Prerequisites and Assumptions
DOCUMENT CATEGORY: Runbook
SCOPE: Pre-deployment requirements
PURPOSE: Validate all prerequisites before implementation
MASTER REFERENCE: Microsoft Learn - Prerequisites
Status: Active
This document outlines all requirements that must be met before beginning Azure Local deployment. All prerequisites must be validated before proceeding to implementation stages.
Executive Summary
Azure Local deployment requires completion of comprehensive planning activities, properly configured hardware and software environments, and appropriate Azure permissions. This document serves as your pre-deployment checklist.
Critical Path: Planning Phase → Prerequisites Validation → Implementation Stages
1. Planning Phase Prerequisites
All planning documents must be completed and approved before implementation begins.
Required Planning Documents
| Document | Status | Purpose | Link |
|---|---|---|---|
| Discovery Checklist | ✅ Required | Customer environment assessment and requirements gathering | Discovery Checklist |
| Site Assessment | ✅ Required | Physical infrastructure and network evaluation | Site Assessment |
| Naming Standards | ✅ Required | Resource naming conventions and patterns | Naming Standards |
| Landing Zone Strategy | ✅ Required | Azure foundation architecture and governance | Landing Zone Strategy |
Planning Deliverables
- variables.yml populated with environment-specific values
- Variable schema aligned with customer requirements
- Network architecture documented and approved
- Security and compliance requirements identified
2. Hardware Prerequisites
Hardware must be racked, powered, and cabled per vendor guidance before beginning provisioning stages. This includes:
- All Dell AX servers physically installed in racks
- Power cables connected to redundant PDUs
- Network cables installed per cabling design specifications
- iDRAC/BMC interfaces accessible and configured
- Console access available for all servers
The provisioning runbook assumes physical infrastructure is complete and validated.
Server Requirements
Azure Local supports 1-16 physical servers per cluster.
| Component | Minimum | Recommended | Notes |
|---|---|---|---|
| CPU | Intel Xeon Gold/Platinum or AMD EPYC 7000 series | Latest generation enterprise CPUs | Must support virtualization |
| RAM | 256GB per server | 512GB+ per server | ECC memory required |
| Storage | 1TB SSD/NVMe (OS boot) + 2TB+ across 2+ data drives | All-NVMe configuration | Controllers must be HBA/passthrough mode — RAID not supported |
| Network | 2x 10GbE NICs minimum | 2x 25GbE or higher | RDMA-capable for performance |
Physical Infrastructure
- Rack Mounting: Servers properly racked per vendor specifications
- Power: Redundant power supplies connected to separate PDUs
- Cooling: Adequate rack cooling and environmental controls
- Cable Management: Clean cable routing with proper labeling
- Access: Physical security controls for server room/rack access
Management Access
- iDRAC/BMC: All servers accessible via out-of-band management
- Console Access: Direct console access available for troubleshooting
- Network Access: Management interfaces reachable from administration workstations
3. Software Prerequisites
Operating System
- This runbook targets Azure Local 24H2 (Build 2601)
- Core installation (no Desktop Experience available; management via Windows Admin Center or remote tools)
- Domain-joined or local identity configuration (domain recommended for production)
Management Tools
| Tool | Version | Purpose | Installation |
|---|---|---|---|
| Windows Admin Center | 2311+ | Dell hardware health telemetry (optional) | Download |
| Azure CLI | 2.50+ | Azure resource management | winget install Microsoft.AzureCLI |
| Azure PowerShell | 10.0+ | Azure automation | Install-Module -Name Az -Force |
| Azure Stack HCI PowerShell | Latest | HCI-specific cmdlets | Included with Azure Local |
Windows Admin Center is not required for Azure Local deployment or day-to-day cluster management — Microsoft recommends the Azure Portal as the primary management interface.
However, WAC is recommended for Dell environments because it hosts the Dell OpenManage Integration with Microsoft Windows Admin Center (OMIMSWAC) extension. OMIMSWAC collects Dell-specific hardware telemetry (fans, power supplies, temperatures, drive health) via iDRAC and pushes it to Azure Monitor Insights, enabling proactive hardware alerting and centralized visibility in the Azure Portal.
If you are not using Dell hardware, or do not require hardware health telemetry in Azure Monitor, WAC can be skipped entirely.
Development Tools
- Git for repository access
- PowerShell 7+ for advanced scripting
- VS Code with PowerShell extension (recommended)
- GitLab access for CI/CD pipelines
4. Azure Prerequisites
Subscription Requirements
- Azure subscription with sufficient quota for Azure Local resources
- Billing account configured and accessible
- Support plan (Standard or higher recommended for production)
Required Permissions
This section summarizes the required permissions. Step-by-step role assignment procedures are covered in Part 2: Azure Foundation — Phase 03: RBAC Permissions.
The deployment user (or service principal) requires the following roles, per Microsoft Learn — Assign required permissions for Azure Local deployment:
Subscription-level roles:
| Role | Purpose | Reference |
|---|---|---|
| Contributor | Create and manage Azure resources, register resource providers | Deployment checklist |
| User Access Administrator | Assign RBAC to identities, Arc-enable machines | Deployment checklist |
| Azure Stack HCI Administrator | Azure Local cluster management | Assign permissions |
| Reader | View resources in the Azure portal | Assign permissions |
Resource group-level roles (Azure Local cluster resource group):
| Role | Purpose | Reference |
|---|---|---|
| Key Vault Data Access Administrator | Manage data plane permissions to deployment Key Vault | Assign permissions |
| Key Vault Secrets Officer | Read and write secrets in deployment Key Vault | Assign permissions |
| Key Vault Contributor | Create and manage Key Vault resources for deployment | Assign permissions |
| Storage Account Contributor | Create storage accounts for deployment | Assign permissions |
| Azure Connected Machine Onboarding | Register machines with Azure Arc | Arc prerequisites |
| Azure Connected Machine Resource Administrator | Manage Arc-enabled machine resources | Arc prerequisites |
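One way to confirm the ten role assignments listed in the two tables above before deployment starts. This is an added example, not part of the runbook's own scripts; the subscription ID, resource group name and principal object ID are placeholders, and it assumes the Az.Resources module with an authenticated session.

```powershell
# Added example. Requires Az.Resources and a prior Connect-AzAccount.
# The three identifiers below are placeholders to replace with your own values.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<cluster-resource-group>'
$principalId    = '<deployment-principal-object-id>'

$subScope = "/subscriptions/$subscriptionId"
$rgScope  = "$subScope/resourceGroups/$resourceGroup"

# Role names copied from the subscription-level and resource group-level tables.
$checks = @(
    @{ Scope = $subScope; Roles = @(
        'Contributor'
        'User Access Administrator'
        'Azure Stack HCI Administrator'
        'Reader') }
    @{ Scope = $rgScope; Roles = @(
        'Key Vault Data Access Administrator'
        'Key Vault Secrets Officer'
        'Key Vault Contributor'
        'Storage Account Contributor'
        'Azure Connected Machine Onboarding'
        'Azure Connected Machine Resource Administrator') }
)

$results = foreach ($check in $checks) {
    # With -ObjectId and -Scope, the cmdlet lists assignments effective at the scope:
    # those made at the scope itself and those inherited from above it.
    $held = @(Get-AzRoleAssignment -ObjectId $principalId -Scope $check.Scope |
        Select-Object -ExpandProperty RoleDefinitionName)
    foreach ($role in $check.Roles) {
        [pscustomobject]@{
            Scope    = $check.Scope
            Role     = $role
            Assigned = $held -contains $role
        }
    }
}

$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Assigned })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} required roles are not assigned." -f $missing.Count, $results.Count)
}
```

Roles granted only through group membership are not expanded by this query, so a role reported as missing may still be held through a group.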
Required Resource Providers
Register these 12 resource providers before deployment. Registration requires Owner or Contributor on the subscription and is performed in Part 2: Azure Foundation — Phase 02: Resource Providers.
| # | Provider Namespace | Purpose |
|---|---|---|
| 1 | Microsoft.HybridCompute | Azure Arc-enabled servers |
| 2 | Microsoft.GuestConfiguration | Azure Policy guest configuration |
| 3 | Microsoft.HybridConnectivity | Azure Arc connectivity |
| 4 | Microsoft.AzureStackHCI | Azure Local cluster management (core) |
| 5 | Microsoft.Kubernetes | Arc-enabled Kubernetes |
| 6 | Microsoft.KubernetesConfiguration | Kubernetes configuration |
| 7 | Microsoft.ExtendedLocation | Custom locations for Arc |
| 8 | Microsoft.ResourceConnector | Azure Arc Resource Bridge |
| 9 | Microsoft.HybridContainerService | Hybrid container workloads |
| 10 | Microsoft.Attestation | Security attestation |
| 11 | Microsoft.Storage | Storage accounts for deployment |
| 12 | Microsoft.Insights | Monitoring and logging (required for Key Vault audit logging validation) |
If Microsoft.Insights is not registered, the diagnostic account and Key Vault audit logging fail during deployment validation.
Azure Arc Prerequisites
- Azure Stack HCI OS installed on all cluster nodes (see Section 3: Software Prerequisites)
- Outbound internet connectivity to required Azure Arc endpoints (see Section 5: Network Prerequisites)
- Arc Gateway configured if deploying through a proxy environment (optional)
- RBAC roles for Arc registration (Azure Connected Machine Onboarding + Azure Connected Machine Resource Administrator) assigned per the permissions table above
5. Network Prerequisites
This section covers prerequisites only. Full network design and switch configuration procedures are in Part 3: On-Prem Readiness — Phase 03: Network Infrastructure.
IP and Subnet Planning
The following must be defined before deployment begins (from the Microsoft Learn deployment checklist):
| Requirement | Details |
|---|---|
| Management network subnet | Minimum 6 contiguous IPs for infrastructure services (first IP assigned to failover clustering) |
| Storage VLAN IDs | Two unique VLAN IDs for storage networks (Network ATC defaults: 711 and 712) |
| DNS server | Must resolve the Active Directory domain. Cannot use IPs from reserved Kubernetes subnets 10.96.0.0/12 or 10.244.0.0/16 |
| NTP source | Time synchronization for all nodes (domain controllers or dedicated NTP appliance) |
| Static IP configuration | All cluster nodes use static management IPs — DHCP is not used for node deployment |
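The DNS and management-range rules in the table above can be checked against the planned values before anything is configured. The following is an added example, not part of the runbook; every address in it is a constructed sample, and the variable and function names are hypothetical.

```powershell
# Added example. All addresses below are constructed sample values.
$reservedSubnets = '10.96.0.0/12', '10.244.0.0/16'   # reserved Kubernetes subnets from the table
$dnsServers      = '10.20.0.10', '10.100.0.53'       # second value is deliberately invalid
$mgmtSubnet      = '10.20.1.0/24'
$mgmtRangeStart  = '10.20.1.10'
$mgmtRangeEnd    = '10.20.1.15'

function ConvertTo-IPv4Number ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Ip" }
    # Doubles hold every 32-bit value exactly and avoid signed-integer overflow.
    [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3]
}

function Test-InCidr ([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)
    # Two addresses share a subnet when they fall in the same block of that size.
    [math]::Floor((ConvertTo-IPv4Number $Ip) / $blockSize) -eq
        [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
}

$findings = @()

foreach ($dns in $dnsServers) {
    foreach ($cidr in $reservedSubnets) {
        if (Test-InCidr $dns $cidr) {
            $findings += "DNS server $dns is inside reserved Kubernetes subnet $cidr"
        }
    }
}

foreach ($ip in $mgmtRangeStart, $mgmtRangeEnd) {
    if (-not (Test-InCidr $ip $mgmtSubnet)) {
        $findings += "$ip is outside management subnet $mgmtSubnet"
    }
}

$rangeSize = (ConvertTo-IPv4Number $mgmtRangeEnd) - (ConvertTo-IPv4Number $mgmtRangeStart) + 1
if ($rangeSize -lt 6) {
    $findings += "Management range holds $rangeSize IPs; at least 6 contiguous IPs are required"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'IP plan satisfies the DNS and management-range rules.'
}
```

With the sample values, the only finding is the DNS server 10.100.0.53, which falls inside 10.96.0.0/12.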
Outbound Internet Connectivity
All cluster nodes require outbound access on ports 80 (HTTP) and 443 (HTTPS) for:
- Azure Arc registration and ongoing management
- Windows Update and security patches
- Azure marketplace and extension downloads
- Telemetry, monitoring, and diagnostics
Azure Local does not support HTTPS inspection. Ensure HTTPS inspection is disabled along the entire networking path. This includes Entra ID tenant restrictions v1, which are not supported for Azure Local management network communication.
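A node-side check for HTTPS inspection is to look at which CA issued the certificate a node actually receives. This is an added example, not part of the runbook: the two endpoints and the expected-issuer pattern are assumptions to replace with entries from your region's endpoint list, and it assumes the node connects directly rather than through an explicit proxy.

```powershell
# Added example. Endpoints and issuer pattern are assumptions, not values from the runbook.
$endpoints      = 'login.microsoftonline.com', 'management.azure.com'
$expectedIssuer = 'Microsoft|DigiCert'   # assumption: public CAs normally seen on these endpoints

function Get-TlsIssuer ([string]$HostName, [int]$Port = 443) {
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Default certificate validation stays on: an interception CA the node
        # does not trust makes the handshake throw, which is itself a finding.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint = $HostName; Issuer = $cert.Issuer
            Thumbprint = $cert.Thumbprint; Error = $null
        }
    }
    catch {
        [pscustomobject]@{
            Endpoint = $HostName; Issuer = $null
            Thumbprint = $null; Error = $_.Exception.Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

$results = foreach ($endpoint in $endpoints) {
    $r = Get-TlsIssuer $endpoint
    $verdict = if ($r.Error) {
        'HandshakeFailed'
    } elseif ($r.Issuer -match $expectedIssuer) {
        'ExpectedIssuer'
    } else {
        'UnexpectedIssuer'      # likely re-signed by an inspecting proxy or firewall
    }
    $r | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

$results | Format-List Endpoint, Verdict, Issuer, Thumbprint, Error
```

Run it on each node. A verdict other than ExpectedIssuer points at a device on the path that terminates or blocks TLS, and the issuer name usually identifies that device.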
Firewall Requirements
Microsoft publishes region-specific consolidated endpoint lists that include Azure Local, Arc-enabled servers, Azure Resource Bridge, and AKS endpoints. Do not maintain a manual URL allowlist — use the official lists:
| Region | Consolidated Endpoint List |
|---|---|
| East US | eastus-hci-endpoints.md |
| West Europe | westeurope-hci-endpoints.md |
| Canada Central | canadacentral-hci-endpoints.md |
| South Central US | southcentralus-hci-endpoints.md |
| Other regions | See Firewall requirements for Azure Local |
OEM-specific endpoints (required in addition to the above):
| OEM | Endpoint List |
|---|---|
| Dell | Dell Azure Local endpoints |
| HPE | HPE Azure Local endpoints |
| Lenovo | Lenovo Azure Local endpoints |
Additional service endpoints may be required depending on enabled features (Azure Monitor Agent, Azure Site Recovery, Microsoft Defender, etc.). See Firewall requirements for additional Azure services.
Network Architecture
Azure Local uses Network ATC intents to define traffic types. The following network segments are required:
| Network | Purpose | VLAN | RDMA |
|---|---|---|---|
| Management | Cluster management, Arc connectivity, DNS, AD | Customer-assigned | No |
| Storage 1 | Storage Spaces Direct replication (East-West) | 711 (default) | Yes |
| Storage 2 | Storage Spaces Direct replication (East-West) | 712 (default) | Yes |
| Compute/VM | Tenant VM traffic, live migration | Customer-assigned | Optional (guest RDMA) |
Physical switch requirements (per Microsoft Learn — Physical network requirements):
- IEEE 802.1Q (VLANs) — required for all traffic types
- IEEE 802.1Qbb (Priority Flow Control) — required for storage traffic
- IEEE 802.1Qaz (Enhanced Transmission Selection) — required for storage traffic
- IEEE 802.1AB (LLDP) — required for network discovery
- MTU 9174 for storage traffic (jumbo frames)
- Switchless (direct connect) supported for storage traffic in clusters up to 3 nodes
Arc Gateway (Optional)
If cluster nodes cannot reach Azure endpoints directly, deploy an Arc Gateway to proxy Arc traffic. Arc Gateway configuration is defined in variables.yml under deployment.arc_gateway.
6. Security & Identity Prerequisites
Prerequisites (Required Before Deployment)
| Requirement | Details | Verified By |
|---|---|---|
| Microsoft Entra ID tenant | Active tenant with the Azure Local subscription associated | Planning & Discovery |
| Active Directory domain | Functional AD DS domain with DNS resolution; used for cluster node identity | Part 3: On-Prem Readiness — Phase 01: Active Directory |
| LCM deployment user account | Dedicated AD account with appropriate permissions; password must be 14+ characters with complexity requirements | Part 3: On-Prem Readiness — Phase 01: Task 04 |
| Local administrator credentials | Identical username/password across all cluster nodes; 14+ character complexity requirement | OS installation (Part 4, Phase 02) |
Assumptions (Customer-Managed, Not Deployed by This Runbook)
The following are customer responsibilities and are assumed to be in place. They are not configured as part of the Azure Local deployment:
- MFA — Enabled for all administrative accounts accessing the Azure portal (customer tenant policy)
- Conditional Access — Policies configured per customer security requirements (requires Entra ID P2)
- HTTPS inspection disabled — Along the entire networking path for Azure Local management traffic (see Section 5)
Configured During Deployment (Not Prerequisites)
The following security components are created during the implementation, not beforehand:
| Component | Deployed In | Reference |
|---|---|---|
| Azure Key Vault | Part 2: Azure Foundation — Phase 04 | Task 08: Key Vault |
| PIM & Conditional Access | Part 2: Azure Foundation — Phase 05 | Task 01: PIM & Conditional Access (optional, requires Entra ID P2) |
| Defender for Cloud | Part 5: Operational Foundations — Phase 02 | Monitoring & Observability |
| Azure Policy assignments | Part 5: Operational Foundations — Phase 02 | Azure Security Benchmark, Defender for Servers, required tags |
| Backup & DR | Part 5: Operational Foundations — Phase 03 | Phase 03: Backup & DR |
| Security monitoring & alerting | Part 5: Operational Foundations — Phase 02 | Azure Monitor, alert rules, OMIMSWAC |
7. Validation Checklist
Use this checklist to verify all prerequisites before proceeding to implementation.
☐ Planning Phase
- Discovery checklist completed and approved
- Site assessment completed and approved
- Naming standards documented and approved
- Landing zone strategy documented and approved
- variables.yml populated with environment values
☐ Hardware Validation
- All servers racked, powered, and cabled
- iDRAC/BMC accessible for all servers
- Network connectivity verified (management interfaces)
- Hardware specifications meet Azure Local system requirements
- Firmware/BIOS versions current per OEM solution builder extension
- Storage controllers in HBA/passthrough mode (RAID not supported)
- Minimum 2 data drives per node for Storage Spaces Direct
☐ Software Validation
- Azure CLI installed and authenticated
- Azure PowerShell modules installed
- GitLab access configured
- PowerShell execution policy allows scripts
- Windows Admin Center installed (optional — required only for Dell OMIMSWAC hardware monitoring)
☐ Azure Validation
- Subscription active with sufficient quota
- 10 required RBAC roles assigned to deployment account (see Section 4)
- All 12 required resource providers registered (see Section 4)
- Azure Arc prerequisites met (TLS 1.2, Windows firewall disabled/configured, proxy configured if applicable)
☐ Network Validation
- Outbound HTTPS (443) access confirmed from all nodes
- DNS resolution working for all nodes
- NTP synchronization configured
- Firewall/proxy rules allow required Azure endpoints (see Section 5)
- HTTPS inspection disabled along the entire networking path
- Static IPs allocated: management, storage VLANs, and 6+ contiguous management IPs for Azure services
- Physical switches configured (VLANs, MTU 9174 for storage, IEEE 802.1Q/Qbb/Qaz)
☐ Security & Identity Validation
- Microsoft Entra ID tenant active and associated with the Azure subscription
- Active Directory domain functional with DNS resolution
- LCM deployment user account created with required permissions
- Local administrator credentials set identically across all cluster nodes
- MFA enabled for administrative accounts (customer responsibility)
Supported Builds
- This runbook targets Azure Local 24H2 (Build 2601)
- Always verify latest guidance in Microsoft Azure Local documentation
- Check Azure Local release notes for latest features and fixes
References
Microsoft Documentation
- Azure Local Overview
- Azure Local Network Requirements
- Azure Local System Requirements
- Azure Arc Gateway
- Azure Local Firewall Requirements
- Azure Local Deployment Prerequisites
Internal Standards
- Variable Management Standard
- PowerShell Organization Standard
- Scripting Framework
Next Steps
Once all prerequisites are validated:
- Proceed to Authentication → Configure deployment credentials
- Begin Implementation → Start with Part 2: Azure Foundation (Landing Zones, RBAC, Management Infrastructure)
- Monitor Progress → Use validation checklists in each stage
- Document Issues → Update this document if new prerequisites are discovered
🚨 Do not proceed to implementation until all prerequisites are met and validated.
Version Control
- Created: 2026-01-15 by Azure Local Cloudnology Team
- Last Updated: 2026-03-02 by Azure Local Cloudnology Team
- Version: 2.0.0
- Tags: azure-local, prerequisites, requirements
- Keywords: prerequisites, assumptions, requirements
- Author: Azure Local Cloudnology Team