Version: 1.0.0

Phase 04: Azure Management Infrastructure


DOCUMENT CATEGORY: Runbook
SCOPE: Azure management resources deployment
PURPOSE: Deploy networking, VMs, and monitoring resources
MASTER REFERENCE: Microsoft Learn - Azure Networking

Status: Active

Overview

This phase deploys all Azure-side infrastructure needed for Azure Local management and operations. The deployment is organized into three steps:

  1. Deploy Infrastructure — Provision Azure networking, security, and VM resources (choose CI/CD or manual)
  2. Management Servers — Record the management VM workloads (AD DS, utility server, NDM, Lighthouse, WAC) as variables; their OS-level configuration runs later, in Part 5
  3. Validate — Verify connectivity and service health
Hybrid Connectivity Required

This phase deploys resources in Azure. Site-to-Site VPN or ExpressRoute connectivity between Azure and your on-premises environment is required for management VMs to communicate with Azure Local clusters. Ensure hybrid connectivity is planned before proceeding.

flowchart LR
A["Step 1\nDeploy Infrastructure"] --> B["Step 2\nConfigure VMs"]
B --> C["Step 3\nValidate"]

A1[CI/CD Pipeline] --> A
A2[Manual Deployment] --> A

Step 1: Deploy Infrastructure

Provision Azure networking, platform resources, and management VMs. Two deployment methods are available: the CI/CD pipeline or manual deployment. Choose the one that best suits your needs.

CI/CD Pipeline (✅ Recommended for production deployments)

Deploy the complete Azure management infrastructure using the automated CI/CD Pipeline with the azurelocal-toolkit Terraform modules.

Benefits:

  • ✅ Consistent, repeatable deployments
  • ✅ Infrastructure as Code (IaC) with version control
  • ✅ Automated testing and validation
  • ✅ Proper state management via CI/CD pipeline
  • ✅ Faster deployment with parallel resource creation

Repository: github.com/AzureLocal/azurelocal-toolkit

CI/CD Module Scope

The CI/CD module deploys core infrastructure but has the following limitations:

Not Included in CI/CD Module:

  • Management VM workloads — OS-level configuration (AD DS, WAC, etc.) is always manual — see Management Servers

Fixed Configuration:

For deployments that need components outside the module's scope, or a custom landing zone, supplement the pipeline with the Manual Deployment steps.

👉 Go to CI/CD Pipeline Deployment


Step 2: Management Servers

Capture management server details as variables for use across all deployment phases. Configuration tasks run in Part 5 alongside the services that consume each server.

👉 Go to Management Servers

Server | Variable Key | Role | Configuration Phase
--- | --- | --- | ---
Domain Controllers (dc1, dc2) | compute.vms.management.dc1/dc2 | Active Directory, DNS | Environment-specific
Jumpbox / Utility | compute.vms.management.jumpbox | Admin jump server | Part 5, Phase 02, Task 05
Windows Admin Center | compute.vms.management.wac | Cluster management portal | Part 5, Phase 02, Task 05
Syslog / NDM | compute.vms.management.syslog | Syslog + SNMP receiver | Part 5, Phase 02, Task 07
Deployment-Agnostic

These servers can reside in Azure, Azure Local, or on-premises. Set deployment_target: azure | azurelocal | onprem per server in your variables. See Management Servers for all variable details.


Step 3: Validate

After the Step 1 infrastructure is deployed and the Step 2 server variables are captured, verify:

  • The VPN connection reports Connected and traffic flows in both directions between Azure and on-premises
  • Domain Controllers answer LDAP and Kerberos, and DNS resolves the domain's service (SRV) records
  • Jumpbox can reach Azure Local cluster nodes
  • Management server variables are captured in config/variables.yml
  • Log Analytics Workspace is receiving data (for example, agent heartbeats)
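The checks above, scripted so they can be run from the jumpbox and gated in a pipeline. This is an added example, not code from the azurelocal-toolkit or this runbook; it assumes the Az PowerShell modules are installed, that Connect-AzAccount has been run, and that every resource and host name in the param block is a placeholder for your environment.

```powershell
#Requires -Modules Az.Network, Az.OperationalInsights
<#
  Added example, not part of the azurelocal-toolkit: Step 3 checks run from the jumpbox
  after Connect-AzAccount. Every default below is a placeholder for your environment.
#>
[CmdletBinding()]
param(
    [string]   $ResourceGroup     = 'rg-azlocal-mgmt',             # assumption
    [string]   $VpnConnectionName = 'cn-site1',                    # assumption
    [string]   $DomainFqdn        = 'corp.example.com',            # assumption
    [string[]] $DomainControllers = @('dc1', 'dc2'),               # compute.vms.management.dc1/dc2
    [string[]] $ClusterNodes      = @('azl-node1', 'azl-node2'),   # assumption: cluster node hostnames
    [string]   $WorkspaceName     = 'law-azlocal-mgmt',            # assumption
    [string]   $VariablesFile     = 'config/variables.yml'
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. VPN tunnel: only 'Connected' passes; the byte counters show traffic is flowing, not just that IKE negotiated.
$conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup -Name $VpnConnectionName
Add-Result 'VPN connection' ($conn.ConnectionStatus -eq 'Connected') `
    "status=$($conn.ConnectionStatus) in=$($conn.IngressBytesTransferred)B out=$($conn.EgressBytesTransferred)B"

# 2. Domain controllers: LDAP (389) and Kerberos (88) reachable, and each DC's DNS answers the DC-locator SRV query.
foreach ($dc in $DomainControllers) {
    $fqdn = "$dc.$DomainFqdn"
    $ldap = Test-NetConnection -ComputerName $fqdn -Port 389 -WarningAction SilentlyContinue
    $krb  = Test-NetConnection -ComputerName $fqdn -Port 88  -WarningAction SilentlyContinue
    Add-Result "DC $dc ports" ($ldap.TcpTestSucceeded -and $krb.TcpTestSucceeded) `
        "ldap=$($ldap.TcpTestSucceeded) kerberos=$($krb.TcpTestSucceeded)"
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -Server $fqdn -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV')
    Add-Result "DC $dc DNS" ($srv.Count -gt 0) "SRV answers=$($srv.Count)"
}

# 3. Jumpbox -> cluster nodes over WinRM (TCP 5985), the transport WAC and remote PowerShell use.
foreach ($node in $ClusterNodes) {
    $t = Test-NetConnection -ComputerName $node -Port 5985 -WarningAction SilentlyContinue
    Add-Result "Node $node WinRM" $t.TcpTestSucceeded "remote=$($t.RemoteAddress)"
}

# 4. config/variables.yml exists and names every management server key from the Step 2 table.
$requiredKeys = 'dc1', 'dc2', 'jumpbox', 'wac', 'syslog'
if (Test-Path $VariablesFile) {
    $yaml    = Get-Content $VariablesFile -Raw
    $missing = @($requiredKeys | Where-Object { $yaml -notmatch "(?m)^\s*$_\s*:" })
    Add-Result 'variables.yml keys' ($missing.Count -eq 0) "missing=$($missing -join ',')"
} else {
    Add-Result 'variables.yml keys' $false "not found: $VariablesFile"
}

# 5. Log Analytics: at least one agent heartbeat in the last hour proves ingestion end to end.
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$q    = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId `
            -Query 'Heartbeat | where TimeGenerated > ago(1h) | summarize n = count() by Computer'
$rows = @($q.Results)
Add-Result 'Log Analytics ingest' ($rows.Count -gt 0) "computers reporting=$($rows.Count)"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit lets a pipeline gate fail on any failed check
```

Run it on the jumpbox as `.\Test-Phase04.ps1 -ResourceGroup <rg> -VpnConnectionName <name> -DomainFqdn <domain>`; a non-zero exit code marks the phase as failed. The SRV query is deliberately sent to each DC rather than to the resolver the jumpbox happens to use, so a DC whose DNS zone did not replicate shows up as its own failed row.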

Component Summary

All components deployed across Steps 1 and 2:

Management Mode (Once per Environment)

Infrastructure Resources (Step 1)

Component | Classification | CI/CD Module | Manual | Purpose
--- | --- | --- | --- | ---
Virtual Network & Subnets | Required | | | Azure Local management network
VPN Gateway | Required | | | Site-to-site connectivity to on-prem
VPN Connection | Required | | | Establish tunnel to on-prem site
Azure Bastion | Recommended | | | Secure RDP/SSH access to VMs
Network Security Groups | Required | | | Subnet-level security rules
NAT Gateway | Required | | | Outbound internet for management VMs
Arc Gateway | Optional | | | Azure Arc hybrid connectivity
Log Analytics Workspace | Recommended | | | Monitoring and HCI Insights
Key Vault | Required | | | Secrets management (passwords, keys)
Management VMs | Required | ⚠️ Optional | | DC, Utility/Jumpbox, WAC, Syslog VMs

Management Servers (Step 2)

Server | Variable Key | Role | Configuration
--- | --- | --- | ---
Domain Controllers | compute.vms.management.dc1/dc2 | Active Directory, DNS | Environment-specific
Jumpbox / Utility Server | compute.vms.management.jumpbox | Jump server, admin tooling | Part 5, Phase 02, Task 05
Windows Admin Center | compute.vms.management.wac | Web-based cluster management | Part 5, Phase 02, Task 05
Syslog / NDM Server | compute.vms.management.syslog | rsyslog + SNMP → Azure Monitor | Part 5, Phase 02, Task 07

Cluster Mode (Once per Cluster)

Cluster-specific resources are deployed separately for each Azure Local cluster:

  • VPN Connection (Local Network Gateway + Connection): Deploy per-site
  • Cluster Key Vault: See cluster deployment stages
  • Cluster Log Analytics Workspace: See cluster deployment stages

Prerequisites

Before starting this phase, ensure:

Next Steps

After completing this phase:

  1. Verify VPN connectivity with on-premises network team
  2. Configure AD sites and services on Domain Controllers
  3. Store credentials in Key Vault (admin passwords, service accounts)
  4. Proceed to Phase 05: Identity & Access Management
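Step 3 of the list above, storing credentials in Key Vault, as an added example that is not code from this runbook or the azurelocal-toolkit. It generates each management-server password with a CSPRNG and writes only the Key Vault reference back to the operator, so config/variables.yml never carries a password. It assumes Connect-AzAccount has been run with rights to set secrets on the vault, and the vault and secret names are placeholders.

```powershell
#Requires -Modules Az.KeyVault
<#
  Added example, not part of the azurelocal-toolkit: generate and store management-server
  credentials in the management Key Vault. Vault and secret names below are placeholders.
#>
param(
    [string]   $VaultName       = 'kv-azlocal-mgmt',                          # assumption
    [string[]] $Accounts        = @('dc1-local-admin', 'dc2-local-admin',     # assumption: one secret per
                                    'jumpbox-local-admin', 'svc-wac-gateway'), #   admin / service account
    [int]      $RotateAfterDays = 90
)

function New-RandomPassword {
    param([int] $Length = 24)
    # Unambiguous character set (no I, O, l, 0, 1). Rejection sampling on each byte avoids modulo bias
    # that a plain "byte % alphabet length" would introduce. Works on Windows PowerShell 5.1 and 7.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = [byte[]]::new(1)
    $sb       = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

foreach ($name in $Accounts) {
    $secret = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    # Expiry forces rotation to be tracked; tags let Phase 05 find what this phase created.
    $stored = Set-AzKeyVaultSecret -VaultName $VaultName -Name $name -SecretValue $secret `
        -ContentType 'password' -Expires (Get-Date).AddDays($RotateAfterDays) `
        -Tag @{ phase = '04'; owner = 'management-infrastructure' }
    # Only the secret URI is echoed; the value never reaches the console, a log, or variables.yml.
    Write-Host "$name -> $($stored.Id)"
}
```

Downstream steps read a value with `Get-AzKeyVaultSecret -VaultName <vault> -Name <secret> -AsPlainText` (Az.KeyVault 2.0 or later) at the moment they need it, and the variables file carries only the vault and secret names.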


End of Document


Version Control

  • Created: 2025-09-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-20 by Hybrid Cloud Solutions
  • Version: 2.0.0
  • Tags: azure-local, management-infrastructure, networking, vpn, key-vault, domain-controllers, bastion
  • Keywords: management infrastructure, virtual network, VPN gateway, bastion, NSG, NAT gateway, key vault, domain controller, log analytics
  • Author: Hybrid Cloud Solutions