About This Architecture
Multi-region Azure Government authorization boundary architecture that segregates DoD Impact Level 4 (IL4) and Impact Level 5 (IL5) workloads across the Azure Gov Virginia, Texas, DoD East, and DoD Central regions. ExpressRoute circuits connect on-premises USACE Active Directory and NIPRNET users, through the JRSS security stack, to a hub-spoke VNet topology whose transit hubs host a centralized Azure Firewall, Private DNS Resolver, and Log Analytics workspace.

The IL4 zone deploys App Service Environments, SQL Managed Instance, and VMSS web tiers behind an Application Gateway WAF, with CAC authentication enforced via Entra ID Conditional Access and PIM. The IL5 zone isolates AKS clusters, Cosmos DB, and Function Apps within separate trust boundaries enforced by Azure Policy and Defender for Cloud.

This reference architecture demonstrates USACE compliance with DISA BCAP requirements and CUI data protection mandates for federal agencies. Fork this diagram on Diagrams.so to customize subnets, add your agency's security controls, or export it as .drawio for RMF documentation packages.