Step 1: Pick an Identity Provider
Azure Stack Identity Options
Azure Stack Identity Requirements
Step 2: Pick a Billing Model
Azure Stack Billing Options
Azure Stack Billing Option Retail Pricing
Azure Stack Registration Requirements
HPE GreenLake Flex Capacity for Microsoft Azure Stack: lower cost, elastic capacity, enterprise support for Hybrid IT
Domain Names
Certificates: Subject Alternative Names

Required certificate subject and subject alternative names (SAN) per deployment folder (notes 1, 3), with the scope (per region) and the subdomain namespace (note 1) each one covers:
– Public Portal: portal.<region>.<fqdn>; scope: Portals; subdomain namespace: <region>.<fqdn>
– Admin Portal: adminportal.<region>.<fqdn>; scope: Portals; subdomain namespace: <region>.<fqdn>
– Azure Resource Manager Public: management.<region>.<fqdn>; scope: Azure Resource Manager; subdomain namespace: <region>.<fqdn>
– Azure Resource Manager Admin: adminmanagement.<region>.<fqdn>; scope: Azure Resource Manager; subdomain namespace: <region>.<fqdn>
– ACSBlob: *.blob.<region>.<fqdn>; scope: Blob Storage; subdomain namespace: blob.<region>.<fqdn>
– ACSTable: *.table.<region>.<fqdn>; scope: Table Storage; subdomain namespace: table.<region>.<fqdn>
– ACSQueue: *.queue.<region>.<fqdn>; scope: Queue Storage; subdomain namespace: queue.<region>.<fqdn>
– KeyVault: *.vault.<region>.<fqdn>; scope: Key Vault; subdomain namespace: vault.<region>.<fqdn>
– KeyVaultInternal: *.adminvault.<region>.<fqdn>; scope: Internal Keyvault; subdomain namespace: adminvault.<region>.<fqdn>
– Admin Extension Host: *.adminhosting.<region>.<fqdn>; scope: Admin Extension Host; subdomain namespace: adminhosting.<region>.<fqdn>
– Public Extension Host: *.hosting.<region>.<fqdn>; scope: Public Extension Host; subdomain namespace: hosting.<region>.<fqdn>
– ADFS (note 2): adfs.<region>.<fqdn>; scope: ADFS; subdomain namespace: <region>.<fqdn>
– Graph (note 2): graph.<region>.<fqdn>; scope: Graph; subdomain namespace: <region>.<fqdn>
1 <fqdn> represents the external domain name of the Azure Stack instance
2 only required when ADFS is used as the identity provider
3 an asterisk (*) indicates a wildcard
Certificates: Requirements
– Certificates must be issued from either an internal CA or a public CA.
– Network access must exist to the certificate authority used to sign the certificates.
– The use of self-signed certificates is not supported.
– A single wildcard certificate covering all namespaces in the Subject Alternative Name (SAN) field can be used.
– The certificate signature algorithm must be stronger than SHA1.
– The certificate format must be PFX, as both the public and private keys are required for Azure Stack installation.
– The certificate PFX files must have the values "Digital Signature" and "Key Encipherment" in the "Key Usage" field.
– The certificate PFX files must have the values "Server Authentication (1.3.6.1.5.5.7.3.1)" and "Client Authentication (1.3.6.1.5.5.7.3.2)" in the "Enhanced Key Usage" field.
– The certificate's "Issued to:" field must not be the same as its "Issued by:" field.
– The passwords to all certificate PFX files must be the same at the time of deployment.
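As an added example (not part of the HPE deck or of any Microsoft tooling), the following PowerShell function checks one deployment-folder PFX against the requirements above and confirms its SAN covers the names the SAN table requires for that folder. It assumes Windows PowerShell 5.1 or later on Windows (the SAN text comes from the CAPI formatter), and the function name, the example path and the example host names are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not from the deck: checks one deployment-folder PFX against the
# requirements above and verifies its SAN covers the names the folder needs.
# Assumes Windows PowerShell 5.1+ (SAN text from the Windows CAPI formatter) and
# that $RequiredNames are already expanded, e.g. 'portal.east.azurestack.example.com'.
function Test-AzsPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [string[]]$RequiredNames = @()
    )
    $full = (Resolve-Path $Path).Path
    $cert = [X509Certificate2]::new($full, $Password, [X509KeyStorageFlags]::DefaultKeySet)
    $findings = @()
    if (-not $cert.HasPrivateKey) { $findings += 'PFX does not contain the private key' }
    $sig = $cert.SignatureAlgorithm.FriendlyName              # e.g. sha256RSA, sha1RSA
    if ($sig -match '^(md5|sha1)') { $findings += "Signature algorithm $sig is not stronger than SHA1" }
    if ($cert.Subject -eq $cert.Issuer) { $findings += '"Issued to" equals "Issued by" (self-signed)' }
    $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $needKu = [X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or (($ku.KeyUsages -band $needKu) -ne $needKu)) {
        $findings += 'Key Usage must include Digital Signature and Key Encipherment'
    }
    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {   # Server / Client Authentication
        if ($ekuOids -notcontains $oid) { $findings += "Enhanced Key Usage is missing $oid" }
    }
    # SAN coverage. A wildcard matches exactly one label, so *.<region>.<fqdn> covers
    # portal.<region>.<fqdn> but not *.blob.<region>.<fqdn>, which needs its own entry.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @($sanExt.Format($false) -split ',\s*' |
                  Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_.Substring(9) })
    }
    foreach ($name in $RequiredNames) {
        $wild = if ($name.StartsWith('*')) { $null } else { '*' + $name.Substring($name.IndexOf('.')) }
        if ($sans -notcontains $name -and ($null -eq $wild -or $sans -notcontains $wild)) {
            $findings += "SAN does not cover $name"
        }
    }
    [pscustomobject]@{ Path = $full; Passed = ($findings.Count -eq 0); Findings = $findings }
}
# Example call. Use one password for every PFX in the deployment folders, which is
# itself one of the requirements above.
# $pw = Read-Host -AsSecureString 'PFX password'
# Test-AzsPfx -Path .\Portals\portal.pfx -Password $pw -RequiredNames 'portal.east.azurestack.example.com'
```

Running it over every folder with the same password also exercises the shared-password requirement; a PFX that opens with that password for one folder but not another fails the check before deployment rather than during it.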
Certificates: Requirements for SQL, MySQL, and App Service Resource Providers

Required certificate subject and subject alternative names (SAN) (notes 1, 2) for the App Service resource provider, with scope (per region) and subdomain namespace (note 1):
– App Service (note 3): *.appservice.<region>.<fqdn>, *.scm.appservice.<region>.<fqdn>, *.sso.appservice.<region>.<fqdn>; subdomain namespaces: appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>
– App Service (note 4): api.appservice.<region>.<fqdn>; subdomain namespaces: appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>
– App Service (note 4): ftp.appservice.<region>.<fqdn>; subdomain namespaces: appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>
– App Service (note 4): sso.appservice.<region>.<fqdn>; subdomain namespaces: appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>
1 <fqdn> represents the external domain name of the Azure Stack instance
2 an asterisk (*) indicates a wildcard
3 Requires one certificate with multiple wildcard SANs; multiple wildcard SANs on a single certificate might not be supported by all CAs
4 The App Service resource provider explicitly requires the use of separate certificates for these endpoints
Step 4: Provide your network information
Network Environmental Parameters
– Time synchronization (NTP) servers
– DNS forwarders: comma-separated IP addresses
– Syslog server: IP address (optional)
– Network subnets: 5 (or more) subnets dedicated to the Azure Stack deployment
– Route exchange: BGP or static routes are supported between TORs and uplink switches
– Autonomous System Number (ASN) for uplink switches if BGP is selected
– ASN for TORs
– ASN for Azure Stack (aka SLB/MUX)
Subnet Information: BMC Network
– Access to HLH RDP through TOR
– Access to the Azure public cloud**
– OneView appliance
– Optional connectivity to OneView web console through TOR
– Access to DNS forwarders and time servers*
*Minimal traffic and throughput required
**For Azure AD connected deployments
[Diagram: Hardware Lifecycle Host (Hyper-V, NIC team, BMC) and Azure Stack Hosts (Hyper-V, NIC team, BMC) connected to the BMC switch, TOR switch and BOR switch, with NAT/tProxy and software gateway toward the Internet]
Storage & Internal VIPs Network
– Private network
– Never leaves the rack
– Storage replication
– Internal VIPs
– Virtual IPs for Azure Stack infrastructure
– Used internally by Azure Stack components
[Diagram: rack topology (Hardware Lifecycle Host, Azure Stack Hosts, BMC/TOR/BOR switches, NAT/tProxy, software gateway, Internet)]
Infrastructure Network
*Minimal traffic and throughput required
**For Azure AD connected deployments
[Diagram: rack topology (Hardware Lifecycle Host, Azure Stack Hosts, BMC/TOR/BOR switches, NAT/tProxy, software gateway, Internet)]
External Network
*True of most 'connected' scenarios
**For Azure AD connected deployments
[Diagram: rack topology (Azure Stack Hosts, BMC/TOR switches, NAT/tProxy, software gateway, Internet)]
Inbound/Outbound Protocol Requirements*

Inbound (endpoint VIP: DNS host A record, protocol)
– AD FS: adfs.<region>.<fqdn>, HTTPS
– Portal (administrator): adminportal.<region>.<fqdn>, HTTPS
– Azure Resource Manager (administrator): adminmanagement.<region>.<fqdn>, HTTPS
– Portal (user): portal.<region>.<fqdn>, HTTPS
– Azure Resource Manager (user): management.<region>.<fqdn>, HTTPS
– Graph: graph.<region>.<fqdn>, HTTPS
– Certificate revocation list: crl.<region>.<fqdn>, HTTP
– DNS: *.<region>.<fqdn>, TCP, UDP
– Key Vault (user): *.vault.<region>.<fqdn>, HTTPS
– Key Vault (administrator): *.adminvault.<region>.<fqdn>, HTTPS
– Storage Queue: *.queue.<region>.<fqdn>, HTTP, HTTPS
– Storage Table: *.table.<region>.<fqdn>, HTTP, HTTPS
– Storage Blob: *.blob.<region>.<fqdn>, HTTP, HTTPS
– SQL Resource Provider: sqladapter.dbadapter.<region>.<fqdn>, HTTPS
– MySQL Resource Provider: mysqladapter.dbadapter.<region>.<fqdn>, HTTPS
– App Service: *.appservice.<region>.<fqdn>, TCP; *.scm.appservice.<region>.<fqdn>, TCP; api.appservice.<region>.<fqdn>, TCP; ftp.appservice.<region>.<fqdn>, TCP, UDP

Outbound (purpose: URL, protocol)
– Identity (notes 1, 2): login.windows.net, login.microsoftonline.com, graph.windows.net, https://management.azure.com, https://*.blob.core.windows.net; HTTP, HTTPS
– Marketplace syndication: https://*.azureedge.net, https://*.microsoftazurestack.com; HTTPS
– Patch & Update (note 1): https://*.azureedge.net; HTTPS
– Registration: https://management.azure.com; HTTPS
– Usage: https://*.microsoftazurestack.com, https://*.trafficmanager.com; HTTPS
– Insight Remote Support (note 2): https://api.support.hpe.com; HTTPS

*Additional port information available at: https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-integrate-endpoints
1 Required by Infrastructure network
2 Required by BMC network
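As an added example (not part of the deck), this PowerShell function turns the table above into a pre-deployment check: it resolves each inbound DNS host A record for a given <region>.<fqdn> and tests TCP 443 to the outbound hosts that have a concrete name. The function name, the 'probe' label used to exercise wildcard records, and the example region and domain are assumptions.

```powershell
# Added example, not from the deck: checks that the inbound DNS host A records listed
# above resolve and that the outbound identity/registration/support hosts answer on
# TCP 443. Assumes Windows PowerShell 5.1+ with Resolve-DnsName and Test-NetConnection;
# region and FQDN values are placeholders.
function Test-AzsEndpoints {
    param(
        [Parameter(Mandatory)][string]$Region,
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$DnsServer            # optional: query one of the DNS forwarders directly
    )
    $base = "$Region.$Fqdn"
    # Inbound names from the table. Wildcard records (*.vault, *.blob, ...) are probed
    # with an arbitrary 'probe' label, which is this example's convention, not the deck's.
    $inbound = 'adminportal', 'adminmanagement', 'portal', 'management', 'graph', 'crl',
               'probe.vault', 'probe.adminvault', 'probe.blob', 'probe.queue', 'probe.table',
               'sqladapter.dbadapter', 'mysqladapter.dbadapter' | ForEach-Object { "${_}.$base" }
    # Outbound hosts from the table that have a concrete name; wildcard CDN entries
    # such as *.azureedge.net cannot be probed without a real host behind them.
    $outbound = 'login.windows.net', 'login.microsoftonline.com', 'graph.windows.net',
                'management.azure.com', 'api.support.hpe.com'
    $results = @(foreach ($name in $inbound) {
        $query = @{ Name = $name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' })
        $detail = if ($records.Count) { $records.IPAddress -join ',' } else { 'no A record' }
        [pscustomobject]@{ Direction = 'Inbound'; Target = $name; Ok = ($records.Count -gt 0); Detail = $detail }
    })
    $results += @(foreach ($h in $outbound) {
        $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Direction = 'Outbound'; Target = "${h}:443"; Ok = $tnc.TcpTestSucceeded; Detail = "$($tnc.RemoteAddress)" }
    })
    $results
}
# Example call; any row with Ok = False is a DNS delegation or firewall/proxy gap to close
# before deployment (the admin and user VIPs must resolve from where the portals are used).
# Test-AzsEndpoints -Region 'east' -Fqdn 'azurestack.example.com' | Format-Table -AutoSize
```

Run it once from the Infrastructure network side and once from a BMC-network host, since the notes above mark Identity and Insight Remote Support as required on different networks.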
Switch Infrastructure Network
– BMC, TOR, and BOR switches
– Inter-switch communications
– Access to DNS forwarders and time servers
– Access to Syslog server
[Diagram: rack topology (Hardware Lifecycle Host, Azure Stack Hosts, BMC/TOR/BOR switches, NAT/tProxy, software gateway, Internet)]

Switch Infrastructure Network: All together
[Diagram: all of the above networks, including the BMC network, drawn on the same rack topology]
High-level Integration (initial release)
– Up-stream switching
– Redundant pair of switches (Border/BOR)
– Part of the customer's existing network
[Diagram: Border Device Rack with BOR1/BOR2 and iLO, /30 point-to-point links down to the Azure Stack rack, BMC]

BGP Routing Integration Option
– Dynamic BGP advertisement to TORs
[Diagram: Border Device Rack, BOR1/BOR2 (ASN 648x1) peering with the TORs (ASN 647x1) over /30 fault-domain links, BMC]

Static Routing Integration Option
– Static routes: Infrastructure (inbound)
– BOR static routes to TORs
– TOR static default route (0.0.0.0/0) to BORs
– Dynamic BGP advertisement to the software load balancer (SLB): internal VIPs, external VIPs
[Diagram: Border Device Rack (BOR1/BOR2) above the Azure Stack rack (TOR1/TOR2 as VPC/MLAG peers, public VIPs, software load balancer, BMC management, switch management), /30 point-to-point links per fault domain]

TOR example (HPE Comware syntax): a static default route toward the BORs, an iBGP peer (the second TOR, same ASN 647x1) and a dynamic peer group on 10.1.81.0/24 in ASN 648x1 for the advertisement to the SLB:

# TOR Example
ip route-static 0.0.0.0 0 10.1.80.0
#
bgp 647x1
 router-id 10.1.80.12
 peer 10.1.80.11 as-number 647x1
 peer 10.1.81.0 24 as-number 648x1
 peer 10.1.81.0 24 connect-interface LoopBack0
 peer 10.1.81.0 24 ebgp-max-hop 2
 #
 address-family ipv4 unicast
  bestroute as-path-neglect
  balance 8
  balance as-path-neglect
  network 10.1.80.8 255.255.255.254
  network 10.1.80.12 255.255.255.255
  network 10.1.80.16 255.255.255.254
  network 10.1.81.0 255.255.255.0
  network 10.1.82.0 255.255.255.128
  peer 10.1.80.11 enable
  peer 10.1.81.0 24 enable

External Connectivity
[Diagram: existing network (Edge, Internet) connected to the Border Device Rack, then to the TOR and BMC]

Tenant Connectivity
– Provider network
– Express Route
– vNET IP ranges can overlap
– Internet (NAT)
– Public IP (optional inbound)
[Diagram: Azure Public Cloud and Customer Network reaching the Border Device Rack through the Express Route Edge, Internet Edge, Customer Edge Switch and Border Switches]