Dell EMC Cloud for Microsoft Azure Stack Hub
Deployment Planning Guide
April 2020
Revision 03
Abstract
This deployment planning guide helps customers and Dell Technologies engineers gather predeployment information and make important infrastructure decisions for Dell EMC Cloud for Microsoft Azure Stack Hub.
Dell Technologies Solutions
Copyright
The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2020 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Intel, the Intel logo, the Intel Inside logo and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. Other trademarks may be trademarks of their respective owners. Published in the USA 04/20 Deployment Planning Guide REV 03.
Dell Inc. believes the information in this document is accurate as of its publication date. The information is subject to change without notice.
Contents
Overview
Deployment Worksheet
Customer Settings tab
Network Settings tab
Border Settings tab
Scale Unit tab
Physical switch access control lists
Integration considerations
Appendix A. Additional Information
Overview
This guide helps customers and Dell Technologies engineers gather predeployment
information and make important infrastructure decisions for Dell EMC Cloud for Microsoft
Azure Stack Hub. This information is required to correctly deploy Azure Stack Hub to the
customer data center.
We value your feedback
Dell Technologies and the authors of this document welcome your feedback on the
solution and the solution documentation. Contact the Dell Technologies Solutions team by
email or provide your comments by completing our documentation survey.
Author: MHC Engineering
Contributor: James Norton
Deployment Worksheet
Ask the Dell Technologies sales team for the Azure Stack Hub Deployment Worksheet,
which collects all the information that is needed for deployment decisions in one place.
Complete the Deployment Worksheet during the planning process before starting
deployment.
For more information about planning considerations, see Data center integration
considerations for Azure Stack Hub integrated systems.
Complete all fields in the Customer Settings, Network Settings, and Scale Unit tabs as
described in the following sections.
Customer Settings tab
Complete three sections of information under the Customer Settings tab:
• Azure Identity Store
• Customer Information
• Environment Information
Azure Identity Store
For information about Azure Identity Store, see Microsoft topics including the following:
• Azure Stack Hub integrated systems connection models
• Connected deployment
• Disconnected deployment
Azure Stack Hub integrated systems connection models
For information about the connection models, see Azure Stack Hub integrated systems
connection models on the Microsoft website. This page includes the subtopic Choose a
deployment connection model.
Choose an identity store. See Choose identity store on the Microsoft website. There are
two types of identity stores to choose from:
• Azure Active Directory identity store
• Active Directory Federation Services identity store
IMPORTANT: This is a key decision point. Choosing the Azure Active Directory or Active
Directory Federation Services identity store is a one-time decision that you must make at
deployment time. You cannot change this decision later without redeploying the entire system.
Connected deployment
For information about connected deployments, see Connected deployment on the
Microsoft website.
Note: For billing model decisions, see Choose billing model. For details about the differences
between the two models, see Microsoft Azure Stack Hub packaging and pricing.
Disconnected deployment
For information about disconnected deployments, see Disconnected deployment on the
Microsoft website.
Some features and functions are impaired or unavailable in Disconnected mode, as
described in Features that are impaired or unavailable in Disconnected mode.
Customer Information
In the Customer Information section, you provide information to integrate Azure Stack Hub
with your organization’s IT infrastructure:
Company Name—The name of your organization.
External Domain Name—The external DNS zone for the Azure Stack Hub instance. This
value, along with the region name, is used to construct the FQDN for all external
endpoints for this Azure Stack Hub region (for example,
regionname.cloudapp.externaldomainname.com). For more information, see Azure Stack
Hub DNS namespace.
As with the region name, choose the external domain name carefully because it is used to
form all the URLs for external endpoints that your tenants will access. It cannot be
changed after you have deployed Azure Stack Hub.
IMPORTANT: This is a key decision point. Choose your region name and external domain name
with careful consideration and planning. These values form the basis of your DNS namespace,
and you cannot change them without redeploying Azure Stack Hub.
Case Study: Contoso.com
The following case study is an example deployment scenario of a fictitious company to
help illustrate how values such as Region Name and External Domain Name are used.
Contoso wants to deploy Azure Stack Hub and already owns the DNS name
Contoso.com. They want to leverage this existing DNS name because their customers are
already familiar with their name and brand. Consequently, they want to use an external
domain name for Azure Stack Hub that is a subdomain of Contoso.com. They are going to
start with a single region in their Chicago data center, and they plan to add more regions
in the future. They have chosen to call this Azure cloud “MAST” because it is simple and
they like the way that it sounds.
Contoso chooses the following values for their deployment.
Company name: Contoso
Region name: CHI
External domain name: mast.contoso.com
Using this combination of values, the Azure Stack Hub Tenant Portal URL for this
deployment would be:
https://publicportal.chi.mast.contoso.com
What if a tenant wants to create a load balancer with a public IP address for their web
application and give it a DNS name label? It is for a teamwork application, so the tenant
uses the DNS name label “Teams.” The resulting URL for the web application would be:
http://teams.chi.cloudapp.mast.contoso.com
Contoso chooses an external domain name that is a subdomain of an existing DNS
domain name. Contoso can set up a DNS delegation for that zone down to the Azure
Stack Hub DNS so that tenants can resolve these names from outside of the Azure Stack
Hub instance. Contoso could also, for example, set up a CNAME or alias for Azure Stack
Hub to point to portal.mast.contoso.com that in turn points to
portal.chi.mast.contoso.com.
In the future, depending on proximity, availability, or other business rules, when Contoso
wants to add another region in Seattle, they can set load-balancing rules to route the
portal.mast.contoso.com name to either:
• portal.chi.mast.contoso.com
• portal.sea.mast.contoso.com
Organizations can set this up differently, according to their business needs. This example
illustrates the factors to consider during your namespace planning.
Private Domain
The private domain information is used to create the internal, Active Directory integrated
DNS domain that will be used for Azure Stack Hub infrastructure services. This domain is
used for internal endpoints, service-to-service communications, infrastructure role
machine accounts, group-managed service accounts, and so on. This domain and the
endpoints in it are accessible only from the infrastructure subnet (see Network Settings
tab) and are not exposed externally to tenants.
For more information about setting up private domains, see Use Azure DNS for private
domains.
Region Name
This value is prepended to your External Domain Name suffix, as described in the
following section. It is used to create the FQDN of your external endpoints (for example,
regionname.cloudapp.externaldomainname.com). Even if there is only one region, you
must provide a region name that consists of only letters and the digits 0 through 9.
IMPORTANT: This is a key decision point. Choose your region name and external domain name
with careful consideration and planning. These values form the basis of your DNS namespace,
and you cannot change them without redeploying Azure Stack Hub.
When choosing a region name, use the following rules:
• Use a region name that indicates the physical location of the Azure Stack Hub
scale units. In Azure, the region names correspond to the geographic location of
the data centers where the compute, storage, and network resources are
located (USWest, EastAsia, NorthEurope, and so on). In this way, users have
a clear idea of where their resources are physically located.
• Use a naming convention that is intuitive for your users. Data center locations
are a popular choice for region names. Ensure that your tenants can make a
good choice as to where to deploy their resources based on the region name.
• Keep the region name short. The region is prepended to your external domain
name to create the FQDN for that region.
IMPORTANT: These considerations are important even if you only have a single region. These
values cannot be changed without redeploying Azure Stack Hub.
Naming prefixes (Deployment Prefix and Physical Prefix)
During the deployment, computer names and corresponding IP assignments are
automatically generated for both physical devices as well as deployment-related items
such as management virtual machines (VMs) and Active Directory object names. In the
xxx fields, you provide two alphanumeric prefix strings up to eight characters long, which
are prepended to the automatically generated names and assignments for easy
identification. These prefixes are used with well-known suffixes to make names consistent
across all Azure Stack Hub installations and to facilitate troubleshooting and diagnostics.
It is easier to diagnose issues if you recognize the naming pattern in the trace logs.
Two options (deployment and physical prefixes) are provided because different teams
with different naming conventions often manage network devices, physical computer
devices, and service-specific VMs. They can be the same string.
• The Deployment Prefix is prepended to the infrastructure role machine names.
• The Physical Prefix is prepended to the physical switch and physical compute
node names.
Environment Information
The Environment Information section collects time server and DNS server information.
Time Server
Specify an IP for the time synchronization server. Although most of the components in the
infrastructure can resolve a URL, some can only support IP addresses. If you are using
the disconnected deployment option, you must specify a time server on your corporate
network that you are sure can be reached from the infrastructure network in Azure Stack
Hub. See Time Synchronization.
DNS Server(s)
Enter the IP addresses of the DNS servers.
Azure Stack Hub deploys its own recursive DNS servers that are part of the solution
infrastructure. If they do not have the proper authority, these recursive DNS servers
forward DNS name queries to an upstream DNS server. This action ensures that the
authoritative resolver for that DNS name can be found, the name resolved, and the result
returned to the original requester.
Azure Stack Hub DNS servers are only authoritative for the external domain name zone.
For queries for DNS names outside of the Azure Stack Hub solution, provide the IP
address of a DNS server in your environment that can either resolve these names or
forward them as appropriate.
Provide at least two entries (separated by commas) in the DNS Server(s) (upstream) field.
These entries must be IP addresses of valid DNS servers that are accessible from the
Azure Stack Hub public infrastructure network (see Network design and infrastructure in
the Appendix). If you do not provide these entries, or if these entries are unavailable,
queries for DNS names for endpoints outside of Azure Stack Hub (for example,
Internet endpoints like www.bing.com) will fail.
Network Settings tab
This section describes the network infrastructure for Azure Stack Hub deployment and
integration into the data center. It also describes how to use the Deployment Worksheet to
record details about important decisions that require knowledge of the network
environment. Although the configuration might vary based on the network hardware, the
requirements and concepts are the same.
The Network Settings tab contains the following fields:
• Topology—The Scale Units and Total Node Count fields are automatically
populated when you fill in the fields in the Scale Unit tab.
• Switch Information—Select the hardware and firmware for the TOR and BMC
switches.
• Cloud Networks:
▪ External Subnet—Enter the external subnet IP; for example, 10.128.3.0/25.
▪ Private Subnet—Enter the private subnet IP; for example, 172.16.240.0/20.
This network is not routed outside the stamp.
• Permit Network Addresses (optional): Networks that are allowed access to the
HLH and the HLH iDRAC.
Border Settings tab
The Border Settings tab contains the following fields:
• Border Connectivity:
▪ Routing Method—Select BGP or Static. We recommend selecting Border
Gateway Protocol (BGP) routing.
▪ Border Switch Count—We recommend that you enter 2 for redundancy
purposes. In the BGP field(s), enter the ASN(s) of the border switch(es).
To find the ASN, you can connect to the switch console to show BGP
information. For example, for a Dell EMC switch, you can enter show ip
bgp. This command displays all the BGP information including the ASN.
Scale Unit tab
Complete all the information in the Scale Unit tab. For information about the fields, see
Network Connectivity.
In the Node Count field, enter the node count for the customer’s Azure Stack Hub
specifications (4, 8, 12, or 16).
IP assignments on the Deployment Worksheet
In the Scale Unit tab of the Deployment Worksheet, you must provide the following
network addresses to support the Azure Stack Hub deployment process. The deployment
team uses the Deployment Worksheet to break out the IP networks into all the smaller
networks that the system requires.
For detailed descriptions of each network, see Network design and infrastructure in the
Appendix.
In this example, we complete the Scale Unit tab of the Deployment Worksheet with the
values that are shown in the following table:
Table 1. Scale Unit tab example values
Network | Value (examples)
BMC Subnet (BMC network) | 10.128.0.64/26
Infrastructure Subnet (Infrastructure network) | 10.128.1.0/24
Switch Infra Subnet (Switch infrastructure network) | 10.128.0.0/26
TOR BGP ASN | 64910
After you have filled in all fields in the Scale Unit tab, run the Generate function of the
Deployment Worksheet PowerShell module (Action > Generate). The Generate function
creates two new tabs:
• Subnet Summary tab
• IP Assignments tab
Subnet Summary tab
The Subnet Summary tab shows how the supernets are split to create all the required
networks, as shown in the following table. Our example includes only a subset of the
columns on this tab. The actual result lists more details of each network.
Table 2. Subnet Summary tab example values
Association | Subnet type | Name | IPv4 subnet (Examples) | IPv4 addresses
CL01 | other | CL01-External-VIPS | 10.128.3.0/24 | 256
Rack01 | VLAN | Rack01-BMCMgmt | 10.128.0.64/26 | 64
Rack01 | P2P Link | P2P_Rack00/B1_To_Rack01/Tor1 | 10.128.0.0/30 | 4
Rack01 | P2P Link | P2P_Rack00/B1_To_Rack01/Tor2 | 10.128.0.4/30 | 4
Rack01 | P2P Link | P2P_Rack00/B2_To_Rack01/Tor1 | 10.128.0.8/30 | 4
Rack01 | P2P Link | P2P_Rack00/B2_To_Rack01/Tor2 | 10.128.0.12/30 | 4
Rack01 | P2P Link | P2P_Rack01/Tor1_To_Rack01/BMC | 10.128.0.16/30 | 4
Rack01 | P2P Link | P2P_Rack01/Tor2_To_Rack01/BMC | 10.128.0.20/30 | 4
Rack01 | LoopBack | Loopback_Rack01/Tor1 | 10.128.0.24/32 | 1
Rack01 | LoopBack | Loopback_Rack01/Tor2 | 10.128.0.25/32 | 1
Rack01 | LoopBack | Loopback_Rack01/BMC | 10.128.0.26/32 | 1
Rack01 | P2P Link | P2P_Rack01/TOR1-ibgp-1_To_Rack01/TOR2-ibgp-1 | 10.128.0.28/30 | 4
Rack01 | P2P Link | P2P_Rack01/TOR1-ibgp-2_To_Rack01/TOR2-ibgp-2 | 10.128.0.32/30 | 4
Rack01 | VLAN | Rack01-SwitchMgmt | 10.128.0.40/29 | 8
Rack01-CL01-SU01 | VLAN | Rack01-CL01-SU01-Infrastructure | 10.128.1.0/24 | 256
Rack01-CL01-SU01 | VLAN | Rack01-CL01-SU01-Storage | 172.16.240.0/25 | 128
Rack01-CL01-SU01 | other | Rack01-CL01-SU01-InternalVIPs | 172.16.240.128/25 | 128
CL01 | other | CL01-Reserved-25a | 172.16.241.0/25 | 128
CL01 | other | CL01-Reserved-25b | 172.16.241.128/25 | 128
CL01 | other | CL01-DockerNAT | 172.16.242.0/23 | 512
Switch infrastructure network (in Subnet Summary tab)
The switch infrastructure network is broken into multiple networks that the physical switch
infrastructure uses. This infrastructure network is different from the Azure Stack Hub
infrastructure network, which only supports the Azure Stack Hub software. The switch
infrastructure network supports only the physical switches and their interconnectivity. The
following table shows the subnets that are defined within the switch infrastructure network.
Table 3. Switch infrastructure network subnets
Name IPv4 subnet
P2P_Rack00/B1_To_Rack01/Tor1 10.128.0.0/30
P2P_Rack00/B1_To_Rack01/Tor2 10.128.0.4/30
P2P_Rack00/B2_To_Rack01/Tor1 10.128.0.8/30
P2P_Rack00/B2_To_Rack01/Tor2 10.128.0.12/30
P2P_Rack01/Tor1_To_Rack01/BMC 10.128.0.16/30
P2P_Rack01/Tor2_To_Rack01/BMC 10.128.0.20/30
Loopback_Rack01/Tor1 10.128.0.24/32
Loopback_Rack01/Tor2 10.128.0.25/32
Loopback_Rack01/BMC 10.128.0.26/32
P2P_Rack01/TOR1-ibgp-1_To_Rack01/TOR2-ibgp-1 10.128.0.28/30
P2P_Rack01/TOR1-ibgp-2_To_Rack01/TOR2-ibgp-2 10.128.0.32/30
Rack01-SwitchMgmt 10.128.0.40/29
The network types are:
• Point-to-point (P2P)—These networks provide connectivity between all
switches. The subnet size is a /30 network for each P2P. The lowest IP is
always assigned to the upstream (North) device on the stack.
• Loopback—These /32 networks are assigned to each switch used in the rack.
The border devices are not assigned a loopback since they are not expected to
be part of the Azure Stack Hub solution.
• Switch Mgmt or Switch Management—This /29 network supports the
dedicated management interfaces of the switches in the rack. The following
table shows the IP address assignments. This table is also in the IP
Assignments tab of the Deployment Worksheet.
Table 4. Switch management network addresses
Rack: Rack1
Name: SwitchMgmt
Assigned to IPv4 address
Network 10.128.0.40
Gateway (BMC) 10.128.0.41
TOR1 10.128.0.42
TOR2 10.128.0.43
Broadcast 10.128.0.47
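The following Python check is an added example, not part of the Dell guide or the Deployment Worksheet module. It confirms that the Table 3 subnets sit inside the Switch Infra Subnet from Table 1, use the prefix length the guide gives for each network type, and do not overlap, because switch ACLs written against overlapping or stray ranges end up covering the wrong hosts. The function names and the name-based type detection are assumptions of this example.

```python
import ipaddress
from itertools import combinations

# Values copied from Table 1 (Switch Infra Subnet) and Table 3 of this guide.
SWITCH_INFRA_SUPERNET = "10.128.0.0/26"
SWITCH_INFRA_SUBNETS = {
    "P2P_Rack00/B1_To_Rack01/Tor1": "10.128.0.0/30",
    "P2P_Rack00/B1_To_Rack01/Tor2": "10.128.0.4/30",
    "P2P_Rack00/B2_To_Rack01/Tor1": "10.128.0.8/30",
    "P2P_Rack00/B2_To_Rack01/Tor2": "10.128.0.12/30",
    "P2P_Rack01/Tor1_To_Rack01/BMC": "10.128.0.16/30",
    "P2P_Rack01/Tor2_To_Rack01/BMC": "10.128.0.20/30",
    "Loopback_Rack01/Tor1": "10.128.0.24/32",
    "Loopback_Rack01/Tor2": "10.128.0.25/32",
    "Loopback_Rack01/BMC": "10.128.0.26/32",
    "P2P_Rack01/TOR1-ibgp-1_To_Rack01/TOR2-ibgp-1": "10.128.0.28/30",
    "P2P_Rack01/TOR1-ibgp-2_To_Rack01/TOR2-ibgp-2": "10.128.0.32/30",
    "Rack01-SwitchMgmt": "10.128.0.40/29",
}

# Prefix length the guide gives for each network type.
EXPECTED_PREFIX = {"P2P": 30, "Loopback": 32, "SwitchMgmt": 29}


def network_type(name):
    """Infer the network type from the subnet name (naming rule assumed here)."""
    if name.startswith("P2P_"):
        return "P2P"
    if name.startswith("Loopback_"):
        return "Loopback"
    if name.endswith("SwitchMgmt"):
        return "SwitchMgmt"
    return None


def check_plan(supernet, subnets):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    parent = ipaddress.ip_network(supernet)
    parsed = []
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            findings.append(f"{name}: invalid subnet {cidr!r} ({exc})")
            continue
        parsed.append((name, net))
        if net.version != parent.version or not net.subnet_of(parent):
            findings.append(f"{name}: {net} is outside supernet {parent}")
        kind = network_type(name)
        if kind is None:
            findings.append(f"{name}: unrecognised network type")
        elif net.prefixlen != EXPECTED_PREFIX[kind]:
            findings.append(
                f"{name}: {kind} should be /{EXPECTED_PREFIX[kind]}, got /{net.prefixlen}")
    # Compare every pair so that each overlap is reported by name.
    for (name_a, net_a), (name_b, net_b) in combinations(parsed, 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            findings.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return findings


def unallocated(supernet, subnets):
    """Return the blocks of the supernet that no listed subnet uses.

    Call this only on a plan that check_plan() accepted.
    """
    free = [ipaddress.ip_network(supernet)]
    for cidr in subnets.values():
        used = ipaddress.ip_network(cidr)
        remaining = []
        for block in free:
            if used.subnet_of(block):
                remaining.extend(block.address_exclude(used))  # carve it out
            elif not block.subnet_of(used):
                remaining.append(block)  # untouched by this subnet
        free = remaining
    return sorted(free)


if __name__ == "__main__":
    for finding in check_plan(SWITCH_INFRA_SUPERNET, SWITCH_INFRA_SUBNETS):
        print("FINDING:", finding)
    spare = unallocated(SWITCH_INFRA_SUPERNET, SWITCH_INFRA_SUBNETS)
    print("unallocated:", [str(block) for block in spare])
```

Address space that the plan leaves unallocated is worth recording next to the ACLs, so that a later change cannot quietly reuse it.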
IP Assignments tab
The IP Assignments tab shows how the IPs are consumed.
BMC network
The supernet for the BMC network is now a /26 network. The gateway uses the first IP
address in the network followed by the BMC devices in the rack, as shown in the following
table. The hardware lifecycle host has multiple addresses that are assigned on this
network and can be used to deploy, monitor, and support the rack. These IP addresses
are distributed into these groups: DVM, InternalAccessible, and ExternalAccessible.
Table 5. BMC network addresses
Rack: Rack1
Name: BMCMgmt
Assigned to IPv4 address
Network 10.128.0.64
Gateway 10.128.0.65
HLH-BMC 10.128.0.66
sac01-S1-N01 10.128.0.67
sac01-S1-N02 10.128.0.68
sac01-S1-N03 10.128.0.69
sac01-S1-N04 10.128.0.70
sac01-S1-N05 10.128.0.71
sac01-S1-N06 10.128.0.72
sac01-S1-N07 10.128.0.73
sac01-S1-N08 10.128.0.74
sac01-S1-N09 10.128.0.75
sac01-S1-N10 10.128.0.76
sac01-S1-N11 10.128.0.77
sac01-S1-N12 10.128.0.78
sac01-S1-N13 10.128.0.79
sac01-S1-N14 10.128.0.80
sac01-S1-N15 10.128.0.81
sac01-S1-N16 10.128.0.82
Internal1 10.128.0.108
Internal2 10.128.0.109
Internal3 10.128.0.110
Internal4 10.128.0.111
Internal5 10.128.0.112
Internal6 10.128.0.113
Internal7 10.128.0.114
Internal8 10.128.0.115
External1 10.128.0.116
External2 10.128.0.117
External3 10.128.0.118
External4 10.128.0.119
Internal9 10.128.0.120
Internal10 10.128.0.121
Internal11 10.128.0.122
Internal12 10.128.0.123
sac01-HLH-DVM00 10.128.0.125
HLH-OS 10.128.0.126
Broadcast 10.128.0.127
Storage network
The storage network is a private network and is not intended to be routed beyond the
rack. It is the first half of the private network supernet and is used by the switches, with
addresses allocated as shown in the following table.
The gateway is the first IP address in the subnet.
The second half, which is used for the Internal VIPs, is a private pool of addresses that
the Azure Stack Hub SLB manages and is not shown on the IP Assignments tab. See the
following table. These networks support Azure Stack Hub, and the ACLs on the ToR
switches prevent these networks from being advertised and accessed outside the
solution.
Table 6. Storage network addresses
Rack: Rack1
Name: CL01-RG01-SU01-Storage
Assigned to IPv4 address
Network 172.16.240.0
Gateway 172.16.240.1
TOR1 172.16.240.2
TOR2 172.16.240.3
Broadcast 172.16.240.127
Infrastructure network
The infrastructure network supernet requires a /24 network and continues to be a /24 after
the Deployment Worksheet tool runs. The gateway is the first IP address in the subnet, as
shown in the following table.
Table 7. Infrastructure network addresses
Rack: Rack1
Name: CL01-RG01-SU01-Infra
Assigned to IPv4 address
Network 10.128.1.0
Gateway 10.128.1.1
TOR1 10.128.1.2
TOR2 10.128.1.3
Broadcast 10.128.1.255
Physical switch access control lists
To protect the Azure Stack Hub solution, we implemented access control lists (ACLs) on
the ToR switches. The following figure shows the sources and destinations of every
network inside the Azure Stack Hub solution.
Figure 1. Solution network sources and destinations
The following table correlates the ACL references with the Azure Stack Hub networks.
Table 8. ACL references
Network | ACL reference | Description
BMC network | BMC Mgmt | Deployment VM, BMC interface, HLH server, HLH VMs.
BMC network | HLH External Accessible | A set of addresses that are hosted on an HLH node. The ACL denies IP access beyond the border.
BMC network | HLH Internal Accessible | A set of addresses that are hosted on the HLH node. They have access to IP resources beyond the border.
BMC network | HLH DVM | Azure Stack Hub deployment VM with access to resources on the Internet.
SwitchInfraNetwork | Switch Mgmt | Dedicated switch management interfaces.
SwitchInfraNetwork | ToR1/ToR2 RouterIP | Loopback interface of the switch that is used for BGP peering between the SLB and switch or router.
AzureStackInfraNetwork | Azure Stack Hub Infrastructure | Azure Stack Hub infrastructure services and VMs; restricted network.
AzureStackInfraNetwork | Azure Stack Hub Infrastructure Public | Azure Stack Hub infrastructure services that must talk to the Internet and tenants (NTP, DNS, Active Directory).
StorageNetwork | Storage | Private IPs that are not routed outside of the stamp.
StorageNetwork | Internal VIPs | Private IPs that are not routed outside of the stamp.
Public-VIPS | Public VIPs | Tenant network address space that the network controller manages.
Public-VIPS | Public Admin VIPs | Small subset of addresses in the Tenant pool that are required to talk to Internal-VIPs and Azure Stack Hub Infrastructure.
Customer network (not on Deployment Worksheet) | Customer/Internet 0.0.0.0 | Customer-defined network. From the perspective of Azure Stack Hub, 0.0.0.0 is the border device.
Customer network (not on Deployment Worksheet) | Deny | Field that the customer can update to allow additional management capabilities.
Customer network (not on Deployment Worksheet) | Permit | Customer data center network that the customer defines.
Integration considerations
Data center integration
Network integration planning is important for the successful deployment, operation, and
management of an Azure Stack Hub integrated system. For more information, see border
connectivity, BGP routing, static routing, and transparent proxy.
Firewall integration
Use a firewall device to defend Azure Stack against security threats. For Microsoft’s
recommendations about firewall integration, see Azure Stack Hub firewall integration
information.
For assistance in planning for the firewall integration, see Azure Stack Hub data center
integration - publish endpoints, which is part of the Azure Stack Hub Operator
Documentation. The article lists the inbound and outbound ports and protocols that Azure
Stack Hub requires.
Dell Technologies maintains a Deployment Worksheet that contains more extensive
firewall rules. This worksheet is provided during the planning phase of a deployment
project. For more information, contact the Project Manager who is assigned to your
deployment.
The following links contain detailed scenarios for firewall integration and best-practice
recommendations.
• Edge firewall scenario
• Enterprise/intranet/perimeter network firewall scenario
• Network Address translation (NAT)
• SSL decryption
Certificates
Public key infrastructure (PKI) certificates are required during Azure Stack Hub
deployments. More information about Azure Stack Hub’s PKI certificate requirements is
available at these links:
• Required customer-provided security certificates
• Mandatory certificates
• PaaS certificates (optional)
Request certificates
For information, see Azure Stack Hub certificates signing request generation.
Validate certificates before deployment
Validate Azure Stack Hub PKI certificates before deployment. For more information, see
Validate Azure Stack Hub PKI certificates.
The Validate Azure Stack Hub PKI certificates article includes a Readiness Checker tool. Provide the
Readiness Checker tool to the customer, along with the deploymentdata.json file, to
validate that the PKI certificates are suitable before deployment. Treat the PFX file and
password as sensitive information known only to the customer.
Performing certificate validation
Prepare and validate Azure Stack Hub PKI certificates for deployment as described in
Perform core services certificate validation.
Preparing certificates that the deployment script uses
As a final step, you must place all the certificates that you have prepared and validated in
directories as specified for the deployment host in the tables in Mandatory certificates and
PaaS certificates (optional).
On a host or share that will be available during deployment, create a folder named
Certificates and place the exported certificate files in the corresponding subfolders,
as specified in Mandatory certificates. The following is an example of this directory
structure:
\Certificates
\ACS\ssl.pfx\
\Admin Portal\ssl.pfx\
\ARM Admin\ssl.pfx\
\ARM Public\ssl.pfx\
\KeyVault\ssl.pfx\
\KeyVaultInternal\ssl.pfx\
\Public Portal\ssl.pfx\
\Admin Extension Host\ssl.pfx\
\Public Extension Host\ssl.pfx\
\ADFS\ssl.pfx*\
\Graph\ssl.pfx*\
The certificates that are marked with an asterisk (*) are only needed when ADFS is used
as an identity store.
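The following Python check is an added example, not part of the Dell guide and not a replacement for the Microsoft Readiness Checker. It compares a Certificates folder against the directory listing above and reports missing folders, ADFS-only folders that do not match the chosen identity store, and stray files beside a PFX. The "AAD" and "ADFS" labels, the one-PFX-per-folder rule, and the function names are assumptions of this example.

```python
import tempfile
from pathlib import Path

# Folder names copied from the directory listing in this guide.
CORE_FOLDERS = [
    "ACS", "Admin Portal", "ARM Admin", "ARM Public", "KeyVault",
    "KeyVaultInternal", "Public Portal", "Admin Extension Host",
    "Public Extension Host",
]
ADFS_ONLY_FOLDERS = ["ADFS", "Graph"]  # marked with an asterisk in the guide


def check_certificate_tree(root, identity_store):
    """Return findings for a Certificates folder; an empty list means it matches.

    identity_store is "AAD" or "ADFS" (labels chosen for this example).
    """
    if identity_store not in ("AAD", "ADFS"):
        raise ValueError("identity_store must be 'AAD' or 'ADFS'")
    root = Path(root)
    if not root.is_dir():
        return [f"{root}: Certificates folder not found"]
    required = CORE_FOLDERS + (ADFS_ONLY_FOLDERS if identity_store == "ADFS" else [])
    findings = []
    for name in required:
        folder = root / name
        if not folder.is_dir():
            findings.append(f"missing folder: {name}")
            continue
        entries = sorted(p.name for p in folder.iterdir())
        pfx = [e for e in entries if e.lower().endswith(".pfx")]
        if len(pfx) != 1:  # assumption: one exported PFX per folder
            findings.append(f"{name}: expected one .pfx file, found {len(pfx)}")
        for extra in (e for e in entries if e not in pfx):
            # The PFX password is sensitive; nothing else belongs beside the PFX.
            findings.append(f"{name}: unexpected item {extra!r} beside the PFX")
    for path in sorted(root.iterdir()):
        if path.name in required:
            continue
        if path.name in ADFS_ONLY_FOLDERS:
            findings.append(f"{path.name}: only needed when ADFS is the identity store")
        else:
            findings.append(f"unexpected item in Certificates: {path.name}")
    return findings


def build_sample_tree(root, folders, extra_files=()):
    """Create a constructed sample tree; the .pfx files are placeholders."""
    for name in folders:
        folder = Path(root) / name
        folder.mkdir(parents=True, exist_ok=True)
        (folder / "ssl.pfx").write_bytes(b"placeholder, not a real PFX")
    for relative in extra_files:
        target = Path(root) / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample file")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Certificates"
        build_sample_tree(sample, CORE_FOLDERS, extra_files=["KeyVault/password.txt"])
        for finding in check_certificate_tree(sample, "ADFS"):
            print("FINDING:", finding)
```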
Dell Technologies required certificates
The table below describes the endpoints and certificates that are required for the Dell
EMC OpenManage Enterprise and OpenManage Network Manager. You do not have to
copy these certificates to the Azure Stack Hub deployment folder. Instead, you must
provide these certificates during the installation of OpenManage Enterprise and
OpenManage Network Manager.
Table 9. Dell Technologies required certificates
Scope | Namespace | Certificate | Used for
OpenManage Enterprise | <OMESRVNAME>.<customerFQDN>, <OMESRVNAME>.<REGION>.<customerFQDN> | SSL Certificate with SANs | OpenManage Enterprise
OpenManage Network Manager | <OMNMSRVNAME>.<customerFQDN>, <OMNMSRVNAME>.<REGION>.<customerFQDN> | SSL Certificate with SANs | OpenManage Network Manager
License requirements
Obtain an Azure subscription including Active Directory before you deploy Azure Stack
Hub. You can purchase this subscription from Dell Technologies, Microsoft, or other
providers.
Dell EMC Cloud for Microsoft Azure Stack Hub comes with the required Dell Technologies
and Microsoft licenses, including:
• Azure Stack Hub—Windows Server 2016 Data Center edition is provided as
part of the Azure Stack Hub license.
• OpenManage Enterprise Configuration Manager license—OpenManage
Enterprise is designed for server lifecycle management. The OpenManage
Enterprise license is embedded in all your Azure Stack Hub servers in the
factory.
• OpenManage Network Manager license—OpenManage Network Manager is
designed for switch and networking lifecycle management. The OpenManage
Network Manager license is provided to you before deployment. Provide this
license to the Dell Technologies deployment team.
Azure Stack Hub licensing options
You can license Dell EMC Cloud for Microsoft Azure Stack Hub through “pay-as-you-use”
metering and consumption billing. Azure Stack Hub consumption includes both public and
private cloud workloads, and Microsoft aggregates the metering information for this usage
at regular intervals. The only licensing options that can be used for Azure Stack Hub
consumption billing are Enterprise Agreements (EAs) and the Cloud Solution Provider
(CSP) program. The customer or partner is responsible for the licensing of any third-party
software that is used in an Azure Stack Hub tenant.
EAs are ideal for organizations that already use an EA for other Microsoft software
programs. An EA offers complete control of the Azure subscriptions running on the Stack
solution. Azure Stack Hub usage is applied to the monetary commitment in the EA, and
support for the Azure services is provided directly from Microsoft. An EA is also the only
method to license Azure Stack Hub if the stack is intended to be run in a disconnected
mode. This capacity model requires an annual subscription.
As an Azure CSP Direct and Indirect provider, Dell Technologies offers
consumption-based licensing on Azure Stack Hub to enterprise organizations and our channel partners.
Through CSP, Dell Technologies provides sales, provisioning, billing, and support. Dell
Technologies bills our enterprise customers on a monthly basis, but the CSP agreement
is noncontractual. Our partners using the CSP Indirect program bill their end customers
for their Azure usage in the format they choose, whether bundled with other services or
simply pass-through. For more information about Azure CSP, see Azure in CSP.
End-user license agreements
Before deploying Dell EMC Cloud for Microsoft Azure Stack Hub, customers must read
and agree to the OpenManage Network Manager/OpenManage Enterprise end-user
license agreements (EULAs).
Register Azure Stack Hub
In order to activate the Azure Stack Hub system, you must first register the product to
support full Azure Stack Hub functionality. More information about Azure Stack Hub
registration is available at these links:
• Register Azure Stack Hub with Azure
• Renew or change registration
Appendix A. Additional Information
Ports and protocols
For information about ports and protocols, see Azure Stack Hub data center integration -
Publish endpoints.
AAA and log server configuration for the network environment
Microsoft does not ship the Azure Stack Hub solution with a TACACS or RADIUS solution
for access control of devices such as switches and routers. The solution also does not
include a Syslog solution to capture switch logs. However, all these devices can support
those services. To help integrate with an existing TACACS, RADIUS, or Syslog server in
your environment, Dell Technologies provides an extra file with the network switch
configuration. The file enables the engineer onsite to customize the switch to the
customer’s needs.
The solution also does not support syslog forwarding.
Network design and infrastructure
The following links contain more information about network design and infrastructure:
• Physical network design
• Logical networks
• Network infrastructure
• BMC network (BMC Subnet)
• Private network (Storage Subnet)
• Azure Stack Hub infrastructure network
• Public VIP network
• Switch infrastructure network (Switch Infra Subnet)
• Switch management network