/vsiaz/ driver does not respect Azure Government Cloud endpoints #13657

@tigerhobbs

Summary

The /vsiaz/ virtual file system driver does not properly support Azure Government Cloud (or other sovereign clouds) endpoints. When configured with Gov Cloud storage credentials, GDAL still attempts to connect to commercial cloud endpoints (core.windows.net) instead of the configured Gov Cloud endpoints (core.usgovcloudapi.net).

Environment

  • GDAL Version: 3.12.1
  • Rasterio Version: 1.5.0
  • Platform: Azure Functions (Linux), Python 3.12
  • Azure Cloud: US Government Cloud (core.usgovcloudapi.net)

Expected Behavior

When using /vsiaz/ with Azure Government Cloud storage credentials, GDAL should:

  1. Respect the EndpointSuffix from the connection string or environment variables
  2. Connect to https://<account>.blob.core.usgovcloudapi.net
  3. Successfully read Cloud Optimized GeoTIFFs using HTTP range requests

Actual Behavior

GDAL attempts to connect to the commercial cloud endpoint regardless of configuration:

CURL error: Could not resolve host: <account>.blob.core.windows.net

Even when Gov Cloud credentials are provided, the driver constructs URLs using core.windows.net instead of core.usgovcloudapi.net.

Steps to Reproduce

Using Python/Rasterio:

import rasterio
import rasterio.env
import os

# Set up Gov Cloud credentials
os.environ['AZURE_STORAGE_ACCOUNT'] = 'mygovaccount'
os.environ['AZURE_STORAGE_ACCESS_KEY'] = 'mykey'
os.environ['AZURE_STORAGE_CONNECTION_STRING'] = 'DefaultEndpointsProtocol=https;AccountName=mygovaccount;AccountKey=mykey;EndpointSuffix=core.usgovcloudapi.net'

# Attempt to open file from Gov Cloud storage
with rasterio.env.Env(
    AZURE_STORAGE_ACCOUNT='mygovaccount',
    AZURE_STORAGE_ACCESS_KEY='mykey',
    AZURE_STORAGE_AUTH_TYPE='Key'
):
    with rasterio.open('/vsiaz/mycontainer/myfile.tif') as src:
        print(src.meta)

Result: Connection fails with DNS error trying to resolve mygovaccount.blob.core.windows.net

Using gdalinfo CLI:

export AZURE_STORAGE_ACCOUNT=mygovaccount
export AZURE_STORAGE_ACCESS_KEY=mykey

gdalinfo /vsiaz/mycontainer/myfile.tif

Result: Same DNS resolution error

Attempted Workarounds

The following environment variables and configurations were attempted without success:

  1. Setting AZURE_STORAGE_CONNECTION_STRING with EndpointSuffix=core.usgovcloudapi.net

    • Not respected by /vsiaz/ driver
  2. Setting AZURE_STORAGE_BLOB_ENDPOINT

    AZURE_STORAGE_BLOB_ENDPOINT='https://mygovaccount.blob.core.usgovcloudapi.net'
    • Causes GDAL to try resolving core.usgovcloudapi.net as a hostname
  3. Setting CPL_AZURE_ENDPOINT

    CPL_AZURE_ENDPOINT='core.usgovcloudapi.net'
    • Same DNS resolution issue
  4. Using /vsicurl/ with full URL

    with rasterio.open('/vsicurl/https://mygovaccount.blob.core.usgovcloudapi.net/container/file.tif') as src:
        print(src.meta)
    • Works but requires manual SAS token generation and doesn't leverage Azure authentication

Impact

This limitation affects:

  • Azure Government Cloud users (US federal agencies, DoD, etc.)
  • Azure China Cloud users (core.chinacloudapi.cn)
  • Azure Germany Cloud users (core.cloudapi.de)

These users cannot leverage Cloud Optimized GeoTIFF streaming capabilities with GDAL/Rasterio and must download entire files, defeating the purpose of COG format for large datasets.

Additional context

No response
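
The expected behavior described in this report (derive the blob endpoint from EndpointSuffix, and notice when a request targets a host outside the intended cloud) can be checked before GDAL is invoked. The following is an added example, not code from the report or from GDAL; the function names are hypothetical and the connection string, key and log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit

COMMERCIAL_SUFFIX = "core.windows.net"  # used when EndpointSuffix is absent

def parse_connection_string(conn_str):
    """Split 'Key=Value;...' pairs on the first '=' (AccountKey is base64 and may end in '=')."""
    fields = {}
    for part in filter(None, (p.strip() for p in conn_str.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {part!r}")
        fields[key] = value
    return fields

def blob_endpoint(conn_str):
    """Blob service URL implied by the connection string."""
    f = parse_connection_string(conn_str)
    if "BlobEndpoint" in f:  # an explicit endpoint overrides the derived one
        return f["BlobEndpoint"].rstrip("/")
    scheme = f.get("DefaultEndpointsProtocol", "https")
    suffix = f.get("EndpointSuffix", COMMERCIAL_SUFFIX)
    return f"{scheme}://{f['AccountName']}.blob.{suffix}"

def host_in_cloud(host, expected_suffix):
    """Dot-anchored match, so 'xcore.usgovcloudapi.net' does not pass as in-cloud."""
    return host.lower().rstrip(".").endswith("." + expected_suffix.lower())

def endpoint_ok(conn_str, expected_suffix):
    """True if the derived endpoint is https and inside the expected cloud."""
    url = urlsplit(blob_endpoint(conn_str))
    return url.scheme == "https" and host_in_cloud(url.hostname or "", expected_suffix)

RESOLVE_ERR = re.compile(r"Could not resolve host: (\S+)")

def hosts_outside_cloud(log_lines, expected_suffix):
    """Hosts from curl resolve errors that fall outside the expected cloud."""
    hosts = (m.group(1) for line in log_lines if (m := RESOLVE_ERR.search(line)))
    return sorted({h for h in hosts if not host_in_cloud(h, expected_suffix)})

# Constructed sample input (placeholder account and key, as in the report).
GOV = "core.usgovcloudapi.net"
CONN = ("DefaultEndpointsProtocol=https;AccountName=mygovaccount;"
        "AccountKey=bXlrZXk=;EndpointSuffix=" + GOV)
LOG = ["CURL error: Could not resolve host: mygovaccount.blob.core.windows.net",
       "CURL error: Could not resolve host: mygovaccount.blob.core.usgovcloudapi.net"]

if __name__ == "__main__":
    print(blob_endpoint(CONN), endpoint_ok(CONN, GOV))
    print(hosts_outside_cloud(LOG, GOV))
```

Running `hosts_outside_cloud` over captured GDAL/curl debug output flags any request that was aimed at a host outside the sovereign-cloud suffix the deployment expects.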
