Local Identity — ARM Template Deployment (SAN)
DOCUMENT CATEGORY: Runbook
SCOPE: ARM template SAN cluster deployment with Local Identity
PURPOSE: Deploy Azure Local with external SAN storage and Local Identity (Key Vault) via ARM
MASTER REFERENCE: Microsoft Learn — Deploy via ARM (Disaggregated)
Status: Active
Overview
This runbook deploys a disaggregated Azure Local cluster using ARM templates with:
- Storage: External SAN (Fibre Channel)
- Identity: Local Identity with Azure Key Vault
This is the most automated option for SAN + non-AD deployments, combining infrastructure-as-code repeatability with the simplicity of local identity authentication.
Prerequisites
Complete all items from the SAN Prerequisites and the Local Identity Prerequisites sections.
Key Parameter Differences
The SAN + Local Identity ARM template combines parameters from both the disaggregated and local identity templates:
| Parameter | Value |
|---|---|
| storageConfiguration | "SAN" |
| domainFqdn | Empty string "" (no AD) |
| adouPath | Empty string "" (no AD) |
| keyVaultName | Name of the Azure Key Vault for secrets |
| intentList | Management + Compute only (no storage intent) |
| sanNetworkList | FC fabric network configuration |
Step-by-Step
Step 1: Obtain the ARM Template
Download the disaggregated ARM template from Microsoft Learn.
Step 2: Create the Parameters File
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "clusterName": { "value": "<cluster-name>" },
    "location": { "value": "<azure-region>" },
    "domainFqdn": { "value": "" },
    "adouPath": { "value": "" },
    "storageConfiguration": { "value": "SAN" },
    "networkingPattern": { "value": "managementAndCompute" },
    "keyVaultName": { "value": "<key-vault-name>" }
  }
}
```
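A pre-flight check for the parameters file, run before Step 3. This is an added example, not part of the Microsoft template or this runbook's tooling: it enforces the values from the Key Parameter Differences table, rejects unreplaced `<...>` placeholders, and applies Azure's Key Vault naming rule. The function name `lint_parameters` and the sample document are constructed for illustration.

```python
import json
import re
import sys
from pathlib import Path

# Azure Key Vault names: 3-24 chars, letters/digits/hyphens, start with a
# letter, end with a letter or digit, no consecutive hyphens.
KV_NAME = re.compile(r"^(?!.*--)[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
PLACEHOLDER = re.compile(r"^<[^<>]*>$")
# Values this runbook requires for SAN + Local Identity.
REQUIRED = {"domainFqdn": "", "adouPath": "", "storageConfiguration": "SAN"}


def lint_parameters(doc):
    """Return a list of problems found in a deploymentParameters document."""
    params = doc.get("parameters", {})
    problems = []
    for name, expected in REQUIRED.items():
        if name not in params:
            problems.append(f"{name}: missing")
        elif params[name].get("value") != expected:
            problems.append(f"{name}: must be {expected!r}")
    for name, entry in params.items():
        value = entry.get("value")
        if isinstance(value, str) and PLACEHOLDER.match(value):
            problems.append(f"{name}: placeholder {value} not replaced")
    kv = params.get("keyVaultName", {}).get("value")
    if not isinstance(kv, str):
        problems.append("keyVaultName: missing")
    elif not PLACEHOLDER.match(kv) and not KV_NAME.match(kv):
        problems.append("keyVaultName: not a valid Key Vault name")
    return problems


# Constructed sample: an AD domain left in and a malformed vault name.
SAMPLE_BAD = json.loads("""{"parameters": {
  "clusterName": {"value": "<cluster-name>"},
  "domainFqdn": {"value": "corp.example.com"},
  "adouPath": {"value": ""},
  "storageConfiguration": {"value": "SAN"},
  "keyVaultName": {"value": "kv--azl"}}}""")

if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the sample.
    doc = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_BAD
    found = lint_parameters(doc)
    print("\n".join(found) or "parameters OK")
    sys.exit(1 if found else 0)
```

The script exits non-zero when it finds a problem, so it can gate the deploy command in a pipeline.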
Step 3: Deploy
```bash
az deployment group create \
  --resource-group <resource-group> \
  --template-file azuredeploy.json \
  --parameters @azuredeploy.parameters.san.local-identity.json
```
Step 4: Monitor
```bash
az deployment group show \
  --resource-group <resource-group> \
  --name <deployment-name> \
  --query "properties.provisioningState" -o tsv
```
Post-Deployment
- Connect workload LUNs — see Connect External Storage
- Proceed to Phase 06: Post-Deployment
Troubleshooting
| Issue | Resolution |
|---|---|
| Template validation fails | Verify domainFqdn and adouPath are empty strings for Local Identity. Verify storageConfiguration is "SAN". |
| Key Vault access denied | Ensure the deploying identity has Key Vault Contributor and Key Vault Secrets Officer roles. |
| SAN disks not detected | Verify FC zoning and MPIO on all nodes before deployment. |
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-05-01 | Azure Local Cloud | Initial release |