Dell EMC Cloud for Microsoft Azure Stack Hub Deployment … · 2020-08-09 · It is easier to...


Dell EMC Cloud for Microsoft Azure Stack Hub April 2020

Revision 03

Deployment Planning Guide

Abstract

This deployment planning guide helps customers and Dell Technologies engineers gather predeployment information and make important infrastructure decisions for Dell EMC Cloud for Microsoft Azure Stack Hub.

Dell Technologies Solutions


Copyright


The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any software described in this publication requires an applicable software license.

Copyright © 2020 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Intel, the Intel logo, the Intel Inside logo and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. Other trademarks may be trademarks of their respective owners. Published in the USA 04/20 Deployment Planning Guide REV 03.

Dell Inc. believes the information in this document is accurate as of its publication date. The information is subject to change without notice.


Contents


Overview .............................................................................................................................................4

Deployment Worksheet .....................................................................................................................4

Customer Settings tab .......................................................................................................................4

Network Settings tab .........................................................................................................................8

Border Settings tab ............................................................................................................................9

Scale Unit tab......................................................................................................................................9

Physical switch access control lists .............................................................................................15

Integration considerations ..............................................................................................................16

Appendix A. Additional Information ..............................................................................................20


Overview

This guide helps customers and Dell Technologies engineers gather predeployment information and make important infrastructure decisions for Dell EMC Cloud for Microsoft Azure Stack Hub. This information is required to correctly deploy Azure Stack Hub to the customer data center.

Dell Technologies and the authors of this document welcome your feedback on the solution and the solution documentation. Contact the Dell Technologies Solutions team by email or provide your comments by completing our documentation survey.

Author: MHC Engineering

Contributor: James Norton

Deployment Worksheet

Ask the Dell Technologies sales team for the Azure Stack Hub Deployment Worksheet, which collects all the information that is needed for deployment decisions in one place. Complete the Deployment Worksheet during the planning process before starting deployment.

For more information about planning considerations, see Data center integration considerations for Azure Stack Hub integrated systems.

Complete all fields in the Customer Settings, Network Settings, and Scale Unit tabs as described in the following sections.

Customer Settings tab

Complete three sections of information under the Customer Settings tab:

• Azure Identity Store

• Customer Information

• Environment Information

Azure Identity Store

For information about Azure Identity Store, see Microsoft topics including the following:

• Azure Stack Hub integrated systems connection models

• Connected deployment

• Disconnected deployment

Azure Stack Hub integrated systems connection models

For information about the connection models, see Azure Stack Hub integrated systems connection models on the Microsoft website. This page includes the subtopic Choose a deployment connection model.



Choose an identity store. See Choose identity store on the Microsoft website. There are two types of identity stores to choose from:

• Azure Active Directory identity store

• Active Directory Federated Services identity store

IMPORTANT: This is a key decision point. Choosing the Azure Active Directory or Active Directory Federated Services identity store is a one-time decision that you must make at deployment time. You cannot change this decision later without redeploying the entire system.

Connected deployment

For information about connected deployments, see Connected deployment on the Microsoft website.

Note: For billing model decisions, see Choose billing model. For details about the differences between the two models, see Microsoft Azure Stack Hub packaging and pricing.

Disconnected deployment

For information about disconnected deployments, see Disconnected deployment on the Microsoft website.

Some features and functions are impaired or unavailable in Disconnected mode, as described in Features that are impaired or unavailable in Disconnected mode.

Customer Information

In the Customer Information section, you provide information to integrate Azure Stack Hub with your organization’s IT infrastructure:

Company Name—The name of your organization.

External Domain Name—The external DNS zone for the Azure Stack Hub instance. This value, along with the region name, is used to construct the FQDN for all external endpoints for this Azure Stack Hub region (for example, regionname.cloudapp.externaldomainname.com). For more information, see Azure Stack Hub DNS namespace.

As with the region name, choose the external domain name carefully because it is used to form all the URLs for external endpoints that your tenants will access. It cannot be changed after you have deployed Azure Stack Hub.

IMPORTANT: This is a key decision point. Choose your region name and external domain name with careful consideration and planning. These values form the basis of your DNS namespace, and you cannot change them without redeploying Azure Stack Hub.

Case Study: Contoso.com

The following case study is an example deployment scenario for a fictitious company that illustrates how values such as Region Name and External Domain Name are used.

Contoso wants to deploy Azure Stack Hub and already owns the DNS name Contoso.com. They want to leverage this existing DNS name because their customers are already familiar with their name and brand. Consequently, they want to use an external domain name for Azure Stack Hub that is a subdomain of Contoso.com. They are going to start with a single region in their Chicago data center, and they plan to add more regions in the future. They have chosen to call this Azure cloud “MAST” because it is simple and they like the way that it sounds.

Contoso chooses the following values for their deployment.

Company name: Contoso

Region name: CHI

External domain name: mast.contoso.com

Using this combination of values, the Azure Stack Hub Tenant Portal URL for this deployment would be:

https://publicportal.chi.mast.contoso.com

What if a tenant wants to create a load balancer with a public IP address for their web application and give it a DNS name label? It is for a teamwork application, so the tenant uses the DNS name label “Teams.” The resulting URL for the web application would be:

http://teams.chi.cloudapp.mast.contoso.com

Contoso chose an external domain name that is a subdomain of an existing DNS domain name. Contoso can set up a DNS delegation for that zone down to the Azure Stack Hub DNS so that tenants can resolve these names from outside of the Azure Stack Hub instance. Contoso could also, for example, set up a CNAME or alias for Azure Stack Hub to point to portal.mast.contoso.com that in turn points to portal.chi.mast.contoso.com.

In the future, depending on proximity, availability, or other business rules, when Contoso wants to add another region in Seattle, they can set load-balancing rules to route the portal.mast.contoso.com name to either:

• portal.chi.mast.contoso.com

• portal.sea.mast.contoso.com

Organizations can set this up differently, according to their business needs. This example illustrates the factors to consider during your namespace planning.

Private Domain

The private domain information is used to create the internal, Active Directory integrated DNS domain that will be used for Azure Stack Hub infrastructure services. This domain is used for internal endpoints, service-to-service communications, infrastructure role machine accounts, group-managed service accounts, and so on. This domain and the endpoints in it are accessible only from the infrastructure subnet (see Network Settings tab) and are not exposed externally to tenants.

For more information about setting up private domains, see Use Azure DNS for private domains.


Region Name

This value is prepended to your External Domain Name suffix, described in the preceding section. It is used to create the FQDN of your external endpoints (for example, regionname.cloudapp.externaldomainname.com). Even if there is only one region, you must provide a region name consisting only of letters and the numbers 0 through 9.

IMPORTANT: This is a key decision point. Choose your region name and external domain name with careful consideration and planning. These values form the basis of your DNS namespace, and you cannot change them without redeploying Azure Stack Hub.

When choosing a region name, use the following rules:

• Use a region name that indicates the physical location of the Azure Stack Hub scale units. In Azure, the region names correspond to the geographic location of the data centers where the compute, storage, and network resources are located (USWest, EastAsia, NorthEurope, and so on). In this way, users have a clear idea of where their resources are physically located.

• Use a naming convention that is intuitive for your users. Data center locations are a popular choice for region names. Ensure that your tenants can make a good choice as to where to deploy their resources based on the region name.

• Keep the region name short. The region is prepended to your external domain name to create the FQDN for that region.

IMPORTANT: These considerations are important even if you only have a single region. These values cannot be changed without redeploying Azure Stack Hub.
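The Contoso values from the case study, run through a small planning check, as an added example that is not part of the original guide: it enforces the guide's region-name rule (letters and digits only), normalises names to lower case, checks each label and the full FQDN against the DNS length limits (63 characters per label, 253 overall), and derives the tenant portal and cloudapp endpoint names. The publicportal and cloudapp host-name patterns are taken from the Contoso example; the length limits are standard DNS constraints and are not stated in the guide.

```python
import re

# DNS label rule: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
DNS_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Guide rule for a region name: only letters and the digits 0 through 9.
REGION_NAME_RE = re.compile(r"^[a-z0-9]+$")
MAX_FQDN_LENGTH = 253  # standard limit for a DNS name without the trailing dot


def validate_region_name(region: str) -> str:
    """Return the region name in lower case, or raise if it breaks the guide's rule."""
    region = region.strip().lower()
    if not REGION_NAME_RE.match(region):
        raise ValueError(f"region name {region!r} must contain only letters and digits")
    return region


def region_name_is_valid(region: str) -> bool:
    """Boolean form of validate_region_name for quick worksheet checks."""
    try:
        validate_region_name(region)
        return True
    except ValueError:
        return False


def validate_dns_name(name: str) -> str:
    """Return a normalised DNS name after checking every label and the total length."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > MAX_FQDN_LENGTH:
        raise ValueError(f"DNS name {name!r} is empty or longer than {MAX_FQDN_LENGTH} characters")
    for label in name.split("."):
        if not DNS_LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {name!r}")
    return name


def plan_external_endpoints(region: str, external_domain: str, tenant_labels=()) -> dict:
    """Build the FQDNs the guide derives from Region Name and External Domain Name.

    Every endpoint is validated as a complete DNS name, so an over-long region
    name or domain is caught at planning time rather than after deployment,
    when neither value can be changed without redeploying.
    """
    region = validate_region_name(region)
    domain = validate_dns_name(external_domain)
    region_suffix = f"{region}.{domain}"  # e.g. chi.mast.contoso.com
    endpoints = {
        # Tenant portal host name, following the guide's Contoso example.
        "tenant_portal": "https://" + validate_dns_name(f"publicportal.{region_suffix}"),
        # Tenant public-IP DNS name labels live under <region>.cloudapp.<external domain>.
        "cloudapp": {},
    }
    for label in tenant_labels:
        fqdn = validate_dns_name(f"{label}.{region}.cloudapp.{domain}")
        endpoints["cloudapp"][label] = "http://" + fqdn
    return endpoints


if __name__ == "__main__":
    # Values from the guide's Contoso case study.
    plan = plan_external_endpoints("CHI", "mast.contoso.com", tenant_labels=["Teams"])
    print(plan["tenant_portal"])
    print(plan["cloudapp"]["Teams"])
```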

Naming prefixes (Deployment Prefix and Physical Prefix)

During the deployment, computer names and corresponding IP assignments are automatically generated for both physical devices and deployment-related items such as management virtual machines (VMs) and Active Directory object names. In the xxx fields, you provide two alphanumeric prefix strings up to eight characters long, which are prepended to the automatically generated names and assignments for easy identification. These prefixes are used with well-known suffixes to make names consistent across all Azure Stack Hub installations and to facilitate troubleshooting and diagnostics.

It is easier to diagnose issues if you recognize the naming pattern in the trace logs. Two options (deployment and physical prefixes) are provided because different teams with different naming conventions often manage network devices, physical computer devices, and service-specific VMs. They can be the same string.

• The Deployment Prefix is prepended to the infrastructure role machine names.

• The Physical Prefix is prepended to the physical switch and physical compute node names.

Environment Information

The Environment Information section collects time server and DNS server information.

Time Server

Specify an IP for the time synchronization server. Although most of the components in the infrastructure can resolve a URL, some can only support IP addresses. If you are using the disconnected deployment option, you must specify a time server on your corporate network that you are sure can be reached from the infrastructure network in Azure Stack Hub. See Time Synchronization.

DNS Server(s)

Enter the DNS servers’ IP address.

Azure Stack Hub deploys its own recursive DNS servers that are part of the solution’s infrastructure. If they do not have the proper authority, these recursive DNS servers forward DNS name queries to an upstream DNS server. This action ensures that the authoritative resolver for that DNS name can be found, the name resolved, and the result returned to the original requester.

Azure Stack Hub DNS servers are only authoritative for the external domain name zone. For queries for DNS names outside of the Azure Stack Hub solution, provide the IP address of a DNS server in your environment that can either resolve these names or forward them as appropriate.

Provide at least two entries (separated by commas) in the DNS Server(s) (upstream) field. These entries must be IP addresses of valid DNS servers that are accessible from the Azure Stack Hub public infrastructure network (see Network design and infrastructure in the Appendix). If you do not provide these entries, or if these entries are unavailable, queries for DNS names for endpoints outside of the Azure Stack Hub (for example, Internet endpoints like www.bing.com) will fail.

Network Settings tab

This section describes the network infrastructure for Azure Stack Hub deployment and integration into the data center. It also describes how to use the Deployment Worksheet to record details about important decisions that require knowledge of the network environment. Although the configuration might vary based on the network hardware, the requirements and concepts are the same.

The Network Settings tab has the following fields:

• Topology—The Scale Units and Total Node Count fields are automatically populated when you fill in the fields in the Scale Unit tab.

• Switch Information—Select the hardware and firmware for the TOR and BMC switches.

• Cloud Networks:

▪ External Subnet—Enter the external subnet IP; for example, 10.128.3.0/25.

▪ Private Subnet—Enter the private subnet IP, for example, 172.16.240.0/20. The network is unrouted, external to the stamp.

• Permit Network Addresses (optional): Networks that are allowed to access the HLH and HLH iDRAC.


Border Settings tab

The Border Settings tab contains the following fields:

• Border Connectivity:

▪ Routing Method—Select BGP or Static. We recommend selecting Border Gateway Protocol (BGP) routing.

▪ Border Switch Count—We recommend that you enter 2 for redundancy purposes. In the BGP field(s), enter the ASN(s) of the border switch(es). To find the ASN, you can connect to the switch console to show BGP information. For example, for a Dell EMC switch, you can enter show ip bgp. This command displays all the BGP information including the ASN.

Scale Unit tab

Complete all the information in the Scale Unit tab. For information about the fields, see Network Connectivity.

In the Node Count field, enter the node count for the customer’s Azure Stack Hub specifications (4, 8, 12, or 16).

IP assignments on the Deployment Worksheet

In the Scale Unit tab of the Deployment Worksheet, you must provide the following network addresses to support the Azure Stack Hub deployment process. The deployment team uses the Deployment Worksheet to break out the IP networks into all the smaller networks that the system requires.

For detailed descriptions of each network, see Network design and infrastructure in the Appendix.

In this example, we complete the Scale Unit tab of the Deployment Worksheet with the values that are shown in the following table:

Table 1. Scale Unit tab example values

Network                                              Value (examples)
BMC Subnet (BMC network)                             10.128.0.64/26
Infrastructure Subnet (Infrastructure network)       10.128.1.0/24
Switch Infra Subnet (Switch infrastructure network)  10.128.0.0/26
TOR BGP ASN                                          64910

After you have filled in all fields in the Scale Unit tab, run the Generate function of the Deployment Worksheet PowerShell module (Action > Generate). The Generate function creates two new tabs:

• Subnet Summary tab

• IP Assignments tab


Subnet Summary tab

The Subnet Summary tab shows how the supernets are split to create all the required networks, as shown in the following table. Our example includes only a subset of the columns on this tab. The actual result lists more details of each network.

Table 2. Subnet Summary tab example values

Association        Subnet type  Name                                           IPv4 subnet (examples)  IPv4 addresses
CL01               other        CL01-External-VIPS                             10.128.3.0/24           256
Rack01             VLAN         Rack01-BMCMgmt                                 10.128.0.64/26          64
Rack01             P2P Link     P2P_Rack00/B1_To_Rack01/Tor1                   10.128.0.0/30           4
Rack01             P2P Link     P2P_Rack00/B1_To_Rack01/Tor2                   10.128.0.4/30           4
Rack01             P2P Link     P2P_Rack00/B2_To_Rack01/Tor1                   10.128.0.8/30           4
Rack01             P2P Link     P2P_Rack00/B2_To_Rack01/Tor2                   10.128.0.12/30          4
Rack01             P2P Link     P2P_Rack01/Tor1_To_Rack01/BMC                  10.128.0.16/30          4
Rack01             P2P Link     P2P_Rack01/Tor2_To_Rack01/BMC                  10.128.0.20/30          4
Rack01             LoopBack     Loopback_Rack01/Tor1                           10.128.0.24/32          1
Rack01             LoopBack     Loopback_Rack01/Tor2                           10.128.0.25/32          1
Rack01             LoopBack     Loopback_Rack01/BMC                            10.128.0.26/32          1
Rack01             P2P Link     P2P_Rack01/TOR1-ibgp-1_To_Rack01/TOR2-ibgp-1   10.128.0.28/30          4
Rack01             P2P Link     P2P_Rack01/TOR1-ibgp-2_To_Rack01/TOR2-ibgp-2   10.128.0.32/30          4
Rack01             VLAN         Rack01-SwitchMgmt                              10.128.0.40/29          8
Rack01-CL01-SU01   VLAN         Rack01-CL01-SU01-Infrastructure                10.128.1.0/24           256
Rack01-CL01-SU01   VLAN         Rack01-CL01-SU01-Storage                       172.16.240.0/25         128
Rack01-CL01-SU01   other        Rack01-CL01-SU01-InternalVIPs                  172.16.240.128/25       128
CL01               other        CL01-Reserved-25a                              172.16.241.0/25         128
CL01               other        CL01-Reserved-25b                              172.16.241.128/25       128
CL01               other        CL01-DockerNAT                                 172.16.242.0/23         512

Switch infrastructure network (in Subnet Summary tab)

The switch infrastructure network is broken into multiple networks that the physical switch infrastructure uses. This infrastructure network is different from the Azure Stack Hub infrastructure network, which only supports the Azure Stack Hub software. The switch infrastructure network supports only the physical switches and their interconnectivity. The following table shows the subnets that are defined within the switch infrastructure network.


Table 3. Switch infrastructure network subnets

Name                                           IPv4 subnet
P2P_Rack00/B1_To_Rack01/Tor1                   10.128.0.0/30
P2P_Rack00/B1_To_Rack01/Tor2                   10.128.0.4/30
P2P_Rack00/B2_To_Rack01/Tor1                   10.128.0.8/30
P2P_Rack00/B2_To_Rack01/Tor2                   10.128.0.12/30
P2P_Rack01/Tor1_To_Rack01/BMC                  10.128.0.16/30
P2P_Rack01/Tor2_To_Rack01/BMC                  10.128.0.20/30
Loopback_Rack01/Tor1                           10.128.0.24/32
Loopback_Rack01/Tor2                           10.128.0.25/32
Loopback_Rack01/BMC                            10.128.0.26/32
P2P_Rack01/TOR1-ibgp-1_To_Rack01/TOR2-ibgp-1   10.128.0.28/30
P2P_Rack01/TOR1-ibgp-2_To_Rack01/TOR2-ibgp-2   10.128.0.32/30
Rack01-SwitchMgmt                              10.128.0.40/29

The network types are:

• Point-to-point (P2P)—These networks provide connectivity between all switches. The subnet size is a /30 network for each P2P. The lowest IP is always assigned to the upstream (North) device on the stack.

• Loopback—These /32 networks are assigned to each switch used in the rack. The border devices are not assigned a loopback since they are not expected to be part of the Azure Stack Hub solution.

• Switch Mgmt or Switch Management—This /29 network supports the dedicated management interfaces of the switches in the rack. The following table shows the IP address assignments. This table is also in the IP Assignments tab of the Deployment Worksheet.

Table 4. Switch management network addresses

Rack: Rack1
Name: SwitchMgmt

Assigned to      IPv4 address
Network          10.128.0.40
Gateway (BMC)    10.128.0.41
TOR1             10.128.0.42
TOR2             10.128.0.43
Broadcast        10.128.0.47
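Tables 3 and 4 can be reproduced from the Switch Infra Subnet in Table 1 with a small allocator, as an added example that is not part of the original guide or of the Deployment Worksheet module: it carves the /30 point-to-point links, /32 loopbacks and /29 switch management network in the order of Table 3, aligning each block to its own size (which is why the iBGP links start at .28 and SwitchMgmt at .40), assigns the lowest P2P address to the upstream device, and checks the Table 1 supernets for overlap before any of them is handed to the deployment team. The allocation order and the block-alignment behaviour are inferred from the tables, not stated by the guide.

```python
import ipaddress
from itertools import combinations

# Supernets from Table 1 of the guide (example values).
SUPERNETS = {
    "BMC Subnet": "10.128.0.64/26",
    "Infrastructure Subnet": "10.128.1.0/24",
    "Switch Infra Subnet": "10.128.0.0/26",
}

# Networks carved from the switch infrastructure supernet, in the order of Table 3:
# (name, prefix length). P2P links are /30, loopbacks /32, switch management /29.
SWITCH_INFRA_PLAN = [
    ("P2P_Rack00/B1_To_Rack01/Tor1", 30),
    ("P2P_Rack00/B1_To_Rack01/Tor2", 30),
    ("P2P_Rack00/B2_To_Rack01/Tor1", 30),
    ("P2P_Rack00/B2_To_Rack01/Tor2", 30),
    ("P2P_Rack01/Tor1_To_Rack01/BMC", 30),
    ("P2P_Rack01/Tor2_To_Rack01/BMC", 30),
    ("Loopback_Rack01/Tor1", 32),
    ("Loopback_Rack01/Tor2", 32),
    ("Loopback_Rack01/BMC", 32),
    ("P2P_Rack01/TOR1-ibgp-1_To_Rack01/TOR2-ibgp-1", 30),
    ("P2P_Rack01/TOR1-ibgp-2_To_Rack01/TOR2-ibgp-2", 30),
    ("Rack01-SwitchMgmt", 29),
]


def carve(supernet: str, plan) -> dict:
    """Allocate each requested prefix from the supernet, in plan order.

    Each block starts on a boundary aligned to its own size (inferred from Table 3):
    after the three /32 loopbacks end at .26, the next /30 lands on .28, and the
    /29 switch management network lands on .40 rather than .36. Raises ValueError
    when the plan does not fit in the supernet.
    """
    net = ipaddress.ip_network(supernet, strict=True)
    cursor = int(net.network_address)
    limit = int(net.broadcast_address) + 1
    allocated = {}
    for name, prefixlen in plan:
        size = 1 << (net.max_prefixlen - prefixlen)
        cursor = (cursor + size - 1) // size * size  # round up to the block boundary
        if cursor + size > limit:
            raise ValueError(f"{name}: {supernet} has no room left for a /{prefixlen}")
        allocated[name] = ipaddress.ip_network((cursor, prefixlen))
        cursor += size
    return allocated


def fits(supernet: str, plan) -> bool:
    """True when the whole plan can be carved from the supernet."""
    try:
        carve(supernet, plan)
        return True
    except ValueError:
        return False


def p2p_addresses(link: ipaddress.IPv4Network) -> dict:
    """Per the guide, the lowest usable IP of a /30 goes to the upstream (North) device."""
    north, south = list(link.hosts())
    return {"north": north, "south": south}


def switch_mgmt_addresses(mgmt: ipaddress.IPv4Network) -> dict:
    """Reproduce Table 4: gateway (BMC switch) first, then TOR1 and TOR2."""
    hosts = list(mgmt.hosts())
    return {
        "Network": mgmt.network_address,
        "Gateway (BMC)": hosts[0],
        "TOR1": hosts[1],
        "TOR2": hosts[2],
        "Broadcast": mgmt.broadcast_address,
    }


def overlapping(networks: dict) -> list:
    """Return name pairs whose networks overlap; an empty list means the supernets are disjoint."""
    parsed = {name: ipaddress.ip_network(value) for name, value in networks.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2) if parsed[a].overlaps(parsed[b])]


if __name__ == "__main__":
    assert overlapping(SUPERNETS) == [], "Table 1 supernets must not overlap"
    for name, subnet in carve(SUPERNETS["Switch Infra Subnet"], SWITCH_INFRA_PLAN).items():
        print(f"{name:46} {str(subnet):18} {subnet.num_addresses}")
    for role, addr in switch_mgmt_addresses(ipaddress.ip_network("10.128.0.40/29")).items():
        print(f"{role:16} {addr}")
```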


IP Assignments tab

The IP Assignments tab shows how the IPs are consumed.

BMC network

The supernet for the BMC network is now a /26 network. The gateway uses the first IP address in the network followed by the BMC devices in the rack, as shown in the following table. The hardware lifecycle host has multiple addresses that are assigned on this network and can be used to deploy, monitor, and support the rack. These IP addresses are distributed into these groups: DVM, InternalAccessible, and ExternalAccessible.

Table 5. BMC network addresses

Rack: Rack1
Name: BMCMgmt

Assigned to        IPv4 address
Network            10.128.0.64
Gateway            10.128.0.65
HLH-BMC            10.128.0.66
sac01-S1-N01       10.128.0.67
sac01-S1-N02       10.128.0.68
sac01-S1-N03       10.128.0.69
sac01-S1-N04       10.128.0.70
sac01-S1-N05       10.128.0.71
sac01-S1-N06       10.128.0.72
sac01-S1-N07       10.128.0.73
sac01-S1-N08       10.128.0.74
sac01-S1-N09       10.128.0.75
sac01-S1-N10       10.128.0.76
sac01-S1-N11       10.128.0.77
sac01-S1-N12       10.128.0.78
sac01-S1-N13       10.128.0.79
sac01-S1-N14       10.128.0.80
sac01-S1-N15       10.128.0.81
sac01-S1-N16       10.128.0.82
Internal1          10.128.0.108
Internal2          10.128.0.109
Internal3          10.128.0.110
Internal4          10.128.0.111
Internal5          10.128.0.112
Internal6          10.128.0.113
Internal7          10.128.0.114
Internal8          10.128.0.115
External1          10.128.0.116
External2          10.128.0.117
External3          10.128.0.118
External4          10.128.0.119
Internal9          10.128.0.120
Internal10         10.128.0.121
Internal11         10.128.0.122
Internal12         10.128.0.123
sac01-HLH-DVM00    10.128.0.125
HLH-OS             10.128.0.126
Broadcast          10.128.0.127

Storage network

The storage network is a private network that is not routed beyond the rack. It is the first half of the private network supernet and is used by the switches, with addresses allocated as shown in the following table. The gateway is the first IP address in the subnet.

The second half, which is used for the Internal VIPs, is a private pool of addresses that the Azure Stack Hub SLB manages and is not shown on the IP Assignments tab. See the following table. These networks support Azure Stack Hub, and the ACLs on the ToR switches prevent these networks from being advertised and accessed outside the solution.


Table 6. Storage network addresses

Rack: Rack1
Name: CL01-RG01-SU01-Storage

Assigned to      IPv4 address
Network          172.16.240.0
Gateway          172.16.240.1
TOR1             172.16.240.2
TOR2             172.16.240.3
Broadcast        172.16.240.127

Infrastructure network

The infrastructure network supernet requires a /24 network and continues to be a /24 after the Deployment Worksheet tool runs. The gateway is the first IP address in the subnet, as shown in the following table.

Table 7. Infrastructure network addresses

Rack: Rack1
Name: CL01-RG01-SU01-Infra

Assigned to      IPv4 address
Network          10.128.1.0
Gateway          10.128.1.1
TOR1             10.128.1.2
TOR2             10.128.1.3
Broadcast        10.128.1.255


Physical switch access control lists

To protect the Azure Stack Hub solution, we implemented access control lists (ACLs) on the ToR switches. The following figure shows the sources and destinations of every network inside the Azure Stack Hub solution.

Figure 1. Solution network sources and destinations

The following table correlates the ACL references with the Azure Stack Hub networks.

Table 8. ACL references

Network / ACL reference: Description

BMC network
  BMC Mgmt: Deployment VM, BMC interface, HLH server, HLH VMs.
  HLH External Accessible: A set of addresses that are hosted on an HLH node. The ACL denies IP access beyond the border.
  HLH Internal Accessible: A set of addresses that are hosted on the HLH node. They have access to IP resources beyond the border.
  HLH DVM: Azure Stack Hub deployment VM with access to resources on the Internet.

SwitchInfraNetwork
  Switch Mgmt: Dedicated switch management interfaces.
  ToR1/ToR2 RouterIP: Loopback interface of the switch that is used for BGP peering between the SLB and switch or router.

AzureStackInfraNetwork
  Azure Stack Hub Infrastructure: Azure Stack Hub infrastructure services and VMs; restricted network.
  Azure Stack Hub Infrastructure Public: Azure Stack Hub infrastructure services that must talk to the Internet and tenants (NTP, DNS, Active Directory).

StorageNetwork
  Storage: Private IPs that are not routed outside of the stamp.
  Internal VIPs: Private IPs that are not routed outside of the stamp.

Public-VIPS
  Public VIPs: Tenant network address space that the network controller manages.
  Public Admin VIPs: Small subset of addresses in the Tenant pool that are required to talk to Internal-VIPs and Azure Stack Hub Infrastructure.

Customer network (not on Deployment Worksheet)
  Customer/Internet 0.0.0.0: Customer-defined network. From the perspective of Azure Stack Hub, 0.0.0.0 is the border device.
  Deny: Field that the customer can update to allow additional management capabilities.
  Permit: Customer data center network that the customer defines.

Integration considerations

Data center integration

Network integration planning is important for the successful deployment, operation, and management of an Azure Stack Hub integrated system. For more information, see border connectivity, BGP routing, static routing, and transparent proxy.

Firewall integration

Use a firewall device to defend Azure Stack against security threats. For Microsoft’s recommendations about firewall integration, see Azure Stack Hub firewall integration information.

For assistance in planning for the firewall integration, see Azure Stack Hub data center integration - publish endpoints, which is part of the Azure Stack Hub Operator Documentation. The article lists the inbound and outbound ports and protocols that Azure Stack Hub requires.

Dell Technologies maintains a Deployment Worksheet that contains more extensive firewall rules. This worksheet is provided during the planning phase of a deployment project. For more information, contact the Project Manager who is assigned to your deployment.

The following links contain detailed scenarios for firewall integration and best-practice recommendations.

• Edge firewall scenario

• Enterprise/intranet/perimeter network firewall scenario

• Network Address Translation (NAT)

• SSL decryption


Certificates

Public key infrastructure (PKI) certificates are required during Azure Stack Hub deployments. More information about Azure Stack Hub’s PKI certificate requirements is available at these links:

• Required customer-provided security certificates

• Mandatory certificates

• PaaS certificates (optional)

For information, see Azure Stack Hub certificates signing request generation.

Validate Azure Stack Hub PKI certificates before deployment. For more information, see

Validate Azure Stack Hub PKI certificates.

Validate Azure Stack Hub PKI certificates includes a Readiness Checker tool. Provide the

Readiness Checker tool to the customer, along with deploymentdata.json file, to

validate that the PKI certificates are suitable before deployment. Treat the PFX file and

password as sensitive information known only to the customer.

Performing certificate validation

Prepare and validate Azure Stack Hub PKI certificates for deployment as described in

Perform core services certificate validation.

Preparing certificates that the deployment script uses

As a final step, you must place all the certificates that you have prepared and validated in

directories as specified for the deployment host in the tables in Mandatory certificates and

PaaS certificates (optional).

On a host or share that will be available during deployment, create a folder named

Certificates and place the exported certificate files in the corresponding subfolders,

as specified in Mandatory certificates. The following is an example of this directory

structure:

\Certificates

\ACS\ssl.pfx\

\Admin Portal\ssl.pfx\

\ARM Admin\ssl.pfx\

\ARM Public\ssl.pfx\

\KeyVault\ssl.pfx\

\KeyVaultInternal\ssl.pfx\

\Public Portal\ssl.pfx\

\Admin Extension Host\ssl.pfx\

\Public Extension Host\ssl.pfx\

\ADFS\ssl.pfx*\

\Graph\ssl.pfx*\

The certificates that are marked with an asterisk (*) are only needed when ADFS is used

as an identity store.

Certificates

Request

certificates

Validate

certificates

before

deployment
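The following pre-flight check is an added example for the directory structure and validation steps above; it is not part of this guide and is not Microsoft's Readiness Checker, which must still be run. It walks the Certificates folder, and for each required ssl.pfx confirms that the file opens with the PFX password, carries a private key, is inside its validity period, and that every DNS Subject Alternative Name ends in <region>.<external FQDN>, the naming pattern Azure Stack Hub endpoints follow. The subfolder names are the ones listed above; the region name, external FQDN and certificate path are customer values and appear here only as example values. The DnsNameList property it reads is PowerShell's extended property over the SAN extension, so the script assumes Windows PowerShell 5.1 (on .NET Framework 4.7.2 or later) or PowerShell 7 on Windows.

```powershell
# Added pre-flight check; not part of the Dell guide and not the Microsoft Readiness Checker.
# For every required ssl.pfx under the Certificates folder it verifies:
#   - the file exists and opens with the customer's PFX password,
#   - a private key is present,
#   - the certificate is inside its validity period,
#   - every DNS Subject Alternative Name ends in .<region>.<external FQDN>.
# Region, FQDN and root path are example values supplied by the caller.
function Test-AzsCertificateFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertificateRoot,    # folder holding \ACS, \Admin Portal, ... (example path)
        [Parameter(Mandatory)] [securestring] $PfxPassword,  # prompt for it; never hard-code or log it
        [Parameter(Mandatory)] [string] $RegionName,         # e.g. 'region1' (example value)
        [Parameter(Mandatory)] [string] $ExternalFqdn,       # e.g. 'azurestack.example' (example value)
        [ValidateSet('AAD', 'ADFS')] [string] $IdentitySystem = 'AAD'
    )

    # Subfolders from the directory structure in the guide; ADFS and Graph only when ADFS is the identity store.
    $folders = @('ACS', 'Admin Portal', 'ARM Admin', 'ARM Public', 'KeyVault', 'KeyVaultInternal',
                 'Public Portal', 'Admin Extension Host', 'Public Extension Host')
    if ($IdentitySystem -eq 'ADFS') { $folders += 'ADFS', 'Graph' }

    $suffix = ".$RegionName.$ExternalFqdn".ToLowerInvariant()
    $now    = Get-Date
    # EphemeralKeySet keeps the private key out of the local machine/user key store.
    $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet

    foreach ($folder in $folders) {
        $pfxPath  = Join-Path (Join-Path $CertificateRoot $folder) 'ssl.pfx'
        $problems = New-Object System.Collections.Generic.List[string]

        if (-not (Test-Path -LiteralPath $pfxPath -PathType Leaf)) {
            $problems.Add('ssl.pfx is missing')
        } else {
            try {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $PfxPassword, $flags)

                if (-not $cert.HasPrivateKey) { $problems.Add('no private key in PFX') }
                if ($cert.NotBefore -gt $now)  { $problems.Add("not valid until $($cert.NotBefore)") }
                if ($cert.NotAfter  -lt $now)  { $problems.Add("expired on $($cert.NotAfter)") }

                # DnsNameList is PowerShell's extended property over the SAN extension (Windows only).
                $names = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
                if ($names.Count -eq 0) { $problems.Add('no DNS Subject Alternative Names') }
                foreach ($name in $names) {
                    # Wildcard names such as *.blob.<region>.<fqdn> also end in the suffix.
                    if (-not $name.ToLowerInvariant().EndsWith($suffix)) {
                        $problems.Add("SAN '$name' is not under $suffix")
                    }
                }
                $cert.Dispose()
            } catch {
                $problems.Add("cannot open PFX (wrong password or corrupt file): $($_.Exception.Message)")
            }
        }

        [pscustomobject]@{
            Folder = $folder
            Status = if ($problems.Count -eq 0) { 'OK' } else { 'FAIL' }
            Detail = $problems -join '; '
        }
    }
}

# Usage: the password is prompted, so it never lands in a script file or a transcript.
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# $results = Test-AzsCertificateFolder -CertificateRoot 'C:\Certificates' -PfxPassword $pw `
#                -RegionName 'region1' -ExternalFqdn 'azurestack.example' -IdentitySystem 'ADFS'
# $results | Format-Table -AutoSize
# if ($results.Status -contains 'FAIL') { exit 1 }
```

The check deliberately stops at the leaf certificate: chain validity, key usage and the exact per-service names in the Mandatory certificates table are what the Readiness Checker verifies, so treat a clean run here as a reason to hand the folder over, not as a replacement for that validation.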


Dell Technologies required certificates

The table below describes the endpoints and certificates that are required for the Dell EMC OpenManage Enterprise and OpenManage Network Manager. You do not have to copy these certificates to the Azure Stack Hub deployment folder. Instead, you must provide these certificates during the installation of OpenManage Enterprise and OpenManage Network Manager.

Table 9. Dell Technologies required certificates

Scope: OpenManage Enterprise
Namespace: <OMESRVNAME>.<customerFQDN>, <OMESRVNAME>.<REGION>.<customerFQDN>
Certificate: SSL Certificate with SANs
Used for: OpenManage Enterprise

Scope: OpenManage Network Manager
Namespace: <OMNMSRVNAME>.<customerFQDN>, <OMNMSRVNAME>.<REGION>.<customerFQDN>
Certificate: SSL Certificate with SANs
Used for: OpenManage Network Manager

License requirements

Obtain an Azure subscription including Active Directory before you deploy Azure Stack Hub. You can purchase this subscription from Dell Technologies, Microsoft, or other providers.

Dell EMC Cloud for Microsoft Azure Stack Hub comes with the required Dell Technologies and Microsoft licenses, including:

• Azure Stack Hub—Windows Server 2016 Data Center edition is provided as part of the Azure Stack Hub license.

• OpenManage Enterprise Configuration Manager license—OpenManage Enterprise is designed for server lifecycle management. The OpenManage Enterprise license is embedded in all your Azure Stack Hub servers in the factory.

• OpenManage Network Manager license—OpenManage Network Manager is designed for switch and networking lifecycle management. The OpenManage Network Manager license is provided to you before deployment. Provide this license to the Dell Technologies deployment team.

Azure Stack Hub licensing options

You can license Dell EMC Cloud for Microsoft Azure Stack Hub through “pay-as-you-use” metering and consumption billing. Azure Stack Hub consumption includes both public and private cloud workloads, and Microsoft aggregates the metering information for this usage at regular intervals. The only licensing options that can be used for Azure Stack Hub consumption billing are Enterprise Agreements (EAs) and the Cloud Solution Provider (CSP) program. The customer or partner is responsible for the licensing of any third-party software that is used in an Azure Stack Hub tenant.

EAs are ideal for organizations that already use an EA for other Microsoft software programs. An EA offers complete control of the Azure subscriptions running on the Stack solution. Azure Stack Hub usage is applied to the monetary commitment in the EA, and support for the Azure services is provided directly from Microsoft. An EA is also the only method to license Azure Stack Hub if the stack is intended to be run in a disconnected mode. This capacity model requires an annual subscription.


As an Azure CSP Direct and Indirect provider, Dell Technologies offers consumption-based licensing on Azure Stack Hub to enterprise organizations and our channel partners. Through CSP, Dell Technologies provides sales, provisioning, billing, and support. Dell Technologies bills our enterprise customers on a monthly basis, but the CSP agreement is noncontractual. Our partners using the CSP Indirect program bill their end customers for their Azure usage in the format they choose, whether bundled with other services or simply pass-through. For more information about Azure CSP, see Azure in CSP.

End-user license agreements

Before deploying Dell EMC Cloud for Microsoft Azure Stack Hub, customers must read and agree to the OpenManage Network Manager/OpenManage Enterprise end-user license agreements (EULAs).

Register Azure Stack Hub

In order to activate the Azure Stack Hub system, you must first register the product to support full Azure Stack Hub functionality. More information about Azure Stack Hub registration is available at these links:

• Register Azure Stack Hub with Azure

• Renew or change registration


Appendix A. Additional Information

Ports and protocols

For information about ports and protocols, see Azure Stack Hub data center integration - Publish endpoints.

AAA and log server configuration for the network environment

Microsoft does not ship the Azure Stack Hub solution with a TACACS or RADIUS solution for access control of devices such as switches and routers. The solution also does not include a Syslog solution to capture switch logs. However, all these devices can support those services. To help integrate with an existing TACACS, RADIUS, or Syslog server in your environment, Dell Technologies provides an extra file with the network switch configuration. The file enables the engineer onsite to customize the switch to the customer’s needs.

The solution also does not support syslog forwarding.

Network design and infrastructure

The following links contain more information about network design and infrastructure:

• Physical network design

• Logical networks

• Network infrastructure

• BMC network (BMC Subnet)

• Private network (Storage Subnet)

• Azure Stack Hub infrastructure network

• Public VIP network

• Switch infrastructure network (Switch Infra Subnet)

• Switch management network