
Site Assessment

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Physical infrastructure evaluation
PURPOSE: Assess site readiness for Azure Local deployment
MASTER REFERENCE: Microsoft Learn - Azure Local Requirements

Status: Active


Overview

Site assessment is a critical discovery phase that evaluates the physical site's readiness for Azure Local deployment. This document consolidates assessment activities for:

  • Active Directory Planning - Domain architecture, DNS zones, OU structure, and service accounts
  • Enterprise Network Validation - Connectivity, firewall rules, and infrastructure verification
  • Site Network Infrastructure - VLAN planning, IP allocation, and switch configuration

All assessment outputs feed directly into variables.yml and the provisioning stages.

Assessment Approach

Complete this assessment per site before proceeding to hardware provisioning. For multi-site deployments, repeat the site-specific sections for each location.


Part 1: Active Directory Planning

Feeds: Stage 08 (Active Directory Preparation)

DNS and Active Directory Domain Information

Gather the following domain and DNS information from the customer's IT team:

| Field | Value | Notes |
|---|---|---|
| External DNS Domain | ________________________ | Public-facing domain |
| Internal AD Domain (FQDN) | ________________________ | e.g., Infinite azurelocal Corp.local or corp.Infinite azurelocal Corp.com |
| AD Domain NetBIOS Name | ________________________ | e.g., Infinite azurelocal Corp |
| AD Forest Functional Level | ☐ 2016 ☐ 2019 ☐ 2022 | Minimum: Windows Server 2016 |
| AD Domain Functional Level | ☐ 2016 ☐ 2019 ☐ 2022 | Minimum: Windows Server 2016 |

DNS Zone Configuration

| Zone Type | Zone Name | Purpose |
|---|---|---|
| Primary Forward Lookup Zone | ________________________ | Main AD-integrated zone |
| Azure Local Cluster Zone | ________________________ | e.g., azlocal.Infinite azurelocal Corp.com |
| Management Reverse Lookup | ________________________ | e.g., 100.10.10.in-addr.arpa (the 10.10.100.0/24 management range) |
| Production Reverse Lookup | ________________________ | e.g., 200.10.10.in-addr.arpa (the 10.10.200.0/24 production range) |

DNS Delegation Approach:

| Approach | Description | Use Case |
|---|---|---|
| Subdomain Delegation | Create a delegated zone for Azure Local | Preferred for isolation |
| Conditional Forwarding | Forward queries to Azure Local DNS | When delegation is not possible |
| Full Integration | Add records to existing zones | Simple environments |

DNS Server Configuration

| Setting | Primary | Secondary | Notes |
|---|---|---|---|
| DNS Server IP | ____________ | ____________ | AD-integrated recommended |
| DNS Forwarders | ____________ | ____________ | External resolution |
| Azure DNS Integration | ☐ Yes ☐ No | | Private DNS zones |

OU Structure for Azure Local

Define the Organizational Unit hierarchy for Azure Local objects:

```text
DC=Infinite azurelocal Corp,DC=com
└── OU=Azure Local            # Root OU for Azure Local
    ├── OU=Clusters           # Cluster computer objects (CNOs, VCOs)
    │   └── OU={SiteCode}     # Per-site cluster objects
    ├── OU=Servers            # Cluster node computer objects
    │   └── OU={SiteCode}     # Per-site server objects
    ├── OU=Service Accounts   # Service accounts for Azure Local
    ├── OU=Groups             # Security groups for RBAC
    └── OU=Workload VMs       # Virtual machine computer objects (optional)
```

OU Checklist:

  • Root OU for Azure Local: OU=________________________,DC=______,DC=______
  • Cluster objects OU: OU=________________________
  • Server objects OU: OU=________________________
  • Service accounts OU: OU=________________________
  • Groups OU: OU=________________________
  • GPO application strategy documented: ☐ Yes ☐ No
  • GPO exclusions needed: ________________________

Service Accounts

Create the following service accounts before deployment:

Azure Local Deployment Account

| Setting | Value |
|---|---|
| Account Name | ________________________ (e.g., svc-azlocal-deploy) |
| Description | Azure Local cluster deployment service account |
| Password Policy | ☐ Never expires (service account) ☐ Expires: ____ days |
| Required Permissions | |
| - Domain Admin (temporary, for deployment) | ☐ Yes ☐ No |
| - Enterprise Admin (multi-domain forests) | ☐ Yes ☐ No |
| - Local Administrator on nodes | ☐ Required |
| - Create computer objects in target OUs | ☐ Required |
| - Modify DNS zones | ☐ Required |

Prefer delegating the rights listed under AD Delegation Requirements on the Azure Local OUs and cluster DNS zone over Domain Admin or Enterprise Admin membership; the deployment only needs to create computer objects and DNS records in its own OUs and zone. If elevated membership cannot be avoided, record who removes it and when in the change record. If "Never expires" is selected, the password rotation schedule in the deliverables checklist must cover this account.

Azure Local Lifecycle Management Account

| Setting | Value |
|---|---|
| Account Name | ________________________ (e.g., svc-azlocal-lifecycle) |
| Description | Ongoing cluster management and maintenance |
| Password Policy | ☐ Never expires ☐ Expires: ____ days |
| Required Permissions | |
| - Computer object creation/deletion in OUs | ☐ Required |
| - DNS record creation/deletion | ☐ Required |
| - Read/write to Cluster Name Object (CNO) | ☐ Required |

Azure Arc Service Account (if separate)

| Setting | Value |
|---|---|
| Account Name | ________________________ (e.g., svc-arc-azlocal) |
| Description | Azure Arc agent registration and management |
| Required Permissions | |
| - Local Administrator on nodes | ☐ Required |

Group Memberships and Delegation

| Service Account | Domain Groups | Local Groups |
|---|---|---|
| Deployment Account | ________________________ | Local Administrators |
| Lifecycle Account | ________________________ | Local Administrators |
| Arc Account | ________________________ | Local Administrators |

AD Delegation Requirements:

  • Create/delete computer objects in Azure Local OUs
  • Reset computer passwords in Azure Local OUs
  • Read/write all properties of computer objects
  • Create/delete DNS records in cluster zones
  • Delegation documentation complete: ☐ Yes ☐ No
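The OU tree and the delegation list above, worked through as an added example. This is not the runbook's own provisioning script and not Microsoft's AD preparation script; it is the kind of script the assessor runs once the customer has signed off the OU and delegation design. The domain DC=contoso,DC=com, NetBIOS name CONTOSO, site code SITE01, cluster zone azlocal.contoso.com, and the placement of that zone in the DomainDnsZones partition are assumptions; replace them with the values recorded in Part 1.

```powershell
# Added example: build the Azure Local OU tree for one site, create the deployment
# account in the Service Accounts OU, and delegate only the rights listed under
# "AD Delegation Requirements" on the Azure Local OUs, so Domain Admin is not needed.
# Requires the RSAT ActiveDirectory and GroupPolicy modules and rights to edit OU ACLs.
#Requires -Modules ActiveDirectory, GroupPolicy
$DomainDn    = 'DC=contoso,DC=com'      # assumption
$DnsDomain   = 'contoso.com'            # assumption
$NetBios     = 'CONTOSO'                # assumption
$SiteCode    = 'SITE01'                 # assumption
$ClusterZone = 'azlocal.contoso.com'    # assumption, following the "Azure Local Cluster Zone" example
$DeployUser  = 'svc-azlocal-deploy'     # example name from the deployment account table
$RootOu      = "OU=Azure Local,$DomainDn"

function New-OuIfMissing {
    # Idempotent so the script can be re-run after a partial failure
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# 1. OU hierarchy, mirroring "OU Structure for Azure Local"
$null          = New-OuIfMissing -Name 'Azure Local'      -ParentDn $DomainDn
$clustersOu    = New-OuIfMissing -Name 'Clusters'         -ParentDn $RootOu
$serversOu     = New-OuIfMissing -Name 'Servers'          -ParentDn $RootOu
$svcAccountsOu = New-OuIfMissing -Name 'Service Accounts' -ParentDn $RootOu
$null          = New-OuIfMissing -Name 'Groups'           -ParentDn $RootOu
$siteClusterOu = New-OuIfMissing -Name $SiteCode -ParentDn $clustersOu
$siteServerOu  = New-OuIfMissing -Name $SiteCode -ParentDn $serversOu

# 2. GPO strategy. Assumed here to be "block inheritance on the root OU" so domain
#    baselines cannot reconfigure the nodes; record any exception in the OU checklist.
Set-GPInheritance -Target $RootOu -IsBlocked Yes | Out-Null

# 3. Deployment account. $PasswordNeverExpires reflects the box ticked in the table;
#    when it is $true the rotation schedule in the deliverables checklist must cover it.
$PasswordNeverExpires = $true
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$DeployUser'")) {
    $password = Read-Host -AsSecureString -Prompt "Password for $DeployUser"
    New-ADUser -Name $DeployUser -SamAccountName $DeployUser `
        -UserPrincipalName "$DeployUser@$DnsDomain" -Path $svcAccountsOu `
        -AccountPassword $password -Enabled $true `
        -Description 'Azure Local cluster deployment service account' `
        -PasswordNeverExpires $PasswordNeverExpires
}

# 4. OU-scoped delegation with dsacls (ships with RSAT). A grant is user:perms;objectType;inheritedType
#    where CC/DC = create/delete child, RP/WP = read/write property, CA = control access (extended right).
$principal = "$NetBios\$DeployUser"
function Grant-Ace {
    param([string]$ObjectDn, [string]$Inherit, [string]$Grant)
    $out = & dsacls $ObjectDn "/I:$Inherit" /G "${principal}:$Grant" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $ObjectDn ($Grant): $out" }
}
foreach ($ou in @($siteClusterOu, $siteServerOu)) {
    Grant-Ace $ou 'T' 'CCDC;computer'               # create/delete computer objects in the OU and below
    Grant-Ace $ou 'S' 'RPWP;;computer'              # read/write all properties of those computer objects
    Grant-Ace $ou 'S' 'CA;Reset Password;computer'  # reset computer account passwords
}
# DNS: create/delete records in the cluster zone only, instead of DnsAdmins membership.
# DN form assumes an AD-integrated zone replicated in the DomainDnsZones partition.
$zoneDn = "DC=$ClusterZone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
Grant-Ace $zoneDn 'T' 'CCDC;dnsNode'
Grant-Ace $zoneDn 'S' 'RPWP;;dnsNode'

# 5. Verify: the account's ACEs should appear only on the Azure Local OUs and the cluster zone
foreach ($dn in @($siteClusterOu, $siteServerOu, $zoneDn)) {
    "== $dn"
    dsacls $dn | Select-String -SimpleMatch $principal
}
```

Step 5 is the evidence for the "Delegation documentation complete" item: the output should show the account's entries only on the Azure Local OUs and the cluster zone, and the Domain Admin row of the deployment account table stays unticked.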

Part 2: Enterprise Network Infrastructure Validation

Feeds: Stage 09 (Enterprise Readiness) and Stage 10 (Network Infrastructure)

Network Connectivity Requirements

Remote Access Configuration

| Setting | Value | Notes |
|---|---|---|
| VPN Access Required | ☐ Yes ☐ No | For remote access during Azure Local cloud deployment |
| VPN Type | ☐ Site-to-site ☐ Point-to-site ☐ ExpressRoute ☐ Other | |
| VPN Concentrator/Gateway | ________________________ | IP or hostname |
| Authorized VPN Users/Groups | ________________________ | |
| VPN IP Range | ________________________ | |

Outbound Internet Access

| Method | Configuration | Notes |
|---|---|---|
| Direct Internet | No proxy required | Simplest configuration |
| Proxy Server | Address: ____________ Port: ______; Authentication: ☐ Yes ☐ No; Bypass list: ________________________ | The bypass list must cover the management and storage subnets and the cluster and node names, so node-to-node and cluster traffic never traverses the proxy |
| Azure Arc Gateway | Resource ID: ________________________ | For restricted networks |
| Azure Firewall | Firewall IP: ________________________ | Enterprise egress |

Firewall Rules for Azure Endpoints

The following endpoints must be accessible from the management VLAN (HTTPS/443 unless noted):

Azure Arc and Azure Local Core Endpoints

| Endpoint Category | FQDNs | Status |
|---|---|---|
| Azure Resource Manager | management.azure.com | ☐ Configured ☐ Pending |
| Microsoft Entra ID | login.microsoftonline.com, graph.microsoft.com | ☐ Configured ☐ Pending |
| Azure Arc | *.arc.azure.com, *.arc.azure.net | ☐ Configured ☐ Pending |
| Azure Local | *.azurestackhci.azure.com | ☐ Configured ☐ Pending |
| Azure Storage | *.blob.core.windows.net, *.table.core.windows.net | ☐ Configured ☐ Pending |
| Azure Key Vault | *.vault.azure.net | ☐ Configured ☐ Pending |
| Windows Update | *.windowsupdate.com, *.update.microsoft.com | ☐ Configured ☐ Pending |

Additional Required Endpoints

| Endpoint Category | FQDNs | Status |
|---|---|---|
| Azure Monitor | *.ods.opinsights.azure.com, *.oms.opinsights.azure.com | ☐ Configured ☐ Pending |
| Microsoft Container Registry | mcr.microsoft.com, *.data.mcr.microsoft.com | ☐ Configured ☐ Pending |
| Azure Resource Bridge | ecpacr.azurecr.io, *.dp.kubernetesconfiguration.azure.com | ☐ Configured ☐ Pending |
| NTP | time.windows.com (UDP 123) | ☐ Configured ☐ Pending |

Firewall Rule Request:

  • Firewall rule request submitted: ☐ Yes ☐ No
  • Firewall rule approval status: ☐ Approved ☐ Pending ☐ Rejected
  • Change control number: ________________________

Endpoint Reference

For the complete list of required endpoints, see Microsoft Learn - Azure Local Firewall Requirements.

NTP and DNS Reachability

NTP Configuration

| Setting | Primary | Secondary |
|---|---|---|
| NTP Server | ________________________ | ________________________ |
| NTP Source | ☐ time.windows.com ☐ Internal NTP ☐ Other | |
| UDP 123 Accessible | ☐ Yes ☐ No | |
| NTP Sync Test | ☐ Pass ☐ Fail | |

NTP Verification Command:

# Test NTP connectivity
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly

DNS Reachability

| Test | Result | Notes |
|---|---|---|
| DNS servers reachable from management VLAN | ☐ Pass ☐ Fail | |
| Internal domain resolution | ☐ Pass ☐ Fail | nslookup dc01.Infinite azurelocal Corp.com |
| Azure endpoint resolution | ☐ Pass ☐ Fail | nslookup management.azure.com |
| Reverse DNS resolution | ☐ Pass ☐ Fail | |

DNS Verification Commands:

# Test internal DNS
nslookup Infinite azurelocal Corp.com

# Test Azure endpoints (should resolve to public IPs)
nslookup management.azure.com
nslookup login.microsoftonline.com

# Test reverse DNS
nslookup 10.10.100.10
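An added example, not part of the runbook, that runs the endpoint, DNS and NTP checks from the tables above in one pass and prints a Pass/Fail table to transcribe into them. Assumptions: it runs on a host attached to the management VLAN; the internal domain is contoso.com with dc01.contoso.com as the test record; the PTR test reuses 10.10.100.10 from the commands above; $Proxy is empty for direct egress or set to the proxy URL recorded under Outbound Internet Access. Only the concrete FQDNs from the endpoint tables are probed; wildcard entries need a specific host from the Microsoft Learn reference added to $Endpoints.

```powershell
# Added example: one pass over the Part 2 reachability checks. Values marked "assumption"
# are placeholders, not the customer's.
#Requires -Modules DnsClient, NetTCPIP
$Proxy          = ''                        # '' = direct egress; otherwise e.g. 'http://proxy.contoso.com:8080' (assumption)
$InternalDomain = 'contoso.com'             # assumption
$InternalHost   = "dc01.$InternalDomain"    # assumption
$ReverseIp      = '10.10.100.10'            # same address as the runbook's reverse lookup test
$NtpServer      = 'time.windows.com'
$Endpoints      = @('management.azure.com', 'login.microsoftonline.com', 'graph.microsoft.com',
                    'mcr.microsoft.com', 'ecpacr.azurecr.io')
$Rfc1918        = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

$results = New-Object System.Collections.Generic.List[object]
function Add-Result {
    param([string]$Test, [bool]$Pass, [string]$Note)
    $results.Add([pscustomobject]@{ Test = $Test; Result = $(if ($Pass) { 'Pass' } else { 'Fail' }); Notes = $Note })
}

function Test-Resolve {
    # Forward lookup. With -ExpectPublic an RFC 1918 answer counts as a failure: a split-brain
    # or sinkhole zone that intercepts Azure endpoints will break Arc registration later.
    param([string]$Name, [switch]$ExpectPublic)
    try {
        $ips = @(Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $pass = $ips.Count -gt 0
        if ($ExpectPublic -and ($ips | Where-Object { $_ -match $Rfc1918 })) { $pass = $false }
        return @{ Pass = $pass; Note = ($ips -join ', ') }
    } catch { return @{ Pass = $false; Note = $_.Exception.Message } }
}

function Test-Https {
    param([string]$Fqdn)
    if ($Proxy) {
        # Behind a proxy the node never opens TCP/443 to the endpoint itself, so ask the proxy
        # to CONNECT. Any HTTP reply, even 401/403/404, proves the path; a timeout or a
        # TLS/proxy error does not (those surface without a Response object).
        try {
            $null = Invoke-WebRequest -Uri "https://$Fqdn/" -Proxy $Proxy -Method Head `
                        -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            return @{ Pass = $true; Note = 'HTTP reply via proxy' }
        } catch {
            return @{ Pass = ($null -ne $_.Exception.Response); Note = "via proxy: $($_.Exception.Message)" }
        }
    }
    $t = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
    return @{ Pass = [bool]$t.TcpTestSucceeded; Note = "$($t.RemoteAddress)" }
}

function Test-Ntp {
    # w32tm prints one line per sample, e.g. "12:00:01, +00.0012345s"; an unreachable server
    # prints "error: 0x..." instead, so count only the lines that carry an offset.
    param([string]$Server)
    $out = @(& w32tm /stripchart "/computer:$Server" /samples:3 /dataonly 2>&1 | ForEach-Object { "$_" })
    $samples = @($out | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' })
    return @{ Pass = ($samples.Count -gt 0); Note = ($out | Select-Object -Last 1) }
}

# Configured DNS servers must answer from the management VLAN (AD DNS listens on TCP 53 as well)
$dnsServers = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique)
foreach ($s in $dnsServers) {
    $t = Test-NetConnection -ComputerName $s -Port 53 -WarningAction SilentlyContinue
    Add-Result "DNS server $s reachable (TCP 53)" ([bool]$t.TcpTestSucceeded) ''
}
$r = Test-Resolve $InternalHost
Add-Result "Internal resolution ($InternalHost)" $r.Pass $r.Note
try {
    $ptr = @(Resolve-DnsName -Name $ReverseIp -Type PTR -ErrorAction Stop | Where-Object { $_.Type -eq 'PTR' })
    Add-Result "Reverse resolution ($ReverseIp)" ($ptr.Count -gt 0) (($ptr | ForEach-Object { $_.NameHost }) -join ', ')
} catch { Add-Result "Reverse resolution ($ReverseIp)" $false $_.Exception.Message }
foreach ($e in $Endpoints) {
    $r = Test-Resolve $e -ExpectPublic
    Add-Result "Resolve $e to a public IP" $r.Pass $r.Note
    $r = Test-Https $e
    Add-Result "HTTPS/443 to $e" $r.Pass $r.Note
}
$r = Test-Ntp $NtpServer
Add-Result "NTP UDP/123 to $NtpServer" $r.Pass $r.Note

$results | Format-Table -AutoSize
```

A Fail on the "public IP" row with an RFC 1918 address in the Notes column is worth chasing before the firewall request goes in: it means an internal zone or a DNS sinkhole answers for the Azure name, and no firewall rule will fix that.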

Switch Configuration

Switch Inventory

| Setting | Switch 1 | Switch 2 | Notes |
|---|---|---|---|
| Switch Model | ____________ | ____________ | e.g., Dell S5248F-ON |
| Switch OS Version | ____________ | ____________ | OS10, DNOS, etc. |
| Firmware Version | ____________ | ____________ | |
| Management IP | ____________ | ____________ | |

VLAN Configuration

  • VLANs created on switches: ☐ Yes ☐ No
  • VLAN trunking configured: ☐ Yes ☐ No
  • VLAN list verified against site requirements: ☐ Yes ☐ No

| Setting | Value |
|---|---|
| LACP Configured for Node Uplinks | ☐ Yes ☐ No |
| LACP Mode | ☐ Active ☐ Passive |
| Port Channel IDs | ________________________ |
| Redundant Uplinks per Node | ☐ Yes ☐ No |

Note: Azure Local teams node adapters with Switch Embedded Teaming (SET), which does not support LACP. Switch ports facing the nodes are configured as independent trunk ports; LACP port channels apply to switch-to-switch and uplink ports only.

RDMA and QoS Configuration

| Setting | Status | Notes |
|---|---|---|
| RDMA/RoCEv2 Enabled | ☐ Yes ☐ No ☐ N/A | Required for storage traffic |
| DCB (Data Center Bridging) | ☐ Yes ☐ No ☐ N/A | |
| PFC (Priority Flow Control) | ☐ Yes ☐ No ☐ N/A | |
| ETS (Enhanced Transmission Selection) | ☐ Yes ☐ No ☐ N/A | |
| QoS Policy for Storage Traffic | ________________________ | |

Switch Interconnects

| Setting | Status |
|---|---|
| Switches Stacked | ☐ Yes ☐ No |
| ISL (Inter-Switch Link) Configured | ☐ Yes ☐ No |
| Redundant ISLs | ☐ Yes ☐ No |

Part 3: Site Network Infrastructure

Feeds: Stage 10 (Network Infrastructure Provisioning)

VLAN Planning (Per-Site)

Define VLANs and IP ranges for this site:

| VLAN ID | Purpose | IP Range | Mask | Gateway | DHCP | Notes |
|---|---|---|---|---|---|---|
| ____ | Management | ____________ | /24 | ____________ | ☐ Yes ☐ No | iDRAC, cluster mgmt |
| ____ | Storage 1 (S2D) | ____________ | /24 | N/A | ☐ No | RDMA/non-routed |
| ____ | Storage 2 (S2D) | ____________ | /24 | N/A | ☐ No | RDMA/non-routed |
| ____ | Production VMs | ____________ | /24 | ____________ | ☐ Yes ☐ No | Production workloads |
| ____ | Dev/Test VMs | ____________ | /24 | ____________ | ☐ Yes ☐ No | Dev/Test workloads |
| ____ | Backup | ____________ | /24 | ____________ | ☐ Yes ☐ No | Backup traffic |

IP Reservation

Reserve a contiguous block of at least 6 management IPs, outside any DHCP scope on the management VLAN, for Azure Local system use:

  • Cluster management virtual IP (VIP)
  • Azure Resource Bridge IP
  • Arc VM management IPs

Site-Specific Validation:

  • Site name/ID: ________________________
  • VLANs documented in table above: ☐ Yes ☐ No
  • VLAN IDs approved by network team: ☐ Yes ☐ No
  • IP ranges do not conflict with existing networks: ☐ Verified ☐ Pending

IP Address Allocation (Per-Site)

Management Network IPs

| Purpose | IP Address | Hostname | Notes |
|---|---|---|---|
| Cluster Management VIP | ____________ | ____________ | Cluster virtual IP |
| Azure Resource Bridge | ____________ | ____________ | ARB management |
| Reserved IP 1 | ____________ | | Arc VM management |
| Reserved IP 2 | ____________ | | Arc VM management |
| Reserved IP 3 | ____________ | | Future use |
| Reserved IP 4 | ____________ | | Future use |

Node Management IPs

| Node | Hostname | Management IP | iDRAC IP |
|---|---|---|---|
| Node 1 | ____________ | ____________ | ____________ |
| Node 2 | ____________ | ____________ | ____________ |
| Node 3 | ____________ | ____________ | ____________ |
| Node 4 | ____________ | ____________ | ____________ |

Storage Network IPs (Non-routed)

| Node | Storage Adapter 1 | Storage Adapter 2 |
|---|---|---|
| Node 1 | ____________ | ____________ |
| Node 2 | ____________ | ____________ |
| Node 3 | ____________ | ____________ |
| Node 4 | ____________ | ____________ |
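An added example, not from the runbook, that checks a completed VLAN table and IP allocation before the values go into variables.yml: no planned range may overlap another planned range or an existing customer network (the "IP ranges do not conflict" item), the 6 reserved management addresses must be usable host addresses outside the DHCP scope, and no node, iDRAC or reserved address may be used twice. The $Plan object is a constructed sample, not customer data, and carries two deliberate errors for the check to catch: the Backup VLAN overlaps an existing 10.10.210.0/23, and 10.10.100.12 is assigned to both node02 management and node04 iDRAC.

```powershell
# Added example: sanity-check the per-site VLAN table and IP allocation. All addresses
# below are constructed sample values.
function ConvertTo-IpNumber {
    # Dotted quad -> 32-bit number held in [long], so addresses above 128.0.0.0 do not overflow
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertTo-IpString {
    param([long]$N)
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}

function Get-Subnet {
    # CIDR such as 10.10.100.0/24 -> first/last address numbers (network and broadcast)
    param([string]$Cidr)
    $ipText, $len = $Cidr -split '/'
    $size    = [long][math]::Pow(2, 32 - [int]$len)
    $network = ConvertTo-IpNumber $ipText
    $network = $network - ($network % $size)        # clear host bits
    return [pscustomobject]@{ Cidr = $Cidr; First = $network; Last = $network + $size - 1 }
}

function Test-Overlap { param($A, $B) return ($A.First -le $B.Last) -and ($B.First -le $A.Last) }

function Test-SitePlan {
    param($Plan)
    $findings = New-Object System.Collections.Generic.List[string]
    $planned  = @($Plan.Vlans.Keys    | ForEach-Object { [pscustomobject]@{ Name = $_; Net = Get-Subnet $Plan.Vlans[$_] } })
    $existing = @($Plan.Existing.Keys | ForEach-Object { [pscustomobject]@{ Name = $_; Net = Get-Subnet $Plan.Existing[$_] } })

    # 1. No planned range may overlap another planned range or an existing network
    for ($i = 0; $i -lt $planned.Count; $i++) {
        for ($j = $i + 1; $j -lt $planned.Count; $j++) {
            if (Test-Overlap $planned[$i].Net $planned[$j].Net) {
                $findings.Add("Overlap: $($planned[$i].Name) $($planned[$i].Net.Cidr) vs $($planned[$j].Name) $($planned[$j].Net.Cidr)")
            }
        }
        foreach ($e in $existing) {
            if (Test-Overlap $planned[$i].Net $e.Net) {
                $findings.Add("Conflict with existing network: $($planned[$i].Name) $($planned[$i].Net.Cidr) vs $($e.Name) $($e.Net.Cidr)")
            }
        }
    }

    # 2. Reserved block: usable host addresses in the management subnet, not the gateway, outside DHCP
    $mgmt     = Get-Subnet $Plan.Vlans['Management']
    $gateway  = ConvertTo-IpNumber $Plan.ManagementGateway
    $dhcpLo   = ConvertTo-IpNumber $Plan.DhcpScope[0]
    $dhcpHi   = ConvertTo-IpNumber $Plan.DhcpScope[1]
    $start    = ConvertTo-IpNumber $Plan.ReservedStart
    $reserved = @()
    for ($k = 0; $k -lt $Plan.ReservedCount; $k++) {
        $n = $start + $k
        $reserved += ConvertTo-IpString $n
        if ($n -le $mgmt.First -or $n -ge $mgmt.Last -or $n -eq $gateway) {
            $findings.Add("Reserved $(ConvertTo-IpString $n) is not a usable host address in $($mgmt.Cidr)")
        }
        if ($n -ge $dhcpLo -and $n -le $dhcpHi) { $findings.Add("Reserved $(ConvertTo-IpString $n) falls inside the DHCP scope") }
    }

    # 3. Node, iDRAC and reserved addresses: inside the management subnet and none used twice
    $hosts = @($Plan.NodeIps.Values) + @($Plan.IdracIps.Values)
    foreach ($ip in $hosts) {
        $n = ConvertTo-IpNumber $ip
        if ($n -le $mgmt.First -or $n -ge $mgmt.Last) { $findings.Add("$ip is outside the management subnet $($mgmt.Cidr)") }
    }
    $hosts + $reserved + @($Plan.ManagementGateway) | Group-Object | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $findings.Add("Address used more than once: $($_.Name)") }
    return $findings
}

# Constructed sample plan with two deliberate errors (Backup overlap, duplicate 10.10.100.12)
$Plan = [pscustomobject]@{
    Vlans = [ordered]@{
        'Management'      = '10.10.100.0/24'   # 100.10.10.in-addr.arpa, as in the zone example
        'Storage 1 (S2D)' = '10.10.101.0/24'
        'Storage 2 (S2D)' = '10.10.102.0/24'
        'Production VMs'  = '10.10.200.0/24'   # 200.10.10.in-addr.arpa
        'Dev/Test VMs'    = '10.10.201.0/24'
        'Backup'          = '10.10.210.0/24'
    }
    Existing          = [ordered]@{ 'Existing backup network' = '10.10.210.0/23'; 'Corporate LAN' = '192.168.0.0/16' }
    ManagementGateway = '10.10.100.1'
    DhcpScope         = @('10.10.100.100', '10.10.100.199')
    ReservedStart     = '10.10.100.20'      # 6 contiguous addresses, .20 through .25
    ReservedCount     = 6
    NodeIps           = [ordered]@{ node01 = '10.10.100.11'; node02 = '10.10.100.12'; node03 = '10.10.100.13'; node04 = '10.10.100.14' }
    IdracIps          = [ordered]@{ node01 = '10.10.100.31'; node02 = '10.10.100.32'; node03 = '10.10.100.33'; node04 = '10.10.100.12' }
}
$findings = Test-SitePlan $Plan
if ($findings.Count -eq 0) { 'No conflicts found' } else { $findings }
```

Storage subnets are included in the overlap check even though they are non-routed: a storage range that collides with a routed customer network still breaks the moment a node's storage adapter and a management route disagree about where a prefix lives.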

DNS and NTP Configuration (Per-Site)

| Setting | Value |
|---|---|
| Primary DNS Server | ________________________ |
| Secondary DNS Server | ________________________ |
| DNS Suffix | ________________________ |
| Cluster DNS Name | ________________________ (e.g., cluster01.azlocal.Infinite azurelocal Corp.com) |
| Primary NTP Source | ________________________ |
| Secondary NTP Source | ________________________ |
| Time Zone | ________________________ |

Switch Port Assignments (Per-Site)

Document physical port mappings for each node:

Node 1 Port Mapping

| Interface | Switch | Port(s) | VLAN(s) | Speed | Notes |
|---|---|---|---|---|---|
| Management NIC | ______ | ______ | ______ | 1/10G | |
| Storage NIC 1 | ______ | ______ | ______ | 25/100G | RDMA |
| Storage NIC 2 | ______ | ______ | ______ | 25/100G | RDMA |
| Compute/VM NIC | ______ | ______ | ______ | 25/100G | Trunk |

Node 2 Port Mapping

| Interface | Switch | Port(s) | VLAN(s) | Speed | Notes |
|---|---|---|---|---|---|
| Management NIC | ______ | ______ | ______ | 1/10G | |
| Storage NIC 1 | ______ | ______ | ______ | 25/100G | RDMA |
| Storage NIC 2 | ______ | ______ | ______ | 25/100G | RDMA |
| Compute/VM NIC | ______ | ______ | ______ | 25/100G | Trunk |

(Repeat for additional nodes)


Part 4: Azure Tenant Discovery (Automation)

For deployments where Azure resources already exist, use automated discovery to document the current state.

Azure Tenant Discovery Process

Script: Inventory-AzureTenant.ps1 Output: discovery/azure-inventory.json

# Authenticate to target tenant
Connect-AzAccount -Tenant "{{CUSTOMER_TENANT_ID}}"

# Run discovery
.\scripts\discovery\Inventory-AzureTenant.ps1 `
    -TenantId "{{CUSTOMER_TENANT_ID}}" `
    -IncludeRBAC `
    -Verbose

What Gets Discovered

| Category | Resources | Details Captured |
|---|---|---|
| Identity | Management Groups, Subscriptions | Hierarchy, state, tenant association |
| Compute | VMs, Disks, Availability Sets | Size, OS, network config |
| Networking | VNets, Subnets, NSGs, NICs | Address spaces, peering, rules |
| Storage | Storage Accounts, File Shares | SKU, encryption, endpoints |
| Security | Key Vaults, Managed Identities | Configuration, access policies |
| Monitoring | Log Analytics, App Insights | Workspace details, retention |

Review and Import

# View discovery summary
$discovery = Get-Content -Raw -Path discovery/azure-inventory.json | ConvertFrom-Json
Write-Host "Subscriptions: $($discovery.subscriptions.Count)"
Write-Host "Resource Groups: $($discovery.resource_groups.Count)"
Write-Host "VNets: $($discovery.vnets.Count)"

# Preview import (safe WhatIf)
.\scripts\discovery\Update-InfrastructureFromDiscovery.ps1 -Azure -WhatIf

# Apply import
.\scripts\discovery\Update-InfrastructureFromDiscovery.ps1 -Azure

Assessment Deliverables Checklist

Active Directory Planning (Part 1)

  • AD domain architecture and DNS zone design documented
  • OU structure for Azure Local objects approved
  • Service account requirements matrix complete (names, permissions, groups)
  • GPO application strategy defined
  • Password rotation schedule established

Enterprise Network Validation (Part 2)

  • Network connectivity validated (VPN, firewall, proxy)
  • Azure endpoint firewall rules approved and configured
  • NTP and DNS reachability confirmed
  • Switch configuration documented (VLANs, LACP, RDMA/QoS)
  • Switch firmware baseline established

Site Network Infrastructure (Part 3)

  • Per-site VLAN table finalized with IP ranges
  • IP address allocation completed (management, iDRAC, storage)
  • DNS and NTP configuration per site documented
  • Switch port mapping completed per node

Azure Tenant Discovery (Part 4)

  • Azure tenant discovery completed (if existing resources)
  • Discovery outputs reviewed and categorized
  • Relevant resources imported to variables.yml

Next Steps

After completing this site assessment:

  1. Proceed to Hardware Requirements to document hardware specifications
  2. For multi-site deployments, see Multi-Site Planning
  3. Begin implementation with Phase 08 - Active Directory