This article covers how the Secureframe Virtual supports engineering environments, including GPU-backed workstations, network security, access control, and logging.
Region Support
Region ID | Code | Label |
usgovvirginia | va | US Gov Virginia (default) |
usgovarizona | az | US Gov Arizona |
usgovtexas | tx | US Gov Texas |
VM Sizes
Azure VM Size | Label | Specifications | Region Availability |
Standard_D2ds_v4 | Light | 2 vCPUs, 8 GB RAM | All regions |
Standard_D4ds_v4 | Medium | 4 vCPUs, 16 GB RAM | All regions |
Standard_D8ds_v4 | Heavy | 8 vCPUs, 32 GB RAM | All regions |
Standard_NV6ads_A10_v5 | Power (GPU enabled) | 6 vCPUs, 55 GB RAM, 1/6 NVIDIA A10 GPU | Virginia |
Standard_NV4as_v4 | Power (GPU enabled) | 4 vCPUs, 14 GB RAM, 1/8 AMD Radeon MI25 GPU | Arizona |
Hardware & Performance
Instance Types for Engineering Workloads
The Enclave's "Power" instance type, available in the Virginia and Arizona regions, is designed to support GPU-backed engineering workloads including 3D modeling applications like SolidWorks. If the Power instance doesn't meet your hardware requirements, custom instance types are also supported — anything Azure offers within Azure US Government regions can be provisioned.
VDI Latency for CAD Modeling
Interactive performance depends on two factors: the instance hardware meeting the application's recommended specs, and your proximity to the data center. Round-trip times of approximately 50ms are realistic when connecting to a nearby region — this is nearly indistinguishable from working on a local device. As a reference point, connecting from Toronto to the Virginia region (~1,000km) achieves this.
Infrastructure & Server Support
Engineering Workstations
GPU-backed Power instances can be provisioned to support a team of engineering workstations.
PDM Vault and SQL Servers
Supporting shared servers — such as a SolidWorks PDM vault or a dedicated SQL Server — accessible to multiple virtual desktops is not available out of the box today. Currently, virtual desktops are isolated from each other on the network by default. Adding server infrastructure that desktops can communicate with is something Secureframe can support, but it requires coordination. Reach out to your Secureframe contact to discuss your specific architecture needs.
Network Security & Boundary
How the Enclave Boundary Works
Virtual desktops are placed on an isolated virtual network. A network security group is applied to the subnet, which does two things:
Blocks communication between virtual desktops (compartmentalization of CUI)
Denies all inbound traffic from the public internet
The only allowed connectivity is outbound via a NAT gateway, or remote desktop connections mediated through Azure Virtual Desktop.
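The two boundary properties above can be checked against a network security group's rule list. The following is an added example, not Secureframe's code or configuration: it evaluates inbound rules in priority order and reports whether desktop-to-desktop or internet-inbound traffic would be allowed. The address space, the DenyDesktopToDesktop rule and the simplified handling of service tags are assumptions, and ports and protocols are not modelled.

```python
import ipaddress

VNET = ipaddress.ip_network("10.20.0.0/24")  # constructed desktop subnet

def rule(name, priority, access, src, dst, direction="Inbound"):
    return {"name": name, "priority": priority, "access": access, "direction": direction,
            "sourceAddressPrefix": src, "destinationAddressPrefix": dst}

# Azure's built-in inbound defaults; priority 65000 allows VNet-to-VNet traffic.
DEFAULTS = [
    rule("AllowVNetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]
# Hypothetical custom rule that isolates desktops from each other.
ISOLATE = rule("DenyDesktopToDesktop", 100, "Deny", str(VNET), str(VNET))

def matches(prefix, ip):
    """Match an NSG address prefix (wildcard, service tag or CIDR) against an IP."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":   # simplification: the tag equals this VNet
        return addr in VNET
    if prefix == "Internet":         # simplification: anything outside the VNet
        return addr not in VNET
    try:
        return addr in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False                 # service tags not modelled here never match

def effective_access(rules, src, dst, direction="Inbound"):
    """The lowest-numbered matching rule decides the flow."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == direction and matches(r["sourceAddressPrefix"], src)
                and matches(r["destinationAddressPrefix"], dst)):
            return r["access"], r["name"]
    return "Deny", "(no matching rule)"

def audit(rules, desktop_a="10.20.0.4", desktop_b="10.20.0.5", outside="203.0.113.10"):
    """Return a finding for each boundary property the rule set violates."""
    flows = {"desktop-to-desktop": (desktop_a, desktop_b),
             "internet inbound": (outside, desktop_a)}
    findings = []
    for label, (src, dst) in flows.items():
        access, name = effective_access(rules, src, dst)
        if access == "Allow":
            findings.append(f"{label} traffic allowed by {name}")
    return findings

if __name__ == "__main__":
    print(audit(DEFAULTS), audit(DEFAULTS + [ISOLATE]))
```

With only the default rules, the audit flags desktop-to-desktop traffic, which is why an explicit deny rule at a lower priority number is needed for the compartmentalization described above.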
Replacing On-Prem VLAN Segmentation
For organizations currently relying on Hyper-V or VLAN-based segmentation to isolate CUI, the Enclave's network architecture provides an equivalent boundary without requiring on-prem infrastructure management.
Access Control
How User Access is Granted
Secureframe automatically configures role assignments based on the Entra accounts assigned to machines within the Secureframe application. Only users explicitly assigned to a virtual desktop will be able to access it. Assigned users will see their virtual desktops appear directly in their Windows app.
Logging & Monitoring
Built-in Logging
Secureframe is rolling out automatic configuration of logging and alerting via Azure Log Analytics for Enclave environments.
Frequently Asked Questions (FAQ)
Can the enclave support a PDM vault and SQL server?
This is critical because it's the one area where the answer is "not out of the box yet" — prospects need to know this upfront so there are no surprises mid-sale.
Will VDI performance handle real-time 3D CAD modeling?
This is usually the first objection in any VDI conversation. Having a clear, confident answer with real latency numbers (~50ms, Toronto to Virginia example) makes it very defensible.
How is the network boundary enforced?
For CMMC/CUI use cases, auditors are going to ask exactly this. The answer is specific and strong — isolated VNet, NSG blocking inter-desktop traffic, no public inbound — and worth surfacing prominently.
