Azure Stack HCI Deployment

Since Microsoft announced the release of Azure Stack HCI in 2020 I’ve been eager to get hold of a couple of nodes.

Now you may be wondering: hasn't Azure Stack HCI been around since 2019? Well, yes, sort of. In 2019 Azure Stack HCI was still running Windows Server 2019 at its core. The latest 2020 release includes a new OS, which can be found here.

So, what is Azure Stack HCI? It's a hyperconverged offering from Microsoft and its OEM partners which allows you to run your servers in your own datacentres, but also to extend your datacentre into Azure with features such as:

  • Azure Backup
  • Azure Policy
  • Azure Site Recovery
  • Azure Monitor
  • Azure Security Centre
  • Azure Automation
  • Azure Support
  • Azure Network Adapter

For companies that are thinking of moving into Azure but are still a little nervous, and still want to use their current management tools such as Windows Admin Centre, this is a great first step.

Switchless Storage

One of the things I like about the Azure Stack HCI deployment is the range of configuration options. For larger organisations you can have management over 1GbE, VM traffic over dedicated 10GbE and storage over its own dedicated 10GbE ports. For smaller environments, up to 4 nodes in a cluster, it can be configured to use the 1GbE ports for management and VM traffic, while storage still uses the 10GbE ports via direct (switchless) connections between the nodes.

In an ideal world you would want VM traffic over the 10GbE ports, especially in larger environments; in smaller environments you could get away with the 1GbE ports.

As part of a recent 2 node cluster deployment I had 2 x Dell AX640 nodes, each with an additional dual port QLogic FastLinQ 41262 card, directly connected to each other for storage traffic. Management and VM traffic were configured on the 1GbE ports.

One important thing to note: if management and VM traffic will share the same NICs, ensure the native VLAN on the trunk port is the management VLAN.

Operating System and Drivers

The nodes should be shipped with the OS and drivers pre-installed; however, if they aren't, or you need to reinstall the OS, you can download the OS here. You will also have to download the drivers from the hardware manufacturer. Make sure you download the drivers for the Azure Stack HCI OS, as these may be different from the Windows Server 2019 drivers.

I won't go through the OS or driver installation as these are pretty standard for any server. For the Dell nodes I mounted the OS ISO via the iDRAC, completed the installation, then mounted the driver ISO and installed the drivers via PowerShell.

Deployment Requirements

For the deployment there are a few things worth noting.

  • Management IPs for the nodes
  • DNS IP addresses
  • Windows Admin Center installed on a server
  • Azure subscription to register the Azure Stack HCI cluster
  • Cluster witness for the 2 node cluster; we will use an Azure storage account for the cluster witness

Deployment Guide

For the actual deployment I followed Microsoft's deployment guide, which can be found here. There are a couple of things worth pointing out.

If you are utilizing the direct connect method as above, when you get to the virtual switch creation in section 7 of the guide, select one virtual switch for compute and storage.

When defining the network in section 2.5, you should receive a prompt to enable Credential Security Support Provider (CredSSP). If you select No, or don't receive the prompt, this section will fail.

CredSSP troubleshooting steps can be found here.

The SDN section is optional depending on your requirements. Once the initial setup is complete you should get the following confirmation.

Connecting Azure Stack HCI to Azure

In order to register the cluster with Azure, you will first need to register Windows Admin Center with Azure. Once complete you can register the cluster:

Open Windows Admin Center and select Settings from the very bottom of the Tools menu at the left. Then select Azure Stack HCI registration from the bottom of the Settings menu. If your cluster has not yet been registered with Azure, then Registration status will say Not registered. Click the Register button to proceed. You can also select Register this cluster from the Windows Admin Center dashboard.

Additional information on registering the cluster with Azure can be found here.

Additional Information

In order to run Azure Stack HCI there are a few bits of information which are worth knowing.

  • Unlike in Azure, you will need to provide all OS licences for your workloads.
  • Each server in the cluster is required to connect back to Azure endpoints at least once every 30 days.
  • In order to use the Azure features, Microsoft charge £8 per physical core per month (UK regions); additional information can be found here.
  • The current version of Azure Stack HCI is 20H2. A public preview of 21H2 is available.
  • Azure Arc integration is currently only available on version 21H2.
  • Azure Stack HCI documentation can be found here.

Overall Impressions

As mentioned previously, I do like Azure Stack HCI: it is easy to set up and integrate with Azure. If you are looking to build a hybrid cloud environment then it's certainly worth a shout.

Azure File Sync for a Hybrid Environment

I've configured Azure File Sync in my home lab quite a few times, and the setup is pretty straightforward. By default Azure File Sync will send data over the internet, which, although it is encrypted (if you have set that up), is not ideal. Below is a step-by-step guide to setting up Azure File Sync with private endpoints so that the data flows over a VPN.

In the following scenario we already have the following setup:

  • VPN from on-premises into Azure
  • Subnet for the Private Link Endpoints
  • Storage account and Azure file share
  • On-premises file share

Storage Sync Service

First we need to create a Storage Sync Service, which in itself is a little strange, as you need to go to the marketplace where it's called Azure File Sync:

Click create, add the resource group, storage sync service name and region, add any tags and create:

Add a sync group; this will contain the cloud endpoint (file share) and the server endpoint (on-premises file server). Give the sync group a name, select the storage account and file share created previously, and click create.

Once the sync group has been created, you will notice the cloud endpoint has already been created.

Before installing the server endpoint we are going to create the Private Link Endpoints, which will associate a private IP address with the storage account and with each of the File Sync services.

At the top of the screen type Private Link Center; once the page loads, click Private endpoints on the left-hand side.

We will be adding 2 private endpoints, one for the storage account and one for the Storage Sync Service. For the first, add the resource group, name and region.

Next we need to add the resource type, resource and target sub-resource. In the screenshot below you can see I have selected Microsoft.Storage/storageAccounts as the resource type. It is important to make sure you select the correct storage account and target sub-resource.

On the configuration page, select the VNet and subnet which will contain the Private Endpoint IP addresses.

Once you have added any tags you can click create.

Next, create another private endpoint for the Storage Sync Service. The steps are the same as above, except on the resource page you select Microsoft.StorageSync/storageSyncServices as the resource type, select the Storage Sync Service as the resource and AFS as the target sub-resource.

Before moving to the server endpoint we have two last steps. The first is to obtain the FQDN and IP address for the storage endpoint and for each of the Storage Sync Service endpoints. The best place to get these is Private DNS Zones:

First we will get the storage private endpoint FQDN and IP address. Click on privatelink.file.core.windows.net, and then the storage account name:

Take a note of the name and IP address:

Do the same for the Storage Sync Service private endpoint; note there will be 4 records here, so make sure you capture the name and IP details of each one.

Before adding the details captured above as DNS entries you need to remove the "privatelink" label from each FQDN.

Before:

  • acuksstorage001.privatelink.file.core.windows.net 10.0.1.4
  • ac-uks-storagesyncservmanagement.uksouth.privatelink.afs.azure.net 10.0.1.5
  • ac-uks-storagesyncservmonitoring.uksouth.privatelink.afs.azure.net 10.0.1.8
  • ac-uks-storagesyncservsyncp.uksouth.privatelink.afs.azure.net 10.0.1.6
  • ac-uks-storagesyncservsyncs.uksouth.privatelink.afs.azure.net 10.0.1.7

After:

  • acuksstorage001.file.core.windows.net 10.0.1.4
  • ac-uks-storagesyncservmanagement.uksouth.afs.azure.net 10.0.1.5
  • ac-uks-storagesyncservmonitoring.uksouth.afs.azure.net 10.0.1.8
  • ac-uks-storagesyncservsyncp.uksouth.afs.azure.net 10.0.1.6
  • ac-uks-storagesyncservsyncs.uksouth.afs.azure.net 10.0.1.7
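The renaming above, scripted as an added example that is not part of the original post: it creates the records on the DNS server the on-premises file server uses and then checks that every public name resolves to its private endpoint address. It assumes a Windows DNS server with the DnsServer module, and uses the sample FQDN/IP pairs listed above.

```powershell
# Added example, not from the original post: map the public Azure File Sync / storage
# names to the private endpoint IPs on the on-premises DNS server, then verify them.
# Assumes the DnsServer module is present; FQDN/IP pairs are the sample values above.
$privateEndpoints = @{
    'acuksstorage001.privatelink.file.core.windows.net'                  = '10.0.1.4'
    'ac-uks-storagesyncservmanagement.uksouth.privatelink.afs.azure.net' = '10.0.1.5'
    'ac-uks-storagesyncservmonitoring.uksouth.privatelink.afs.azure.net' = '10.0.1.8'
    'ac-uks-storagesyncservsyncp.uksouth.privatelink.afs.azure.net'      = '10.0.1.6'
    'ac-uks-storagesyncservsyncs.uksouth.privatelink.afs.azure.net'      = '10.0.1.7'
}
# Public zones the on-premises server must answer for, so these names never
# resolve to the public Azure addresses and sync traffic stays on the VPN
$zones = 'file.core.windows.net', 'afs.azure.net'

foreach ($fqdn in $privateEndpoints.Keys) {
    $zoneName = $zones | Where-Object { $fqdn.EndsWith(".$_") } | Select-Object -First 1
    # Record name relative to the zone, with the trailing "privatelink" label dropped,
    # e.g. "acuksstorage001.privatelink" -> "acuksstorage001"
    $recordName = $fqdn.Substring(0, $fqdn.Length - $zoneName.Length - 1) -replace '\.privatelink$', ''

    if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zoneName -ZoneFile "$zoneName.dns"
    }
    Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $recordName `
        -IPv4Address $privateEndpoints[$fqdn] -ErrorAction Stop
}

# Verify: each public name must now resolve to its private endpoint address
foreach ($fqdn in $privateEndpoints.Keys) {
    $publicName = $fqdn -replace '\.privatelink\.', '.'
    $expected   = $privateEndpoints[$fqdn]
    $answer     = (Resolve-DnsName -Name $publicName -Type A -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' }).IPAddress
    if ($answer -contains $expected) {
        Write-Output "OK   $publicName -> $expected"
    } else {
        Write-Warning "$publicName resolves to '$answer', expected $expected (sync traffic would leave the VPN)"
    }
}
```

Creating the whole file.core.windows.net zone on-premises means any other storage account's file endpoint will stop resolving for on-premises clients unless you add records for it too.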

We can now go to the storage account, then Networking and Private endpoint connections, to ensure the Private Endpoint has been created.

Going to Firewalls and virtual networks on the storage account, select "Selected networks" but do not add any networks.

The last step is to run the following script in Azure PowerShell, which forces all traffic over the VPN rather than the internet. Replace the resource group name and Storage Sync Service name in the top 2 lines.

# Resource group and name of the Storage Sync Service created earlier
$storageSyncServiceResourceGroupName = "<storage-sync-service-resource-group>"
$storageSyncServiceName = "<storage-sync-service>"

# Fetch the Storage Sync Service resource (requires the Az module and an active Connect-AzAccount session)
$storageSyncService = Get-AzResource `
        -ResourceGroupName $storageSyncServiceResourceGroupName `
        -ResourceName $storageSyncServiceName `
        -ResourceType "Microsoft.StorageSync/storageSyncServices"

# Only accept traffic arriving via the private endpoint; connections from the public internet are refused
$storageSyncService.Properties.incomingTrafficPolicy = "AllowVirtualNetworksOnly"
$storageSyncService = $storageSyncService | Set-AzResource -Confirm:$false -Force -UsePatchSemantics
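Before registering the server it is worth confirming that both Azure-side lockdowns (the incoming traffic policy above and the "Selected networks" firewall setting) actually took effect. This check is an added example, not part of the original post; it assumes the Az.Resources and Az.Storage modules, an active Connect-AzAccount session, and placeholder resource names that you replace.

```powershell
# Added check, not from the original post: verify the Storage Sync Service and the storage
# account only accept traffic through their private endpoints. Names are placeholders.
$syncServiceResourceGroupName    = "<storage-sync-service-resource-group>"
$storageSyncServiceName          = "<storage-sync-service>"
$storageAccountResourceGroupName = "<storage-account-resource-group>"
$storageAccountName              = "<storage-account>"

$problems = @()

# 1. The Storage Sync Service must only accept traffic arriving via its private endpoint
$syncService = Get-AzResource -ResourceGroupName $syncServiceResourceGroupName `
    -ResourceName $storageSyncServiceName -ResourceType "Microsoft.StorageSync/storageSyncServices"
$policy = $syncService.Properties.incomingTrafficPolicy
if ($policy -ne "AllowVirtualNetworksOnly") {
    $problems += "Storage Sync Service incomingTrafficPolicy is '$policy'; the Set-AzResource step has not taken effect"
}

# 2. The storage account firewall must default to Deny with no network or IP exceptions
#    ("Selected networks" with nothing added), leaving the private endpoint as the only path
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $storageAccountResourceGroupName -Name $storageAccountName
if ($ruleSet.DefaultAction -ne "Deny") {
    $problems += "Storage account default action is '$($ruleSet.DefaultAction)', expected Deny"
}
if ($ruleSet.IpRules.Count -gt 0 -or $ruleSet.VirtualNetworkRules.Count -gt 0) {
    $problems += "Storage account has $($ruleSet.IpRules.Count) IP rule(s) and $($ruleSet.VirtualNetworkRules.Count) VNet rule(s); remove them so only the private endpoint path remains"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Private endpoint only: Storage Sync Service and storage account are locked down" }
```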

Finally, on to the server endpoint. Download the Azure File Sync agent from here and run the installer. During the installation you can select automatic updates, and a proxy if required. Once the installation is complete, sign in with your Azure credentials.

Select the Azure Subscription, Resource Group and Storage Sync Service created previously.

The final step is to go back to the Storage Sync Service in Azure, and then to the sync group. Select Add server endpoint at the top of the screen.

Add the registered server, share path and cloud tiering requirements.

Once it's finished processing, the health should turn green, and that's it, all done.

Setting up File Sync to run over a VPN/ExpressRoute does take a bit of configuration, but it's well worth it to ensure the data is not synced over the internet.

Below is some additional Microsoft documentation.

Deploy Azure File Sync

Planning for an Azure File Sync Deployment

Azure File Sync Networking Considerations

Azure Private Endpoint DNS Configuration

Troubleshoot Azure File Sync