
Phase 04: Azure Management Infrastructure

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Azure management resources deployment
PURPOSE: Deploy networking, VMs, and monitoring resources
MASTER REFERENCE: Microsoft Learn - Azure Networking

Status: Active


Overview

This phase deploys all Azure-side infrastructure needed for Azure Local management and operations. The deployment is organized into three steps:

  1. Deploy Infrastructure — Provision Azure networking, security, and VM resources (choose CI/CD or manual)
  2. Configure VMs — Configure management VM workloads (AD DS, utility server, NDM, Lighthouse, WAC)
  3. Validate — Verify connectivity and service health

Hybrid Connectivity Required

This phase deploys resources in Azure. Site-to-Site VPN or ExpressRoute connectivity between Azure and your on-premises environment is required for management VMs to communicate with Azure Local clusters. Ensure hybrid connectivity is planned before proceeding.

flowchart LR
A["Step 1\nDeploy Infrastructure"] --> B["Step 2\nConfigure VMs"]
B --> C["Step 3\nValidate"]

A1[CI/CD Pipeline] --> A
A2[Manual Deployment] --> A

Step 1: Deploy Infrastructure

Provision Azure networking, platform resources, and management VMs. Choose the deployment method that best suits your needs:

CI/CD Pipeline (✅ Recommended for production deployments)

Deploy the complete Azure management infrastructure using the automated CI/CD Pipeline with the azurelocal-toolkit Terraform modules.

Benefits:

  • ✅ Consistent, repeatable deployments
  • ✅ Infrastructure as Code (IaC) with version control
  • ✅ Automated testing and validation
  • ✅ Proper state management via CI/CD pipeline
  • ✅ Faster deployment with parallel resource creation

Repository: github.com/AzureLocal/azurelocal-toolkit

CI/CD Module Scope

The CI/CD module deploys core infrastructure but has the following limitations:

Not Included in CI/CD Module:

  • OpenGear Lighthouse Server — Must be deployed via Manual Task 11
  • Windows Admin Center (WAC) Server — Must be deployed via Manual Task 11

Fixed Configuration:

For deployments requiring these components or custom landing zones, supplement with Manual Deployment steps.

👉 Go to CI/CD Pipeline Deployment


Step 2: Configure VMs

After infrastructure is deployed (regardless of deployment method), configure the management VM workloads:

👉 Go to VM Configuration

| Task | Component | Classification | Purpose |
|---|---|---|---|
| 1 | Configure AD DS | Required | Promote DCs, create forest, configure DNS |
| 2 | Configure Utility Server | Recommended | Domain join, install admin tools (jump box) |
| 3 | Configure NDM Server | Recommended | rsyslog, SNMP trap receiver for Azure Monitor |
| 4 | Configure Lighthouse Server | Recommended | Docker, OpenGear Lighthouse container |
| 5 | Configure WAC | Recommended | Windows Admin Center gateway |

VM Configuration tasks apply to all deployment methods. Whether you used CI/CD or manual deployment for infrastructure, these steps are always required.


Step 3: Validate

After completing VM configuration, verify:

  • VPN connectivity between Azure and on-premises is operational
  • Domain Controllers are reachable and DNS resolves correctly
  • Utility server can RDP to Azure Local cluster nodes
  • NDM server is receiving syslog/SNMP data from network devices
  • WAC can connect to Azure Local cluster
  • Log Analytics Workspace is collecting data
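The checklist above can be run as one script from the utility server; the following is an added example, not part of the azurelocal-toolkit or this runbook's tasks. It assumes the Az.Network and Az.OperationalInsights modules and an authenticated Az session; every resource name, host name and the workspace id is a placeholder, and the Syslog check assumes the NDM server forwards its collected syslog into the Log Analytics Workspace.

```powershell
# Added Step 3 validation helper (not part of the azurelocal-toolkit).
# Assumes: Az.Network and Az.OperationalInsights modules loaded, an active
# Connect-AzAccount session, and execution from the domain-joined utility server.
# Every default below is a placeholder for this environment; override per site.
param(
    [string]$ResourceGroup  = 'rg-azlocal-mgmt',
    [string]$VpnConnection  = 'cn-onprem-site1',
    [string]$WorkspaceId    = '<log-analytics-workspace-id>',
    [string]$DomainFqdn     = 'corp.example.com',
    [string[]]$ClusterNodes = @('azl-node01', 'azl-node02'),
    [string]$WacServer      = 'wac01'
)
$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}
# 1. Azure side of the tunnel must report Connected.
$vpn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup -Name $VpnConnection
Add-Check 'VPN connection' ($vpn.ConnectionStatus -eq 'Connected') $vpn.ConnectionStatus
# 2. Domain name resolves to the DCs, and each DC answers LDAP (TCP/389).
$dcs = @(Resolve-DnsName -Name $DomainFqdn -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.IPAddress })
Add-Check 'DNS resolves domain' ($dcs.Count -gt 0) "$($dcs.Count) DC address(es)"
foreach ($dc in $dcs) {
    $ok = Test-NetConnection -ComputerName $dc.IPAddress -Port 389 -InformationLevel Quiet
    Add-Check "DC LDAP $($dc.IPAddress)" $ok 'TCP/389'
}
# 3. Utility server reaches each cluster node over RDP (TCP/3389).
foreach ($node in $ClusterNodes) {
    $ok = Test-NetConnection -ComputerName $node -Port 3389 -InformationLevel Quiet
    Add-Check "RDP to $node" $ok 'TCP/3389'
}
# 4. WAC gateway is listening on HTTPS.
$ok = Test-NetConnection -ComputerName $WacServer -Port 443 -InformationLevel Quiet
Add-Check 'WAC gateway' $ok 'TCP/443'
# 5. Workspace is ingesting VM heartbeats and the syslog the NDM server forwards.
$kql = 'union Heartbeat, Syslog | where TimeGenerated > ago(1h) | summarize n = count() by Type'
$rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results
foreach ($table in 'Heartbeat', 'Syslog') {
    $row = $rows | Where-Object { $_.Type -eq $table }
    $n = if ($row) { [int]$row.n } else { 0 }
    Add-Check "Workspace ingesting $table" ($n -gt 0) "$n rows in last hour"
}
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }   # non-zero exit gates the pipeline
```

A failed check exits non-zero, so the same script can gate a post-deployment stage in the CI/CD pipeline as well as be run by hand.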

Component Summary

All components deployed across Steps 1 and 2:

Management Mode (Once per Environment)

Infrastructure Resources (Step 1)

| Component | Classification | CI/CD Module | Manual | Purpose |
|---|---|---|---|---|
| Virtual Network & Subnets | Required | | | Azure Local management network |
| VPN Gateway | Required | | | Site-to-site connectivity to on-prem |
| VPN Connection | Required | | | Establish tunnel to on-prem site |
| Azure Bastion | Recommended | | | Secure RDP/SSH access to VMs |
| Network Security Groups | Required | | | Subnet-level security rules |
| NAT Gateway | Required | | | Outbound internet for management VMs |
| Arc Gateway | Optional | | | Azure Arc hybrid connectivity |
| Log Analytics Workspace | Recommended | | | Monitoring and HCI Insights |
| Key Vault | Required | | | Secrets management (passwords, keys) |
| Management VMs | Required | ⚠️ Optional | | DC, Utility, NDM, Lighthouse, WAC VMs |

VM Configuration (Step 2)

| Component | Classification | Purpose |
|---|---|---|
| Active Directory Domain Services | Required | Promote DCs, create forest, configure DNS |
| Utility Server (Jump Box) | Recommended | Domain join, admin tools, RDP gateway |
| NDM Server | Recommended | rsyslog + SNMP collection → Azure Monitor |
| Lighthouse Server | Recommended | OpenGear console server management |
| Windows Admin Center | Recommended | Web-based cluster management portal |

Cluster Mode (Once per Cluster)

Cluster-specific resources are deployed separately for each Azure Local cluster:

  • VPN Connection (Local Network Gateway + Connection): Deploy per-site
  • Cluster Key Vault: See cluster deployment stages
  • Cluster Log Analytics Workspace: See cluster deployment stages

Prerequisites

Before starting this phase, ensure:

Next Steps

After completing this phase:

  1. Verify VPN connectivity with on-premises network team
  2. Configure AD sites and services on Domain Controllers
  3. Store credentials in Key Vault (admin passwords, service accounts)
  4. Proceed to Phase 05: Identity & Access Management


End of Document


Version Control

  • Created: 2025-09-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-20 by Hybrid Cloud Solutions
  • Version: 2.0.0
  • Tags: azure-local, management-infrastructure, networking, vpn, key-vault, domain-controllers, bastion
  • Keywords: management infrastructure, virtual network, VPN gateway, bastion, NSG, NAT gateway, key vault, domain controller, log analytics
  • Author: Hybrid Cloud Solutions