LaunchDarkly in federal environments
Read time: 4 minutes
Last edited: Mar 28, 2024
Overview
This topic explains how the version of LaunchDarkly that is available on domains controlled by the United States government is different from the version of LaunchDarkly available to the general public. If you are an employee or contractor for a United States federal agency and use LaunchDarkly in your work, you likely use the federal instance of LaunchDarkly. This instance is compliant with the United States government's Federal Risk and Authorization Management Program (FedRAMP).
In order to maintain FedRAMP compliance, LaunchDarkly's federal instance uses enhanced infrastructure and security configurations compared to the generally available instance of LaunchDarkly. Many components that function automatically in the generally available instance instead use encryption, authentication, or require authorization to perform functions in the federal instance. In addition, third-party components that are federally compliant, such as AWS and Datadog, have policies and agents enabled to maintain compliance when connecting to LaunchDarkly.
Using the federal version of this docs site
You can view a federal instance-specific version of this documentation site.
The federal version of the docs site is different from the standard version in the following ways:
- Federal instance URLs display with
.usURLs, including within code samples. To learn more, read Understanding federal instance URLs. - Features and integrations that the federal instance does not support are marked with a warning message. To learn more, read Supported features.
To view the federal instance-specific version of this documentation site, change the site version menu to "Federal docs":
Understanding which features are available in the federal instance
The LaunchDarkly federal instance has near-parity with the generally available LaunchDarkly instance. There are some exceptions, which are explained below.
Supported features
The federal instance supports the following features:
- Core flagging features through the LaunchDarkly application and API
- Code references, if the
ld-find-code-refsutility is compiled with FIPS 140-2 support - Customer metrics
- Data Export to Amazon Kinesis
- Experimentation
- The Relay Proxy
- SDKs
The federal instance does not support the following features:
- Live events
- The Cloudflare SDK
- The Roku SDK
- The Vercel SDK
- Inbox notifications for approval requests
- The Billing tab
- Certain areas of the Usage tab
- The quick search bar
- Some mobile lifecycle features are partially supported. Federal customers cannot target based on supported or unsupported status, and do not have applications created automatically. To learn more about these features, read Applications and application versions.
Supported integrations
Integrations connect LaunchDarkly to other systems and move data between them. However, not all of the following connected systems are FedRAMP-authorized, so you may need additional approvals from your FedRAMP sponsor to use them. It is your responsibility as a LaunchDarkly customer to ensure that any systems you connect to LaunchDarkly are authorized appropriately.
The federal instance supports the following integrations:
- AppDynamics
- Datadog
- Dynatrace
- Elastic (ELK) Stack
- Grafana
- Honeycomb
- Mezmo
- Microsoft Teams incoming webhooks
- New Relic One
- Slack Incoming Webhooks
- Splunk
- Splunk Observability Cloud
- Terraform
The federal instance does not support any other LaunchDarkly integrations.
Understanding federal instance URLs
The federal instance, including the LaunchDarkly application, the federal instance API, and some SDK initialization option settings, does not use the standard .com URL path. Instead, it uses the US government's .us URL path. If application or network layer firewalls are in use on your network, they will need to allowlist these URLs for LaunchDarkly to function properly.
These URLs include:
- https://app.launchdarkly.us
- https://clientsdk.launchdarkly.us
- https://clientstream.launchdarkly.us
- https://events.launchdarkly.us
- https://sdk.launchdarkly.us
- https://stream.launchdarkly.us
Initializing an SDK for the federal instance
You can initialize an SDK for the federal instance using the initialization options for the SDK.
Depending on the SDK, you may need to configure multiple service endpoints in the initialization options. These could include the base and polling endpoint, streaming endpoint, and events endpoint. Server-side SDKs normally require streaming and events settings, not polling. For a list of available service endpoints, read Understanding federal instance URLs.
The details of how to set these options differ between SDKs, as LaunchDarkly respects each language's URI and URL naming conventions and supported services. For this reason, it is critical to reference the documentation for each individual SDK.
Configure your SDK: Service endpoint configuration
Using open-source LaunchDarkly components with FIPS 140-2 encryption
If you are using the LaunchDarkly Relay Proxy or code references, you may need to take additional steps to ensure these components are using FIPS 140-2 validated encryption modules. The LaunchDarkly federal instance uses FIPS 140-2 validated encryption modules in all applicable places. To learn more, read LaunchDarkly in environments requiring FIPS 140-2 validated encryption modules.