Azure Local, you can bring your full software development lifecycle on-premises:

Source control and repositories
CI/CD pipelines
Security and DevSecOps workflows

GitHub Enterprise Local deploys entirely within customer-owned infrastructure, so teams get the developer tools they expect without compromising on data residency or operational control. This extends modern DevSecOps practice into sovereign environments and pairs naturally with the AI development workflows above: build, secure, and ship your AI applications within the same boundary where they run. Read the tech community blog to learn more about GitHub Enterprise Local and how to join the preview.

Accelerating High-performance AI at the Edge with NVIDIA

We are expanding our collaboration with NVIDIA to deliver high-performance AI capabilities directly at the edge.
At Build, we are bringing:

Azure Local and Foundry Local on NVIDIA-powered GPUs, including NVIDIA RTX PRO 6000 Blackwell Server Edition, with expanded GPU support coming soon
Integration with Nemotron models, optimized for enterprise performance
A scalable foundation for data-intensive, low-latency workloads

This partnership ensures that organizations can run advanced AI workloads where data is generated - without dependency on centralized cloud infrastructure.

Hardware options: AI factory configurations are available now in the catalog

Alongside our hardware partners, we’re bringing integrated solutions to customers building AI within sovereign environments. The Azure Local hardware catalog now includes AI factory configurations from our OEM partners, including NVIDIA-certified 8xH100 systems, with options from DataON, Dell, HPE, and Lenovo. These configurations are sized for the performance that model serving and agentic workloads require on customer-managed infrastructure.

“Together with Microsoft, we are advancing sovereign AI by bringing the open NVIDIA Nemotron model family to Microsoft Foundry Local on Azure Local. This collaboration gives organizations a production-ready AI platform that enables them to deploy AI where their data resides while maintaining the governance, control, and performance needed to scale AI across the enterprise.” Kari Briski, VP Generative AI Software Products, NVIDIA

“Sovereign AI is becoming increasingly important for governments, regulated industries, and enterprises that want to use AI while maintaining control of their data, location, and operations. Lenovo’s ThinkAgile MX Series delivers trusted, enterprise-grade infrastructure with global deployment expertise to help customers run AI wherever their data resides. Co-engineered with Foundry Local and Azure Local, this solution provides an optimized platform to deploy, run, and scale AI locally with greater simplicity, consistency, and control, while helping meet strict data residency, security, and compliance requirements.” Scott Patti - VP Infrastructure Solutions Group (ISG), Lenovo

From AI models to trusted, mission-critical systems: what this unlocks for developers and operators

AI is evolving from systems that answer questions to systems that plan, reason, and take action across workloads. These capabilities move AI from a cloud-only assumption to something you can deploy where sensitive work actually happens, with governance and operational controls intact.

For our customers, this means you can now:

Keep data, identities, and audit trails inside your sovereign boundary.
Run AI inference and agentic workloads in connected, intermittently connected, or fully disconnected modes.
Apply consistent policy and governance across cloud and local environments through Azure Arc.
Use the same Foundry catalog and developer experience you already know, on infrastructure you own.
Build, secure, and ship your AI applications with GitHub Enterprise Local, keeping source control, CI/CD, and DevSecOps workflows inside the same sovereign boundary.
Resources

Join us at Build
OD837 Shipping physical AI to the edge with Azure Local and Foundry Local https://github.com/microsoft/build26-OD837
OD839 Foundry Local: AI solutions for industrial and sovereign needs https://github.com/microsoft/build26-OD839
LTG425 Expanding horizons: Foundry Local for devices and on-prem https://build.microsoft.com/en-US/sessions/LTG425

Request to join the Foundry Local on Azure Local preview

Hands-on walkthrough: Your first model deployment on Foundry Local on Azure Local: from catalog to inference in 10 minutes | Microsoft Community Hub

Read our Tech Community blogs:
Foundry Local announcing multi-node and vLLM support
Agentic Retrieval with Foundry Local blog: https://aka.ms/AgentsAndToolsBuildBlog2026
Code sample / model catalog blog: https://aka.ms/foundry-local-model-catalog-blog

For more details on the expanded capabilities of Foundry Local for highly secure environments, contact your Microsoft account team

Discover Microsoft Sovereign Cloud

Explore product documentation at:
Foundry Local models on Azure Local: https://aka.ms/FoundryLocalonAzureLocal_documentation
Local Agentic retrieval with Foundry Local: https://aka.ms/edge-agentic-retrieval-docs

384 Views, 0 likes, 0 Comments

Introducing GitHub Enterprise Local (Preview): DevOps for Sovereign and Private Cloud Environments
Across the world, many organizations, particularly in government, defense, financial services, and critical infrastructure, must operate within strict sovereign boundaries, often due to regulatory, security, or disconnected environment requirements. Microsoft’s Sovereign Private Cloud is a customer-operated cloud model designed for scenarios where sovereignty, operational control, and resiliency are non-negotiable. It enables organizations to operate securely and at scale, even in restricted or disconnected environments, while maintaining governance aligned with regulatory and national obligations.

Azure Local is the foundation that makes this possible. With Azure Local, organizations can run critical workloads—including virtual machines, Kubernetes, virtual desktop infrastructure, and AI workloads—on infrastructure they own and control, while still benefiting from Azure-consistent management, governance, and lifecycle operations.

We’re continuing to expand the set of workloads and capabilities supported on Azure Local to meet the needs of organizations operating in sovereign and highly regulated environments. With Microsoft 365 Local, Azure Local now extends beyond infrastructure to support communication and collaboration workloads, enabling productivity and resiliency even in disconnected or restricted conditions. And with Foundry Local, we are supporting modern AI workloads on Azure Local, bringing advanced AI capabilities to infrastructure customers own and operate.

We are excited to announce the public preview of GitHub Enterprise Local, which brings GitHub’s enterprise developer platform into sovereign and private cloud environments. GitHub Enterprise Local is fully hosted on customer-owned infrastructure, enabling organizations to modernize application development while keeping source code, build pipelines, and development artifacts entirely within their own operational boundaries.

What Is GitHub Enterprise Local?
GitHub Enterprise Local enables organizations to deploy GitHub Enterprise Server (GHES) entirely within customer‑owned infrastructure using Azure Local as the underlying private cloud platform. The solution is delivered as a prebuilt virtual machine image that runs on Azure Local and operates fully within the customer’s security and network perimeter. All repositories, metadata, CI/CD workflows, and artifacts remain on‑premises.

GitHub Enterprise Local is designed to run without internet connectivity by default, making it suitable for both connected and fully disconnected or air‑gapped environments. At the same time, it preserves a GitHub‑consistent experience for developers, allowing teams to continue using familiar workflows for source control, collaboration, and automation.

Developer and Platform Capabilities

GitHub Enterprise Local provides a comprehensive set of enterprise developer platform capabilities. Teams can host private repositories, manage organizations, and collaborate through pull requests, branch protection rules, and structured code reviews. Issues, wikis, and project collaboration features are also available, enabling end‑to‑end development workflows within the same platform.

GitHub Enterprise Local can run on either a single-node or multi-node Azure Local instance depending on customer needs. Single‑node Azure Local runs GHES as a standalone VM, ideal for preview, PoC, and low‑risk scenarios focused on simplicity and cost efficiency. For production-oriented deployments, the same single GHES VM can run on a multi‑node Azure Local cluster, where Azure Local provides VM‑level high availability and failover.

For automation and delivery, GitHub Enterprise Local supports GitHub Actions using self‑hosted runners. This allows organizations to build and run CI/CD pipelines entirely within their own environments, with full control over execution context, dependencies, and network access.
GitHub Packages can be used for artifact management, supporting common ecosystems such as npm, NuGet, Maven, and container images.

GitHub Enterprise Local extends modern development workflows with AI-assisted experiences while keeping sensitive data within customer-controlled environments. Developers can use GitHub Copilot in several ways, including as a standalone experience, through Copilot CLI, and in VS Code. They can choose GitHub-managed models by connecting to GitHub.com, or connect directly to model providers from Copilot CLI, allowing source code to avoid passing through GitHub Cloud. Foundry Local provides an on-premises inference layer that keeps prompts, code context, and model execution inside organizational boundaries. Together, these capabilities create a clear integration path across code automation and AI application development, enabling organizations to modernize the developer experience while preserving operational control, compliance, and auditability.

Developer AI Workflow Architecture

This architecture demonstrates how GitHub Enterprise Local serves as the secure, customer-managed foundation for source control, collaboration, and workflow orchestration, enabling developers to layer AI-assisted capabilities through GitHub Copilot, GitHub CLI, and Foundry Local—while ensuring that code, data, and AI execution remain fully within organizational boundaries.

Architecture Overview

GitHub Enterprise Local follows a layered architecture model.

Infrastructure Layer

Azure Local forms the foundation, deployed on Azure Local–certified hardware. It provides:

The virtualization platform for running GitHub Enterprise Local
Infrastructure availability and update management
Customer‑controlled networking, identity, and security policies
Azure Arc‑enabled management for infrastructure lifecycle operations

GitHub Enterprise Local Appliance Layer

GitHub Enterprise Server (GHES) is deployed as a prebuilt virtual machine image on Azure Local.
This VM includes:

The GHES application stack
Persistent data disks for repositories and metadata
Support for replica‑based failover configurations, depending on customer requirements

All application data remains within customer infrastructure boundaries.

Operations Layer

Operational responsibilities are clearly separated:

Azure Local administrators manage the Azure Local infrastructure through Azure
GitHub administrators manage GHES configuration, upgrades, user access, and ongoing maintenance through the GitHub Management control and site admin dashboard

This separation aligns with common enterprise operational models.

Connectivity Modes and Deployment Scenarios

GHES is designed to operate fully offline, making it suitable for air‑gapped and restricted environments. Azure Local complements this capability by supporting both connected and fully disconnected operational modes.

In connected environments, customers can take advantage of centralized management and monitoring of the GHES appliance. In disconnected environments, the entire solution can operate in complete isolation, ensuring compliance with strict sovereignty or security mandates.

This flexibility allows organizations to adopt a deployment model that aligns with their regulatory, operational, and security requirements.

Hardware and Capacity Planning

GitHub Enterprise Local virtual machine sizing depends on customer use cases, including:

Number of developers
Repository size and growth
CI/CD pipeline frequency
Artifact storage requirements

Azure Local supports running GitHub Enterprise Local on both Integrated and Premier hardware solutions, provided sufficient capacity is available. Customers should plan compute, memory, storage, and network resources accordingly.

Minimum recommended requirements

Billing Overview

GitHub Enterprise Local combines user-based application licensing, Azure Local infrastructure-based billing, and separate pricing for AI services such as Copilot and Foundry.
GitHub Enterprise Local is billed per user seat. (GitHub Enterprise license)
Azure Local is billed per physical CPU core. (Azure Local Billing)
Copilot and Foundry have separate service-based pricing. (GitHub Copilot Plans & pricing)

Public Preview Access

GitHub Enterprise Local on Azure Local is available today in public preview. Customers can request access by completing the public preview registration form. Submissions are reviewed as part of the preview onboarding process.

Participate in public preview: GitHub Enterprise Local Preview Sign-Up

Learn More

GitHub Enterprise Local documentation

986 Views, 0 likes, 0 Comments

Announcing Public Preview of Argo CD extension on AKS and Azure Arc enabled Kubernetes clusters
We are excited to announce the public preview of the Argo CD extension for Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes clusters. As GitOps becomes the standard for deploying and operating applications at scale, enterprises need a way to implement GitOps while staying compliant with best practices for security and identity management. The Argo CD extension delivers on this need across 3 pillars:

Trusted Identity and Secure Access

The Argo CD extension integrates with Microsoft Entra ID to provide a secure, enterprise-ready experience for:

Secure authentication using Workload Identity federation to Azure Container Registry (ACR) and Azure DevOps. This removes the need for long-lived credentials or hard-coded secrets in Git repos, moving your CD pipelines closer to a true zero-trust architecture.
Single Sign-On (SSO) using existing Azure identities.

Enterprise-Grade Hardening and Security

This preview introduces several enhancements to improve your security posture:

To minimize the attack surface, the extension’s images are built on Azure Linux, specifically engineered for reduced CVEs and improved baseline security.
Opt in to automatic patch releases to stay current on security fixes while maintaining full control over your change management processes.

Parity with upstream Argo CD

The Argo CD extension is designed to remain fully aligned with the upstream Argo CD open‑source project, so teams can use Argo CD as they do today, with support for:

Configuring the Argo CD extension with high availability (HA) for production‑grade deployments of critical workloads.
Using hub‑and‑spoke architecture for multi‑cluster GitOps scenarios.
Application and ApplicationSet, enabling automated and scalable application delivery across large fleets of clusters.

Getting Started

We invite you to explore the Argo CD extension and provide feedback as we continue to evolve GitOps capabilities for Kubernetes.
To get started today, you can enable the extension on your clusters using the Azure CLI. Argo CD extension management via the Azure Portal will be available in a few weeks.

1.4K Views, 1 like, 1 Comment

Arc Jumpstart Newsletter: March 2025 Edition
We’re thrilled to bring you the latest updates from the Arc Jumpstart team in this month’s newsletter. Whether you are new to the community or a regular Jumpstart contributor, this newsletter will keep you informed about new releases, key events, and opportunities to get involved within the Azure Adaptive Cloud ecosystem. Check back each month for new ways to connect, share your experiences, and learn from others in the Adaptive Cloud community.

372 Views, 1 like, 1 Comment

Announcing Private Preview: ArgoCD through Microsoft GitOps
We're excited to announce the Private Preview for Microsoft GitOps ArgoCD. Delivered as a cluster extension across Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes, Microsoft GitOps delivers a consistent and robust management, security, and deployment experience for ArgoCD across your heterogeneous environments. This capability complements Microsoft GitOps existing support for Flux, which is currently in General Availability.

By signing up for the Private Preview, you'll get access to the ArgoCD cluster extension and the opportunity to connect with and provide feedback to the Microsoft GitOps product group. Sign up today at https://aka.ms/MicrosoftGitOpsPreviewSignup.

Advantages of the current Microsoft GitOps experience for ArgoCD include:

Simplified, templatized deployment as a cluster extension
Managed and automated upgrade reducing overhead
Official supportability and security for enterprise readiness
Integration with Azure identity and authentication

We look forward to continuing to deliver on an exceptional Microsoft GitOps experience across ArgoCD and Flux for customers running containerized workloads not only on Azure, but also on on-premises and other public clouds through Azure Arc.

3.8K Views, 0 likes, 0 Comments

Speed Innovation with Arc-enabled Kubernetes Applications
As our annual Ignite conference begins in Chicago, I am delighted to share the latest in our effort to empower our customers to rapidly build and scale applications across boundaries: Azure Container Storage, Azure Key Vault Secret Store, Arc Gateway, Azure Monitor Pipeline, Workload Identity Federation, new options for AI workloads with AKS Arc, and the launch of our Azure Arc ISV partner program. In addition, we just published a white paper with more details.

In today’s quickly evolving business environment, speed and agility in software innovation are crucial for companies to compete. Organizations of all shapes and sizes need to rapidly build (or buy), deploy, and operate secure, resilient applications to stay competitive. Cloud computing has revolutionized how companies do this with modern, cloud native practices. But many applications don’t just run in the cloud, they run across the vast, distributed landscape that defines customer environments today.

Coles, an Australian supermarket retailer, needed to streamline their development and update process for the applications their customers depend on, whether they are in-store, online or engaged in a hybrid experience using their mobile app. Emirates Global Aluminium needed to optimize production, support advanced AI and automation solutions, enhance cost savings by applying intelligence at the edge, and optimize processing for massive amounts of real-time readings from sensors, machinery, and production lines.

Delivering on the needs of organizations like Coles and Emirates Global Aluminium requires specific technologies that help teams reduce complexity and increase release velocity across the application development lifecycle. I like to think of these in three groups, representing areas of investment for us today and moving forward.

As customers invest in applications to fuel their business, many of these solutions come from the broad ecosystem of independent software vendors (ISVs).
We are taking an ecosystem approach, helping ISVs to develop and market modern, Arc-enabled applications. This is why I am very excited to announce our Azure Arc ISV partner program and our first set of Arc-enabled applications in the Azure Marketplace.

Below is a full list of the announcements we are making for this space at Ignite:

Announcements

New capabilities for the development of enterprise-class Kubernetes applications

Azure Container Storage: At the edge, customers experience multiple challenges with data: sharing, resiliency, storage capacity, space management, and cloud connection, among others. We are proud to announce Azure Container Storage enabled by Azure Arc (ACSA), a first-party Kubernetes native Arc extension designed to solve these customer edge storage needs. ACSA offers high availability and fault tolerance for Kubernetes clusters ReadWriteMany persistent volumes that can be provisioned as Kubernetes native Persistent Volume Claims (PVCs). Available configuration options include keeping data local or transferring it to Azure storage services, such as Blob, ADLSgen2 and OneLake Fabric. ACSA is suitable for production workloads and is available as a standard component of the Azure IoT Operations GA release.

Azure Key Vault Secret Store: Customers need the confidence and scalability that comes with unified secrets management in the cloud, while maintaining disconnection-resilience for operational activities at the edge. To help them with this, the Azure Key Vault Secret Store Extension for Arc-enabled Kubernetes automatically synchronizes secrets from an Azure Key Vault to a Kubernetes cluster for offline access. This means customers can use Azure Key Vault to store, maintain, and rotate secrets, even when running a Kubernetes cluster in a semi-disconnected state.
Synchronized secrets are stored in the cluster secret store, making them available as Kubernetes secrets to be used in all the usual ways—mounted as data volumes or exposed as environment variables to a container in a Pod.

Azure Arc Gateway: Customers face challenges with complex network configurations and multiple endpoints, which can be difficult to manage and secure. The Azure Arc Gateway for Arc-enabled Kubernetes alleviates these issues by reducing the number of required endpoints for using Azure Arc, thereby streamlining the enterprise proxy configuration. This simplification makes it significantly easier for customers to set up their networks and leverage the full capabilities of Azure Arc. By centralizing network traffic through a single, unique endpoint, the Azure Arc Gateway not only enhances security by minimizing the attack surface but also improves operational efficiency by reducing the time and effort needed for network setup and maintenance. This centralized approach ensures that customers can manage their Kubernetes clusters more effectively, providing a seamless and consistent experience across diverse environments.

Azure Monitor Pipeline: As enterprises scale their infrastructure and applications, the volume of observability data naturally increases, and it is challenging to collect telemetry from certain restricted environments. We are extending our Azure Monitor pipeline at the edge to enable customers to collect telemetry at scale from their edge environment and route to Azure Monitor for observability. With Azure Monitor pipeline at edge, customers can collect telemetry from the resources in segmented networks that do not have a line of sight to cloud. Additionally, the pipeline prevents data loss by caching the telemetry locally during intermittent connectivity periods and backfilling to the cloud, improving reliability and resiliency.
Workload Identity Federation: Customers need both simplicity and strong security from their workload identity management, especially when their solutions run in or across distributed environments. Workload Identity Federation delivers this by allowing software workloads running on Kubernetes clusters to access Azure resources without using traditional application credentials like secrets or certificates, which pose security risks. Instead, you can configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP) like Kubernetes. This authentication option eliminates the need for manual credential management and reduces the risk of credential leaks or expirations.

Creating an ecosystem of Arc-enabled Kubernetes applications

Azure Arc ISV partner program: Customers want the ability to utilize third-party (3P) software to build their enterprise applications on Kubernetes. Currently, customers have to run multiple scripts to install any third-party application on an Arc-enabled Kubernetes cluster. We are excited to announce the launch of our Azure Arc ISV ecosystem, which enables Azure to be a one-stop-shop. Now customers can install an application that has been validated on Arc and enabled onto their cluster through the Azure portal. With the click of a button in the Azure portal, users can install MongoDB, Redis, CloudCasa, MinIO, and DataStax on their Arc-enabled Kubernetes cluster. This enables customers to develop using enterprise grade tools on top of Azure Arc. This program will enhance the developer ecosystem as we onboard more and more partners.

Exciting new ways to engage and get started

Join the Adaptive cloud community: Connect with professionals passionate about hybrid, multi-cloud, and edge technologies.
This space is designed for those looking to engage with peers and Microsoft experts, explore the latest in Azure Arc, Azure Local, AKS, and IoT, and expand their knowledge through valuable resources and discussions. Whether you are just starting out or an industry professional, this community is the perfect platform to share insights, ask questions, and grow your skills in the evolving Adaptive cloud ecosystem. Learn more about ways to get involved on our Adaptive cloud GitHub.

Join the Adaptive cloud Community LinkedIn Group
Join the Adaptive cloud Community Teams Channel

Visit Arc Jumpstart: Explore the resources available to help you learn what Azure Arc can do for you and your business. Recent additions include Jumpstart Drops, an opportunity to contribute to and use community contributions, and Jumpstart Agora Hypermarket, an industry scenario bringing the power of the Adaptive cloud approach for retail to life.

I hope you enjoy the week visiting or tuning into Microsoft Ignite. You can find a full listing of opportunities to learn more about our Adaptive cloud approach at Ignite here: aka.ms/AdaptiveCloudIgnite.

826 Views, 3 likes, 1 Comment

Give us your thoughts on running Kubernetes anywhere for a chance to win a $300 USD gift card!
Do you work with Kubernetes? Are you interested in improving the Kubernetes experience across hybrid and multicloud environments? Take the survey below for a chance to win a $300 USD virtual gift card! Must be 18 or older. Survey ends on May 10, 2023.

3.6K Views, 0 likes, 0 Comments