Azure VMware Solution


Contents

Azure VMware Solution


Overview
About Azure VMware Solution
Quick start
0 - Plan the deployment
1 - Deploy Azure VMware Solution
2 - Connect to on-premises
3 - Deploy and configure VMware HCX
Tutorials
1 - Network planning checklist
2 - Create a private cloud
3 - Access a private cloud
4 - Configure networking
5 - Create an NSX-T network segment
6 - Peer on-premises to private cloud
7 - Deploy and configure VMware HCX
8 - Scale a private cloud
9 - Delete a private cloud
Concepts
Private clouds and clusters
Private cloud networking and interconnectivity
Storage in private clouds
Access and identity for private clouds
vSphere role-based access control
Monitor and repair private clouds
Private cloud upgrades
How-to guides
Enable Azure VMware Solution
Save costs with a reserved instance
Migration assessment
Manage DHCP
Deploy disaster recovery for VMs
Deploy VM via content library
Set up GitHub Enterprise Server
Public IP usage
Create an IPSec tunnel
Azure native integration
API Management
Hub and spoke
Azure Security Center
Azure Backup Server
Set up Backup Server
Back up private cloud VMs with Backup Server
Lifecycle management of VMs
Azure NetApp Files
Application Gateway
Traffic Manager
VMware solutions
Set up vRealize Operations
Deploy VMware Horizon
VMware ecosystem
Backup solutions for VMs
Resources
Troubleshooting
Open a support request for deployment failures
FAQ
Reference
Azure CLI
Azure PowerShell
What is Azure VMware Solution?
2/11/2021 • 2 minutes to read

Azure VMware Solution provides you with private clouds that contain vSphere clusters, built from dedicated
bare-metal Azure infrastructure. The minimum initial deployment is three hosts, but additional hosts can be
added one at a time, up to a maximum of 16 hosts per cluster. All provisioned private clouds have vCenter
Server, vSAN, vSphere, and NSX-T. You can migrate workloads from your on-premises environments, deploy
new virtual machines (VMs), and consume Azure services from your private clouds.
Azure VMware Solution is a VMware validated solution with on-going validation and testing of enhancements
and upgrades. Microsoft manages and maintains private cloud infrastructure and software. It allows you to
focus on developing and running workloads in your private clouds.
The diagram shows the adjacency between private clouds and VNets in Azure, Azure services, and on-premises
environments. Network access from private clouds to Azure services or VNets provides SLA-driven integration
of Azure service endpoints. ExpressRoute Global Reach connects your on-premises environment to your Azure
VMware Solution private cloud.

Hosts, clusters, and private clouds


Azure VMware Solution private clouds and clusters are built from a bare-metal, hyper-converged Azure
infrastructure host. The high-end (HE) hosts have 576 GB of RAM and dual Intel 18-core, 2.3-GHz processors. The HE
hosts have two vSAN disk groups with 15.36 TB (SSD) of raw vSAN capacity tier and a 3.2 TB (NVMe) vSAN
cache tier.
New private clouds are deployed through the Azure portal or Azure CLI.

Networking
Azure VMware Solution offers a private cloud environment accessible from on-premises and Azure-based
environments or resources. Services such as Azure ExpressRoute and VPN connections deliver the connectivity.
These services require specific network address ranges and firewall ports for enabling the services.
When deploying a private cloud, private networks for management, provisioning, and vMotion get created. Use
these private networks to access vCenter and NSX-T Manager and for virtual machine vMotion or deployment.
ExpressRoute Global Reach is used to connect private clouds to on-premises environments. The connection
requires a virtual network with an ExpressRoute circuit in your subscription.
Resources, such as web servers and virtual machines, are accessible to the internet through the Azure Virtual
WAN public IP functionality. By default, internet access is disabled for new private clouds. For more information,
see How to use the public IP functionality in Azure VMware Solution.
For more information, see Networking concepts.

Access and security


Azure VMware Solution private clouds use vSphere role-based access control for enhanced security. You can
integrate vSphere SSO LDAP capabilities with Azure Active Directory. For more information, see the Access and
Identity concepts.
vSAN data-at-rest encryption, by default, is enabled and is used to provide vSAN datastore security. For more
information, see Storage concepts.

Host and software lifecycle maintenance


Regular upgrades of the Azure VMware Solution private cloud and VMware software ensure the latest security,
stability, and feature sets are running in your private clouds. For more information, see Private cloud updates
and upgrades.

Monitoring your private cloud


Once Azure VMware Solution is deployed into your subscription, Azure Monitor logs are generated
automatically.
In your private cloud, you can:
Collect logs on each of your VMs.
Download and install the MMA agent on Linux and Windows VMs.
Enable the Azure diagnostics extension.
Create and run new queries.
Run the same queries you usually run on your VMs.
Monitoring patterns inside the Azure VMware Solution are similar to Azure VMs within the IaaS platform. For
more information and how-tos, see Monitoring Azure VMs with Azure Monitor.

Next steps
The next step is to learn key private cloud and cluster concepts.
Planning the Azure VMware Solution deployment
2/11/2021 • 7 minutes to read

This article walks you through the planning process to identify and collect the data used during the deployment. As you
plan your deployment, make sure to document the information you gather for easy reference during the
deployment.
The steps in this quick start result in a production-ready environment for creating virtual machines (VMs)
and for migration.

IMPORTANT
Before you create your Azure VMware Solution resource, follow the How to enable Azure VMware Solution resource
article to submit a support ticket to have your hosts allocated. Once the support team receives your request, it takes up
to five business days to confirm your request and allocate your hosts. If you have an existing Azure VMware Solution
private cloud and want more hosts allocated, you'll go through the same process.

Subscription
Identify the subscription you plan to use to deploy Azure VMware Solution. You can either create a new
subscription or reuse an existing one.

NOTE
The subscription must be associated with a Microsoft Enterprise Agreement or a Cloud Solution Provider Azure plan. For
more information, see How to enable Azure VMware Solution resource.

Resource group
Identify the resource group you want to use for your Azure VMware Solution. Generally, a resource group is
created specifically for Azure VMware Solution, but you can use an existing resource group.

Region
Identify the region you want Azure VMware Solution deployed. For more information, see the Azure Products
Available By Region Guide.

Resource name
Define the resource name you'll use during deployment. The resource name is a friendly, descriptive name
that you give your Azure VMware Solution private cloud.

IMPORTANT
The name must not exceed 40 characters. If the name exceeds this limit, you won't be able to create public IP addresses
for use with the private cloud.

Size hosts
Identify the host size that you want to use when deploying Azure VMware Solution. For a complete list, see the
Azure VMware Solution private clouds and clusters documentation.

Number of hosts
Define the number of hosts that you want to deploy into the Azure VMware Solution private cloud. The
minimum number of hosts is three, and the maximum is 16 per cluster. For more information, see the Azure
VMware Solution private cloud and clusters documentation.
You can always extend the cluster later if you need to go beyond the initial deployment number.

vCenter admin password


Define the vCenter admin password. During the deployment, you'll create a vCenter admin password. The
password is assigned to the cloudadmin@vsphere.local admin account during the vCenter build. You'll use it to sign in to
vCenter.

NSX-T admin password


Define the NSX-T admin password. During the deployment, you'll create an NSX-T admin password. The
password is assigned to the admin user in the NSX account during the NSX build. You'll use it to log into NSX-T
Manager.

IP address segment
The first step in planning the deployment is to plan out the IP segmentation. Azure VMware Solution ingests a
/22 network that you provide. It then carves that block into smaller segments and uses those IP segments for
vCenter, VMware HCX, NSX-T, and vMotion.
Azure VMware Solution connects to your Microsoft Azure Virtual Network through an internal ExpressRoute
circuit. In most cases, it connects to your data center through ExpressRoute Global Reach.
Azure VMware Solution, your existing Azure environment, and your on-premises environment typically all exchange
routes. That being the case, the /22 CIDR network address block you define in this step shouldn't
overlap anything you already have on-premises or in Azure.
Example: 10.0.0.0/22
For more information, see the Network planning checklist.
IP address segment for virtual machine workloads
Identify an IP segment to create your first network (NSX segment) in your private cloud. In other words, you
want to create a network segment on Azure VMware Solution so you can deploy VMs onto Azure VMware
Solution.
Even if you only plan on extending L2 networks, create a network segment so you can validate the environment.
Remember, any IP segments created must be unique across your Azure and on-premises footprint.
Example: 10.0.4.0/24
(Optional) Extend networks
You can extend network segments from on-premises to Azure VMware Solution, and if you do, identify those
networks now.
Keep in mind that:
If you plan to extend networks from on-premises, those networks must connect to a vSphere Distributed
Switch (vDS) in your on-premises VMware environment.
If the network(s) you wish to extend live on a vSphere Standard Switch, then they can't be extended.

Attach virtual network to Azure VMware Solution


In this step, you'll identify an ExpressRoute virtual network gateway and supporting Azure Virtual Network used
to connect the Azure VMware Solution ExpressRoute circuit. The ExpressRoute circuit facilitates connectivity to
and from the Azure VMware Solution private cloud to other Azure services, Azure resources, and on-premises
environments.
You can use an existing or new ExpressRoute virtual network gateway.
Use an existing ExpressRoute virtual network gateway
If you use an existing ExpressRoute virtual network gateway, the Azure VMware Solution ExpressRoute circuit is
established after you deploy the private cloud. In this case, leave the Virtual Network field blank.
Make note of which ExpressRoute virtual network gateway you'll use and continue to the next step.
Create a new ExpressRoute virtual network gateway
When you create a new ExpressRoute virtual network gateway, you can use an existing Azure Virtual Network or
create a new one.
For an existing Azure Virtual network:
1. Verify there are no pre-existing ExpressRoute virtual network gateways in the virtual network.
2. Select the existing Azure Virtual Network from the Virtual Network list.
For a new Azure Virtual Network, you can create it in advance or during deployment. Select the Create
new link under the Virtual Network list.
The below image shows the Create a private cloud deployment screen with the Virtual Network field
highlighted.
NOTE
Any virtual network that is going to be used or created may be seen by your on-premises environment and Azure
VMware Solution, so make sure whatever IP segment you use in this virtual network and subnets do not overlap.

VMware HCX Network Segments


VMware HCX is a technology bundled in with Azure VMware Solution. The primary use cases for VMware HCX
are workload migrations and disaster recovery. If you plan to do either, it's best to plan out the networking now.
Otherwise, you can skip and continue to the next step.
Four networks are needed for VMware HCX:
Management network : Typically, it's the same management network used on the vSphere cluster. At a
minimum, identify two IPs on this network segment for VMware HCX. You might need larger numbers,
depending on your deployment.
NOTE
The method we recommend is creating a /26 network. On a /26 network, you can use up to 10 service meshes
and 60 network extenders (-1 per service mesh). You can stretch eight networks per network extender by using
Azure VMware Solution private clouds.

vMotion network : Typically, it's the same network used for vMotion on the vSphere cluster. At a
minimum, identify two IPs on this network segment for VMware HCX. You might need larger numbers,
depending on your deployment.
The vMotion network must be exposed on a distributed virtual switch or vSwitch0. If it's not, modify the
environment.

NOTE
This network can be private (not routed).

Uplink network : You want to create a new network for VMware HCX Uplink and extend it to your
vSphere cluster via a port group. At a minimum, identify two IPs on this network segment for VMware
HCX. You might need larger numbers, depending on your deployment.

NOTE
The method we recommend is creating a /26 network. On a /26 network, you can use up to 10 service meshes
and 60 network extenders (-1 per service mesh). You can stretch eight networks per network extender by using
Azure VMware Solution private clouds.

Replication network : This is optional. You want to create a new network for VMware HCX Replication
and extend that network to your vSphere cluster via a port group. At a minimum, identify two IPs on this
network segment for VMware HCX. You might need larger numbers, depending on your deployment.

NOTE
This configuration is only possible when the on-premises cluster hosts use a dedicated Replication VMkernel
network. If your on-premises cluster does not have a dedicated Replication VMkernel network defined, there is no
need to create this network.

Next steps
Now that you've gathered and documented the needed information, continue to the next section to create your
Azure VMware Solution private cloud.
Deploy Azure VMware Solution
Deploy and configure Azure VMware Solution
2/11/2021 • 7 minutes to read

In this article, you'll use the information from the planning section to deploy Azure VMware Solution.

IMPORTANT
If you haven't defined the information yet, go back to the planning section before continuing.

Register the resource provider


To use Azure VMware Solution, you must first register the resource provider with your subscription.
Azure CLI

az provider register -n Microsoft.AVS --subscription <your subscription ID>

Azure portal
1. Sign in to the Azure portal.
2. On the Azure portal menu, select All services.
3. In the All services box, enter subscription, and then select Subscriptions.
4. Select the subscription from the subscription list to view.
5. Select Resource providers and enter Microsoft.AVS into the search.
6. If the resource provider is not registered, select Register.

Deploy Azure VMware Solution


Use the information you gathered in the Planning the Azure VMware Solution deployment article:

NOTE
To deploy Azure VMware Solution, you must be at minimum contributor level in the subscription.

1. Sign in to the Azure portal.


2. Select Create a new resource. In the Search the Marketplace text box, type Azure VMware Solution,
and select Azure VMware Solution from the list. On the Azure VMware Solution window, select
Create.
3. On the Basics tab, enter values for the fields. The following table lists the properties for the fields.

FIELD | VALUE
Subscription | The subscription you plan to use for the deployment.
Resource group | The resource group for your private cloud resources.
Location | Select a location, such as east us.
Resource name | The name of your Azure VMware Solution private cloud.
SKU | Select the following SKU value: AV36
Hosts | The number of hosts to add to the private cloud cluster. The default value is 3, which can be raised or lowered after deployment.
vCenter admin password | Enter a cloud administrator password.
NSX-T manager password | Enter an NSX-T administrator password.
Address block | Enter an IP address block for the CIDR network for the private cloud, for example, 10.175.0.0/22.
Virtual Network | Select a Virtual Network or create a new one for the Azure VMware Solution private cloud.

4. Once finished, select Review + Create. On the next screen, verify the information entered. If the
information is all correct, select Create.

NOTE
This step takes roughly two hours.

5. Verify that the deployment was successful. Navigate to the resource group you created and select your
private cloud. You'll see the status of Succeeded when the deployment has completed.

NOTE
For an end-to-end overview of this step, view the Azure VMware Solution: Deployment video.

Create the jump box


IMPORTANT
If you left the Virtual Network option blank during the initial provisioning step on the Create a Private Cloud screen,
complete the Configure networking for your VMware private cloud tutorial before you proceed with this section.

After you deploy Azure VMware Solution, you'll create the virtual network's jump box that connects to vCenter
and NSX. Once you've configured ExpressRoute circuits and ExpressRoute Global Reach, the jump box isn't
needed. But it's handy to reach vCenter and NSX in your Azure VMware Solution.
To create a virtual machine (VM) in the virtual network that you identified or created as part of the deployment
process, follow these instructions:
1. In the resource group, select + Add, then search for and select Microsoft Windows 10, and then select
Create.

2. Enter the required information in the fields, and then select Review + create.
For more information on the fields, see the following table.

FIELD | VALUE
Subscription | Value is pre-populated with the Subscription belonging to the Resource Group.
Resource group | Value is pre-populated for the current Resource Group, which you created in the preceding tutorial.
Virtual machine name | Enter a unique name for the VM.
Region | Select the geographical location of the VM.
Availability options | Leave the default value selected.
Image | Select the VM image.
Size | Leave the default size value.
Authentication type | Select Password.
Username | Enter the user name for logging on to the VM.
Password | Enter the password for logging on to the VM.
Confirm password | Enter the password for logging on to the VM.
Public inbound ports | Select None. If you select None, you can use JIT access to control access to the VM only when you want to access it.

3. Once validation passes, select Create to start the virtual machine creation process.
Connect to a virtual network with ExpressRoute
IMPORTANT
If you've already defined a virtual network in the deployment screen in Azure, then skip to the next section.

If you didn't define a virtual network in the deployment step and your intent is to connect the Azure VMware
Solution's ExpressRoute to an existing ExpressRoute Gateway, follow these steps.
1. Navigate to the private cloud you created in the Deploy vSphere Cluster in Azure tutorial. Under Manage,
select Connectivity, and then select the ExpressRoute tab.
2. Copy the authorization key. If there isn't an authorization key, you need to create one: select + Request
an authorization key.
3. Navigate to the Virtual Network Gateway you created in the previous step and, under Settings, select
Connections. On the Connections page, select + Add.
4. On the Add connection page, provide values for the fields, and select OK.

FIELD | VALUE
Name | Enter a name for the connection.
Connection type | Select ExpressRoute.
Redeem authorization | Ensure this box is selected.
Virtual network gateway | The Virtual Network gateway you created previously.
Authorization key | Copy and paste the authorization key from the ExpressRoute tab for your Resource Group.
Peer circuit URI | Copy and paste the ExpressRoute ID from the ExpressRoute tab for your Resource Group.
The connection between your ExpressRoute circuit and your Virtual Network is created.

Verify network routes advertised


The jump box is in the virtual network where Azure VMware Solution connects through its ExpressRoute circuit.
In Azure, go to the jump box's network interface and view the effective routes.
In the effective routes list, you should see the networks created as part of the Azure VMware Solution
deployment. You'll see multiple networks that were derived from the /22 network you defined during the
deployment step earlier in this article.

In this example, the 10.74.72.0/22 network that was entered during deployment is the source of the /24 networks. If you see
something similar, you can connect to vCenter in Azure VMware Solution.

Connect and sign in to vCenter and NSX-T


Log into the jump box you created in the earlier step. Once you've logged in, open a web browser and sign in
to both the vCenter and the NSX-T admin console.
You can identify the vCenter and NSX-T admin console IP addresses and credentials in the Azure portal. Select
your private cloud and then, in the Overview view, select Identity > Default.

Create a network segment on Azure VMware Solution


You use NSX-T to create new network segments in your Azure VMware Solution environment. You defined the
networks you want to create in the planning section. If you haven't defined them, go back to the planning
section before proceeding.

IMPORTANT
Make sure the CIDR network address block you defined doesn't overlap with anything in your Azure or on-premises
environments.

Follow the Create an NSX-T network segment in Azure VMware Solution tutorial to create an NSX-T network
segment in Azure VMware Solution.

Verify advertised NSX-T segment


Go back to the Verify network routes advertised step. You'll see other routes in the list representing the network
segments you created in the previous step.
For virtual machines, you'll assign the segments you created in the Create a network segment on Azure VMware
Solution step.
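Both route checks above, the /24 networks derived from the /22 in the Verify network routes advertised step and the NSX-T segments you created in this step, can be done against the jump box's effective route table rather than by eye. The Python script below is an added example, not code from this documentation or from any Microsoft tool. It assumes the route table is in the JSON shape that `az network nic show-effective-route-table -o json` returns (only the addressPrefix, nextHopType, and state fields are used, and that shape is an assumption); the sample route table, the 10.74.80.0/24 workload segment, and the function names are constructed for the example.

```python
"""Verify the routes the jump box receives from Azure VMware Solution.

Added example; not code from the Microsoft docs page or from any Microsoft
tool. The route table format and all sample entries below are constructed.
"""
import ipaddress
import json

# Constructed sample: what the jump box NIC might show after deployment. The
# /24 entries are derived from the page's 10.74.72.0/22 example block; the
# 10.74.80.0/24 entry stands for an NSX-T workload segment created later.
SAMPLE_ROUTE_TABLE = json.dumps({"value": [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "state": "Active"},
    {"addressPrefix": ["10.74.72.0/24"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
    {"addressPrefix": ["10.74.73.0/24"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
    {"addressPrefix": ["10.74.74.0/24"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
    {"addressPrefix": ["10.74.75.0/24"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
    {"addressPrefix": ["10.74.80.0/24"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
]})


def parse_routes(text):
    """Flatten the route table into (network, nextHopType, state) tuples."""
    routes = []
    for entry in json.loads(text).get("value", []):
        for prefix in entry.get("addressPrefix", []):
            routes.append((ipaddress.ip_network(prefix, strict=False),
                           entry.get("nextHopType"), entry.get("state")))
    return routes


def advertised_networks(routes, private_cloud_block, expected_segments=()):
    """Summarise what the private cloud advertises into the jump box's network.

    derived:          active gateway routes that fall inside the /22 (the
                      management, HCX, NSX-T and vMotion networks carved from it)
    conflicting:      routes inside the /22 that are present but are not active
                      gateway routes (e.g. an inactive or overridden route)
    missing_segments: expected NSX-T segments that are not advertised
    """
    block = ipaddress.ip_network(private_cloud_block)
    gateway_active = [net for net, hop, state in routes
                      if hop == "VirtualNetworkGateway" and state == "Active"]
    inside = [net for net, _, _ in routes if net.subnet_of(block)]
    derived = sorted(n for n in gateway_active if n.subnet_of(block))
    conflicting = sorted(n for n in inside if n not in gateway_active)
    expected = [ipaddress.ip_network(s) for s in expected_segments]
    missing = [s for s in expected if s not in gateway_active]
    return {
        "derived": [str(n) for n in derived],
        "conflicting": [str(n) for n in conflicting],
        "missing_segments": [str(s) for s in missing],
    }


def ready_to_connect(summary):
    """True when /22-derived routes are present, nothing conflicts, and nothing expected is missing."""
    return bool(summary["derived"]) and not summary["conflicting"] and not summary["missing_segments"]


if __name__ == "__main__":
    summary = advertised_networks(parse_routes(SAMPLE_ROUTE_TABLE), "10.74.72.0/22", ["10.74.80.0/24"])
    print(json.dumps(summary, indent=2))
    print("ready to connect to vCenter:", ready_to_connect(summary))
```

Feed it the saved output of the effective routes for the jump box's NIC and the segments you created in NSX-T; an empty missing_segments list confirms the segment is advertised, and a non-empty conflicting list is the first place to look when a ping to vCenter or to a VM on the segment fails.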
Because DNS is required, identify what DNS server you want to use.
If you have ExpressRoute Global Reach configured, use whatever DNS server you would use on-premises.
If you have a DNS server in Azure, use that.
If you don't have either, then use whatever DNS server your jump box is using.

NOTE
This step is to identify the DNS server, and no configurations are done in this step.

(Optional) Provide DHCP services to NSX-T network segment


If you plan to use DHCP on your NSX-T segments, continue with this section. Otherwise, skip to the Add a VM
on the NSX-T network segment section.
Now that you've created your NSX-T network segment, you can create and manage DHCP in Azure VMware
Solution in two ways:
If you're using NSX-T to host your DHCP server, you'll need to create a DHCP server and relay to that server.
If you're using a third-party external DHCP server in your network, you'll need to create DHCP relay service.
For this option, only do the relay configuration.
Add a VM on the NSX-T network segment
In your Azure VMware Solution vCenter, deploy a VM and use it to verify connectivity from your Azure VMware
Solution networks to:
The internet
Azure Virtual Networks
On-premises.
Deploy the VM as you would in any vSphere environment. Attach the VM to one of the network segments you
previously created in NSX-T.

NOTE
If you set up a DHCP server, you get your network configuration for the VM from it (don't forget to set up the scope). If
you are going to configure statically, then configure as you normally would.

Test the NSX-T segment connectivity


Log into the VM created in the previous step and verify connectivity:
1. Ping an IP on the internet.
2. In a web browser, go to an internet site.
3. Ping the jump box that sits on the Azure Virtual Network.
Azure VMware Solution is now up and running, and you've successfully established connectivity to and from
Azure Virtual Network and the internet.

Next steps
In the next section, you'll connect Azure VMware Solution to your on-premises network through ExpressRoute.
Connect Azure VMware Solution to your on-premises environment
Connect Azure VMware Solution to your on-premises environment
2/11/2021 • 2 minutes to read

In this article, you'll continue using the information gathered during planning to connect Azure VMware
Solution to your on-premises environment.
Before you begin, there are two prerequisites for connecting Azure VMware Solution to your on-premises
environment:
An ExpressRoute circuit from your on-premises environment to Azure.
A /29 non-overlapping network address block for the ExpressRoute Global Reach peering, which you defined
as part of the planning phase.

NOTE
You can connect through VPN, but that's out of scope for this quick start document.

Establish an ExpressRoute Global Reach connection


To establish on-premises connectivity to your Azure VMware Solution private cloud using ExpressRoute Global
Reach, follow the Peer on-premises environments to a private cloud tutorial.

Verify on-premises network connectivity


In your on-premises edge router, where the ExpressRoute circuit connects, you should now see routes for the NSX-T network
segments and the Azure VMware Solution management segments.

IMPORTANT
Everyone has a different environment, and some will need to allow these routes to propagate back into the on-premises
network.

Some environments have firewalls protecting the ExpressRoute circuit. If there are no firewalls and no route pruning,
you can ping your Azure VMware Solution vCenter server or a VM on the NSX-T segment from your on-premises
environment. Additionally, from the VM on the NSX-T segment, you can reach resources in your on-premises
environment.

Next steps
Continue to the next section to deploy and configure VMware HCX.
Deploy and configure VMware HCX
Deploy and configure VMware HCX
2/11/2021 • 12 minutes to read

This article shows you how to deploy and configure the on-premises VMware HCX Connector for your Azure
VMware Solution private cloud. With VMware HCX, you can migrate your VMware workloads to Azure VMware
Solution and other connected sites through various migration types. Because Azure VMware Solution deploys
and configures the HCX Cloud Manager, you must download, activate, and configure the HCX Connector in your
on-premises VMware datacenter.
VMware HCX Advanced Connector is pre-deployed in Azure VMware Solution. It supports up to three site
connections (on-premises to cloud, or cloud to cloud). If you need more than three site connections, submit a
support request to enable the VMware HCX Enterprise add-on. The add-on is currently in preview.

TIP
Although the VMware Configuration Maximum tool describes site pairs maximum to be 25 between the on-premises
Connector and Cloud Manager, the licensing limits this to three for Advanced and 10 for Enterprise Edition.

NOTE
VMware HCX Enterprise is available with Azure VMware Solution as a preview service. It's free and is subject to terms and
conditions for a preview service. After the VMware HCX Enterprise service is generally available, you'll get a 30-day notice
that billing will switch over. You'll also have the option to turn off or opt-out of the service. There is no simple downgrade
path from VMware HCX Enterprise to VMware HCX Advanced. If you decide to downgrade, you'll have to redeploy,
incurring downtime.

First, review Before you begin, Software version requirements, and the Prerequisites.
Then, we'll walk through all the necessary procedures to:
Download the VMware HCX Connector OVA.
Deploy the on-premises VMware HCX OVA (VMware HCX Connector).
Activate the VMware HCX Connector.
Pair your on-premises VMware HCX Connector with your Azure VMware Solution HCX Cloud Manager.
Configure the interconnect (network profile, compute profile, and service mesh).
Complete setup by checking the appliance status and validating that migration is possible.
After you're finished, follow the recommended next steps at the end of this article.

Before you begin


As you prepare your deployment, we recommend that you review the following VMware documentation:
VMware HCX user guide
Migrating Virtual Machines with VMware HCX
VMware HCX Deployment Considerations
VMware blog series - cloud migration
Network ports required for VMware HCX
Prerequisites
If you plan to use VMware HCX Enterprise, make sure you've requested activation through the Azure VMware
Solution support channels.
On-premises vSphere environment
Make sure that your on-premises vSphere environment (source environment) meets the minimum
requirements.
Network and ports
Azure ExpressRoute Global Reach is configured between on-premises and Azure VMware Solution SDDC
ExpressRoute circuits.
All required ports are open for communication between on-premises components and Azure VMware
Solution SDDC.
IP addresses
Four networks are needed for VMware HCX:
Management network : Typically, it's the same management network used on the vSphere cluster. At a
minimum, identify two IPs on this network segment for VMware HCX. You might need larger numbers,
depending on your deployment.

NOTE
The method we recommend is creating a /26 network. On a /26 network, you can use up to 10 service meshes
and 60 network extenders (-1 per service mesh). You can stretch eight networks per network extender by using
Azure VMware Solution private clouds.

vMotion network : Typically, it's the same network used for vMotion on the vSphere cluster. At a
minimum, identify two IPs on this network segment for VMware HCX. You might need larger numbers,
depending on your deployment.
The vMotion network must be exposed on a distributed virtual switch or vSwitch0. If it's not, modify the
environment.

NOTE
This network can be private (not routed).

Uplink network : You want to create a new network for VMware HCX Uplink and extend it to your
vSphere cluster via a port group. At a minimum, identify two IPs on this network segment for VMware
HCX. You might need larger numbers, depending on your deployment.

NOTE
The method we recommend is creating a /26 network. On a /26 network, you can use up to 10 service meshes
and 60 network extenders (-1 per service mesh). You can stretch eight networks per network extender by using
Azure VMware Solution private clouds.

Replication network : This is optional. You want to create a new network for VMware HCX Replication
and extend that network to your vSphere cluster via a port group. At a minimum, identify two IPs on this
network segment for VMware HCX. You might need larger numbers, depending on your deployment.
NOTE
This configuration is only possible when the on-premises cluster hosts use a dedicated Replication VMkernel
network. If your on-premises cluster does not have a dedicated Replication VMkernel network defined, there is no
need to create this network.

Download the VMware HCX Connector OVA


Before you deploy the virtual appliance to your on-premises vCenter, you must download the VMware HCX
Connector OVA.
1. In the Azure portal, select the Azure VMware Solution private cloud.
2. Select Manage > Connectivity and select the HCX tab to identify the Azure VMware Solution HCX
Manager's IP address.

3. Select Manage > Identity and select vCenter admin password to identify the password.

TIP
The vCenter password was defined when you set up the private cloud. It's the same password you'll use to sign in
to Azure VMware Solution HCX Manager.
4. Open a browser window, sign in to the Azure VMware Solution HCX Manager on https://x.x.x.9 port
443 with the cloudadmin@vsphere.local user credentials.
5. Select Administration > System Updates and then select Request Download Link.
6. Select the option of your choice to download the VMware HCX Connector OVA file.

Deploy the VMware HCX Connector OVA on-premises


1. In your on-premises vCenter, select an OVF template to deploy the VMware HCX Connector to your on-
premises vCenter.

TIP
You'll select the OVA file that you downloaded in the previous section.

2. Select a name and location, and select a resource or cluster where you're deploying the VMware HCX
Connector. Then review the details and required resources and select Next .
3. Review license terms. If you agree, select the required storage and network, and then select Next .
4. Select storage and select Next .
5. Select the VMware HCX management network segment you previously defined in the IP addresses
prerequisites section. Then, select Next .
6. In Customize template , enter all required information and then select Next .

7. Verify the configuration, and then select Finish to deploy the VMware HCX Connector OVA.

IMPORTANT
You will need to turn on the virtual appliance manually. After powering on, wait 10-15 minutes before proceeding
to the next step.

For an end-to-end overview of this procedure, view the Azure VMware Solution: HCX Appliance Deployment
video.

Activate VMware HCX


After you deploy the VMware HCX Connector OVA on-premises and start the appliance, you're ready to activate.
First, you need to get a license key from the Azure VMware Solution portal.
1. In the Azure VMware Solution portal, go to Manage > Connectivity , select the HCX tab, and then select
Add .
2. Use the admin credentials to sign in to the on-premises VMware HCX Manager at
https://HCXManagerIP:9443 .
TIP
You defined the admin user password during the VMware HCX Manager OVA file deployment.

IMPORTANT
Make sure to include the 9443 port number with the VMware HCX Manager IP address.

3. In Licensing , enter your key for HCX Advanced Key and select Activate .

NOTE
VMware HCX Manager must have open internet access or a proxy configured.

4. In Datacenter Location , provide the nearest location for installing the VMware HCX Manager on-
premises. Then select Continue .
5. In System Name , modify the name or accept the default and select Continue .
6. Select Yes, Continue .
7. In Connect your vCenter , provide the FQDN or IP address of your vCenter server and the appropriate
credentials, and then select Continue .

TIP
The vCenter server is where you deployed the VMware HCX Connector in your datacenter.

8. In Configure SSO/PSC , provide the FQDN or IP address of your Platform Services Controller, and then
select Continue .

NOTE
Typically, it's the same as your vCenter FQDN or IP address.

9. Verify that the information entered is correct, and select Restart .

NOTE
You'll experience a delay after restarting before being prompted for the next step.

After the services restart, you'll see vCenter showing as green on the screen that appears. Both vCenter and SSO
must have the appropriate configuration parameters, which should be the same as the previous screen.
For an end-to-end overview of this procedure, view the Azure VMware Solution: Activate HCX video.

IMPORTANT
Whether you're using VMware HCX Advanced or VMware HCX Enterprise, you may need to install the patch from
VMware's KB article 81558.

Configure the VMware HCX Connector


Now you're ready to add a site pairing, create a network and compute profile, and enable services such as
migration, network extension, or disaster recovery.
Add a site pairing
You can connect or pair the VMware HCX Cloud Manager in Azure VMware Solution with the VMware HCX
Connector in your datacenter.
1. Sign in to your on-premises vCenter, and under Home , select HCX .
2. Under Infrastructure , select Site Pairing , and then select the Connect To Remote Site option (in the
middle of the screen).
3. Enter the Azure VMware Solution HCX Cloud Manager URL or IP address that you noted earlier
https://x.x.x.9 , the Azure VMware Solution cloudadmin@vsphere.local username, and the password.
Then select Connect .

NOTE
To successfully establish a site pair:
Your VMware HCX Connector must be able to route to your HCX Cloud Manager IP over port 443.
Use the same password that you used to sign in to vCenter. You defined this password on the initial
deployment screen.

You'll see a screen showing that your VMware HCX Cloud Manager in Azure VMware Solution and your
on-premises VMware HCX Connector are connected (paired).
For an end-to-end overview of this procedure, view the Azure VMware Solution: HCX Site Pairing video.
Create network profiles
VMware HCX Connector deploys a subset of virtual appliances (automated) that require multiple IP segments.
When you create your network profiles, you use the IP segments you identified during the VMware HCX
Network Segments pre-deployment preparation and planning stage.
You'll create four network profiles:
Management
vMotion
Replication
Uplink
1. Under Infrastructure , select Interconnect > Multi-Site Service Mesh > Network Profiles >
Create Network Profile .

2. For each network profile, select the network and port group, provide a name, and create the segment's IP
pool. Then select Create .
For an end-to-end overview of this procedure, view the Azure VMware Solution: HCX Network Profile video.
Create a compute profile
1. Under Infrastructure , select Interconnect > Compute Profiles > Create Compute Profile .

2. Enter a name for the profile and select Continue .


3. Select the services to enable, such as migration, network extension, or disaster recovery, and then select
Continue .

NOTE
Generally, nothing changes here.

4. In Select Service Resources , select one or more service resources (clusters) to enable the selected
VMware HCX services.
5. When you see the clusters in your on-premises datacenter, select Continue .

6. From Select Datastore , select the datastore storage resource for deploying the VMware HCX
Interconnect appliances. Then select Continue .
When multiple resources are selected, VMware HCX uses the first resource selected until its capacity is
exhausted.
7. From Select Management Network Profile , select the management network profile that you created
in previous steps. Then select Continue .

8. From Select Uplink Network Profile , select the uplink network profile you created in the previous
procedure. Then select Continue .

9. From Select vMotion Network Profile , select the vMotion network profile that you created in prior
steps. Then select Continue .
10. From Select vSphere Replication Network Profile , select the replication network profile that you
created in prior steps. Then select Continue .

11. From Select Distributed Switches for Network Extensions , select the switches that contain the
virtual machines to be migrated to Azure VMware Solution on a layer-2 extended network. Then select
Continue .

NOTE
If you are not migrating virtual machines on layer-2 extended networks, you can skip this step.
12. Review the connection rules and select Continue .

13. Select Finish to create the compute profile.

For an end-to-end overview of this procedure, view the Azure VMware Solution: Compute Profile video.
Create a service mesh
Now it's time to configure a service mesh between on-premises and Azure VMware Solution SDDC.

NOTE
To successfully establish a service mesh with Azure VMware Solution:
Ports UDP 500/4500 are open between your on-premises VMware HCX Connector 'uplink' network profile
addresses and the Azure VMware Solution HCX Cloud 'uplink' network profile addresses.
Be sure to review the VMware HCX required ports.

1. Under Infrastructure , select Interconnect > Service Mesh > Create Service Mesh .
2. Review the sites that are pre-populated, and then select Continue .

NOTE
If this is your first service mesh configuration, you won't need to modify this screen.

3. Select the source and remote compute profiles from the drop-down lists, and then select Continue .
The selections define the resources where VMs can consume VMware HCX services.
4. Review services that will be enabled, and then select Continue .
5. In Advanced Configuration - Override Uplink Network profiles , select Continue .
Uplink network profiles connect to the network through which the remote site's interconnect appliances
can be reached.
6. In Advanced Configuration - Network Extension Appliance Scale Out , review and select
Continue .
You can have up to eight VLANs per appliance, but you can deploy another appliance to add another
eight VLANs. You must also have IP space to account for the additional appliances, and it's one IP per
appliance. For more information, see VMware HCX Configuration Limits.

7. In Advanced Configuration - Traffic Engineering , review and make any modifications that you feel
are necessary, and then select Continue .
8. Review the topology preview and select Continue .
9. Enter a user-friendly name for this service mesh and select Finish to complete.
10. Select View Tasks to monitor the deployment.

When the service mesh deployment finishes successfully, you'll see the services as green.
11. Verify the service mesh's health by checking the appliance status.
12. Select Interconnect > Appliances .

For an end-to-end overview of this procedure, view the Azure VMware Solution: Service Mesh video.
(Optional) Create a network extension
If you want to extend any networks from your on-premises environment to Azure VMware Solution, follow
these steps:
1. Under Services , select Network Extension > Create a Network Extension .

2. Select each of the networks you want to extend to Azure VMware Solution, and then select Next .
3. Enter the on-premises gateway IP for each of the networks you're extending, and then select Submit .

It takes a few minutes for the network extension to finish. When it does, you see the status change to
Extension complete .

For an end-to-end overview of this procedure, view the Azure VMware Solution: Network Extension video.

Next steps
If the appliance interconnect tunnel status is UP and green, you can migrate and protect Azure VMware Solution
VMs by using VMware HCX. Azure VMware Solution supports workload migrations (with or without a network
extension). You can still migrate workloads in your vSphere environment, along with on-premises creation of
networks and deployment of VMs onto those networks.
For more information on using HCX, go to the VMware technical documentation:
VMware HCX Documentation
Migrating Virtual Machines with VMware HCX
HCX required ports
Networking planning checklist for Azure VMware
Solution
2/11/2021 • 6 minutes to read

Azure VMware Solution offers a VMware private cloud environment accessible for users and applications from
on-premises and Azure-based environments or resources. The connectivity is delivered through networking
services such as Azure ExpressRoute and VPN connections. It requires specific network address ranges and
firewall ports to enable the services. This article provides you with the information you need to configure your
networking to work with Azure VMware Solution properly.
In this tutorial, you'll learn about:
Virtual network and ExpressRoute circuit considerations
Routing and subnet requirements
Required network ports to communicate with the services
DHCP and DNS considerations in Azure VMware Solution

Prerequisite
Ensure that all gateways, including the ExpressRoute provider's service, support 4-byte Autonomous System
Number (ASN). Azure VMware Solution uses 4-byte public ASNs for advertising routes.

Virtual network and ExpressRoute circuit considerations


When you create a virtual network connection in your subscription, the ExpressRoute circuit gets established
through peering, uses an authorization key, and a peering ID you request in the Azure portal. The peering is a
private, one-to-one connection between your private cloud and the virtual network.

NOTE
The ExpressRoute circuit is not part of a private cloud deployment. The on-premises ExpressRoute circuit is beyond the
scope of this document. If you require on-premises connectivity to your private cloud, you can use one of your existing
ExpressRoute circuits or purchase one in the Azure portal.

When deploying a private cloud, you receive IP addresses for vCenter and NSX-T Manager. To access those
management interfaces, you'll need to create more resources in your subscription's virtual network. You can find
the procedures for creating those resources and establishing ExpressRoute private peering in the tutorials.
The private cloud logical networking comes with pre-provisioned NSX-T. A Tier-0 gateway and Tier-1 gateway is
pre-provisioned for you. You can create a segment and attach it to the existing Tier-1 gateway or attach it to a
new Tier-1 gateway that you define. NSX-T logical networking components provide East-West connectivity
between workloads and provide North-South connectivity to the internet and Azure services.

Routing and subnet considerations


The Azure VMware Solution private cloud is connected to your Azure virtual network using an Azure
ExpressRoute connection. This high bandwidth, low latency connection allows you to access services running in
your Azure subscription from your private cloud environment. The routing is Border Gateway Protocol (BGP)
based, automatically provisioned, and enabled by default for each private cloud deployment.
Azure VMware Solution private clouds require a minimum of a /22 CIDR network address block for subnets,
shown below. This network complements your on-premises networks. The address block shouldn't overlap with
address blocks used in other virtual networks in your subscription and on-premises networks. Within this
address block, management, provisioning, and vMotion networks get provisioned automatically.

NOTE
Permitted ranges for your address block are the RFC 1918 private address spaces (10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16), except for 172.17.0.0/16.

Example /22 CIDR network address block: 10.10.0.0/22

The subnets:

NETWORK USAGE | SUBNET | EXAMPLE

Private cloud management | /26 | 10.10.0.0/26

HCX Mgmt Migrations | /26 | 10.10.0.64/26

Global Reach Reserved | /26 | 10.10.0.128/26

ExpressRoute Reserved | /27 | 10.10.0.192/27

ExpressRoute peering | /27 | 10.10.0.224/27

ESXi Management | /25 | 10.10.1.0/25

vMotion Network | /25 | 10.10.1.128/25

Replication Network | /25 | 10.10.2.0/25

vSAN | /25 | 10.10.2.128/25

HCX Uplink | /26 | 10.10.3.0/26

Reserved | /26 | 10.10.3.64/26

Reserved | /26 | 10.10.3.128/26

Reserved | /26 | 10.10.3.192/26
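As an added example (not code from the original article), the following Python checks a proposed address block against the rules above (minimum /22, RFC 1918, not 172.17.0.0/16, no overlap with networks already in use) and carves it into the subnet layout of the example table so the ranges can be pre-registered in IPAM and firewall policy. The "in use" ranges passed to it are constructed; the platform performs the real assignment at deployment.

```python
import ipaddress
from typing import Iterable, List, Tuple

# RFC 1918 spaces the checklist permits for the private cloud block, and the
# one /16 it excludes.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED = ipaddress.IPv4Network("172.17.0.0/16")

# Subnet layout of the /22 in the order of the checklist's example table
# (name, prefix length). The three Reserved ranges are numbered here only so
# that the names are unique.
LAYOUT: List[Tuple[str, int]] = [
    ("Private cloud management", 26),
    ("HCX Mgmt Migrations", 26),
    ("Global Reach Reserved", 26),
    ("ExpressRoute Reserved", 27),
    ("ExpressRoute peering", 27),
    ("ESXi Management", 25),
    ("vMotion Network", 25),
    ("Replication Network", 25),
    ("vSAN", 25),
    ("HCX Uplink", 26),
    ("Reserved 1", 26),
    ("Reserved 2", 26),
    ("Reserved 3", 26),
]


def validate_block(cidr: str, in_use: Iterable[str]) -> List[str]:
    """Return the checklist rules a proposed block violates (empty list = acceptable).

    in_use: CIDRs already used by your Azure virtual networks and on-premises
    networks; the block must not overlap any of them.
    """
    problems: List[str] = []
    try:
        block = ipaddress.IPv4Network(cidr)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr!r} is not a valid IPv4 network: {exc}"]
    if block.prefixlen > 22:
        problems.append(f"{block} is smaller than the required minimum of a /22")
    if not any(block.subnet_of(r) for r in RFC1918):
        problems.append(f"{block} is not inside an RFC 1918 private range")
    if block.overlaps(EXCLUDED):
        problems.append(f"{block} overlaps the excluded range {EXCLUDED}")
    for other in in_use:
        other_net = ipaddress.IPv4Network(other, strict=False)
        if block.overlaps(other_net):
            problems.append(f"{block} overlaps an existing network {other_net}")
    return problems


def carve_subnets(cidr: str) -> List[Tuple[str, str]]:
    """Split the first /22 of the block into the subnets of the checklist table."""
    block = ipaddress.IPv4Network(cidr)
    if block.prefixlen > 22:
        raise ValueError(f"{block} is smaller than a /22; nothing to carve")
    base = int(block.network_address)
    offset = 0
    subnets: List[Tuple[str, str]] = []
    for name, prefix in LAYOUT:
        # Every entry starts on a boundary aligned to its own size, so the
        # tuple form (integer address, prefix) always yields a valid network.
        subnets.append((name, str(ipaddress.IPv4Network((base + offset, prefix)))))
        offset += 1 << (32 - prefix)
    assert offset == 1024, "layout must consume exactly one /22"
    return subnets


if __name__ == "__main__":
    # Constructed example: the checklist's 10.10.0.0/22 checked against two
    # ranges assumed to be in use elsewhere in the subscription and on-premises.
    proposed = "10.10.0.0/22"
    print(validate_block(proposed, ["10.1.0.0/16", "192.168.0.0/24"]) or "block OK")
    for name, net in carve_subnets(proposed):
        print(f"{name:26} {net}")
```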

Required network ports


SOURCE | DESTINATION | PROTOCOL | PORT | DESCRIPTION

Private Cloud DNS server | On-premises DNS server | UDP | 53 | DNS Client - Forward requests from PC vCenter
    for any on-premises DNS queries (check DNS section below)

On-premises DNS server | Private Cloud DNS server | UDP | 53 | DNS Client - Forward requests from on-premises
    services to Private Cloud DNS servers (check DNS section below)

On-premises network | Private Cloud vCenter server | TCP(HTTP) | 80 | vCenter Server requires port 80 for direct
    HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection helps if you use
    http://server instead of https://server . WS-Management (also requires port 443 to be open). If you use a
    custom Microsoft SQL database and not the bundled SQL Server 2008 database on the vCenter Server, port 80 is
    used by the SQL Reporting Services. When you install vCenter Server, the installer prompts you to change the
    HTTP port for the vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a
    successful installation. Microsoft Internet Information Services (IIS) also uses port 80. See Conflict
    Between vCenter Server and IIS for Port 80.

Private Cloud management network | On-premises Active Directory | TCP | 389 | This port must be open on the
    local and all remote instances of vCenter Server. This port is the LDAP port number for the Directory
    Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you
    aren't joining this vCenter Server instance to a Linked Mode group. If another service is running on this
    port, it might be preferable to remove it or change its port to a different port. You can run the LDAP
    service on any port from 1025 through 65535. If this instance is serving as the Microsoft Windows Active
    Directory, change the port number from 389 to an available port from 1025 through 65535. This port is
    optional - for configuring on-premises AD as an identity source on the Private Cloud vCenter.

On-premises network | Private Cloud vCenter server | TCP(HTTPS) | 443 | This port allows you to access vCenter
    from an on-premises network. The default port that the vCenter Server system uses to listen for connections
    from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open
    port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK
    clients. This port is also used for the following services: WS-Management (also requires port 80 to be
    open). vSphere Client access to vSphere Update Manager. Third-party network management client connections
    to vCenter Server. Third-party network management clients access to hosts.

Web Browser | Hybrid Cloud Manager | TCP(HTTPS) | 9443 | Hybrid Cloud Manager Virtual Appliance Management
    Interface for Hybrid Cloud Manager system configuration.

Admin Network | Hybrid Cloud Manager | SSH | 22 | Administrator SSH access to Hybrid Cloud Manager.

HCM | Cloud Gateway | TCP(HTTPS) | 8123 | Send host-based replication service instructions to the Hybrid Cloud
    Gateway.

HCM | Cloud Gateway | HTTP TCP(HTTPS) | 9443 | Send management instructions to the local Hybrid Cloud Gateway
    using the REST API.

Cloud Gateway | L2C | TCP(HTTPS) | 443 | Send management instructions from Cloud Gateway to L2C when L2C uses
    the same path as the Hybrid Cloud Gateway.

Cloud Gateway | ESXi Hosts | TCP | 80,902 | Management and OVF deployment.

Cloud Gateway (local) | Cloud Gateway (remote) | UDP | 4500 | Required for IPSEC Internet key exchange (IKEv2)
    to encapsulate workloads for the bidirectional tunnel. Network Address Translation-Traversal (NAT-T) is
    also supported.

Cloud Gateway (local) | Cloud Gateway (remote) | UDP | 500 | Required for IPSEC Internet key exchange (ISAKMP)
    for the bidirectional tunnel.

On-premises vCenter network | Private Cloud management network | TCP | 8000 | vMotion of VMs from on-premises
    vCenter to Private Cloud vCenter
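As an added example (not part of the original article), the following Python audits a perimeter firewall allow-list against the site-to-site flows in the table above and reports the ones no rule permits. The private cloud ranges follow the article's 10.10.0.0/22 example; the on-premises ranges and the sample policy are constructed, and the policy deliberately contains two common gaps (UDP 4500 never added, and an HTTP rule scoped to a single /24).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Flow:
    """A required flow from the checklist, with its endpoints resolved to CIDRs."""
    name: str
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    """An allow rule as written in a firewall policy; proto may be "any"."""
    src: str
    dst: str
    proto: str
    port_lo: int
    port_hi: int


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """True when this single rule permits the whole flow (every host in both ranges)."""
    if rule.proto not in ("any", flow.proto):
        return False
    if not rule.port_lo <= flow.port <= rule.port_hi:
        return False
    # The rule must contain the entire source and destination range of the flow;
    # a rule scoped to one /24 of the on-premises network would otherwise pass
    # the audit while hosts outside that /24 are still blocked.
    src_ok = ipaddress.IPv4Network(flow.src).subnet_of(ipaddress.IPv4Network(rule.src))
    dst_ok = ipaddress.IPv4Network(flow.dst).subnet_of(ipaddress.IPv4Network(rule.dst))
    return src_ok and dst_ok


def missing_flows(required: Sequence[Flow], rules: Sequence[Rule]) -> List[str]:
    """Names of the required flows that no rule in the policy permits."""
    return [f.name for f in required if not any(rule_covers(r, f) for r in rules)]


# Constructed addressing: the private cloud side uses the management /26 and
# HCX uplink /26 of the checklist's 10.10.0.0/22 example; the on-premises
# ranges are invented for this example.
AVS_MGMT = "10.10.0.0/26"
AVS_HCX_UPLINK = "10.10.3.0/26"
ON_PREM = "192.168.0.0/16"
ON_PREM_DNS = "192.168.10.0/24"
ON_PREM_HCX_UPLINK = "192.168.50.0/26"

# The subset of the checklist table that crosses the site boundary; the HCX
# tunnel ports are listed in both directions because the tunnel is bidirectional.
REQUIRED = [
    Flow("vCenter HTTPS (TCP 443)", ON_PREM, AVS_MGMT, "tcp", 443),
    Flow("vCenter HTTP redirect (TCP 80)", ON_PREM, AVS_MGMT, "tcp", 80),
    Flow("DNS forwarding, private cloud to on-premises (UDP 53)", AVS_MGMT, ON_PREM_DNS, "udp", 53),
    Flow("DNS forwarding, on-premises to private cloud (UDP 53)", ON_PREM_DNS, AVS_MGMT, "udp", 53),
    Flow("vMotion, on-premises vCenter to private cloud (TCP 8000)", ON_PREM, AVS_MGMT, "tcp", 8000),
    Flow("HCX IKEv2 (UDP 500)", ON_PREM_HCX_UPLINK, AVS_HCX_UPLINK, "udp", 500),
    Flow("HCX IKEv2 NAT-T (UDP 4500)", ON_PREM_HCX_UPLINK, AVS_HCX_UPLINK, "udp", 4500),
    Flow("HCX IKEv2 (UDP 500), return direction", AVS_HCX_UPLINK, ON_PREM_HCX_UPLINK, "udp", 500),
    Flow("HCX IKEv2 NAT-T (UDP 4500), return direction", AVS_HCX_UPLINK, ON_PREM_HCX_UPLINK, "udp", 4500),
]

# Constructed policy with two gaps: UDP 4500 was never added, and the HTTP rule
# is scoped to a single on-premises /24 rather than the whole on-premises range.
SAMPLE_RULES = [
    Rule(ON_PREM, AVS_MGMT, "tcp", 443, 443),
    Rule(ON_PREM, AVS_MGMT, "tcp", 8000, 8000),
    Rule(AVS_MGMT, ON_PREM_DNS, "udp", 53, 53),
    Rule(ON_PREM_DNS, AVS_MGMT, "udp", 53, 53),
    Rule(ON_PREM_HCX_UPLINK, AVS_HCX_UPLINK, "udp", 500, 500),
    Rule(AVS_HCX_UPLINK, ON_PREM_HCX_UPLINK, "udp", 500, 500),
    Rule("192.168.20.0/24", AVS_MGMT, "tcp", 80, 80),
]


def audit_sample_policy() -> List[str]:
    """Run the audit over the constructed policy and return the missing flows."""
    return missing_flows(REQUIRED, SAMPLE_RULES)


if __name__ == "__main__":
    for name in audit_sample_policy():
        print("MISSING:", name)
```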

DHCP and DNS resolution considerations


Applications and workloads running in a private cloud environment require name resolution and DHCP services
for lookup and IP address assignments. A proper DHCP and DNS infrastructure is required to provide these
services. You can configure a virtual machine to provide these services in your private cloud environment.
Use the DHCP service built-in to NSX or use a local DHCP server in the private cloud instead of routing
broadcast DHCP traffic over the WAN back to on-premises.

Next steps
In this tutorial, you learned about the considerations and requirements for deploying an Azure VMware Solution
private cloud.
Once you have the proper networking in place, continue to the next tutorial to create your Azure VMware
Solution private cloud.
Create an Azure VMware Solution private cloud
Tutorial: Deploy an Azure VMware Solution private
cloud in Azure
2/11/2021 • 4 minutes to read

Azure VMware Solution gives you the ability to deploy a vSphere cluster in Azure. The minimum initial
deployment is three hosts. Additional hosts can be added one at a time, up to a maximum of 16 hosts per
cluster.
Because Azure VMware Solution doesn't allow you to manage your private cloud with your on-premises
vCenter at launch, additional configuration is needed. These procedures and related prerequisites are covered in
this tutorial.
In this tutorial, you'll learn how to:
Create an Azure VMware Solution private cloud
Verify the private cloud deployed

Prerequisites
An Azure account with an active subscription. Create an account for free.
Appropriate administrative rights and permission to create a private cloud.
Ensure you have the appropriate networking configured as described in Tutorial: Network checklist.

Register the resource provider


To use Azure VMware Solution, you must first register the resource provider with your subscription.
Azure CLI

az provider register -n Microsoft.AVS --subscription <your subscription ID>

Azure portal
1. Sign in to the Azure portal.
2. On the Azure portal menu, select All services .
3. In the All services box, enter subscription , and then select Subscriptions .
4. Select the subscription from the subscription list to view.
5. Select Resource providers and enter Microsoft.AVS into the search.
6. If the resource provider is not registered, select Register .

Create a Private Cloud


You can create an Azure VMware Solution private cloud by using the Azure portal or by using the Azure CLI.
Azure portal
1. Sign in to the Azure portal.
2. Select Create a new resource . In the Search the Marketplace text box type Azure VMware Solution ,
and select Azure VMware Solution from the list. On the Azure VMware Solution window, select
Create .
3. On the Basics tab, enter values for the fields. The following table lists the properties for the fields.

FIELD | VALUE

Subscription | The subscription you plan to use for the deployment.

Resource group | The resource group for your private cloud resources.

Location | Select a location, such as east us .

Resource name | The name of your Azure VMware Solution private cloud.

SKU | Select the following SKU value: AV36

Hosts | The number of hosts to add to the private cloud cluster. The default value is 3, which can be raised or
    lowered after deployment.

vCenter admin password | Enter a cloud administrator password.

NSX-T manager password | Enter an NSX-T administrator password.

Address block | Enter an IP address block for the CIDR network for the private cloud, for example, 10.175.0.0/22.

Virtual Network | Select a Virtual Network or create a new one for the Azure VMware Solution private cloud.

4. Once finished, select Review + Create . On the next screen, verify the information entered. If the
information is all correct, select Create .

NOTE
This step takes roughly two hours.

5. Verify that the deployment was successful. Navigate to the resource group you created and select your
private cloud. You'll see the status of Succeeded when the deployment has completed.

Azure CLI
Instead of the Azure portal, you can create an Azure VMware Solution private cloud with the Azure CLI in Azure
Cloud Shell. For a list of commands you can use with Azure VMware Solution, see Azure VMware commands.
Open Azure Cloud Shell
Select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser
tab by going to https://shell.azure.com/bash. Select Copy to copy the blocks of code, paste it into the Cloud
Shell, and press Enter to run it.
Create a resource group
Create a resource group with the az group create command. An Azure resource group is a logical container into
which Azure resources are deployed and managed. The following example creates a resource group named
myResourceGroup in the eastus location:

az group create --name myResourceGroup --location eastus

Create a private cloud


Provide a name for the resource group and the private cloud, a location, and the size of the cluster.
PROPERTY | DESCRIPTION

-g (Resource Group name) | The name of the resource group for your private cloud resources.

-n (Private Cloud name) | The name of your Azure VMware Solution private cloud.

--location | The location used for your private cloud.

--cluster-size | The size of the cluster. The minimum value is 3.

--network-block | The CIDR IP address network block to use for your private cloud. The address block shouldn't
    overlap with address blocks used in other virtual networks that are in your subscription and on-premises
    networks.

--sku | The SKU value: AV36

az vmware private-cloud create -g myResourceGroup -n myPrivateCloudName --location eastus --cluster-size 3 --network-block xx.xx.xx.xx/22 --sku AV36

Azure VMware commands


For a list of commands you can use with Azure VMware Solution, see Azure VMware commands.

Next steps
In this tutorial, you've learned how to:
Create an Azure VMware Solution private cloud
Verify the private cloud deployed
Delete an Azure VMware Solution private cloud
Continue to the next tutorial to learn how to create a jump box. You use the jump box to connect to your
environment so that you can manage your private cloud locally.
Access an Azure VMware Solution private cloud
Tutorial: Access an Azure VMware Solution private
cloud
11/2/2020 • 2 minutes to read

Azure VMware Solution doesn't allow you to manage your private cloud with your on-premises vCenter. You'll
need to do additional setup and connection to a local vCenter instance through a jump box.
In this tutorial, you'll create a jump box in the resource group you created in the previous tutorial and sign into
vCenter. The jump box is a Windows virtual machine (VM) on the same virtual network you created. It provides
access to vCenter and NSX Manager.
In this tutorial, you learn how to:
Create a Windows virtual machine to use to connect to vCenter
Log in to vCenter from your virtual machine

Create a new Windows virtual machine


1. In the resource group, select + Add then search and select Microsoft Windows 10 , and then select
Create .

2. Enter the required information in the fields, and then select Review + create .
For more information on the fields, see the following table.

FIELD | VALUE

Subscription | Value is pre-populated with the Subscription belonging to the Resource Group.

Resource group | Value is pre-populated for the current Resource Group, which you created in the preceding
    tutorial.

Virtual machine name | Enter a unique name for the VM.

Region | Select the geographical location of the VM.

Availability options | Leave the default value selected.

Image | Select the VM image.

Size | Leave the default size value.

Authentication type | Select Password .

Username | Enter the user name for logging on to the VM.

Password | Enter the password for logging on to the VM.

Confirm password | Enter the password for logging on to the VM.

Public inbound ports | Select None . If you select None, you can use JIT access to control access to the VM
    only when you want to access it.

3. Once validation passes, select Create to start the virtual machine creation process.
Connect to the local vCenter of your private cloud
1. From the jump box, sign in to vSphere Client with VMware vCenter SSO using a cloud admin username
and verify that the user interface displays successfully.
2. In the Azure portal, select your private cloud and then in the Overview view, select Identity > Default .
The URLs and user credentials for private cloud vCenter and NSX-T Manager display.
3. Navigate to the VM you created in the preceding step and connect to the virtual machine.
If you need help with connecting to the VM, see connect to a virtual machine for details.
4. In the Windows VM, open a browser and navigate to the vCenter and NSX-T Manager URLs in two tabs.
5. In the vCenter tab, enter the cloudadmin@vmcp.local user credentials from the previous step.
6. In the second tab of the browser, sign in to NSX-T manager.

Next steps
In this tutorial you learned how to:
Create a Windows virtual machine to use to connect to vCenter
Log in to vCenter from your virtual machine
Continue to the next tutorial to learn how to create a virtual network to set up local management for your
private cloud clusters.
Create a Virtual Network
Tutorial: Configure networking for your VMware
private cloud in Azure
11/2/2020 • 4 minutes to read

An Azure VMware Solution private cloud requires an Azure Virtual Network. Because Azure VMware Solution
doesn't support your on-premises vCenter, additional steps for integration with your on-premises environment
are needed. Setting up an ExpressRoute circuit and a virtual network gateway are also required.
In this tutorial, you learn how to:
Create a virtual network
Create a virtual network gateway
Connect your ExpressRoute circuit to the gateway
Locate the URLs for vCenter and NSX Manager

Prerequisites
A virtual network in which you created an Azure VMware Solution private cloud.

Create a virtual network


1. Sign in to the Azure portal.
2. Navigate to the resource group you created in the create a private cloud tutorial and select + Add to
define a new resource.
3. In the Search the Marketplace text box, type Virtual Network . Find the Virtual Network resource and
select it.
4. On the Virtual Network page, select Create to set up your virtual network for your private cloud.
5. On the Create Virtual Network page, enter the details for your virtual network.
6. On the Basics tab, enter a name for the virtual network and select the appropriate region and select
Next : IP Addresses .
7. On the IP Addresses tab, under IPv4 address space , enter the address space you created in the
previous tutorial.

IMPORTANT
You must use an address space that does not overlap with the address space you used when you created your
private cloud in the preceding tutorial.

8. Select + Add subnet , and on the Add subnet page, give the subnet a name and appropriate address
range. When complete, select Add .
9. Select Review + create .
10. Verify the information and select Create . Once the deployment is complete, you'll see your virtual
network in the resource group.

Create a virtual network gateway


Now that you've created a virtual network, you'll create a virtual network gateway.
1. In your resource group, select + Add to add a new resource.
2. In the Search the Marketplace text box type, Virtual network gateway . Find the Virtual Network
resource and select it.
3. On the Virtual Network gateway page, select Create .
4. On the Basics tab of the Create virtual network gateway page, provide values for the fields, and then
select Review + create .

FIELD | VALUE

Subscription | Pre-populated value with the Subscription to which the resource group belongs.

Resource group | Pre-populated value for the current resource group. Value should be the resource group you
    created in a previous tutorial.

Name | Enter a unique name for the virtual network gateway.

Region | Select the geographical location of the virtual network gateway.

Gateway type | Select ExpressRoute .

SKU | Leave the default value: standard .

Virtual network | Select the virtual network you created previously. If you don't see the virtual network, make
    sure the region of the gateway matches the region of your virtual network.

Gateway subnet address range | This value is populated when you select the virtual network. Don't change the
    default value.

Public IP address | Select Create new .


5. Verify that the details are correct, and select Create to start the deployment of your virtual network
gateway.
6. Once the deployment completes, move to the next section to connect your ExpressRoute connection to
the virtual network gateway containing your Azure VMware Solution private cloud.

Connect ExpressRoute to the virtual network gateway


Now that you've deployed a virtual network gateway, you'll add a connection between it and your Azure
VMware Solution private cloud.
1. Navigate to the private cloud you created in the Deploy vSphere Cluster in Azure tutorial. Select
Connectivity under Manage , and then select the ExpressRoute tab.
2. Copy the authorization key. If there isn't an authorization key, create one by selecting + Request
an authorization key .
3. Navigate to the Virtual Network Gateway you created in the previous step and under Settings , select
Connections . On the Connections page, select + Add .
4. On the Add connection page, provide values for the fields, and select OK .

Field                      Value
Name                       Enter a name for the connection.
Connection type            Select ExpressRoute.
Redeem authorization       Ensure this box is selected.
Virtual network gateway    The virtual network gateway you created previously.
Authorization key          Copy and paste the authorization key from the ExpressRoute tab for your resource group.
Peer circuit URI           Copy and paste the ExpressRoute ID from the ExpressRoute tab for your resource group.

The connection between your ExpressRoute circuit and your virtual network is created.

Locate the URLs for vCenter and NSX Manager


To sign in to vCenter and NSX-T Manager, you'll need the URLs of the vCenter web client and the NSX-T Manager
site.
Navigate to your Azure VMware Solution private cloud and, under Manage, select Identity. The URLs and
credentials you need are listed there.

Next steps
In this tutorial you learned how to:
Create a virtual network
Create a virtual network gateway
Connect your ExpressRoute circuit to the gateway
Locate the URLs for vCenter and NSX Manager
Continue to the next tutorial to learn how to create the NSX-T network segments that are used for VMs in
vCenter.
Create an NSX-T network segment
Tutorial: Add a network segment in Azure VMware Solution
2/11/2021 • 2 minutes to read • Edit Online

The virtual machines (VMs) created in vCenter are placed onto the network segments created in NSX-T and are
visible in vCenter.
In this tutorial, you learn how to:
Navigate in NSX-T Manager to add network segments
Add a new network segment
Observe the new network segment in vCenter

Prerequisites
An Azure VMware Solution private cloud with access to the vCenter and NSX-T Manager interfaces. For more
information, see the Configure networking tutorial.

Add a network segment


1. In NSX-T Manager, select Networking > Segments , and then select Add Segment .

2. Select Add Segment and enter a name for the segment.


3. Select the Tier-1 Gateway (TNTxx-T1) as the Connected Gateway and leave the Type as Flexible.
4. Select the pre-configured overlay Transport Zone (TNTxx-OVERLAY-TZ) and then select Set Subnets.
5. Enter the IP address of the gateway and then select Add.

IMPORTANT
The IP address needs to be on a non-overlapping RFC1918 address block, which ensures connection to the VMs
on the new segment.

6. Select Apply and then Save .


7. Select No to decline the option to continue configuring the segment.
8. Confirm the presence of the new network segment. In this example, ls01 is the new network segment.
a. In NSX-T Manager, select Networking > Segments .

b. In vCenter, select Networking > SDDC-Datacenter .

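The IMPORTANT note in step 5 is the check that is easiest to get wrong: a gateway typed into Set Subnets defines the whole segment, and a segment that is not RFC 1918 or that overlaps address space already routed to the private cloud will not be reachable. The script below is an added example, not Microsoft's or VMware's code. It takes the gateway the way NSX-T takes it (address/prefix) and reports whether the resulting segment is inside RFC 1918, whether the gateway address itself is usable, and whether the segment overlaps prefixes already in use. The in-use prefixes (a private cloud /22 block, an Azure VNet, an on-premises range) are constructed for illustration; a real check lists your own.

```python
"""Check a gateway address for a new NSX-T segment before entering it in Set Subnets.

Added example, not Microsoft's or VMware's code. IPv4 only. The gateway is given the way
NSX-T takes it, as address/prefix (for instance 10.30.1.1/24). The address space listed
as already in use is constructed for illustration.
"""
from ipaddress import IPv4Network, ip_interface, ip_network
from typing import Dict

# The three RFC 1918 private address blocks.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed, assumed prefixes already in use; a real deployment lists its own.
IN_USE: Dict[str, IPv4Network] = {
    "private cloud /22 block": ip_network("10.10.0.0/22"),
    "Azure VNet": ip_network("10.20.0.0/16"),
    "on-premises": ip_network("192.168.0.0/16"),
}


def is_rfc1918(net: IPv4Network) -> bool:
    """True when the whole prefix lies inside one of the three RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_segment_gateway(gateway_cidr: str, in_use: Dict[str, IPv4Network] = IN_USE) -> dict:
    """Validate the gateway address/prefix and return a report.

    'ok' is False when the segment is not RFC 1918, when the gateway is the network or
    broadcast address, or when the segment overlaps any in-use prefix; 'problems' says which.
    """
    iface = ip_interface(gateway_cidr)
    segment = iface.network
    problems = []
    if not is_rfc1918(segment):
        problems.append(f"{segment} is not inside an RFC 1918 block")
    if iface.ip in (segment.network_address, segment.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {segment}")
    for label, net in in_use.items():
        if segment.overlaps(net):
            problems.append(f"{segment} overlaps {label} ({net})")
    return {"ok": not problems, "segment": str(segment), "gateway": str(iface.ip),
            "problems": problems}


if __name__ == "__main__":
    # Constructed candidates: one good gateway and three that fail for different reasons.
    for candidate in ("10.30.1.1/24", "10.10.1.1/24", "100.64.1.1/24", "10.30.1.0/24"):
        report = check_segment_gateway(candidate)
        print(candidate, "OK" if report["ok"] else "; ".join(report["problems"]))
```

Run it with the prefixes of your own private cloud, VNets and on-premises networks in IN_USE; the overlap test is the one that catches the case where a segment is valid on its own but breaks routing once ExpressRoute Global Reach is in place.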

Next steps
In this tutorial, you created an NSX-T network segment to use for VMs in vCenter.
You can now:
Create and manage DHCP for Azure VMware Solution
Create a content library to deploy VMs in Azure VMware Solution
Peer on-premises environments to a private cloud
Tutorial: Peer on-premises environments to a private cloud
2/11/2021 • 3 minutes to read • Edit Online

ExpressRoute Global Reach connects your on-premises environment to your Azure VMware Solution private
cloud. The ExpressRoute Global Reach connection is established between the private cloud ExpressRoute circuit
and an existing ExpressRoute connection to your on-premises environments.
The ExpressRoute circuit you use when you configure Azure-to-private cloud networking requires you to create
and use authorization keys. You'll have already used one authorization key from the ExpressRoute circuit, and in
this tutorial, you'll create a second one to peer with your on-premises ExpressRoute circuit.
In this tutorial, you learn how to:
Create a second authorization key for circuit 2, the private cloud ExpressRoute circuit
Use either the Azure portal or the Azure CLI in a Cloud Shell method in the subscription of circuit 1 to enable
on-premises-to-private cloud ExpressRoute Global Reach peering

Before you begin


Before you enable connectivity between two ExpressRoute circuits using ExpressRoute Global Reach, review the
documentation on how to enable connectivity in different Azure subscriptions.

Prerequisites
Established connectivity to and from an Azure VMware Solution private cloud with its ExpressRoute circuit
peered with an ExpressRoute gateway in an Azure virtual network (VNet) – which is circuit 2 from peering
procedures.
A separate, functioning ExpressRoute circuit used to connect on-premises environments to Azure – which is
circuit 1 from the peering procedures' perspective.
A /29 non-overlapping network address block for the ExpressRoute Global Reach peering.
Ensure that all gateways, including the ExpressRoute provider's service, support 4-byte Autonomous System
Number (ASN). Azure VMware Solution uses 4-byte public ASNs for advertising routes.

TIP
In the context of these prerequisites, your on-premises ExpressRoute circuit is circuit 1, and your private cloud
ExpressRoute circuit is in a different subscription and labeled circuit 2.

Create an ExpressRoute authorization key in the private cloud


1. From the private cloud Overview, under Manage, select Connectivity > ExpressRoute > Request an
authorization key.
2. Enter the name for the authorization key and select Create .

Once created, the new key appears in the list of authorization keys for the private cloud.

3. Make a note of the authorization key and the ExpressRoute ID, along with the /29 address block. You'll use
them in the next step to complete the peering.

Peer private cloud to on-premises using authorization key


Now that you've created an authorization key for the private cloud ExpressRoute circuit, you can peer it with
your on-premises ExpressRoute circuit. The peering is done from the perspective of the on-premises
ExpressRoute circuit in either the Azure portal or using the Azure CLI in a Cloud Shell. With both methods, you
use the resource ID and authorization key of your private cloud ExpressRoute circuit to finish the peering.
Azure portal method
1. Sign in to the Azure portal using the same subscription as the on-premises ExpressRoute circuit.
2. From the private cloud Overview, under Manage, select Connectivity > ExpressRoute Global Reach
> Add.

3. Create the on-premises cloud connection in one of two ways:
Select the ExpressRoute circuit from the list.
If you have a circuit ID, copy and paste it.
4. Select Connect. The new connection shows in the On-premises cloud connections list.

TIP
You can delete or disconnect a connection from the list by selecting More .
Azure CLI in a Cloud Shell method
We've augmented the CLI commands with specific details and examples to help you configure the ExpressRoute
Global Reach peering between on-premises environments to an Azure VMware Solution private cloud.

TIP
For brevity in the Azure CLI command output, these instructions may use a --query argument to execute a JMESPath
query that shows only the required results.

1. Sign in to the Azure portal using the same subscription as the on-premises ExpressRoute circuit and open
a Cloud Shell. Leave the shell as Bash.

2. Enter the Azure CLI command to create the peering. Use your specific information and resource ID,
authorization key, and /29 CIDR network block.
The image shows an example of the command that you'll use and the output indicating a successful
peering. The example command is based on the command used in step 3 of “Enable connectivity between
ExpressRoute circuits in different Azure subscriptions".
You can connect from on-premises environments to your private cloud over the ExpressRoute Global
Reach peering.
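The CLI step above takes three inputs that are easy to mix up: the /29 address block, the private cloud circuit's resource ID (the Peer circuit URI) and the authorization key. The following script is an added example, not Microsoft's code and not the command shown in the article's image. It validates those inputs offline and then assembles the argument list for the Azure CLI command that creates the Global Reach connection; the command and flag names (az network express-route peering connection create with --circuit-name, --peering-name, --peer-circuit, --address-prefix and --authorization-key) are taken from the Azure CLI reference, and every value in the script is a constructed placeholder. The command is only built, never run, and the authorization key is treated as a credential and redacted when the command is printed.

```python
"""Pre-flight checks for the ExpressRoute Global Reach peering inputs.

Added example, not Microsoft's code. Validates the /29 block, the peer circuit resource ID
and the authorization key before anything is sent to Azure, then assembles (but does not
run) the 'az network express-route peering connection create' argv. All values below are
constructed placeholders.
"""
import re
from ipaddress import ip_network
from typing import List, Optional

# Shape of an ExpressRoute circuit resource ID as shown in the portal ("Peer circuit URI").
CIRCUIT_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Network/expressRouteCircuits/(?P<circuit>[^/]+)$"
)


def parse_circuit_id(resource_id: str) -> Optional[dict]:
    """Return the parts of a circuit resource ID, or None if it is not one.

    Catches the common mistake of pasting a VNet or gateway ID into the peer circuit field.
    """
    match = CIRCUIT_ID_RE.match(resource_id.strip())
    return match.groupdict() if match else None


def check_global_reach_block(cidr: str, in_use: List[str]) -> List[str]:
    """List the problems with the proposed Global Reach block (empty means usable).

    The tutorial requires a /29 that does not overlap address space already routed
    between the sites (private cloud, Azure VNets, on-premises).
    """
    try:
        net = ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    problems = []
    if net.prefixlen != 29:
        problems.append(f"{net} is a /{net.prefixlen}; Global Reach peering needs a /29")
    for other in in_use:
        if net.overlaps(ip_network(other)):
            problems.append(f"{net} overlaps in-use range {other}")
    return problems


def redact_key(auth_key: str) -> str:
    """Show only the last four characters; the authorization key is a credential."""
    return "*" * max(len(auth_key) - 4, 0) + auth_key[-4:]


def build_peering_command(resource_group: str, circuit1_name: str, connection_name: str,
                          peer_circuit_id: str, address_prefix: str, auth_key: str,
                          in_use: List[str]) -> List[str]:
    """Validate the inputs and return the argv for the Azure CLI call (not executed here).

    Raises ValueError listing every problem found so a bad value never reaches the API.
    """
    problems = check_global_reach_block(address_prefix, in_use)
    if parse_circuit_id(peer_circuit_id) is None:
        problems.append("peer circuit is not an ExpressRoute circuit resource ID")
    if not auth_key.strip():
        problems.append("authorization key is empty")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "az", "network", "express-route", "peering", "connection", "create",
        "--resource-group", resource_group,
        "--circuit-name", circuit1_name,        # circuit 1: the on-premises circuit
        "--peering-name", "AzurePrivatePeering",
        "--name", connection_name,
        "--peer-circuit", peer_circuit_id,      # circuit 2: the private cloud circuit
        "--address-prefix", address_prefix,
        "--authorization-key", auth_key,
    ]


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    peer_id = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
               "avs-rg/providers/Microsoft.Network/expressRouteCircuits/avs-circuit")
    argv = build_peering_command("onprem-rg", "onprem-circuit", "avs-to-onprem", peer_id,
                                 "10.250.0.0/29", "00000000-0000-0000-0000-000000000000",
                                 in_use=["10.10.0.0/22", "192.168.0.0/16"])
    print(" ".join(argv[:-1] + [redact_key(argv[-1])]))
```

Run the checks in the Cloud Shell before the real command; a /28 or a block that collides with the private cloud's own range fails here instead of producing a peering that never comes up.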

TIP
You can delete the peering you just created by following the Disable connectivity between your on-premises networks
instructions.

Next steps
In this tutorial, you learned how to create a second authorization key for the private cloud ExpressRoute circuit.
You also learned how to enable the on-premises-to-private cloud ExpressRoute Global Reach peering.
Continue to the next tutorial to learn how to deploy and configure VMware HCX solution for your Azure
VMware Solution private cloud.
Deploy and configure VMware HCX
Deploy and configure VMware HCX
2/11/2021 • 12 minutes to read • Edit Online

This article shows you how to deploy and configure the on-premises VMware HCX Connector for your Azure
VMware Solution private cloud. With VMware HCX, you can migrate your VMware workloads to Azure VMware
Solution and other connected sites through various migration types. Because Azure VMware Solution deploys
and configures the HCX Cloud Manager, you must download, activate, and configure the HCX Connector in your
on-premises VMware datacenter.
VMware HCX Advanced Connector is pre-deployed in Azure VMware Solution. It supports up to three site
connections (on-premises to cloud, or cloud to cloud). If you need more than three site connections, submit a
support request to enable the VMware HCX Enterprise add-on. The add-on is currently in preview.

TIP
Although the VMware Configuration Maximum tool describes site pairs maximum to be 25 between the on-premises
Connector and Cloud Manager, the licensing limits this to three for Advanced and 10 for Enterprise Edition.

NOTE
VMware HCX Enterprise is available with Azure VMware Solution as a preview service. It's free and is subject to terms and
conditions for a preview service. After the VMware HCX Enterprise service is generally available, you'll get a 30-day notice
that billing will switch over. You'll also have the option to turn off or opt-out of the service. There is no simple downgrade
path from VMware HCX Enterprise to VMware HCX Advanced. If you decide to downgrade, you'll have to redeploy,
incurring downtime.

First, review Before you begin, Software version requirements, and the Prerequisites.
Then, we'll walk through all the necessary procedures to:
Download the VMware HCX Connector OVA.
Deploy the on-premises VMware HCX OVA (VMware HCX Connector).
Activate the VMware HCX Connector.
Pair your on-premises VMware HCX Connector with your Azure VMware Solution HCX Cloud Manager.
Configure the interconnect (network profile, compute profile, and service mesh).
Complete setup by checking the appliance status and validating that migration is possible.
After you're finished, follow the recommended next steps at the end of this article.

Before you begin


As you prepare your deployment, we recommend that you review the following VMware documentation:
VMware HCX user guide
Migrating Virtual Machines with VMware HCX
VMware HCX Deployment Considerations
VMware blog series - cloud migration
Network ports required for VMware HCX

Prerequisites
If you plan to use VMware HCX Enterprise, make sure you've requested activation through the Azure VMware
Solution support channels.
On-premises vSphere environment
Make sure that your on-premises vSphere environment (source environment) meets the minimum
requirements.
Network and ports
Azure ExpressRoute Global Reach is configured between on-premises and Azure VMware Solution SDDC
ExpressRoute circuits.
All required ports are open for communication between on-premises components and Azure VMware
Solution SDDC.
IP addresses
Four networks are needed for VMware HCX:
Management network : Typically, it's the same management network used on the vSphere cluster. At a
minimum, identify two IPs on this network segment for VMware HCX. You might need larger numbers,
depending on your deployment.

NOTE
The method we recommend is creating a /26 network. On a /26 network, you can use up to 10 service meshes
and 60 network extenders (-1 per service mesh). You can stretch eight networks per network extender by using
Azure VMware Solution private clouds.

vMotion network : Typically, it's the same network used for vMotion on the vSphere cluster. At a
minimum, identify two IPs on this network segment for VMware HCX. You might need larger numbers,
depending on your deployment.
The vMotion network must be exposed on a distributed virtual switch or vSwitch0. If it's not, modify the
environment.

NOTE
This network can be private (not routed).

Uplink network : You want to create a new network for VMware HCX Uplink and extend it to your
vSphere cluster via a port group. At a minimum, identify two IPs on this network segment for VMware
HCX. You might need larger numbers, depending on your deployment.

NOTE
The method we recommend is creating a /26 network. On a /26 network, you can use up to 10 service meshes
and 60 network extenders (-1 per service mesh). You can stretch eight networks per network extender by using
Azure VMware Solution private clouds.

Replication network : This is optional. You want to create a new network for VMware HCX Replication
and extend that network to your vSphere cluster via a port group. At a minimum, identify two IPs on this
network segment for VMware HCX. You might need larger numbers, depending on your deployment.
NOTE
This configuration is only possible when the on-premises cluster hosts use a dedicated Replication VMkernel
network. If your on-premises cluster does not have a dedicated Replication VMkernel network defined, there is no
need to create this network.

Download the VMware HCX Connector OVA


Before you deploy the virtual appliance to your on-premises vCenter, you must download the VMware HCX
Connector OVA.
1. In the Azure portal, select the Azure VMware Solution private cloud.
2. Select Manage > Connectivity and select the HCX tab to identify the Azure VMware Solution HCX
Manager's IP address.

3. Select Manage > Identity and select vCenter admin password to identify the password.

TIP
The vCenter password was defined when you set up the private cloud. It's the same password you'll use to sign in
to Azure VMware Solution HCX Manager.
4. Open a browser window and sign in to the Azure VMware Solution HCX Manager at https://x.x.x.9 on port
443 with the cloudadmin@vsphere.local user credentials.
5. Select Administration > System Updates and then select Request Download Link .
6. Select the option of your choice to download the VMware HCX Connector OVA file.

Deploy the VMware HCX Connector OVA on-premises


1. In your on-premises vCenter, select an OVF template to deploy the VMware HCX Connector to your on-
premises vCenter.

TIP
You'll select the OVA file that you downloaded in the previous section.

2. Select a name and location, and select a resource or cluster where you're deploying the VMware HCX
Connector. Then review the details and required resources and select Next .
3. Review license terms. If you agree, select the required storage and network, and then select Next .
4. Select storage and select Next .
5. Select the VMware HCX management network segment you previously defined in the IP addresses
prerequisites section. Then, select Next .
6. In Customize template , enter all required information and then select Next .

7. Verify the configuration, and then select Finish to deploy the VMware HCX Connector OVA.

IMPORTANT
You will need to turn on the virtual appliance manually. After powering on, wait 10-15 minutes before proceeding
to the next step.

For an end-to-end overview of this procedure, view the Azure VMware Solution: HCX Appliance Deployment
video.

Activate VMware HCX


After you deploy the VMware HCX Connector OVA on-premises and start the appliance, you're ready to activate.
First, you need to get a license key from the Azure VMware Solution portal.
1. In the Azure VMware Solution portal, go to Manage > Connectivity , select the HCX tab, and then select
Add .
2. Use the admin credentials to sign in to the on-premises VMware HCX Manager at
https://HCXManagerIP:9443 .
TIP
You defined the admin user password during the VMware HCX Manager OVA file deployment.

IMPORTANT
Make sure to include the 9443 port number with the VMware HCX Manager IP address.

3. In Licensing , enter your key for HCX Advanced Key and select Activate .

NOTE
VMware HCX Manager must have open internet access or a proxy configured.

4. In Datacenter Location , provide the nearest location for installing the VMware HCX Manager on-
premises. Then select Continue .
5. In System Name , modify the name or accept the default and select Continue .
6. Select Yes, Continue .
7. In Connect your vCenter , provide the FQDN or IP address of your vCenter server and the appropriate
credentials, and then select Continue .

TIP
The vCenter server is where you deployed the VMware HCX Connector in your datacenter.

8. In Configure SSO/PSC , provide the FQDN or IP address of your Platform Services Controller, and then
select Continue .

NOTE
Typically, it's the same as your vCenter FQDN or IP address.

9. Verify that the information entered is correct, and select Restart.

NOTE
You'll experience a delay after restarting before being prompted for the next step.

After the services restart, you'll see vCenter showing as green on the screen that appears. Both vCenter and SSO
must have the appropriate configuration parameters, which should be the same as the previous screen.
For an end-to-end overview of this procedure, view the Azure VMware Solution: Activate HCX video.

IMPORTANT
Whether you're using VMware HCX Advanced or VMware HCX Enterprise, you may need to install the patch from
VMware's KB article 81558.

Configure the VMware HCX Connector


Now you're ready to add a site pairing, create a network and compute profile, and enable services such as
migration, network extension, or disaster recovery.
Add a site pairing
You can connect or pair the VMware HCX Cloud Manager in Azure VMware Solution with the VMware HCX
Connector in your datacenter.
1. Sign in to your on-premises vCenter, and under Home , select HCX .
2. Under Infrastructure , select Site Pairing , and then select the Connect To Remote Site option (in the
middle of the screen).
3. Enter the Azure VMware Solution HCX Cloud Manager URL or IP address that you noted earlier
https://x.x.x.9 , the Azure VMware Solution cloudadmin@vsphere.local username, and the password.
Then select Connect .

NOTE
To successfully establish a site pair:
Your VMware HCX Connector must be able to route to your HCX Cloud Manager IP over port 443.
Use the same password that you used to sign in to vCenter. You defined this password on the initial
deployment screen.

You'll see a screen showing that your VMware HCX Cloud Manager in Azure VMware Solution and your
on-premises VMware HCX Connector are connected (paired).
For an end-to-end overview of this procedure, view the Azure VMware Solution: HCX Site Pairing video.
Create network profiles
VMware HCX Connector deploys a subset of virtual appliances (automated) that require multiple IP segments.
When you create your network profiles, you use the IP segments you identified during the VMware HCX
Network Segments pre-deployment preparation and planning stage.
You'll create four network profiles:
Management
vMotion
Replication
Uplink
1. Under Infrastructure, select Interconnect > Multi-Site Service Mesh > Network Profiles >
Create Network Profile.

2. For each network profile, select the network and port group, provide a name, and create the segment's IP
pool. Then select Create .
For an end-to-end overview of this procedure, view the Azure VMware Solution: HCX Network Profile video.
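The IP pool entered for each network profile in step 2 has to come out of the segments identified in the IP addresses prerequisites earlier in this article: inside the segment, clear of the gateway, network and broadcast addresses, at least two addresses per network, and with no two segments overlapping. The script below is an added example, not Microsoft's or VMware's code, covering both that prerequisites list and this step. Each profile is described the way the network-profile screen takes it, the segment gateway as address/prefix plus a pool written as first-last. The plan is constructed (each segment a /26, as the article recommends), and the replication profile is set to None to show the optional case being skipped.

```python
"""Validate the IP pools planned for the four VMware HCX network profiles.

Added example, not Microsoft's or VMware's code. The plan below is constructed; a
replication entry of None is skipped, since that network is optional.
"""
from ipaddress import ip_address, ip_interface
from itertools import combinations
from typing import Dict, List, Optional

MIN_IPS = 2  # the article asks for at least two addresses per network

# Constructed plan: each segment is a /26 as the article recommends.
PLAN: Dict[str, Optional[dict]] = {
    "management":  {"gateway": "10.10.4.1/26", "pool": "10.10.4.10-10.10.4.20"},
    "vmotion":     {"gateway": "10.10.5.1/26", "pool": "10.10.5.10-10.10.5.11"},
    "uplink":      {"gateway": "10.10.6.1/26", "pool": "10.10.6.10-10.10.6.20"},
    "replication": None,  # optional: omit when there is no dedicated replication VMkernel network
}


def pool_addresses(pool: str) -> List:
    """Expand "first-last" into the individual addresses, inclusive."""
    first, last = (ip_address(p.strip()) for p in pool.split("-", 1))
    if last < first:
        raise ValueError(f"pool {pool}: last address precedes first")
    return [ip_address(int(first) + i) for i in range(int(last) - int(first) + 1)]


def check_profile(gateway_cidr: str, pool: str) -> List[str]:
    """Problems with one profile's pool: too small, outside the segment, or using
    the gateway, network or broadcast address."""
    iface = ip_interface(gateway_cidr)
    segment = iface.network
    reserved = {segment.network_address, segment.broadcast_address, iface.ip}
    addrs = pool_addresses(pool)
    problems = []
    if len(addrs) < MIN_IPS:
        problems.append(f"pool has {len(addrs)} address(es); at least {MIN_IPS} are needed")
    for addr in addrs:
        if addr not in segment:
            problems.append(f"{addr} is outside segment {segment}")
        elif addr in reserved:
            problems.append(f"{addr} is the gateway, network or broadcast address of {segment}")
    return problems


def check_plan(plan: Dict[str, Optional[dict]]) -> Dict[str, List[str]]:
    """Check every defined profile and ensure the segments do not overlap each other."""
    defined = {name: p for name, p in plan.items() if p is not None}
    report = {name: check_profile(p["gateway"], p["pool"]) for name, p in defined.items()}
    for (n1, p1), (n2, p2) in combinations(defined.items(), 2):
        s1 = ip_interface(p1["gateway"]).network
        s2 = ip_interface(p2["gateway"]).network
        if s1.overlaps(s2):
            report[n1].append(f"segment {s1} overlaps the {n2} segment {s2}")
    return report


if __name__ == "__main__":
    for name, problems in check_plan(PLAN).items():
        print(f"{name:12s}", "OK" if not problems else "; ".join(problems))
```

A pool that runs past the end of a /26 (for example 10.10.4.60-10.10.4.70 in 10.10.4.0/26) is reported address by address, which is the kind of off-by-one that otherwise only surfaces when an interconnect appliance fails to come up.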
Create a compute profile
1. Under Infrastructure , select Interconnect > Compute Profiles > Create Compute Profile .

2. Enter a name for the profile and select Continue .


3. Select the services to enable, such as migration, network extension, or disaster recovery, and then select
Continue .

NOTE
Generally, nothing changes here.

4. In Select Service Resources, select one or more service resources (clusters) to enable the selected
VMware HCX services.
5. When you see the clusters in your on-premises datacenter, select Continue .

6. From Select Datastore , select the datastore storage resource for deploying the VMware HCX
Interconnect appliances. Then select Continue .
When multiple resources are selected, VMware HCX uses the first resource selected until its capacity is
exhausted.
7. From Select Management Network Profile , select the management network profile that you created
in previous steps. Then select Continue .

8. From Select Uplink Network Profile , select the uplink network profile you created in the previous
procedure. Then select Continue .

9. From Select vMotion Network Profile , select the vMotion network profile that you created in prior
steps. Then select Continue .
10. From Select vSphere Replication Network Profile , select the replication network profile that you
created in prior steps. Then select Continue .

11. From Select Distributed Switches for Network Extensions , select the switches that contain the
virtual machines to be migrated to Azure VMware Solution on a layer-2 extended network. Then select
Continue .

NOTE
If you are not migrating virtual machines on layer-2 extended networks, you can skip this step.
12. Review the connection rules and select Continue .

13. Select Finish to create the compute profile.

For an end-to-end overview of this procedure, view the Azure VMware Solution: Compute Profile video.
Create a service mesh
Now it's time to configure a service mesh between on-premises and Azure VMware Solution SDDC.

NOTE
To successfully establish a service mesh with Azure VMware Solution:
Ports UDP 500/4500 are open between your on-premises VMware HCX Connector 'uplink' network profile
addresses and the Azure VMware Solution HCX Cloud 'uplink' network profile addresses.
Be sure to review the VMware HCX required ports.

1. Under Infrastructure, select Interconnect > Service Mesh > Create Service Mesh.
2. Review the sites that are pre-populated, and then select Continue .

NOTE
If this is your first service mesh configuration, you won't need to modify this screen.

3. Select the source and remote compute profiles from the drop-down lists, and then select Continue .
The selections define the resources where VMs can consume VMware HCX services.
4. Review services that will be enabled, and then select Continue .
5. In Advanced Configuration - Override Uplink Network profiles , select Continue .
Uplink network profiles connect to the network through which the remote site's interconnect appliances
can be reached.
6. In Advanced Configuration - Network Extension Appliance Scale Out , review and select
Continue .
You can have up to eight VLANs per appliance, but you can deploy another appliance to add another
eight VLANs. You must also have IP space to account for the additional appliances, and it's one IP per
appliance. For more information, see VMware HCX Configuration Limits.

7. In Advanced Configuration - Traffic Engineering , review and make any modifications that you feel
are necessary, and then select Continue .
8. Review the topology preview and select Continue .
9. Enter a user-friendly name for this service mesh and select Finish to complete.
10. Select View Tasks to monitor the deployment.

When the service mesh deployment finishes successfully, you'll see the services as green.
11. Verify the service mesh's health by checking the appliance status.
12. Select Interconnect > Appliances .

For an end-to-end overview of this procedure, view the Azure VMware Solution: Service Mesh video.
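The two connectivity requirements stated in this article are narrow enough to check mechanically before the service mesh is built: UDP 500 and 4500 between the on-premises uplink network profile addresses and the Azure VMware Solution uplink addresses (the note at the top of this section), and TCP 443 from the VMware HCX Connector to the HCX Cloud Manager (the site pairing note). The script below is an added example, not Microsoft's or VMware's code. It evaluates those flows against a firewall policy expressed as an ordered, first-match rule list with an implicit deny; the policy and all addresses are constructed. Checking the uplink flows in both directions is an assumption made here, not something the article states, and the full list of HCX ports is in the VMware documentation the article links.

```python
"""Check that the flows VMware HCX needs are allowed before creating the service mesh.

Added example, not Microsoft's or VMware's code. The rule list, the uplink pools and the
Connector and Cloud Manager addresses are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Flow = Tuple[str, str, str, str, int]  # (label, proto, src, dst, port)

# Constructed policy: ordered rules, first match wins, explicit deny-all at the end.
RULES = [
    {"action": "allow", "proto": "udp", "src": "10.10.6.0/26", "dst": "10.20.6.0/26", "ports": {500, 4500}},
    {"action": "allow", "proto": "udp", "src": "10.20.6.0/26", "dst": "10.10.6.0/26", "ports": {500, 4500}},
    {"action": "allow", "proto": "tcp", "src": "10.10.4.0/26", "dst": "10.20.0.9/32", "ports": {443}},
    {"action": "deny",  "proto": "any", "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "ports": None},
]


def flow_allowed(rules: List[dict], proto: str, src: str, dst: str, port: int) -> bool:
    """First-match evaluation; anything no rule matches is denied."""
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if ip_address(src) not in ip_network(rule["src"]):
            continue
        if ip_address(dst) not in ip_network(rule["dst"]):
            continue
        if rule["ports"] is not None and port not in rule["ports"]:
            continue
        return rule["action"] == "allow"
    return False


def required_flows(onprem_uplink_ip: str, avs_uplink_ip: str,
                   connector_ip: str, cloud_manager_ip: str) -> List[Flow]:
    """The flows this article names, using one sample address from each uplink pool.

    The return direction for the uplink flows is assumed here, not stated by the article.
    """
    flows: List[Flow] = []
    for port in (500, 4500):
        flows.append(("service mesh uplink", "udp", onprem_uplink_ip, avs_uplink_ip, port))
        flows.append(("service mesh uplink (return)", "udp", avs_uplink_ip, onprem_uplink_ip, port))
    flows.append(("site pairing", "tcp", connector_ip, cloud_manager_ip, 443))
    return flows


def missing_flows(rules: List[dict], flows: List[Flow]) -> List[Flow]:
    """Return the required flows the policy does not allow (empty means ready)."""
    return [f for f in flows if not flow_allowed(rules, f[1], f[2], f[3], f[4])]


if __name__ == "__main__":
    # Constructed addresses: an on-premises uplink pool member, an AVS uplink pool member,
    # the Connector's management address and the Cloud Manager (the ".9" address above).
    needed = required_flows("10.10.6.10", "10.20.6.10", "10.10.4.10", "10.20.0.9")
    for label, proto, src, dst, port in missing_flows(RULES, needed):
        print(f"BLOCKED: {label}: {proto}/{port} {src} -> {dst}")
    print("all required flows allowed" if not missing_flows(RULES, needed) else "fix the policy first")
```

Feed it the rule set that actually sits between the sites (exported from the on-premises firewall and the NSX-T distributed firewall) rather than the sample; the value is in catching a missing return rule or a 443 rule scoped to the wrong management subnet before the mesh deployment hangs on it.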
(Optional) Create a network extension
If you want to extend any networks from your on-premises environment to Azure VMware Solution, follow
these steps:
1. Under Services, select Network Extension > Create a Network Extension.

2. Select each of the networks you want to extend to Azure VMware Solution, and then select Next .
3. Enter the on-premises gateway IP for each of the networks you're extending, and then select Submit .

It takes a few minutes for the network extension to finish. When it does, you see the status change to
Extension complete .

For an end-to-end overview of this procedure, view the Azure VMware Solution: Network Extension video.

Next steps
If the appliance interconnect tunnel status is UP and green, you can migrate and protect Azure VMware Solution
VMs by using VMware HCX. Azure VMware Solution supports workload migrations (with or without a network
extension). You can still migrate workloads in your vSphere environment, along with on-premises creation of
networks and deployment of VMs onto those networks.
For more information on using HCX, go to the VMware technical documentation:
VMware HCX Documentation
Migrating Virtual Machines with VMware HCX
HCX required ports
Tutorial: Scale an Azure VMware Solution private cloud
11/2/2020 • 2 minutes to read • Edit Online

To get the most out of your Azure VMware Solution private cloud, scale the clusters and hosts to match what
your planned workloads need. You can scale the clusters and hosts in a private cloud as required for your
application workload. Performance and availability limitations for specific services should be addressed on a
case-by-case basis. The cluster and host limits are provided in the private cloud concept article.
In this tutorial, you'll use the Azure portal to:
Add a cluster to an existing private cloud
Add hosts to an existing cluster

Prerequisites
A private cloud to complete this tutorial. If you haven't created a private cloud, use the create a private cloud
tutorial to create one. Configure networking for your VMware private cloud in Azure to set up the required
virtual network.

Add a new cluster


1. On the overview page of an existing private cloud, under Manage , select Scale private cloud . Next,
select + Add a cluster .

2. In the Add cluster page, use the slider to select the number of hosts. Select Save .
The deployment of the new cluster will begin.

Scale a cluster
1. On the overview page of an existing private cloud, select Scale private cloud and select the pencil icon
to edit the cluster.

2. In the Edit Cluster page, use the slider to select the number of hosts. Select Save .

The addition of hosts to the cluster will begin.


Next steps
If you require another Azure VMware Solution private cloud, create another private cloud, following the same
networking prerequisites, cluster, and host limits.
Tutorial: Delete an Azure VMware Solution private cloud
2/11/2021 • 2 minutes to read • Edit Online

If you have an Azure VMware Solution private cloud that you no longer need, you can delete it. The private cloud
includes an isolated network domain, one or more provisioned vSphere clusters on dedicated server hosts, and
several virtual machines (VMs). When you delete a private cloud, all of the VMs, their data, and clusters are
deleted. The dedicated hosts are securely wiped and returned to the free pool. The network domain provisioned
for the customer is also deleted.
Caution

Deleting the private cloud is an irreversible operation. Once the private cloud is deleted, the data cannot be
recovered: deletion terminates all running workloads and components and destroys all private cloud data and
configuration settings, including public IP addresses.

Prerequisites
If you require the VMs and their data later, make sure to back up the data before you delete the private cloud.
There's no way to recover the VMs and their data.

Delete the private cloud


1. Access the Azure VMware Solutions console in the Azure portal.
2. Select the private cloud to be deleted.
3. Enter the name of the private cloud and select Yes .

NOTE
The deletion process takes a few hours to complete.
Azure VMware Solution private cloud and cluster concepts
2/11/2021 • 3 minutes to read • Edit Online

The Azure VMware Solution delivers VMware-based private clouds in Azure. Private clouds contain clusters built
with dedicated, bare-metal Azure hosts. They're deployed and managed through the Azure portal, CLI, or
PowerShell. Clusters provisioned in private clouds include VMware vSphere, vCenter, vSAN, and NSX software.
Azure VMware Solution private cloud hardware and software deployments are fully integrated and automated
in Azure.
There's a logical relationship between Azure subscriptions, Azure VMware Solution private clouds, vSAN
clusters, and hosts. The diagram shows a single Azure subscription with two private clouds that represent the
development and production environment. In each of those private clouds are two clusters.
This article describes all of these concepts.

NOTE
Because of the lower potential needs of a development environment, use smaller clusters with lower capacity hosts.

Private clouds
Private clouds contain vSAN clusters built with dedicated, bare-metal Azure hosts. Each private cloud can have
multiple clusters managed by the same vCenter server and NSX-T manager. You can deploy and manage private
clouds in the portal, CLI, or PowerShell.
As with other resources, private clouds are installed and managed from within an Azure subscription. The
number of private clouds within a subscription is scalable. Initially, there's a limit of one private cloud per
subscription.

Clusters
For each private cloud created, there's one vSAN cluster by default. You can add, delete, and scale clusters using
the Azure portal or through the API. All clusters have a default size of three hosts and can scale up to 16 hosts.
The hosts used in a cluster must be the same host type.
Trial clusters are available for evaluation and limited to three hosts. There's a single trial cluster per private cloud.
You can scale a trial cluster by a single host during the evaluation period.
You use vSphere and NSX-T Manager to manage most other aspects of cluster configuration or operation. All
local storage of each host in a cluster is under the control of vSAN.

Hosts
Azure VMware Solution private cloud clusters use hyper-converged, bare-metal infrastructure hosts. The
following table shows the RAM, CPU, and disk capacities of the host.

Host type       CPU                          RAM (GB)   vSAN NVMe cache tier (TB, raw)   vSAN SSD capacity tier (TB, raw)
High-End (HE)   dual Intel 18 core 2.3 GHz   576        3.2                              15.20

Hosts used to build or scale clusters come from an isolated pool of hosts. Those hosts have passed hardware
tests and have had all data securely deleted.

VMware software versions


The current software versions of the VMware software used in Azure VMware Solution private cloud clusters
are:

Software                 Version
VCSA / vSphere / ESXi    6.7 U3
ESXi                     6.7 U3
vSAN                     6.7 U3
NSX-T                    2.5

NOTE
NSX-T is the only supported version of NSX.

For any new cluster in a private cloud, the software version matches what's currently running. For any new
private cloud in a subscription, the software stack's latest version gets installed. For more information, see the
VMware software version requirements.
The private cloud software bundle upgrades keep the software within one version of the most recent software
bundle release from VMware. The private cloud software versions may differ from the most recent versions of
the individual software components (ESXi, NSX-T, vCenter, vSAN). You can find the general upgrade policies and
processes for the Azure VMware Solution platform software described in Private cloud updates and upgrades.

Host maintenance and lifecycle management


Host maintenance and lifecycle management have no impact on the private cloud clusters' capacity or
performance. Examples of automated host maintenance include firmware upgrades and hardware repair or
replacement.
Microsoft is responsible for the lifecycle management of NSX-T appliances, such as NSX-T Manager and NSX-T
Edge. Microsoft is also responsible for bootstrapping the network configuration, such as creating the Tier-0
gateway and enabling North-South routing. You're responsible for the NSX-T SDN configuration: for example,
network segments, distributed firewall rules, Tier-1 gateways, and load balancers.

IMPORTANT
Do not modify the configuration of NSX-T Edge or Tier-0 Gateway, as this may result in a loss of service.

Backup and restoration


Private cloud vCenter and NSX-T configurations are on an hourly backup schedule. Backups are kept for three
days. If you need to restore from a backup, open a support request in the Azure portal to request restoration.

Next steps
Now that you've covered Azure VMware Solution private cloud concepts, you may want to learn about:
Azure VMware Solution networking and interconnectivity concepts.
Azure VMware Solution storage concepts.
How to enable Azure VMware Solution resource.
Azure VMware Solution networking and
interconnectivity concepts
2/11/2021 • 3 minutes to read

Azure VMware Solution offers a private cloud environment accessible from on-premises and Azure-based
environments or resources. Services such as Azure ExpressRoute and VPN connections deliver the connectivity.
These services require specific network address ranges and firewall ports for enabling the services.
When deploying a private cloud, private networks for management, provisioning, and vMotion get created. Use
these private networks to access vCenter and NSX-T Manager and virtual machine vMotion or deployment.
ExpressRoute Global Reach is used to connect private clouds to on-premises environments. The connection
requires a virtual network with an ExpressRoute circuit in your subscription.
Resources, such as web servers and virtual machines, are accessible to the internet through the Azure Virtual
WAN public IP functionality. By default, internet access is disabled for new private clouds. For more information,
see How to use the public IP functionality in Azure VMware Solution.
A useful perspective on interconnectivity is to consider the two types of Azure VMware Solution private cloud
implementations:
1. Basic Azure-only interconnectivity lets you manage and use your private cloud with only a single
virtual network in Azure. This implementation is best suited for Azure VMware Solution evaluations or
implementations that don't require access from on-premises environments.
2. Full on-premises to private cloud interconnectivity extends the basic Azure-only implementation
to include interconnectivity between on-premises and Azure VMware Solution private clouds.
In this article, we'll cover a few key concepts that establish networking and interconnectivity, including
requirements and limitations, and look at the two types of Azure VMware Solution private cloud
interconnectivity implementations in more detail. It gives you the information you need to configure your
networking to work properly with Azure VMware Solution.

Azure VMware Solution private cloud use cases


The use cases for Azure VMware Solution private clouds include:
New VMware VM workloads in the cloud
VM workload bursting to the cloud (on-premises to Azure VMware Solution only)
VM workload migration to the cloud (on-premises to Azure VMware Solution only)
Disaster recovery (Azure VMware Solution to Azure VMware Solution or on-premises to Azure VMware
Solution)
Consumption of Azure services

TIP
All use cases for the Azure VMware Solution service are enabled with on-premises to private cloud connectivity.

Azure virtual network interconnectivity


In the virtual network to private cloud implementation, you can manage your Azure VMware Solution private
cloud, consume workloads in your private cloud, and access Azure services over the ExpressRoute connection.
The diagram below shows the basic network interconnectivity established at the time of a private cloud
deployment. It shows the logical, ExpressRoute-based networking between a virtual network in Azure and a
private cloud. The interconnectivity fulfills three of the primary use cases:
Inbound access to vCenter Server and NSX-T Manager from VMs in your Azure subscription (not from your
on-premises systems).
Outbound access from VMs to Azure services.
Inbound access to, and consumption of, workloads running in a private cloud.

On-premises interconnectivity
In the full implementation, which connects both a virtual network and your on-premises environment to the
private cloud, you can access your Azure VMware Solution private clouds from on-premises environments. This
implementation is an extension of the basic implementation described in the previous section. Like the basic
implementation, an ExpressRoute circuit is required, but here it's used to connect from on-premises
environments to your private cloud in Azure.
The diagram below shows the on-premises to private cloud interconnectivity, which enables the following use
cases:
Hot/Cold Cross-vCenter vMotion
On-Premises to Azure VMware Solution private cloud management access

For full interconnectivity to your private cloud, enable ExpressRoute Global Reach and then request an
authorization key and private peering ID for Global Reach in the Azure portal. The authorization key and peering
ID are used to establish Global Reach between an ExpressRoute circuit in your subscription and the ExpressRoute
circuit for your new private cloud. Once linked, the two ExpressRoute circuits route network traffic between your
on-premises environments and your private cloud. For more information on the procedures to request and use
the authorization key and peering ID, see the tutorial for creating an ExpressRoute Global Reach peering to a
private cloud.
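As an added example, not part of the original page, the following Azure CLI script performs the three steps just described: it issues an ExpressRoute authorization on the private cloud's circuit, reads that circuit's private peering ID, and creates the Global Reach connection on your own circuit. It also enforces a requirement the page doesn't spell out: Global Reach needs an unused, aligned /29 IPv4 prefix for the link. The `az vmware` commands come from the Azure CLI vmware extension, and the JSON field names used in the queries (expressRouteAuthorizationKey, circuit.expressRoutePrivatePeeringId) are assumptions to verify with `az vmware authorization create --help` and `az vmware private-cloud show --help`; resource group, circuit and private cloud names are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not from the Azure VMware Solution docs): link your own
# ExpressRoute circuit to a private cloud's circuit with Global Reach.
# Assumptions to verify in your environment:
#   - the vmware CLI extension is installed (az extension add --name vmware)
#   - `az vmware authorization create` returns expressRouteAuthorizationId
#     and expressRouteAuthorizationKey
#   - `az vmware private-cloud show` exposes circuit.expressRoutePrivatePeeringId
set -eu

# Global Reach requires a /29 IPv4 block unused on both sides of the link.
# Accept only a syntactically valid, 8-aligned /29; reject everything else
# before any Azure call is made.
validate_global_reach_prefix() {
  prefix=$1
  case $prefix in
    */29) ;;
    *) return 1 ;;
  esac
  addr=${prefix%/29}
  oldifs=$IFS; IFS=.
  set -f; set -- $addr; set +f        # split into octets without globbing
  IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for o in "$1" "$2" "$3" "$4"; do
    case $o in                        # decimal, no leading zeros
      0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
      *) return 1 ;;
    esac
    [ "$o" -le 255 ] || return 1
  done
  [ $(( $4 % 8 )) -eq 0 ]             # a /29 starts on a multiple of 8
}

# Step 1: issue an authorization on the private cloud's ExpressRoute circuit.
# Prints "<authorization id>\t<authorization key>".
create_avs_authorization() {            # rg, private-cloud, authorization name
  az vmware authorization create -g "$1" -c "$2" -n "$3" \
    --query '[expressRouteAuthorizationId, expressRouteAuthorizationKey]' -o tsv
}

# Step 2: the private peering resource ID of the private cloud's circuit.
avs_private_peering_id() {              # rg, private-cloud
  az vmware private-cloud show -g "$1" -n "$2" \
    --query 'circuit.expressRoutePrivatePeeringId' -o tsv
}

# Step 3: create the Global Reach connection on *your* circuit. The CLI
# uses a full resource ID passed to --peer-circuit as the peer peering ID,
# so the private peering ID from step 2 is the right value here.
link_circuits() {   # circuit-rg, my-circuit, connection-name, peer-peering-id, auth-key, prefix
  validate_global_reach_prefix "$6" || { echo "prefix must be an aligned /29" >&2; return 1; }
  az network express-route peering connection create \
    -g "$1" --circuit-name "$2" --peering-name AzurePrivatePeering -n "$3" \
    --peer-circuit "$4" --authorization-key "$5" --address-prefix "$6"
}

main() {
  if [ "$#" -ne 7 ]; then
    echo "usage: $0 <avs-rg> <private-cloud> <circuit-rg> <my-circuit> <connection-name> <prefix/29> <auth-name>" >&2
    return 2
  fi
  validate_global_reach_prefix "$6" || { echo "prefix must be an aligned /29" >&2; return 1; }
  auth_key=$(create_avs_authorization "$1" "$2" "$7" | cut -f2)
  peer_id=$(avs_private_peering_id "$1" "$2")
  link_circuits "$3" "$4" "$5" "$peer_id" "$auth_key" "$6"
}

# Only touch Azure when invoked with arguments; sourcing the file just
# defines the helper functions.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it with the seven positional arguments in the usage line. The prefix check is deliberately strict: a mis-sized or misaligned block is rejected locally instead of failing half-way through the peering creation.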

Next steps
Now that you've covered Azure VMware Solution network and interconnectivity concepts, you may want to
learn about:
Azure VMware Solution storage concepts.
Azure VMware Solution identity concepts.
How to enable Azure VMware Solution resource.
Azure VMware Solution storage concepts
2/11/2021 • 2 minutes to read

Azure VMware Solution private clouds provide native, cluster-wide storage with VMware vSAN. All local storage
from each host in a cluster is used in a vSAN datastore, and data-at-rest encryption is available and enabled by
default. You can use Azure Storage resources to extend storage capabilities of your private clouds.

vSAN clusters
Local storage in each cluster host is used as part of a vSAN datastore. All disk groups use an NVMe cache tier of
1.6 TB with raw, per-host, SSD-based capacity of 15.4 TB. The raw capacity tier of a cluster is the per-host
capacity times the number of hosts. For example, a four-host cluster provides 61.6 TB of raw capacity in the
vSAN capacity tier.
All datastores are created as part of a private cloud deployment and are available for use immediately. The
cloudadmin user and all users in the CloudAdmin group can manage datastores with these vSAN privileges:
Datastore.AllocateSpace
Datastore.Browse
Datastore.Config
Datastore.DeleteFile
Datastore.FileManagement
Datastore.UpdateVirtualMachineMetadata

Data-at-rest encryption
vSAN datastores use data-at-rest encryption by default. The encryption solution is KMS-based and supports
vCenter operations for key management. Keys are stored encrypted, wrapped by an Azure Key Vault master key.
When a host is removed from a cluster for any reason, data on SSDs is invalidated immediately.

Scaling
Native cluster storage capacity is scaled by adding hosts to a cluster. For clusters that use HE hosts, the raw
cluster-wide capacity is increased by 15.4 TB with each added host. Clusters that are built with GP hosts have
their raw capacity increased by 7.7 TB with each added host. In both types of clusters, hosts take about 10
minutes to be added to a cluster. For instructions on scaling clusters, see the scale private cloud tutorial.

Azure storage integration


You can use Azure storage services from workloads running in your private cloud. The Azure storage services
include Storage Accounts, Table Storage, and Blob Storage. The connection from workloads to Azure storage
services doesn't traverse the internet, which keeps that traffic off the public network and lets you use SLA-
backed Azure storage services from your private cloud workloads.

Next steps
Now that you've covered Azure VMware Solution storage concepts, you may want to learn about:
Private cloud identity concepts.
vSphere role-based access control for Azure VMware Solution.
How to enable Azure VMware Solution resource.
Azure VMware Solution identity concepts
2/11/2021 • 2 minutes to read

Azure VMware Solution private clouds are provisioned with a vCenter Server and NSX-T Manager. You use
vCenter to manage virtual machine (VM) workloads, and NSX-T Manager to extend the private cloud network.
Access and identity management use CloudAdmin group privileges for vCenter and restricted administrator
rights for NSX-T Manager. Keeping the platform components out of tenant hands is what lets Microsoft upgrade
your private cloud automatically with the newest features and patches. For more information, see the private
cloud upgrades concepts article.

vCenter access and identity


The CloudAdmin group holds the privileges in vCenter. You can manage the group locally in vCenter, or
integrate vCenter LDAP single sign-on with Azure Active Directory; you enable that integration after you
deploy your private cloud.
The table shows CloudAdmin and CloudGlobalAdmin privileges.

PRIVILEGE SET | CLOUDADMIN | CLOUDGLOBALADMIN | COMMENT
Alarms | A CloudAdmin user has all Alarms privileges for alarms in the Compute-ResourcePool and VMs. | -- | --
Auto Deploy | -- | -- | Microsoft does host management.
Certificates | -- | -- | Microsoft does certificate management.
Content Library | A CloudAdmin user has privileges to create and use files in a Content Library. | Enabled with SSO. | Microsoft will distribute files in the Content Library to ESXi hosts.
Datacenter | -- | -- | Microsoft does all data center operations.
Datastore | Datastore.AllocateSpace, Datastore.Browse, Datastore.Config, Datastore.DeleteFile, Datastore.FileManagement, Datastore.UpdateVirtualMachineMetadata | -- | --
ESX Agent Manager | -- | -- | Microsoft does all operations.
Folder | A CloudAdmin user has all Folder privileges. | -- | --
Global | Global.CancelTask, Global.GlobalTag, Global.Health, Global.LogEvent, Global.ManageCustomFields, Global.ServiceManagers, Global.SetCustomField, Global.SystemTag | -- | --
Host | Host.Hbr.HbrManagement | -- | Microsoft does all other Host operations.
InventoryService | InventoryService.Tagging | -- | --
Network | Network.Assign | -- | Microsoft does all other Network operations.
Permissions | -- | -- | Microsoft does all Permissions operations.
Profile-driven Storage | -- | -- | Microsoft does all Profile operations.
Resource | A CloudAdmin user has all Resource privileges. | -- | --
Scheduled Task | A CloudAdmin user has all ScheduleTask privileges. | -- | --
Sessions | Sessions.GlobalMessage, Sessions.ValidateSession | -- | Microsoft does all other Sessions operations.
Storage Views | StorageViews.View | -- | Microsoft does all other Storage View operations (Configure Service).
Tasks | -- | -- | Microsoft manages extensions that manage tasks.
vApp | A CloudAdmin user has all vApp privileges. | -- | --
Virtual Machine | A CloudAdmin user has all VirtualMachine privileges. | -- | --
vService | A CloudAdmin user has all vService privileges. | -- | --

NSX-T Manager access and identity


Use the "administrator" account to access NSX-T Manager. It has full privileges and lets you create and manage
T1 routers, logical switches, and all services. The same privileges also give you access to the NSX-T T0 router,
and a change to the T0 router could result in degraded network performance or loss of private cloud access.
Open a support request in the Azure portal to request any changes to your NSX-T T0 router rather than
making them yourself.

Next steps
Now that you've covered Azure VMware Solution access and identity concepts, you may want to learn about:
Private cloud upgrade concepts.
vSphere role-based access control for Azure VMware Solution.
How to enable Azure VMware Solution resource.
vSphere role-based access control (vSphere RBAC)
for Azure VMware Solution
2/11/2021 • 4 minutes to read

In Azure VMware Solution, vCenter has a built-in local user called cloudadmin that is assigned to the built-in
CloudAdmin role. You use the local cloudadmin user to set up AD users and groups. In general, the CloudAdmin
role creates and manages workloads in your private cloud. In Azure VMware Solution, the CloudAdmin role has
vCenter privileges that differ from other VMware cloud solutions.

NOTE
Azure VMware Solution currently doesn't offer custom roles on vCenter or the Azure VMware Solution portal.

In a vCenter and ESXi on-premises deployment, the administrator has access to the vCenter
administrator@vsphere.local account. They can also have additional Active Directory (AD) users/groups
assigned.
In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user
account. But they can assign AD users and groups to the CloudAdmin role on vCenter.
The private cloud user doesn't have access to and can't configure specific management components supported
and managed by Microsoft. For example, clusters, hosts, datastores, and distributed virtual switches.

Azure VMware Solution CloudAdmin role on vCenter


You can view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware
Solution private cloud vCenter.
1. Log into the SDDC vSphere Client and go to Menu > Administration .
2. Under Access Control , select Roles .
3. From the list of roles, select CloudAdmin and then select Privileges .
The CloudAdmin role in Azure VMware Solution has the following privileges on vCenter. Refer to the VMware
product documentation for a detailed explanation of each privilege.

PRIVILEGE                 DESCRIPTION

Alarms
  Acknowledge alarm
  Create alarm
  Disable alarm action
  Modify alarm
  Remove alarm
  Set alarm status

Permissions
  Modify permissions

Content Library
  Add library item
  Create a subscription for a published library
  Create local library
  Create subscribed library
  Delete library item
  Delete local library
  Delete subscribed library
  Delete subscription of a published library
  Download files
  Evict library items
  Evict subscribed library
  Import storage
  Probe subscription information
  Publish a library item to its subscribers
  Publish a library to its subscribers
  Read storage
  Sync library item
  Sync subscribed library
  Type introspection
  Update configuration settings
  Update files
  Update library
  Update library item
  Update local library
  Update subscribed library
  Update subscription of a published library
  View configuration settings

Cryptographic operations
  Direct access

Datastore
  Allocate space
  Browse datastore
  Configure datastore
  Low-level file operations
  Remove files
  Update virtual machine metadata

Folder
  Create folder
  Delete folder
  Move folder
  Rename folder

Global
  Cancel task
  Global tag
  Health
  Log event
  Manage custom attributes
  Service managers
  Set custom attribute
  System tag

Host
  vSphere Replication:
    Manage replication

vSphere tagging
  Assign and unassign vSphere tag
  Create vSphere tag
  Create vSphere tag category
  Delete vSphere tag
  Delete vSphere tag category
  Edit vSphere tag
  Edit vSphere tag category
  Modify UsedBy field for category
  Modify UsedBy field for tag

Network
  Assign network

Resource
  Apply recommendation
  Assign vApp to resource pool
  Assign virtual machine to resource pool
  Create resource pool
  Migrate powered off virtual machine
  Migrate powered on virtual machine
  Modify resource pool
  Move resource pool
  Query vMotion
  Remove resource pool
  Rename resource pool

Scheduled task
  Create task
  Modify task
  Remove task
  Run task

Sessions
  Message
  Validate session

Profile
  Profile driven storage view

Storage view
  View

vApp
  Add virtual machine
  Assign resource pool
  Assign vApp
  Clone
  Create
  Delete
  Export
  Import
  Move
  Power off
  Power on
  Rename
  Suspend
  Unregister
  View OVF environment
  vApp application configuration
  vApp instance configuration
  vApp managedBy configuration
  vApp resource configuration

Virtual machine
  Change Configuration:
    Acquire disk lease
    Add existing disk
    Add new disk
    Add or remove device
    Advanced configuration
    Change CPU count
    Change memory
    Change settings
    Change swapfile placement
    Change resource
    Configure host USB device
    Configure raw device
    Configure managedBy
    Display connection settings
    Extend virtual disk
    Modify device settings
    Query fault tolerance compatibility
    Query unowned files
    Reload from paths
    Remove disk
    Rename
    Reset guest information
    Set annotation
    Toggle disk change tracking
    Toggle fork parent
    Upgrade virtual machine compatibility
  Edit inventory:
    Create from existing
    Create new
    Move
    Register
    Remove
    Unregister
  Guest operations:
    Guest operation alias modification
    Guest operation alias query
    Guest operation modifications
    Guest operation program execution
    Guest operation queries
  Interaction:
    Answer question
    Back up operation on virtual machine
    Configure CD media
    Configure floppy media
    Connect devices
    Console interaction
    Create screenshot
    Defragment all disks
    Drag and drop
    Guest operating system management by VIX API
    Inject USB HID scan codes
    Install VMware tools
    Pause or Unpause
    Perform wipe or shrink operations
    Power off
    Power on
    Record session on virtual machine
    Replay session on virtual machine
    Suspend
    Suspend fault tolerance
    Test failover
    Test restart secondary VM
    Turn off fault tolerance
    Turn on fault tolerance
  Provisioning:
    Allow disk access
    Allow file access
    Allow read-only disk access
    Allow virtual machine download
    Clone template
    Clone virtual machine
    Create template from virtual machine
    Customize guest
    Deploy template
    Mark as template
    Modify customization specification
    Promote disks
    Read customization specifications
  Service configuration:
    Allow notifications
    Allow polling of global event notifications
    Manage service configuration
    Modify service configuration
    Query service configurations
    Read service configuration
  Snapshot management:
    Create snapshot
    Remove snapshot
    Rename snapshot
    Revert snapshot
  vSphere Replication:
    Configure replication
    Manage replication
    Monitor replication

vService
  Create dependency
  Destroy dependency
  Reconfigure dependency configuration
  Update dependency
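The privileges listed above form a baseline you can check against after an upgrade or whenever you suspect tampering, because the page also states that Host, Network and Permissions operations beyond the listed ones belong to Microsoft, not the tenant. The following POSIX shell script, added here and not part of the original page, compares an exported privilege list for a role with a documented baseline and reports both privileges that have gone missing and privileges that were never documented. It assumes you obtain the live list with a tool such as govc (for example `govc role.ls CloudAdmin`) or PowerCLI, one privilege ID per line; the baseline uses privilege IDs this page lists for the CloudAdmin role, and the "observed" export in the block is constructed to show one drift of each kind.

```shell
#!/bin/sh
# Added example (not from the Azure VMware Solution docs): detect privilege
# drift on a vCenter role by diffing an exported privilege list against a
# documented baseline. Export the live list yourself (e.g. `govc role.ls
# CloudAdmin`, one privilege id per line); the sample below is constructed.
set -eu

# normalize SRC DST: drop blank and comment lines, sort, dedupe. comm(1)
# needs sorted input, and exports from different tools may be unordered.
normalize() {
  grep -v -e '^[[:space:]]*$' -e '^#' "$1" | sort -u > "$2"
}

# audit_role BASELINE OBSERVED: print missing and unexpected privilege ids.
# Returns 0 when the role matches the baseline exactly, 1 on any drift.
audit_role() {
  b=$(mktemp); o=$(mktemp)
  normalize "$1" "$b"
  normalize "$2" "$o"
  missing=$(comm -23 "$b" "$o")     # in baseline only: privileges lost
  extra=$(comm -13 "$b" "$o")       # in observed only: privileges gained
  rm -f "$b" "$o"
  status=0
  if [ -n "$missing" ]; then
    printf 'MISSING (documented but not granted):\n%s\n' "$missing"
    status=1
  fi
  if [ -n "$extra" ]; then
    printf 'UNEXPECTED (granted but not documented):\n%s\n' "$extra"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "role matches baseline"
  return "$status"
}

# --- Constructed sample data (not a real export) ---------------------------
BASELINE_FILE=$(mktemp)
OBSERVED_FILE=$(mktemp)
trap 'rm -f "$BASELINE_FILE" "$OBSERVED_FILE"' EXIT

# Subset of the privilege ids the page documents for CloudAdmin.
cat > "$BASELINE_FILE" <<'EOF'
# CloudAdmin baseline (privilege ids as shown in vCenter)
Datastore.AllocateSpace
Datastore.Browse
Datastore.Config
Datastore.DeleteFile
Datastore.FileManagement
Datastore.UpdateVirtualMachineMetadata
Global.CancelTask
Global.GlobalTag
Global.Health
Global.LogEvent
Global.ManageCustomFields
Global.ServiceManagers
Global.SetCustomField
Global.SystemTag
Host.Hbr.HbrManagement
InventoryService.Tagging
Network.Assign
Sessions.GlobalMessage
Sessions.ValidateSession
StorageViews.View
EOF

# Constructed "live" export: one documented privilege is gone, and a host
# configuration privilege the page reserves to Microsoft has appeared.
grep -v '^Datastore.Config$' "$BASELINE_FILE" > "$OBSERVED_FILE"
echo 'Host.Config.Storage' >> "$OBSERVED_FILE"

audit_role "$BASELINE_FILE" "$OBSERVED_FILE" || true
```

Replace the constructed observed file with the real export and keep the baseline under version control; a non-zero exit from audit_role is the signal to open a support request rather than to "fix" the role by hand, since custom roles aren't offered on Azure VMware Solution.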

Next steps
Now that you've covered the basics of vSphere role-based access control for Azure VMware Solution, you may
want to learn about:
The details of each privilege in the VMware product documentation.
How Azure VMware Solution monitors and repairs private clouds.
How to enable Azure VMware Solution resource.
Monitor and repair Azure VMware Solution private
clouds
2/11/2021 • 2 minutes to read

Azure VMware Solution continuously monitors the VMware ESXi servers on an Azure VMware Solution private
cloud.

What Azure VMware Solution monitors


Azure VMware Solution monitors the following for failure conditions on the host:
Processor status
Memory status
Connection and power state
Hardware fan status
Network connectivity loss
Hardware system board status
Errors occurred on the disk(s) of a vSAN host
Hardware voltage
Hardware temperature status
Hardware power status
Storage status
Connection failure

NOTE
Azure VMware Solution tenant admins must not edit or delete the above defined VMware vCenter alarms, as these are
managed by the Azure VMware Solution control plane on vCenter. These alarms are used by Azure VMware Solution
monitoring to trigger the Azure VMware Solution host remediation process.

Azure VMware Solution host remediation


When Azure VMware Solution detects a degradation or failure on an Azure VMware Solution node on a tenant’s
private cloud, it triggers the host remediation process. Host remediation involves replacing the faulty node with
a new healthy node.
The host remediation process starts by adding a new healthy node in the cluster. Then, when possible, the faulty
host is placed in VMware vSphere maintenance mode. VMware vMotion is used to move the VMs off the faulty
host to other available servers in the cluster, potentially allowing for zero downtime live migration of workloads.
In scenarios where the faulty host can't be placed in maintenance mode, the host is removed from the cluster.

Next steps
Now that you've covered how Azure VMware Solution monitors and repairs private clouds, you may want to
learn about:
Azure VMware Solution private cloud upgrades.
How to enable Azure VMware Solution resource.
Azure VMware Solution private cloud updates and
upgrades
2/11/2021 • 2 minutes to read

One of the key benefits of Azure VMware Solution private clouds is that the platform is maintained for you.
Platform maintenance includes automated updates to a VMware validated software bundle, helping to ensure
you're using the latest version of the validated Azure VMware Solution private cloud software.
Specifically, an Azure VMware Solution private cloud includes:
Dedicated bare-metal server nodes provisioned with VMware ESXi hypervisor
vCenter server for managing ESXi and vSAN
VMware NSX-T software defined networking for vSphere workload VMs
VMware vSAN datastore for vSphere workload VMs
VMware HCX for workload mobility
In addition to these components, an Azure VMware Solution private cloud includes resources in the Azure
underlay required for connectivity and to operate the private cloud. Azure VMware Solution continuously
monitors the health of both the underlay and the VMware components. When Azure VMware Solution detects a
failure, it takes action to repair the failed components.

What components get updated?


Azure VMware Solution updates the following VMware components:
vCenter Server and ESXi running on the bare-metal server nodes
vSAN
NSX-T
Azure VMware Solution also updates the software in the underlay, such as drivers, software on the network
switches, and firmware on the bare-metal nodes.

Types of updates
Azure VMware Solution applies the following types of updates to VMware components:
Patches: Security patches and bug fixes released by VMware.
Updates: Minor version updates of one or more VMware components.
Upgrades: Major version updates of one or more VMware components.
You will be notified before and after patches are applied to your private clouds. We will also work with you to
schedule a maintenance window before applying updates or upgrades to your private cloud.

VMware appliance backup


In addition to making updates, Azure VMware Solution takes a configuration backup of these VMware
components:
vCenter Server
NSX-T Manager
If one of these components fails, Azure VMware Solution can restore it from the configuration backup.
For more information on VMware software versions, see the private clouds and clusters concept article and the
FAQ.

Next steps
Now that you've covered the key upgrade processes and features in Azure VMware Solution, you may want to
learn about:
How to create a private cloud.
How to enable Azure VMware Solution resource.
How to enable Azure VMware Solution resource
2/11/2021 • 4 minutes to read

Learn how to submit a support request to enable your Azure VMware Solution resource. You can also request
more hosts in your existing Azure VMware Solution private cloud.

Eligibility criteria
You'll need an Azure account in an Azure subscription. The Azure subscription must comply with one of the
following criteria:
A subscription under an Azure Enterprise Agreement (EA) with Microsoft.
A Cloud Solution Provider (CSP) managed subscription under an existing CSP Azure offers contract or an
Azure plan.

Enable Azure VMware Solution for EA customers


Before you create your Azure VMware Solution resource, you'll need to submit a support ticket to have your
hosts allocated. Once the support team receives your request, it takes up to five business days to confirm your
request and allocate your hosts. If you have an existing Azure VMware Solution private cloud and want more
hosts allocated, you'll go through the same process.
1. In your Azure portal, under Help + Support, create a New support request and provide the following
information for the ticket:
Issue type: Technical
Subscription: Select your subscription
Service: All services > Azure VMware Solution
Resource: General question
Summary: Need capacity
Problem type: Capacity Management Issues
Problem subtype: Customer Request for Additional Host Quota/Capacity
2. In the Description of the support ticket, on the Details tab, provide:
POC or Production
Region Name
Number of hosts
Any other details

NOTE
Azure VMware Solution recommends a minimum of three hosts to spin up your private cloud, and N+1 hosts for
redundancy.

3. Select Review + Create to submit the request.


It will take up to five business days for a support representative to confirm your request.
IMPORTANT
If you already have an Azure VMware Solution private cloud and are requesting additional hosts, allow five
business days for the hosts to be allocated.

4. Before you can provision your hosts, make sure that you register the Microsoft.AVS resource provider
in the Azure portal.

az provider register -n Microsoft.AVS --subscription <your subscription ID>

For additional ways to register the resource provider, see Azure resource providers and types.

Enable Azure VMware Solution for CSP customers


CSPs must use Microsoft Partner Center to enable Azure VMware Solution for their customers. This article uses
CSP Azure plan as an example to illustrate the purchase procedure for partners.

IMPORTANT
Azure VMware Solution doesn't provide multi-tenancy. Hosting partners that require it aren't supported.

1. In Partner Center, select CSP to access the Customers area.

2. Select your customer and then select Add products .

3. Select Azure plan and then select Add to cart.


4. Review and finish the general set up of the Azure plan subscription for your customer. For more
information, see Microsoft Partner Center documentation.
After you configure the Azure plan and the needed Azure RBAC permissions are in place for the subscription,
engage Microsoft to enable the quota for the Azure plan subscription. Access the Azure portal from Microsoft
Partner Center using the Admin On Behalf Of (AOBO) procedure.
1. Sign in to Partner Center.
2. Select CSP to access the Customers area.
3. Expand customer details and select Microsoft Azure Management Portal.
4. In the Azure portal, under Help + Support, create a New support request and provide the following
information for the ticket:
Issue type: Technical
Subscription: Select your subscription
Service: All services > Azure VMware Solution
Resource: General question
Summary: Need capacity
Problem type: Capacity Management Issues
Problem subtype: Customer Request for Additional Host Quota/Capacity
5. In the Description of the support ticket, on the Details tab, provide:
POC or Production
Region Name
Number of hosts
Any other details
Whether the private cloud is intended to host multiple customers

NOTE
Azure VMware Solution recommends a minimum of three hosts to spin up your private cloud, and N+1 hosts for
redundancy.

6. Select Review + Create to submit the request.


It will take up to five business days for a support representative to confirm your request.

IMPORTANT
If you already have an Azure VMware Solution private cloud and are requesting additional hosts, allow five
business days for the hosts to be allocated.

7. If the subscription is managed by the service provider, their administration team must again access the
Azure portal using the Admin On Behalf Of (AOBO) procedure from Partner Center. Once in the Azure portal,
launch a Cloud Shell instance, register the Microsoft.AVS resource provider, and proceed with the
deployment of the Azure VMware Solution private cloud.

az provider register -n Microsoft.AVS --subscription <your subscription ID>

For additional ways to register the resource provider, see Azure resource providers and types.
8. If the subscription is managed directly by the customer, a user with sufficient permissions in the
subscription must register the Microsoft.AVS resource provider. See Azure resource providers and types for
more details and other ways to register the resource provider.
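Resource provider registration is asynchronous: `az provider register` returns as soon as the request is accepted, and a private cloud deployment started before the provider's registrationState reaches Registered fails with a missing-registration error. The following script, an added example that isn't part of the original page and applies equally to the EA and CSP flows above, registers Microsoft.AVS and polls `az provider show` until registration completes or a timeout expires. It assumes an authenticated Azure CLI session; the subscription ID is a placeholder you pass on the command line.

```shell
#!/bin/sh
# Added example (not from the Azure VMware Solution docs): register the
# Microsoft.AVS resource provider and wait until Azure reports it as
# Registered before deploying a private cloud. Assumes `az login` was done.
set -eu

PROVIDER=Microsoft.AVS
POLL_INTERVAL=${POLL_INTERVAL:-10}    # seconds between state checks
MAX_WAIT=${MAX_WAIT:-600}             # give up after this many seconds
case $POLL_INTERVAL in 0|'') POLL_INTERVAL=1 ;; esac   # never spin

# Current registrationState of a provider in the given subscription.
provider_state() {                    # provider, subscription id
  az provider show -n "$1" --subscription "$2" \
    --query registrationState -o tsv
}

# Poll until provider_state reports Registered.
# Returns 0 on success, 1 on timeout, 2 on an unexpected state.
wait_for_registration() {             # provider, subscription id
  provider=$1; sub=$2; waited=0
  while :; do
    state=$(provider_state "$provider" "$sub")
    case $state in
      Registered) return 0 ;;
      Registering|NotRegistered|Unregistered|Unregistering) ;;   # keep waiting
      *) echo "unexpected state '$state' for $provider" >&2; return 2 ;;
    esac
    if [ "$waited" -ge "$MAX_WAIT" ]; then
      echo "timed out after ${waited}s waiting for $provider" >&2
      return 1
    fi
    sleep "$POLL_INTERVAL"
    waited=$((waited + POLL_INTERVAL))
  done
}

# Submit the registration request, then block until it has taken effect.
register_provider() {                 # provider, subscription id
  az provider register -n "$1" --subscription "$2"
  wait_for_registration "$1" "$2"
}

if [ "$#" -eq 1 ]; then
  register_provider "$PROVIDER" "$1" && echo "$PROVIDER is Registered in $1"
else
  echo "usage: $0 <subscription id>" >&2
fi
```

Run it once per subscription before creating the private cloud; a non-zero exit means the provider isn't ready and the deployment should not be started yet.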

Next steps
After you enable your Azure VMware Solution resource, and you have the proper networking in place, you can
create a private cloud.
Save costs with Azure VMware Solution
2/11/2021 • 5 minutes to read

When you commit to a reserved instance of Azure VMware Solution, you save money. The reservation discount
is applied automatically to the running Azure VMware Solution hosts that match the reservation scope and
attributes. A reserved instance purchase covers only the compute part of your usage and includes software
licensing costs.

Purchase restriction considerations


Reserved instances are available with some exceptions.
Clouds - Reservations are available only in the regions listed on the Products available by region page.
Insufficient quota - A reservation scoped to a single or shared subscription must have host quota
available in the subscription for the new reserved instance. You can create a quota increase request to
resolve this issue.
Offer eligibility - You'll need an Azure Enterprise Agreement (EA) with Microsoft.
Capacity restrictions - In rare circumstances, Azure limits the purchase of new reservations for Azure
VMware Solution host SKUs because of low capacity in a region.

Buy a reservation
You can buy a reserved instance of an Azure VMware Solution host instance in the Azure portal.
You can pay for the reservation up front or with monthly payments.
These requirements apply to buying a reserved dedicated host instance:
You must be in an Owner role for at least one EA subscription or a subscription with a pay-as-you-go
rate.
For EA subscriptions, you must enable the Add Reserved Instances option in the EA portal. If disabled,
you must be an EA Admin for the subscription to enable it.
For subscription under a Cloud Solution Provider (CSP) Azure Plan, the partner must purchase the
reserved instances in the Azure portal for the customer.
Buy reserved instances for an EA subscription
1. Sign in to the Azure portal.
2. Select All services > Reservations.
3. Select Purchase Now and then select Azure VMware Solution.
4. Enter the required fields. The selected attributes that match running Azure VMware Solution hosts qualify
for the reservation discount. Attributes include the SKU, regions (where applicable), and scope.
Reservation scope selects where the reservation savings apply.
If you have an EA agreement, you can use the Add more option to add instances quickly. The option
isn't available for other subscription types.
FIELD: DESCRIPTION
Subscription: The subscription used to pay for the reservation. The payment method on the subscription is
charged the costs for the reservation. The subscription type must be an enterprise agreement (offer numbers:
MS-AZR-0017P or MS-AZR-0148P), Microsoft Customer Agreement, or an individual subscription with
pay-as-you-go rates (offer numbers: MS-AZR-0003P or MS-AZR-0023P). The charges are deducted from the
Azure Prepayment (previously called monetary commitment) balance, if available, or charged as overage. For a
subscription with pay-as-you-go rates, the charges are billed to the subscription's credit card or an invoice
payment method.
Scope: The reservation's scope can cover one subscription or multiple subscriptions (shared scope). If you select:
  Single resource group scope - Applies the reservation discount to the matching resources in the selected
  resource group only.
  Single subscription scope - Applies the reservation discount to the matching resources in the selected
  subscription.
  Shared scope - Applies the reservation discount to matching resources in eligible subscriptions that are in
  the billing context. For EA customers, the billing context is the enrollment. For individual subscriptions
  with pay-as-you-go rates, the billing scope is all eligible subscriptions created by the account administrator.
Region: The Azure region that's covered by the reservation.
Host Size: AV36
Term: One year or three years.
Quantity: The number of instances to purchase within the reservation. The quantity is the number of running
Azure VMware Solution hosts that can get the billing discount.

Buy reserved instances for a CSP subscription


CSPs that want to purchase reserved instances for their customers must use the Admin On Behalf Of (AOBO)
procedure from the Partner Center documentation. For more information, view the Admin on behalf of (AOBO)
video.
1. Sign in to Partner Center.
2. Select CSP to access the Customers area.
3. Expand customer details and select Microsoft Azure Management Portal.
4. In the Azure portal, select All services > Reservations.
5. Select Purchase Now and then select Azure VMware Solution.

6. Enter the required fields. The selected attributes that match running Azure VMware Solution hosts qualify
for the reservation discount. Attributes include the SKU, regions (where applicable), and scope.
Reservation scope selects where the reservation savings apply.

FIELD DESCRIPTION

Subscription: The subscription used to pay for the reservation. The payment method on the subscription is charged the costs for the reservation. The subscription type must be an eligible one, which in this case is a CSP subscription.

Scope: The reservation's scope can cover one subscription or multiple subscriptions (shared scope). If you select:
  Single resource group scope - Applies the reservation discount to the matching resources in the selected resource group only.
  Single subscription scope - Applies the reservation discount to the matching resources in the selected subscription.
  Shared scope - Applies the reservation discount to matching resources in eligible subscriptions that are in the billing context. For EA customers, the billing context is the enrollment. For individual subscriptions with pay-as-you-go rates, the billing scope is all eligible subscriptions created by the account administrator.

Region: The Azure region that's covered by the reservation.

Host Size: AV36

Term: One year or three years.

Quantity: The number of instances to purchase within the reservation. The quantity is the number of running Azure VMware Solution hosts that can get the billing discount.

To learn more on how to view the purchased reservations for your customer, see View Azure reservations as a
Cloud Solution Provider (CSP) article.

Usage data and reservation usage


Your usage that gets a reservation discount has an effective price of zero. You can see which Azure VMware
Solution instance received the reservation discount for each reservation.
For more information about how reservation discounts appear in usage data:
For EA customers, see Understand Azure reservation usage for your Enterprise enrollment
For individual subscriptions, see Understand Azure reservation usage for your Pay-As-You-Go subscription

Change a reservation after purchase


You can make these changes to a reservation after purchase:
Update reservation scope
Instance size flexibility (if applicable)
Ownership
You can also split a reservation into smaller chunks or merge reservations. None of the changes cause a new
commercial transaction or change the end date of the reservation.
For details about CSP-managed reservations, see Sell Microsoft Azure reservations to customers using Partner
Center, the Azure portal, or APIs.
NOTE
Once you've purchased your reservation, you won't be able to make these types of changes directly:
An existing reservation’s region
SKU
Quantity
Duration
However, you can exchange a reservation if you want to make changes.

Cancel, exchange, or refund reservations


You can cancel, exchange, or refund reservations with certain limitations. For more information, see Self-service
exchanges and refunds for Azure Reservations.
CSPs can cancel, exchange, or refund reservations, with certain limitations, purchased for their customer. For
more information, see Manage, cancel, exchange, or refund Microsoft Azure reservations for customers.

Next steps
Now that you've covered buying a reserved instance of Azure VMware Solution, you may want to learn about:
Creating an Azure VMware Solution assessment.
Managing DHCP for Azure VMware Solution.
Lifecycle management of Azure VMware Solution VMs.
Create an Azure VMware Solution (AVS) assessment
2/11/2021 • 6 minutes to read • Edit Online

This article describes how to create an Azure VMware Solution (AVS) assessment for on-premises VMware VMs
with Azure Migrate: Server Assessment.
Azure Migrate helps you to migrate to Azure. Azure Migrate provides a centralized hub to track discovery,
assessment, and migration of on-premises infrastructure, applications, and data to Azure. The hub provides
Azure tools for assessment and migration, as well as third-party independent software vendor (ISV) offerings.

Before you start


Make sure you've created an Azure Migrate project.
If you've already created a project, make sure you've added the Azure Migrate: Server Assessment tool.
To create an assessment, you need to set up an Azure Migrate appliance for VMware, which discovers the on-
premises machines, and sends metadata and performance data to Azure Migrate: Server Assessment. Learn
more.
You could also import the server metadata in comma-separated values (CSV) format.

Azure VMware Solution (AVS) Assessment overview


There are two types of assessments you can create using Azure Migrate: Server Assessment.

ASSESSMENT TYPE   DETAILS

Azure VM: Assessments to migrate your on-premises servers to Azure virtual machines. You can assess your on-premises VMware VMs, Hyper-V VMs, and physical servers for migration to Azure using this assessment type. Learn more.

Azure VMware Solution (AVS): Assessments to migrate your on-premises servers to Azure VMware Solution (AVS). You can assess your on-premises VMware VMs for migration to Azure VMware Solution (AVS) using this assessment type. Learn more.

NOTE
Azure VMware Solution (AVS) assessment is currently in preview and can be created for VMware VMs only.

There are two types of sizing criteria that you can use to create Azure VMware Solution (AVS) assessments:

ASSESSMENT   DETAILS   DATA

Performance-based: Assessments based on collected performance data of on-premises VMs. Data: Recommended Node size, based on CPU and memory utilization data along with the node type, storage type, and FTT setting that you select for the assessment.

As on-premises: Assessments based on on-premises sizing. Data: Recommended Node size, based on the on-premises VM size along with the node type, storage type, and FTT setting that you select for the assessment.


Run an Azure VMware Solution (AVS) assessment


Run an Azure VMware Solution (AVS) assessment as follows:
1. Review the best practices for creating assessments.
2. In the Servers tab, in the Azure Migrate: Server Assessment tile, click Assess.
3. In Assess servers, select "Azure VMware Solution (AVS)" as the assessment type, and select the discovery source.
4. Click Edit to review the assessment properties.
5. In Select machines to assess > Assessment name, specify a name for the assessment.
6. In Select or create a group, select Create New and specify a group name. A group gathers one or more VMs together for assessment.
7. In Add machines to the group, select VMs to add to the group.
8. Click Next to Review + create assessment to review the assessment details.
9. Click Create Assessment to create the group and run the assessment.
10. After the assessment is created, view it in Servers > Azure Migrate: Server Assessment > Assessments.
11. Click Export assessment to download it as an Excel file.

Review an Azure VMware Solution (AVS) assessment


An Azure VMware Solution (AVS) assessment describes:
Azure VMware Solution (AVS) readiness : Whether the on-premises VMs are suitable for migration to
Azure VMware Solution (AVS).
Number of AVS nodes : Estimated number of AVS nodes required to run the VMs.
Utilization across AVS nodes : Projected CPU, memory, and storage utilization across all nodes.
Utilization accounts up front for the cluster management overheads: vCenter Server, NSX Manager (large), NSX Edge, and, if HCX is deployed, the HCX Manager and IX appliance. Together these consume ~44 vCPU (11 CPU), 75 GB of RAM, and 722 GB of storage before compression and deduplication.
Memory utilization is currently set to 100%, and the dedupe and compression ratio to 1.5. These will become user-defined inputs in coming releases, allowing you to fine-tune the required sizing.
Monthly cost estimation : The estimated monthly costs for all Azure VMware Solution (AVS) nodes
running the on-premises VMs.
View an assessment
1. In Migration goals > Servers, click Assessments in Azure Migrate: Server Assessment.
2. In Assessments, click on an assessment to open it.
Review Azure VMware Solution (AVS) readiness
1. In Azure readiness, verify whether VMs are ready for migration to AVS.
2. Review the VM status:
Ready for AVS: The machine can be migrated as-is to Azure (AVS) without any changes. It will start in AVS with full AVS support.
Ready with conditions: The VM might have compatibility issues with the current vSphere version, and might require VMware Tools or other settings before full functionality can be achieved in AVS.
Not ready for AVS: The VM will not start in AVS. For example, if the on-premises VMware VM has an external device attached, such as a CD-ROM, the vMotion operation will fail (if using VMware vMotion).
Readiness unknown: Azure Migrate couldn't determine the readiness of the machine because of insufficient metadata collected from the on-premises environment.
3. Review the Suggested tool:
VMware HCX or Enterprise: For VMware machines, the VMware Hybrid Cloud Extension (HCX) solution is the suggested migration tool to migrate your on-premises workload to your Azure VMware Solution (AVS) private cloud. Learn More.
Unknown: For machines imported via a CSV file, the default migration tool is unknown. For VMware machines, though, the VMware Hybrid Cloud Extension (HCX) solution is suggested.
4. Click on an AVS readiness status. You can view VM readiness details, and drill down to see VM details, including compute, storage, and network settings.
Review cost details
This view shows the estimated cost of running VMs in Azure VMware Solution (AVS).
1. Review the monthly total costs. Costs are aggregated for all VMs in the assessed group.
Cost estimates are based on the number of AVS nodes required considering the resource
requirements of all the VMs in total.
Because Azure VMware Solution (AVS) is priced per node, the total cost isn't broken down into compute and storage costs.
The cost estimation is for running the on-premises VMs in AVS. Azure Migrate Server Assessment
doesn't consider PaaS or SaaS costs.
2. You can review monthly storage cost estimates. This view shows aggregated storage costs for the
assessed group, split over different types of storage disks.
3. You can drill down to see details for specific VMs.
Review confidence rating
When you run performance-based assessments, a confidence rating is assigned to the assessment.

A rating from 1-star (lowest) to 5-star (highest) is awarded.


The confidence rating helps you estimate the reliability of the size recommendations provided by the
assessment.
The confidence rating is based on the availability of data points needed to compute the assessment.
For performance-based sizing, AVS assessments in Server Assessment need the utilization data for CPU and
VM memory. The following performance data is collected but not used in sizing recommendations for AVS
assessments:
The disk IOPS and throughput data for every disk attached to the VM.
The network I/O to handle performance-based sizing for each network adapter attached to a VM.
Confidence ratings for an assessment are as follows.

DATA POINT AVAILABILITY   CONFIDENCE RATING
0%-20%                    1 Star
21%-40%                   2 Star
41%-60%                   3 Star
61%-80%                   4 Star
81%-100%                  5 Star

Learn more about performance data

Next steps
Learn how to use dependency mapping to create high confidence groups.
Learn more about how AVS assessments are calculated.
Manage DHCP for Azure VMware Solution
2/11/2021 • 3 minutes to read • Edit Online

Applications and workloads running in a private cloud environment require DHCP services for IP address
assignments. This article shows you how to create and manage DHCP in Azure VMware Solution in two ways:
If you're using NSX-T to host your DHCP server, you'll need to create a DHCP server and relay to that
server. When you create the DHCP server, you'll also add a network segment and specify the DHCP IP
address range.
If you're using a third-party external DHCP server in your network, you'll need to create a DHCP relay service. When you create a relay to a DHCP server, whether NSX-T or a third party hosts your DHCP server, you'll need to specify the DHCP IP address range.

IMPORTANT
DHCP does not work for virtual machines (VMs) on the VMware HCX L2 stretch network when the DHCP server is in the
on-premises datacenter. NSX, by default, blocks all DHCP requests from traversing the L2 stretch. For the solution, see the
Send DHCP requests to the on-premises DHCP server procedure.

Create a DHCP server


If you want to use NSX-T to host your DHCP server, you'll create a DHCP server. Then you'll add a network
segment and specify the DHCP IP address range.
1. In NSX-T Manager, select Networking > DHCP, and then select Add Server.
2. Select DHCP for the Server Type, provide the server name and IP address, and then select Save.
3. Select Tier 1 Gateways, select the vertical ellipsis on the Tier-1 gateway, and then select Edit.
4. Select No IP Allocation Set to add a subnet.
5. For Type, select DHCP Local Server.
6. For the DHCP Server, select Default DHCP, and then select Save.
7. Select Save again and then select Close Editing.
Add a network segment
1. In NSX-T Manager, select Networking > Segments , and then select Add Segment .
2. Select Add Segment and enter a name for the segment.
3. Select the Tier1 Gateway (TNTxx-T1) as the Connected Gateway and leave the Type as Flexible.
4. Select the pre-configured overlay Transport Zone (TNTxx-OVERLAY-TZ) and then select Set Subnets.

5. Enter the IP address of the gateway and then select Add .


IMPORTANT
The IP address needs to be on a non-overlapping RFC1918 address block, which ensures connection to the VMs
on the new segment.

6. Select Apply and then Save .


7. Select No to decline the option to continue configuring the segment.

8. Confirm the presence of the new network segment. In this example, ls01 is the new network segment.
a. In NSX-T Manager, select Networking > Segments .
b. In vCenter, select Networking > SDDC-Datacenter .

Create DHCP relay service


If you want to use a third-party external DHCP server, you'll need to create a DHCP relay service. You'll also
specify the DHCP IP address range in NSX-T Manager.
1. In NSX-T Manager, select Networking > DHCP, and then select Add Server.
2. Select DHCP Relay for the Server Type, provide the server name and IP address, and then select Save.
3. Select Tier 1 Gateways, select the vertical ellipsis on the Tier-1 gateway, and then select Edit.
4. Select No IP Allocation Set to define the IP address allocation.
5. For Type, select DHCP Server.
6. For the DHCP Server, select DHCP Relay, and then select Save.
7. Select Save again and then select Close Editing.

Specify the DHCP IP address range


1. In NSX-T Manager, select Networking > Segments .
2. Select the vertical ellipsis on the segment name and select Edit .
3. Select Set Subnets to specify the DHCP IP address for the subnet.

4. Modify the gateway IP address if needed, and enter the DHCP range IP.

5. Select Apply , and then Save . The segment is assigned a DHCP server pool.
Send DHCP requests to the on-premises DHCP server
If you want to send DHCP requests from your Azure VMware Solution VMs on the L2 extended segment to the
on-premises DHCP server, you'll create a security segment profile.
1. Sign in to your on-premises vCenter, and under Home , select HCX .
2. Select Network Extension under Services.
3. Select the network extension you want to support DHCP requests from Azure VMware Solution to on-
premises.
4. Take note of the destination network name.

5. In the Azure VMware Solution NSX-T Manager, select Networking > Segments > Segment Profiles .
6. Select Add Segment Profile and then Segment Security .
7. Provide a name and a tag, and then set the BPDU Filter toggle to ON and all the DHCP toggles to OFF.

8. Remove all the MAC addresses, if any, under the BPDU Filter Allow List . Then select Save .

9. Under Networking > Segments > Segments, in the search area, enter the destination network name.

10. Select the vertical ellipsis on the segment name and select Edit .
11. Change the Segment Security to the segment profile you created earlier.

Next steps
Learn more about Host maintenance and lifecycle management.
Complete disaster recovery of virtual machines
using Azure VMware Solution
11/2/2020 • 4 minutes to read • Edit Online

This article contains the process to complete disaster recovery of your virtual machines (VMs) with VMware
HCX solution and using an Azure VMware Solution private cloud as the recovery or target site.
VMware HCX provides various operations that provide fine control and granularity in replication policies.
Available Operations include:
Reverse – After a disaster has occurred, Reverse helps make Site B the source site and Site A the site where the protected VM now lives.
Pause – Pause the current replication policy associated with the selected VM.
Resume - Resume the current replication policy associated with the selected VM.
Remove - Remove the current replication policy associated with the selected VM.
Sync Now – Out-of-band sync of the source VM to the protected VM.
This guide covers the following replication scenarios:
Protect a VM or a group of VMs.
Complete a Test Recover of a VM or a group of VMs.
Recover a VM or a group of VMs.
Reverse Protection of a VM or a group of VMs.

Protect VMs
1. Log into vSphere Client on the source site and access HCX plugin .

2. Enter the Disaster Recovery area and select PROTECT VMS.


3. Select the Source and the Remote sites. The Remote site in this case should be the Azure VMware
Solution private cloud.

4. If needed, select the Default replication options:


Enable Compression: Recommended for low throughput scenarios.
Enable Quiescence: Pauses the VM to ensure a consistent copy is synced to the remote site.
Destination Storage: Remote datastore for the protected VMs; in an Azure VMware Solution private cloud, this should be the vSAN datastore.
Compute Container: Remote vSphere Cluster or Resource Pool.
Destination Folder: Remote destination folder, which is optional; if no folder is selected, the VMs are placed directly under the selected cluster.
RPO: Synchronization interval between the source VM and the protected VM. It can be anywhere from 5 minutes to 24 hours.
Snapshot interval: Interval between snapshots.
Number of Snapshots: Total number of snapshots within the configured snapshot interval.
5. Select one or more VMs from the list and configure the replication options as needed.
By default, the VMs inherit the Global Settings Policy configured in the Default replication options. For each network interface in the selected VM, configure the remote Network Port Group and select Finish to start the protection process.

6. Monitor the process for each of the selected VMs in the same disaster recovery area.

7. After the VM has been protected, you can view the different snapshots in the Snapshots tab.

The yellow triangle means the snapshots and the virtual machines haven't been tested in a Test Recovery
operation.
There are key differences between a VM that is powered off and one that is powered on. The image shows the syncing process for a powered-on VM: syncing runs until the first snapshot, which is a full copy of the VM, is finished, and the following snapshots are then taken at the configured interval. For a powered-off VM, one copy is synced, the VM then appears as inactive, and the protection operation shows as completed. When the VM is powered on, it starts syncing to the remote site.

Complete a test recover of VMs


1. Log into vSphere Client on the remote site, which is the Azure VMware Solution private cloud.
2. Within the HCX plugin , in the Disaster Recovery area, select the vertical ellipses on any VM to display
the operations menu and then select Test Recover VM .

3. Select the options for the test and the snapshot you want to use to test different states of the VM.

4. After selecting Test , the recovery operation begins.


5. When finished, you can check the new VM in the Azure VMware Solution private cloud vCenter.

6. After testing has been done on the VM or any application running on it, do a cleanup to delete the test
instance.
Recover VMs
1. Log into vSphere Client on the remote site, which is the Azure VMware Solution private cloud, and
access the HCX plugin .
For the recovery scenario, a group of VMs is used in this example.
2. Select the VM to be recovered from the list, open the ACTIONS menu, and select Recover VMs .

3. Configure the recovery options for each instance and select Recover to start the recovery operation.
4. After the recovery operation is completed, the new VMs appear in the remote vCenter Server inventory.

Complete a reverse replication on VMs


1. Log into vSphere Client on your Azure VMware Solution private cloud, and access HCX plugin .

NOTE
Ensure the original VMs on the source site are powered off before you start the reverse replication. The operation
fails if the VMs aren't powered off.

2. From the list, select the VMs to be replicated back to the source site, open the ACTIONS menu, and select
Reverse .
3. Select Reverse to start the replication.
4. Monitor progress in the details section of each VM.

Disaster recovery plan automation


VMware HCX currently doesn't have a built-in mechanism to create and automate a disaster recovery plan.
However, VMware HCX provides a set of REST APIs, including APIs for the Disaster Recovery operation. The API
specification can be accessed within VMware HCX Manager in the URL.
These APIs cover the following operations in Disaster Recovery.
Protect
Recover
Test Recover
Planned Recover
Reverse
Query
Test Cleanup
Pause
Resume
Remove Protection
Reconfigure
An example of a recover operation payload in JSON is shown below. The payload is a JSON array with one entry per protected VM replication:
[
  {
    "replicationId": "string",
    "needPowerOn": true,
    "instanceId": "string",
    "source": {
      "endpointType": "string",
      "endpointId": "string",
      "endpointName": "string",
      "resourceType": "string",
      "resourceId": "string",
      "resourceName": "string"
    },
    "destination": {
      "endpointType": "string",
      "endpointId": "string",
      "endpointName": "string",
      "resourceType": "string",
      "resourceId": "string",
      "resourceName": "string"
    },
    "placement": [
      {
        "containerType": "string",
        "containerId": "string"
      }
    ],
    "resourceId": "string",
    "forcePowerOff": true,
    "isTest": true,
    "forcePowerOffAfterTimeout": true,
    "isPlanned": true
  }
]

With these APIs, you can build a custom mechanism to automate a disaster recovery plan's creation and
execution.
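As an added example (not code from the article or from VMware HCX), the following Python builds and validates entries of that recover payload and sequences them into a plan that rehearses with Test Recover before a real Recover. The HCX Manager URL and the per-operation paths are not on the page, so the block stops at producing the request body; the sample identifiers and the mapping of operations to the isTest/isPlanned flags are assumptions.

```python
"""VMware HCX disaster-recovery 'recover' payload builder (added example, not
from the article or VMware; field names follow the payload shown above)."""
import json
from typing import Dict, List, Tuple

# Recovery operations named in the article. Tying each to the isTest/isPlanned
# flags is this example's own convention, derived from the field names.
RECOVERY_OPERATIONS = {
    "Recover": {"isTest": False, "isPlanned": False},
    "Test Recover": {"isTest": True, "isPlanned": False},
    "Planned Recover": {"isTest": False, "isPlanned": True},
}
ENDPOINT_KEYS = ("endpointType", "endpointId", "endpointName",
                 "resourceType", "resourceId", "resourceName")
STRING_KEYS = ("replicationId", "instanceId", "resourceId")
BOOL_KEYS = ("needPowerOn", "forcePowerOff", "isTest",
             "forcePowerOffAfterTimeout", "isPlanned")

def endpoint(*values: str) -> Dict[str, str]:
    """A 'source' or 'destination' block, values in ENDPOINT_KEYS order."""
    if len(values) != len(ENDPOINT_KEYS):
        raise ValueError(f"endpoint needs {len(ENDPOINT_KEYS)} values")
    return dict(zip(ENDPOINT_KEYS, values))

def validate_entry(entry: dict, operation: str) -> None:
    """Reject an entry whose shape or flags do not fit the requested operation."""
    flags = RECOVERY_OPERATIONS.get(operation)
    if flags is None:
        raise ValueError(f"unsupported recovery operation: {operation!r}")
    for key in STRING_KEYS:
        if not isinstance(entry.get(key), str) or not entry[key]:
            raise ValueError(f"{key} must be a non-empty string")
    for key in BOOL_KEYS:
        if not isinstance(entry.get(key), bool):
            raise ValueError(f"{key} must be a boolean")
    for side in ("source", "destination"):
        block = entry.get(side)
        if not isinstance(block, dict) or set(block) != set(ENDPOINT_KEYS):
            raise ValueError(f"{side} must contain exactly {ENDPOINT_KEYS}")
        if any(not isinstance(v, str) or not v for v in block.values()):
            raise ValueError(f"{side} values must be non-empty strings")
    placement = entry.get("placement")
    if not isinstance(placement, list) or not placement or any(
            not isinstance(p, dict) or set(p) != {"containerType", "containerId"}
            for p in placement):
        raise ValueError("placement must be a non-empty list of containers")
    # The guard that matters operationally: a rehearsal must carry isTest=true,
    # and a real or planned recovery must never be sent with the test flag set.
    for flag, expected in flags.items():
        if entry[flag] is not expected:
            raise ValueError(f"{operation} requires {flag}={expected}")

def recover_entry(replication_id: str, instance_id: str, source: dict,
                  destination: dict, placement: List[Tuple[str, str]],
                  resource_id: str, operation: str = "Test Recover",
                  need_power_on: bool = True, force_power_off: bool = False,
                  force_power_off_after_timeout: bool = False) -> dict:
    """One element of the recover payload array, validated for `operation`."""
    flags = RECOVERY_OPERATIONS.get(operation, {})
    entry = {
        "replicationId": replication_id,
        "needPowerOn": need_power_on,
        "instanceId": instance_id,
        "source": source,
        "destination": destination,
        "placement": [{"containerType": t, "containerId": i} for t, i in placement],
        "resourceId": resource_id,
        "forcePowerOff": force_power_off,
        "isTest": flags.get("isTest", False),
        "forcePowerOffAfterTimeout": force_power_off_after_timeout,
        "isPlanned": flags.get("isPlanned", False),
    }
    validate_entry(entry, operation)
    return entry

def recover_payload(entries: List[dict], operation: str) -> str:
    """Serialize validated entries as the JSON array the recover call takes."""
    for entry in entries:
        validate_entry(entry, operation)
    return json.dumps(entries, indent=2)

# Constructed sample values, not real HCX identifiers.
SAMPLE_SOURCE = endpoint("vcenter", "src-vc-01", "onprem-vcenter",
                         "datacenter", "dc-01", "OnPrem-DC")
SAMPLE_DEST = endpoint("vcenter", "avs-vc-01", "avs-vcenter",
                       "datacenter", "dc-avs", "SDDC-Datacenter")

def sample_plan() -> List[Tuple[str, str]]:
    """Plan for one protected VM: rehearse with Test Recover, then Recover.
    The article also lists Test Cleanup between the two; its body is not on
    the page, so that step is left to the caller."""
    vm = dict(replication_id="rep-0001", instance_id="inst-0001",
              source=SAMPLE_SOURCE, destination=SAMPLE_DEST,
              placement=[("ResourcePool", "resgroup-42")], resource_id="vm-101")
    return [(op, recover_payload([recover_entry(operation=op, **vm)], op))
            for op in ("Test Recover", "Recover")]
```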
Create a content library to deploy VMs in Azure
VMware Solution
2/11/2021 • 2 minutes to read • Edit Online

A content library stores and manages content in the form of library items. A single library item consists of one
or more files you use to deploy virtual machines (VMs).
In this article, we'll walk through the procedure for creating a content library. Then we'll walk through deploying
a VM using an ISO image from the content library.

Prerequisites
An NSX-T logical switch segment and a managed DHCP service are required to complete this tutorial. For more
information, see the How to manage DHCP in Azure VMware Solution article.

Create a content library


1. From the on-premises vSphere Client, select Menu > Content Libraries .

2. Select the Add button to create a new content library.


3. Specify a name and confirm the IP address of the vCenter server and select Next .

4. Select the Local content library and select Next.


5. Select the datastore that will store your content library, and then select Next .

6. Review and verify the content library settings, and then select Finish .
Upload an ISO image to the content library
Now that the content library has been created, you can add an ISO image to deploy a VM to a private cloud
cluster.
1. From the vSphere Client, select Menu > Content Libraries .
2. Right-click the content library you want to use for the new ISO and select Import Item.
3. Import a library item for the Source by doing one of the following, and then select Import:
a. Select URL and provide a URL to download an ISO.
b. Select Local File to upload from your local system.

TIP
Optionally, you can define a custom item name and notes for the Destination.

4. Open the library and select the Other Types tab to verify that your ISO was uploaded successfully.

Deploy a VM to a private cloud cluster


1. From the vSphere Client, select Menu > Hosts and Clusters .
2. In the left panel, expand the tree and select a cluster.
3. Select Actions > New Virtual Machine.
4. Go through the wizard and modify the settings you want.
5. Select New CD/DVD Drive > Client Device > Content Library ISO File.
6. Select the ISO uploaded in the previous section and then select OK .
7. Select the Connect check box so the ISO is mounted at power-on time.
8. Select New Network > Select dropdown > Browse .
9. Select the logical switch (segment) and select OK .
10. Modify any other hardware settings and select Next .
11. Verify the settings and select Finish .

Next steps
Now that you've covered creating a content library to deploy VMs in Azure VMware Solution, you may want to
learn about:
Deploying and configuring VMware HCX to migrate VM workloads to your private cloud.
Lifecycle management of Azure VMware Solution VMs.
Set up GitHub Enterprise Server on your Azure
VMware Solution private cloud
2/11/2021 • 7 minutes to read • Edit Online

In this article, we walk through the steps to set up GitHub Enterprise Server, the "on-premises" version of
GitHub.com, on your Azure VMware Solution private cloud. The scenario covered in this walk-through is for a
GitHub Enterprise Server instance capable of serving up to 3,000 developers running up to 25 jobs per minute
on GitHub Actions. It includes the setup of (at time of writing) preview features, such as GitHub Actions. To
customize the setup for your particular needs, review the requirements listed in Installing GitHub Enterprise
Server on VMware.

Before you begin


GitHub Enterprise Server requires a valid license key. You may sign up for a trial license. If you are looking to
extend the capabilities of GitHub Enterprise Server via an integration, you may qualify for a free five-seat
developer license. Apply for this license through GitHub's Partner Program.

Installing GitHub Enterprise Server on VMware


Download the current release of GitHub Enterprise Server for VMware ESXi/vSphere (OVA) and deploy the OVA
template you downloaded.
Provide a recognizable name for your new virtual machine, such as GitHubEnterpriseServer. You don't need to
include the release details in the VM name, as these details become stale when the instance is upgraded. Select
all the defaults for now (we'll edit these details shortly) and wait for the OVA to be imported.
Once imported, adjust the hardware configuration based on your needs. In our example scenario, we'll need the
following configuration.

RESOURCE           STANDARD SETUP   STANDARD SETUP + "BETA FEATURES" (ACTIONS)
vCPUs              4                8
Memory             32 GB            61 GB
Attached storage   250 GB           300 GB
Root storage       200 GB           200 GB

However, your needs may vary. Refer to the guidance on hardware considerations in Installing GitHub Enterprise
Server on VMware. Also see Adding CPU or memory resources for VMware to customize the hardware
configuration based on your situation.

Configuring the GitHub Enterprise Server instance


After the newly provisioned virtual machine (VM) has powered on, configure it via your browser. You'll be
required to upload your license file and set a management console password. Be sure to write down this
password somewhere safe.

We recommend at least the following steps:


1. Upload a public SSH key to the management console, so that you can access the administrative shell via
SSH.
2. Configure TLS on your instance so that you can use a certificate that is signed by a trusted certificate
authority.
Apply your settings. While the instance restarts, you can continue with the next step, Configuring Blob
Storage for GitHub Actions .

Once the instance restarts, create a new admin account on the instance. Be sure to make a note of this user's
password as well.
Other configuration steps
To harden your instance for production use, the following optional setup steps are recommended:
1. Configure high availability for protection against:
Software crashes (OS or application level)
Hardware failures (storage, CPU, RAM, and so on)
Virtualization host system failures
Logically or physically severed network
2. Configure backup utilities, providing versioned snapshots for disaster recovery, hosted separately from the primary instance.
3. Set up subdomain isolation, using a valid TLS certificate, to mitigate cross-site scripting and other related vulnerabilities.

Configuring blob storage for GitHub Actions


NOTE
GitHub Actions is currently available as a limited beta on GitHub Enterprise Server release 2.22.

External blob storage is necessary to enable GitHub Actions on GitHub Enterprise Server (currently available as
a "beta" feature). This external blob storage is used by Actions to store artifacts and logs. Actions on GitHub
Enterprise Server supports Azure Blob Storage as a storage provider (and some others). So we'll provision a
new Azure storage account with a storage account type of BlobStorage:

Once the deployment of the new BlobStorage resource has completed, copy and make a note of the connection
string (available under Access keys). We'll need this string shortly.

Setting up the GitHub Actions runner


NOTE
GitHub Actions is currently available as a limited beta on GitHub Enterprise Server release 2.22.

At this point, you should have an instance of GitHub Enterprise Server running, with an administrator account
created. You should also have external blob storage that GitHub Actions will use for persistence.
Now let's create somewhere for GitHub Actions to run; again, we'll use Azure VMware Solution.
First, let's provision a new VM on the cluster. We'll base our VM on a recent release of Ubuntu Server.
Once the VM is created, power it up and connect to it via SSH.
Next, install the Actions runner application, which runs a job from a GitHub Actions workflow. Identify and
download the most current Linux x64 release of the Actions runner, either from the releases page or by running
the following quick script. This script requires both curl and jq to be present on your VM.
# Look up the newest runner release and pick the full Linux x64 tarball asset
# (the anchored pattern skips any variant builds that share the prefix)
LATEST_RELEASE_ASSET_URL=$( curl -s https://api.github.com/repos/actions/runner/releases/latest | \
  jq -r '.assets | .[] | select(.name | test("^actions-runner-linux-x64-[0-9.]+\\.tar\\.gz$")) | .url' )
# The asset's API URL returns JSON that carries the actual download link
DOWNLOAD_URL=$( curl -s "$LATEST_RELEASE_ASSET_URL" | \
  jq -r '.browser_download_url' )
curl -OL "$DOWNLOAD_URL"

You should now have a file locally on your VM, actions-runner-linux-x64-*.tar.gz. Extract this tarball locally:
tar xzf actions-runner-linux-x64-*.tar.gz

This extraction unpacks a few files locally, including a config.sh and run.sh script, which we'll come back to
shortly.
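The download script above hard-codes one architecture; as an added example (not from the article or from GitHub), this Python picks the runner tarball from a releases/latest response by the VM's own uname -m value and refuses ambiguous or missing matches. The sample release data, version number and URLs are constructed.

```python
"""Choose the GitHub Actions runner tarball for this VM's CPU architecture.
Added example, not from the article or from GitHub; it mirrors the jq filter in
the download script above but derives the architecture from uname -m."""
import platform
import re
from typing import Optional

# uname -m / platform.machine() value -> architecture tag in release asset names.
MACHINE_TO_RUNNER_ARCH = {"x86_64": "x64", "amd64": "x64",
                          "aarch64": "arm64", "arm64": "arm64"}


def runner_arch(machine: Optional[str] = None) -> str:
    """Map the machine type to the runner's architecture tag, or fail loudly."""
    machine = machine or platform.machine()
    try:
        return MACHINE_TO_RUNNER_ARCH[machine]
    except KeyError:
        raise ValueError(f"no Linux runner build for machine type {machine!r}") from None


def pick_runner_asset(release: dict, machine: Optional[str] = None) -> dict:
    """Return the one full Linux tarball asset for this machine from a GitHub
    releases/latest response. Variant builds such as -noruntime are excluded,
    and zero or several matches raise instead of silently picking one."""
    pattern = re.compile(
        rf"^actions-runner-linux-{runner_arch(machine)}-\d+\.\d+\.\d+\.tar\.gz$")
    matches = [a for a in release.get("assets", []) if pattern.match(a["name"])]
    if len(matches) != 1:
        raise LookupError(
            f"expected one asset matching {pattern.pattern}, found {len(matches)}")
    return matches[0]


# Constructed sample shaped like the API response; version and URLs are made up.
SAMPLE_RELEASE = {
    "tag_name": "v2.0.0",
    "assets": [
        {"name": "actions-runner-linux-x64-2.0.0.tar.gz",
         "url": "https://api.example.invalid/assets/1",
         "browser_download_url": "https://dl.example.invalid/actions-runner-linux-x64-2.0.0.tar.gz"},
        {"name": "actions-runner-linux-x64-2.0.0-noruntime.tar.gz",
         "url": "https://api.example.invalid/assets/2",
         "browser_download_url": "https://dl.example.invalid/actions-runner-linux-x64-2.0.0-noruntime.tar.gz"},
        {"name": "actions-runner-linux-arm64-2.0.0.tar.gz",
         "url": "https://api.example.invalid/assets/3",
         "browser_download_url": "https://dl.example.invalid/actions-runner-linux-arm64-2.0.0.tar.gz"},
        {"name": "actions-runner-win-x64-2.0.0.zip",
         "url": "https://api.example.invalid/assets/4",
         "browser_download_url": "https://dl.example.invalid/actions-runner-win-x64-2.0.0.zip"},
    ],
}
```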

Enabling GitHub Actions

NOTE
GitHub Actions is currently available as a limited beta on GitHub Enterprise Server release 2.22.

Nearly there! Let's configure and enable GitHub Actions on the GitHub Enterprise Server instance. We'll need to
access the GitHub Enterprise Server instance's administrative shell over SSH, and then run the following
commands:

# set an environment variable containing your Blob storage connection string
export CONNECTION_STRING="<your connection string from the blob storage step>"

# configure actions storage
ghe-config secrets.actions.storage.blob-provider azure
ghe-config secrets.actions.storage.azure.connection-string "$CONNECTION_STRING"

# apply these settings
ghe-config-apply

# execute a precheck; this installs additional software required by Actions on GitHub Enterprise Server
ghe-actions-precheck -p azure -cs "$CONNECTION_STRING"

# enable actions, and re-apply the config
ghe-config app.actions.enabled true
ghe-config-apply

Next, run:

ghe-actions-check -s blob

You should see the output "Blob Storage is healthy".
Now that GitHub Actions is configured, enable it for your users. Sign in to your GitHub Enterprise Server
instance as an administrator, and select the icon in the upper-right corner of any page. In the left sidebar, select
Enterprise overview, then Policies, then Actions, and select the option to enable Actions for all
organizations.
Next, configure your runner from the Self-hosted runners tab. Select Add new and then New runner from
the drop-down.
On the next page, you'll be presented with a set of commands to run; we just need the command that configures
the runner, for instance:

./config.sh --url https://10.1.1.26/enterprises/octo-org --token AAAAAA5RHF34QLYBDCHWLJC7L73MA

Copy the config.sh command and paste it into a session on your Actions runner (created previously).
Use the run.sh script (./run.sh) to start the runner.
To make this runner available to organizations in your enterprise, edit its organization access. Here we make it
available to all organizations, but you can also limit access to a subset of organizations, and even to specific
repositories.

(Optional) Configuring GitHub Connect

Although this step is optional, we recommend it if you plan to consume open-source actions available on
GitHub.com. It allows you to build on the work of others by referencing these reusable actions in your
workflows.
To enable GitHub Connect, follow the steps in Enabling automatic access to GitHub.com actions using GitHub
Connect.
Once GitHub Connect is enabled, select the Server to use actions from GitHub.com in workflow runs
option.

Setting up and running your first workflow

Now that Actions and GitHub Connect are set up, let's put all this work to good use. Here's an example workflow
that references the excellent octokit/request-action, allowing us to "script" GitHub through interactions using the
GitHub API, powered by GitHub Actions.
In this basic workflow, we'll use octokit/request-action to just open an issue on GitHub using the API.

NOTE
GitHub.com hosts the action, but when it runs on GitHub Enterprise Server, it automatically uses the GitHub Enterprise
Server API.

If you chose to not enable GitHub Connect, you can use the following alternative workflow.

Navigate to a repo on your instance, and add the above workflow as: .github/workflows/hello-world.yml
In the Actions tab for your repo, wait for the workflow to execute.

You can also watch it being processed by the runner.

If everything ran successfully, you should see a new issue in your repo, entitled "Hello world."
Congratulations! You just completed your first Actions workflow on GitHub Enterprise Server, running on your
Azure VMware Solution private cloud.
In this article, we set up a new instance of GitHub Enterprise Server, the self-hosted equivalent of GitHub.com, on
top of your Azure VMware Solution private cloud. This instance includes support for GitHub Actions and uses
Azure Blob Storage for persistence of logs and artifacts. But we are just scratching the surface of what you can
do with GitHub Actions. Check out the list of Actions on GitHub's Marketplace, or create your own.

Next steps
Now that you've seen how to set up GitHub Enterprise Server on your Azure VMware Solution private cloud,
you may want to learn about:
Getting started with GitHub Actions.
Joining the beta program.
Administration of GitHub Enterprise Server.
How to use the public IP functionality in Azure VMware Solution
2/11/2021 • 3 minutes to read

Public IP is a new feature in Azure VMware Solution connectivity. It makes resources, such as web servers,
virtual machines (VMs), and hosts accessible through a public network.
You can enable public internet access in two ways:
Applications can be hosted and published behind the Application Gateway load balancer for HTTP/HTTPS
traffic.
Applications can be published through the public IP features in Azure Virtual WAN.
As part of an Azure VMware Solution private cloud deployment, enabling the public IP functionality creates and
enables the required components automatically:
Virtual WAN
Virtual WAN hub with ExpressRoute connectivity
Azure Firewall services with public IP
This article details how you can use the public IP functionality in Virtual WAN.

Prerequisites
Azure VMware Solution environment
A web server running in the Azure VMware Solution environment.
A new non-overlapping IP range for the Virtual WAN hub deployment, typically a /24.

Reference architecture
The architecture diagram shows a web server hosted in the Azure VMware Solution environment and
configured with RFC1918 private IP addresses. The web service is made available to the internet through Virtual
WAN public IP functionality. The public IP is typically a destination NAT (DNAT) address translated in Azure
Firewall: with DNAT rules, the firewall policy translates requests for the public IP address to a private address
(the web server) and a port.
User requests hit the firewall on a public IP that, in turn, is translated to a private IP using the DNAT rules in the
Azure Firewall. The firewall checks the NAT table, and if the request matches an entry, it forwards the traffic to
the translated address and port in the Azure VMware Solution environment.
The web server receives the request and replies with the requested information or page to the firewall, and the
firewall then forwards the reply to the user from the public IP address.

Test case
In this scenario, you'll publish an IIS web server to the internet. Use the public IP feature in Azure VMware
Solution to publish the website on a public IP address. You'll also configure NAT rules on the firewall and access
the Azure VMware Solution resource (a VM running a web server) through the public IP.

Deploy Virtual WAN

1. Sign in to the Azure portal and then search for and select Azure VMware Solution.
2. Select the Azure VMware Solution private cloud.
3. Under Manage, select Connectivity.
4. Select the Public IP tab and then select Configure.
5. Accept the default values or change them, and then select Create.
Virtual WAN resource group
Virtual WAN name
Virtual hub address block (using the new non-overlapping IP range)
Number of public IPs (1-100)
It takes about one hour to complete the deployment of all components. This deployment only has to occur once
to support all future public IPs for this Azure VMware Solution environment.

TIP
You can monitor the status from the Notification area.

View and add public IP addresses

To view the public IP addresses already allocated, or to add more, follow these steps.
1. In the Azure portal, search for and select Firewall.
2. Select a deployed firewall and then select Visit Azure Firewall Manager to configure and manage
this firewall.
3. Select Secured virtual hubs and, from the list, select a virtual hub.
4. On the virtual hub page, select Public IP configuration, and to add more public IP addresses, select
Add.
5. Provide the number of IPs required and select Add.

Create firewall policies

Once all components are deployed, you can see them in the added resource group. The next step is to add a
firewall policy.
1. In the Azure portal, search for and select Firewall.
2. Select a deployed firewall and then select Visit Azure Firewall Manager to configure and manage
this firewall.
3. Select Azure Firewall Policies and then select Create Azure Firewall Policy.
4. Under the Basics tab, provide the required details and select Next: DNS Settings.
5. Under the DNS tab, select Disable, and then select Next: Rules.
6. Select Add a rule collection, provide the details below, select Add, and then select Next: Threat
intelligence.
Name
Rule collection type - DNAT
Priority
Rule collection action - Allow
Name of rule
Source type - IP address
Source - *
Protocol - TCP
Destination port - 80
Destination type - IP Address
Destination - Public IP address
Translated address - Azure VMware Solution web server private IP address
Translated port - Azure VMware Solution web server port
7. Leave the default value, and then select Next: Hubs.
8. Select Associate virtual hub.
9. Select a hub from the list and select Add.
10. Select Next: Tags.
11. (Optional) Create name and value pairs to categorize your resources.
12. Select Next: Review + create and then select Create.
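To make the firewall behaviour described in the reference architecture concrete (the NAT-table lookup, the rewrite to the translated address and port, and the reply path back to the public IP), here is a small Python model of the DNAT rule created in the steps above. It is an added example, not code from Microsoft or from Azure Firewall itself; the addresses 203.0.113.10, 198.51.100.7 and 10.2.1.20, the port 8080, the rule name publish-iis and the collection priority 100 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple, as seen on either side of the firewall."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    """The fields of the article's DNAT rule, one rule per published service."""
    name: str
    protocol: str             # "TCP" or "UDP"
    source: str               # "*" (any) or a CIDR
    destination: str          # public IP address on the secured virtual hub
    destination_port: int
    translated_address: str   # private IP of the Azure VMware Solution web server
    translated_port: int

    def matches(self, flow: Flow) -> bool:
        if flow.proto != self.protocol or flow.dst_port != self.destination_port:
            return False
        if ipaddress.ip_address(flow.dst_ip) != ipaddress.ip_address(self.destination):
            return False
        return self.source == "*" or ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(self.source)


class DnatFirewall:
    """Model of the inbound path the article describes: rule collections are evaluated
    in priority order (lowest number first); a matching request has its destination
    rewritten to the translated address and port and is forwarded into the private
    cloud; the reply is mapped back so the client only ever sees the public IP."""

    def __init__(self, collections: List[Tuple[int, List[DnatRule]]]):
        ordered = sorted(collections, key=lambda c: c[0])
        self._rules: List[DnatRule] = [r for _, rules in ordered for r in rules]
        # (client ip, client port, translated ip, translated port) -> (public ip, public port)
        self._sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def inbound(self, flow: Flow) -> Tuple[Optional[Flow], Optional[str]]:
        for rule in self._rules:
            if rule.matches(flow):
                translated = Flow(flow.proto, flow.src_ip, flow.src_port,
                                  rule.translated_address, rule.translated_port)
                key = (flow.src_ip, flow.src_port, translated.dst_ip, translated.dst_port)
                self._sessions[key] = (flow.dst_ip, flow.dst_port)
                return translated, rule.name
        return None, None   # no NAT-table entry: nothing is forwarded to the private cloud

    def reply(self, flow: Flow) -> Optional[Flow]:
        key = (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
        session = self._sessions.get(key)
        if session is None:
            return None     # not an answer to a translated request: dropped
        public_ip, public_port = session
        return Flow(flow.proto, public_ip, public_port, flow.dst_ip, flow.dst_port)


def build_sample_firewall() -> DnatFirewall:
    """Constructed sample: one rule collection publishing an IIS server on port 80.
    203.0.113.10 and 10.2.1.20 are placeholder addresses, not values from the article."""
    publish_iis = DnatRule(
        name="publish-iis", protocol="TCP", source="*",
        destination="203.0.113.10", destination_port=80,
        translated_address="10.2.1.20", translated_port=8080,
    )
    return DnatFirewall([(100, [publish_iis])])


if __name__ == "__main__":
    fw = build_sample_firewall()
    request = Flow("TCP", "198.51.100.7", 51000, "203.0.113.10", 80)
    forwarded, rule = fw.inbound(request)
    print(rule, forwarded)           # publish-iis, destination now 10.2.1.20:8080
    answer = Flow("TCP", "10.2.1.20", 8080, "198.51.100.7", 51000)
    print(fw.reply(answer))          # source restored to 203.0.113.10:80
    print(fw.inbound(Flow("TCP", "198.51.100.7", 51001, "203.0.113.10", 443)))  # (None, None)
```

The two negative cases are the ones worth keeping in mind when a published site is unreachable: a request on a port or protocol with no rule never enters the private cloud, and a reply that does not correspond to a translated request is dropped rather than forwarded.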

Limitations
You can have 100 public IPs per SDDC.

Next steps
Now that you've covered how to use the public IP functionality in Azure VMware Solution, you may want to
learn about:
Using public IP addresses with Azure Virtual WAN.
Creating an IPSec tunnel into Azure VMware Solution.
Create an IPSec tunnel into Azure VMware Solution
2/11/2021 • 5 minutes to read

In this article, we'll go through the steps to establish a VPN (IPsec IKEv1 and IKEv2) site-to-site tunnel
terminating in the Microsoft Azure Virtual WAN hub. We'll create an Azure Virtual WAN hub and a VPN gateway
with a public IP address attached to it. Then we'll create an Azure ExpressRoute gateway and establish an Azure
VMware Solution endpoint. We'll also go over the details of enabling a policy-based VPN on-premises setup.

Topology

The Azure Virtual WAN hub contains the Azure VMware Solution ExpressRoute gateway and the site-to-site VPN
gateway. It connects an on-premises VPN device with an Azure VMware Solution endpoint.

Before you begin


To create the site-to-site VPN tunnel, you'll need to create a public-facing IP address terminating on an on-
premises VPN device.

Create a Virtual WAN hub

1. In the Azure portal, search on Virtual WANs. Select +Add. The Create WAN page opens.
2. Enter the required fields on the Create WAN page and then select Review + Create.

   FIELD                      VALUE
   Subscription               Value is pre-populated with the subscription belonging to the resource group.
   Resource group             The Virtual WAN is a global resource and isn't confined to a specific region.
   Resource group location    To create the Virtual WAN hub, you need to set a location for the resource group.
   Name
   Type                       Select Standard, which will allow more than just the VPN gateway traffic.

3. In the Azure portal, select the Virtual WAN you created in the previous step, select Create virtual hub,
enter the required fields, and then select Next: Site to site.

   FIELD                      VALUE
   Region                     Selecting a region is required from a management perspective.
   Name
   Hub private address space  Enter the subnet using a /24 (minimum).

4. On the Site-to-site tab, define the site-to-site gateway by setting the aggregate throughput from the
Gateway scale units drop-down.

TIP
One scale unit = 500 Mbps. The scale units are in pairs for redundancy, each supporting 500 Mbps.

5. On the ExpressRoute tab, create an ExpressRoute gateway.

TIP
A scale unit value is 2 Gbps.

It takes approximately 30 minutes to create each hub.

Create a VPN site

1. In Recent resources in the Azure portal, select the virtual WAN you created in the previous section.
2. In the Overview of the virtual hub, select Connectivity > VPN (Site-to-site), and then select Create
new VPN site.
3. On the Basics tab, enter the required fields and then select Next: Links.

   FIELD                      VALUE
   Region                     The same region you specified in the previous section.
   Name
   Device vendor
   Border Gateway Protocol    Set to Enable to ensure both Azure VMware Solution and the on-premises servers
                              advertise their routes across the tunnel. If disabled, the subnets that need to be
                              advertised must be manually maintained. If subnets are missed, HCX will fail to form
                              the service mesh. For more information, see About BGP with Azure VPN Gateway.
   Private address space      Enter the on-premises CIDR block. It's used to route all traffic bound for
                              on-premises across the tunnel. The CIDR block is only required if you don't enable BGP.
   Connect to

4. On the Links tab, fill in the required fields and select Review + create. Specifying link and provider
names allows you to distinguish between any number of gateways that may eventually be created as part
of the hub. BGP and autonomous system number (ASN) must be unique inside your organization.

(Optional) Defining a VPN site for policy-based VPN site-to-site tunnels

This section applies only to policy-based VPNs. Policy-based (or static, route-based) VPN setups are driven by
on-premises VPN device capabilities in most cases. They require the on-premises and Azure VMware Solution
networks to be specified. For Azure VMware Solution with an Azure Virtual WAN hub, you can't select any
network. Instead, you have to specify all relevant on-premises and Azure VMware Solution Virtual WAN hub
ranges. These hub ranges are used to specify the encryption domain of the policy-based VPN tunnel's on-premises
endpoint. The Azure VMware Solution side only requires the policy-based traffic selector indicator to be enabled.
1. In the Azure portal, go to your Virtual WAN hub site; under Connectivity, select VPN (Site to site).
2. Select your VPN site name and then the ellipsis (...) at the far right; then select Edit VPN connection to
this hub.
3. Edit the connection between the VPN site and the hub, and then select Save.
For Internet Protocol Security (IPSec), select Custom.
For Use policy-based traffic selector, select Enable.
Specify the details for IKE Phase 1 and IKE Phase 2 (IPsec).

Your traffic selectors, or the subnets that are part of the policy-based encryption domain, should be:
The virtual WAN hub /24
The Azure VMware Solution private cloud /22
The connected Azure virtual network (if present)
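Both the Virtual WAN hub address block (a new non-overlapping /24, as the public IP prerequisites and the hub creation step require) and the policy-based encryption domain listed above are sets of prefixes that are easy to get wrong by hand, and the failure shows up late, as a route that shadows another or a tunnel that silently carries no traffic for a subnet. The following Python helper, an added example rather than anything from Microsoft's documentation or tooling, checks a candidate hub range against the ranges already in use and builds the traffic-selector list from the plan; the ranges in EXISTING_RANGES are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed sample address plan; placeholder ranges, not values from the article.
EXISTING_RANGES: Dict[str, str] = {
    "avs-private-cloud": "10.2.0.0/22",     # the /22 given to the private cloud when it was created
    "on-premises":       "192.168.0.0/16",  # on-premises CIDR block that crosses the tunnel
    "hub-vnet":          "10.3.0.0/24",     # an Azure virtual network already connected to the hub
}


def validate_hub_range(candidate: str, existing: Dict[str, str], minimum_prefix: int = 24) -> List[str]:
    """Return the problems with a proposed Virtual WAN hub address block.

    An empty list means the block is usable: a well-formed IPv4 network, at least
    as large as the /24 the article calls for, and disjoint from every range that
    is already in use. Every overlapping range is reported, not just the first.
    """
    problems: List[str] = []
    try:
        hub = ipaddress.ip_network(candidate, strict=True)  # rejects host bits set, e.g. 10.4.0.1/24
    except ValueError as exc:
        return [f"{candidate}: not a valid network ({exc})"]
    if hub.prefixlen > minimum_prefix:
        problems.append(f"{candidate}: smaller than the /{minimum_prefix} minimum")
    for name, cidr in existing.items():
        if hub.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{candidate}: overlaps {name} ({cidr})")
    return problems


def encryption_domain(hub_range: str, avs_range: str, vnet_ranges: List[str]) -> List[str]:
    """Traffic selectors the on-premises policy-based VPN device must carry.

    The article lists the hub /24, the private cloud /22 and any connected Azure
    virtual network. A selector missing here means that traffic never enters the
    tunnel, so the list is built from the plan rather than typed by hand, and it is
    de-duplicated and sorted so two administrators produce the same result.
    """
    selectors = {ipaddress.ip_network(hub_range), ipaddress.ip_network(avs_range)}
    selectors.update(ipaddress.ip_network(v) for v in vnet_ranges)
    return [str(n) for n in sorted(selectors)]


if __name__ == "__main__":
    for cand in ("10.4.0.0/24", "10.2.1.0/24", "10.4.0.0/25", "10.4.0.1/24"):
        print(cand, validate_hub_range(cand, EXISTING_RANGES) or "ok")
    print(encryption_domain("10.4.0.0/24", EXISTING_RANGES["avs-private-cloud"],
                            [EXISTING_RANGES["hub-vnet"]]))
```

Run the validation before the Virtual WAN deployment rather than after: the hub address block cannot be changed once the hub exists, and an overlap with the private cloud /22 or the on-premises block breaks routing for the whole tunnel rather than for one host.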

Connect your VPN site to the hub

1. Check the box next to your VPN site name (see the preceding VPN Site to site screenshot) and then select
Connect VPN sites. In the Pre-shared key field, enter the key previously defined for the on-premises
endpoint. If you don't have a previously defined key, you can leave this field blank and a key will be
automatically generated for you.
Only enable Propagate Default Route if you're deploying a firewall in the hub and it is the next hop for
connections through that tunnel.
Select Connect. A connection status screen will show the status of the tunnel creation.
2. Go to the Virtual WAN overview. Open the VPN site page and download the VPN configuration file to
apply it to the on-premises endpoint.
3. Now we'll patch the Azure VMware Solution ExpressRoute into the Virtual WAN hub. (This step requires
first creating your private cloud.)
Go to the Connectivity section of the Azure VMware Solution private cloud. On the ExpressRoute tab,
select + Request an authorization key. Name it and select Create. (It may take about 30 seconds to
create the key.) Copy the ExpressRoute ID and the authorization key.

NOTE
The authorization key will disappear after some time, so copy it as soon as it appears.

4. Next, we'll link Azure VMware Solution and the VPN gateway together in the Virtual WAN hub. In the
Azure portal, open the Virtual WAN you created earlier. Select the created Virtual WAN hub and then
select ExpressRoute in the left pane. Select + Redeem authorization key.
Paste the authorization key into the Authorization key field and the ExpressRoute ID into the Peer circuit
URI field. Make sure to select Automatically associate this ExpressRoute circuit with the hub.
Select Add to establish the link.
5. To test your connection, create an NSX-T segment and provision a VM on the network. Test by pinging
both the on-premises and Azure VMware Solution endpoints.
API Management to publish and protect APIs running on Azure VMware Solution-based VMs
2/11/2021 • 2 minutes to read

Microsoft Azure API Management lets you securely publish APIs to internal or external consumers. Only the
Developer and Premium SKUs allow Azure Virtual Network integration, which is needed to publish APIs running
on Azure VMware Solution workloads. Both SKUs securely enable the connectivity between the API Management
service and the backend.

NOTE
The Developer SKU is intended for development and testing while the Premium SKU is for production deployments.

The API Management configuration is the same for backend services that run on Azure VMware Solution virtual
machines (VMs) and on-premises. For both deployments, when the backend server is placed behind an NSX Load
Balancer on Azure VMware Solution, API Management uses the load balancer's virtual IP (VIP) as the backend
endpoint.

External deployment
An external deployment publishes APIs consumed by external users through a public endpoint. Developers and
DevOps engineers can manage APIs through the Azure portal or PowerShell, and through the API Management
developer portal.
The external deployment diagram shows the entire process and the actors involved (shown at the top). The
actors are:
Administrator(s): the admin or DevOps team, which manages Azure VMware Solution through the Azure
portal and automation mechanisms like PowerShell or Azure DevOps.
Users: the consumers of the exposed APIs, both people and services.
The traffic flow goes through the API Management instance, which abstracts the backend services and is plugged
into the Hub virtual network. The ExpressRoute Gateway routes the traffic to the ExpressRoute Global Reach
channel, where it reaches an NSX Load Balancer that distributes the incoming traffic to the backend service
instances.
API Management exposes a public API endpoint, so activating Azure DDoS Protection is recommended.

Internal deployment
An internal deployment publishes APIs consumed by internal users or systems. The DevOps team and API
developers use the same management tools and developer portal as in the external deployment.
Internal deployments can use Azure Application Gateway to create a public and secure endpoint for the API. The
gateway's capabilities are used to create a hybrid deployment that enables different scenarios:
Use the same API Management resource for consumption by both internal and external consumers.
Have a single API Management resource with a subset of APIs defined and available for external
consumers.
Provide an easy way to switch access to API Management from the public internet on and off.
The deployment diagram below shows consumers that can be internal or external, with each type accessing the
same or different APIs.
In an internal deployment, APIs are exposed through the same API Management instance. In front of API
Management, Application Gateway is deployed with the Azure Web Application Firewall (WAF) capability
activated, together with a set of HTTP listeners and rules that filter the traffic and expose only a subset of the
backend services running on Azure VMware Solution.
Internal traffic routes through the ExpressRoute Gateway to Azure Firewall and then to API Management,
directly or through traffic rules.
External traffic enters Azure through Application Gateway, which acts as the external protection layer for API
Management.
Integrate Azure VMware Solution in a hub and spoke architecture
2/11/2021 • 6 minutes to read

This article provides recommendations for integrating an Azure VMware Solution deployment in an existing or a
new Hub and Spoke architecture on Azure.
The Hub and Spoke scenario assumes a hybrid cloud environment with workloads on:
Native Azure using IaaS or PaaS services
Azure VMware Solution
vSphere on-premises

Architecture
The Hub is an Azure Virtual Network that acts as a central point of connectivity to your on-premises and Azure
VMware Solution private cloud. The Spokes are virtual networks peered with the Hub to enable cross-virtual
network communication.
Traffic between the on-premises datacenter, Azure VMware Solution private cloud, and the Hub goes through
Azure ExpressRoute connections. Spoke virtual networks usually contain IaaS based workloads but can have
PaaS services like App Service Environment, which has direct integration with Virtual Network, or other PaaS
services with Azure Private Link enabled.

IMPORTANT
You can use an existing ExpressRoute Gateway to connect to Azure VMware Solution as long as it does not exceed the
limit of four ExpressRoute circuits per virtual network. However, to access Azure VMware Solution from on-premises
through ExpressRoute, you must have ExpressRoute Global Reach since the ExpressRoute gateway does not provide
transitive routing between its connected circuits.

The diagram shows an example of a Hub and Spoke deployment in Azure connected to on-premises and Azure
VMware Solution through ExpressRoute Global Reach.
The architecture has the following main components:
On-premises site: Customer on-premises datacenter(s) connected to Azure through an ExpressRoute
connection.
Azure VMware Solution private cloud: Azure VMware Solution SDDC formed by one or more
vSphere clusters, each one with a maximum of 16 hosts.
ExpressRoute gateway: Enables the communication between the Azure VMware Solution private cloud,
shared services on the Hub virtual network, and workloads running on Spoke virtual networks.
ExpressRoute Global Reach: Enables the connectivity between on-premises and the Azure VMware
Solution private cloud. The connectivity between Azure VMware Solution and the Azure fabric is through
ExpressRoute Global Reach only. You can't select any option beyond ExpressRoute Fast Path. ExpressRoute
Direct isn't supported.
S2S VPN considerations: For Azure VMware Solution production deployments, Azure S2S VPN isn't
supported due to network requirements for VMware HCX. However, you can use it for a PoC deployment.
Hub virtual network: Acts as the central point of connectivity to your on-premises network and Azure
VMware Solution private cloud.
Spoke virtual network:
IaaS Spoke: An IaaS spoke hosts Azure IaaS based workloads, including VM availability sets and
virtual machine scale sets, and the corresponding network components.
PaaS Spoke: A PaaS Spoke hosts Azure PaaS services using private addressing thanks to Private
Endpoint and Private Link.
Azure Firewall: Acts as the central piece to segment traffic between the Spokes and Azure VMware
Solution.
Application Gateway: Exposes and protects web apps that run either on Azure IaaS/PaaS or Azure
VMware Solution virtual machines (VMs). It integrates with other services like API Management.

Network and security considerations
ExpressRoute connections enable traffic to flow between on-premises, Azure VMware Solution, and the Azure
network fabric. Azure VMware Solution uses ExpressRoute Global Reach to implement this connectivity.
Because an ExpressRoute gateway doesn't provide transitive routing between its connected circuits, on-premises
connectivity also must use ExpressRoute Global Reach to communicate between the on-premises vSphere
environment and Azure VMware Solution.
On-premises to Azure VMware Solution traffic flow

Azure VMware Solution to Hub VNET traffic flow

For more information on Azure VMware Solution networking and connectivity concepts, see the Azure VMware
Solution product documentation.
Traffic segmentation
Azure Firewall is the Hub and Spoke topology's central piece, deployed on the Hub virtual network. Use Azure
Firewall or another Azure supported network virtual appliance to establish traffic rules and segment the
communication between the different spokes and Azure VMware Solution workloads.
Create route tables to direct the traffic to Azure Firewall. For the Spoke virtual networks, create a route that sets
the default route to the internal interface of Azure Firewall. This way, when a workload in the Virtual Network
needs to reach the Azure VMware Solution address space, the firewall can evaluate it and apply the
corresponding traffic rule to either allow or deny it.

IMPORTANT
A route with address prefix 0.0.0.0/0 on the GatewaySubnet setting is not supported.

Set routes for specific networks on the corresponding route table. For example, routes to reach Azure VMware
Solution management and workload IP prefixes from the spoke workloads and the other way around.
Use network security groups within the Spokes and the Hub as a second level of traffic segmentation, to create a
more granular traffic policy.

NOTE
Traffic from on-premises to Azure VMware Solution: Traffic between on-premises workloads, either vSphere-based
or others, and Azure VMware Solution is enabled by Global Reach, but the traffic doesn't go through Azure Firewall on
the hub. In this scenario, you must implement traffic segmentation mechanisms, either on-premises or in Azure VMware
Solution.
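The route-table and segmentation rules above can be checked before anything is deployed. The Python model below, an added example and not Microsoft's tooling, applies longest-prefix matching to a spoke route table the way Azure selects a route, flags the unsupported 0.0.0.0/0 route on the GatewaySubnet, and reports when traffic takes the Global Reach path that bypasses the hub firewall; FIREWALL_INTERNAL_IP and all prefixes are constructed placeholders, and the VnetLocal entry stands in for the system route Azure adds for the virtual network's own address space.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (address prefix, next hop type, next hop IP); the IP only applies to VirtualAppliance.
Route = Tuple[str, str, Optional[str]]

# Constructed sample plan; placeholder ranges, not values from the article.
FIREWALL_INTERNAL_IP = "10.0.1.4"      # private interface of Azure Firewall in the hub
AVS_PREFIX = "10.2.0.0/22"             # Azure VMware Solution private cloud
ON_PREMISES_PREFIX = "192.168.0.0/16"  # reached over ExpressRoute and Global Reach
SPOKE_PREFIX = "10.10.0.0/16"          # an IaaS spoke virtual network

# Spoke route table: the default route points at the firewall, so anything leaving the
# spoke (including traffic for the private cloud) is evaluated by its rules first.
SPOKE_ROUTES: List[Route] = [
    (SPOKE_PREFIX, "VnetLocal", None),
    ("0.0.0.0/0", "VirtualAppliance", FIREWALL_INTERNAL_IP),
]

# GatewaySubnet route table: specific prefixes only, so replies from the private cloud to
# spoke workloads also pass the firewall. A 0.0.0.0/0 route is not supported here.
GATEWAY_SUBNET_ROUTES: List[Route] = [
    (SPOKE_PREFIX, "VirtualAppliance", FIREWALL_INTERNAL_IP),
]


def longest_prefix_match(routes: List[Route], destination: str) -> Optional[Route]:
    """Select the most specific route containing the destination, as Azure does."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def validate_route_table(subnet_name: str, routes: List[Route]) -> List[str]:
    """Check a route table against the constraints the article states."""
    problems: List[str] = []
    for prefix, hop_type, hop_ip in routes:
        net = ipaddress.ip_network(prefix)  # raises ValueError on a malformed prefix
        if subnet_name == "GatewaySubnet" and net.prefixlen == 0:
            problems.append(f"{subnet_name}: a {prefix} route is not supported on the GatewaySubnet")
        if hop_type == "VirtualAppliance" and hop_ip is None:
            problems.append(f"{subnet_name}: route {prefix} needs a next-hop IP for a VirtualAppliance")
    return problems


def forwarding_decision(src: str, dst: str, src_subnet_routes: List[Route]) -> str:
    """Name the first hop for traffic from src to dst.

    Returns "global-reach" when both ends sit on the ExpressRoute side: the two
    circuits are stitched together and the hub firewall never sees the traffic, so
    segmentation has to happen on-premises or in NSX-T. Otherwise the answer comes
    from the source subnet's route table: "hub-firewall" when the selected route
    carries the packet to the firewall, the next-hop type in every other case.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    onprem, avs = ipaddress.ip_network(ON_PREMISES_PREFIX), ipaddress.ip_network(AVS_PREFIX)
    if (s in onprem and d in avs) or (s in avs and d in onprem):
        return "global-reach"
    route = longest_prefix_match(src_subnet_routes, dst)
    if route is None:
        return "no-route"
    _, hop_type, hop_ip = route
    if hop_type == "VirtualAppliance" and hop_ip == FIREWALL_INTERNAL_IP:
        return "hub-firewall"
    return hop_type


if __name__ == "__main__":
    print(validate_route_table("GatewaySubnet", GATEWAY_SUBNET_ROUTES) or "GatewaySubnet ok")
    print(validate_route_table("GatewaySubnet", [("0.0.0.0/0", "VirtualAppliance", FIREWALL_INTERNAL_IP)]))
    print(forwarding_decision("10.10.1.5", "10.2.1.20", SPOKE_ROUTES))    # hub-firewall
    print(forwarding_decision("10.10.1.5", "10.10.2.7", SPOKE_ROUTES))    # VnetLocal
    print(forwarding_decision("192.168.5.9", "10.2.1.20", SPOKE_ROUTES))  # global-reach
```

The third case is the one the NOTE warns about: a spoke workload reaching the private cloud is inspected by the hub firewall, but an on-premises host reaching the same private cloud address is not, so a rule that exists only in Azure Firewall gives no protection on that path.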

Application Gateway
Azure Application Gateway V1 and V2 have been tested with web apps that run on Azure VMware Solution VMs
as a backend pool. Application Gateway is currently the only supported method to expose web apps running on
Azure VMware Solution VMs to the internet. It can also expose the apps to internal users securely.
For more information, see the Azure VMware Solution-specific article on Application Gateway.

Jump box and Azure Bastion
Access the Azure VMware Solution environment with a jump box, which is a Windows 10 or Windows Server VM
deployed in the shared service subnet within the Hub virtual network.

IMPORTANT
Azure Bastion is the service recommended to connect to the jump box to prevent exposing Azure VMware Solution to the
internet. You cannot use Azure Bastion to connect to Azure VMware Solution VMs since they are not Azure IaaS objects.

As a security best practice, deploy Microsoft Azure Bastion service within the Hub virtual network. Azure Bastion
provides seamless RDP and SSH access to VMs deployed on Azure without the need to provision public IP
addresses to those resources. Once you provision the Azure Bastion service, you can access the selected VM
from the Azure portal. After establishing the connection, a new tab opens, showing the jump box desktop, and
from that desktop, you can access the Azure VMware Solution private cloud management plane.

IMPORTANT
Do not give a public IP address to the jump box VM or expose 3389/TCP port to the public internet.

Azure DNS resolution considerations
For Azure DNS resolution, there are two options available:
Use the domain controllers deployed on the Hub (described in Identity considerations) as name servers.
Deploy and configure an Azure DNS private zone.
The best approach is to combine both to provide reliable name resolution for Azure VMware Solution,
on-premises, and Azure.
As a general design recommendation, use the existing Azure DNS infrastructure (in this case, Active
Directory-integrated DNS) deployed on at least two Azure VMs in the Hub virtual network, and configure the
Spoke virtual networks to use those DNS servers in their DNS settings.
You can use Azure Private DNS, where the Azure Private DNS zone links to the virtual network. The DNS servers
are used as hybrid resolvers with conditional forwarding to the DNS running on-premises or in Azure VMware
Solution, using the customer's Azure Private DNS infrastructure.
To automatically manage the DNS records' lifecycle for the VMs deployed within the Spoke virtual networks,
enable autoregistration. When enabled, the maximum number of private DNS zones is only one. If disabled, then
the maximum number is 1000.
On-premises and Azure VMware Solution servers can be configured with conditional forwarders to the resolver
VMs in Azure for the Azure Private DNS zone.
Identity considerations
For identity purposes, the best approach is to deploy at least one domain controller on the Hub. Use two shared
service subnets in zone-distributed fashion or a VM availability set. For more information on extending your on-
premises Active Directory (AD) domain to Azure, see Azure Architecture Center.
Additionally, deploy another domain controller on the Azure VMware Solution side to act as identity and DNS
source within the vSphere environment.
As a recommended best practice, integrate AD domain with Azure Active Directory.
Protect your Azure VMware Solution VMs with Azure Security Center integration
2/11/2021 • 6 minutes to read

Azure native security tools provide a secure infrastructure for a hybrid environment of Azure, Azure VMware
Solution, and on-premises virtual machines (VMs). This article shows you how to set up Azure tools for hybrid
environment security. You'll use various tools to identify and address different types of threats.

Azure native services

Here is a quick summary of each Azure native service:
Log Analytics workspace: A Log Analytics workspace is a unique environment to store log data. Each
workspace has its own data repository and configuration. Data sources and solutions are configured to store
their data in a specific workspace.
Azure Security Center: Azure Security Center is a unified infrastructure security management system. It
strengthens the security posture of your data centers and provides advanced threat protection across hybrid
workloads in the cloud or on premises.
Azure Sentinel: Azure Sentinel is a cloud-native security information and event management (SIEM) and
security orchestration, automation and response (SOAR) solution. It provides intelligent security analytics and
threat intelligence across an environment. It is a single solution for alert detection, threat visibility, proactive
hunting, and threat response.

Topology

The Log Analytics agent enables collection of log data from Azure, Azure VMware Solution, and on-premises
VMs. The log data is sent to Azure Monitor Logs and is stored in a Log Analytics workspace. You can deploy the
Log Analytics agent using the Azure Arc enabled servers VM extension support for new and existing VMs.
Once the logs are collected in the Log Analytics workspace, you can connect the workspace to Azure Security
Center. Azure Security Center will assess the vulnerability status of Azure VMware Solution VMs and raise an
alert for any critical vulnerability. For instance, it assesses missing operating system patches, security
misconfigurations, and endpoint protection.
You can connect the Log Analytics workspace to Azure Sentinel for alert detection, threat visibility, proactive
hunting, and threat response. In the preceding diagram, Azure Security Center is connected to Azure Sentinel
using the Azure Security Center connector. Azure Security Center forwards the environment's vulnerabilities to
Azure Sentinel, which creates an incident and maps it to other threats. You can also create scheduled query rules
to detect unwanted activity and turn the matches into incidents.

Benefits
- Azure native services can be used for hybrid environment security in Azure, Azure VMware Solution, and
  on-premises services.
- Using a Log Analytics workspace, you can collect the data or the logs to a single point and present the same
  data to different Azure native services.
- Azure Security Center offers a number of features, including:
  - File integrity monitoring
  - Fileless attack detection
  - Operating system patch assessment
  - Security misconfigurations assessment
  - Endpoint protection assessment
- Azure Sentinel allows you to:
  - Collect data at cloud scale across all users, devices, applications, and infrastructure, both on premises
    and in multiple clouds.
  - Detect previously undetected threats.
  - Investigate threats with artificial intelligence and hunt for suspicious activities at scale.
  - Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Create a Log Analytics workspace


You will need a Log Analytics workspace to collect data from various sources. For more information, see Create a
Log Analytics workspace from the Azure portal.

Deploy Security Center and configure Azure VMware Solution VMs


Azure Security Center is a pre-configured tool and does not require deployment. In the Azure portal, search for
Security Center and select it.
Enable Azure Defender
Azure Defender extends Azure Security Center's advanced threat protection across your hybrid workloads both
on premises and in the cloud. So to protect your Azure VMware Solution VMs, you will need to enable Azure
Defender.
1. In Security Center, select Getting started.
2. Select the Upgrade tab and then select your subscription or workspace.
3. Select Upgrade to enable Azure Defender.

Add Azure VMware Solution VMs to Security Center


1. In the Azure portal, search on Azure Arc and select it.
2. Under Resources, select Servers and then +Add.
3. Select Generate script.
4. On the Prerequisites tab, select Next.
5. On the Resource details tab, fill in the following details:
   - Subscription
   - Resource group
   - Region
   - Operating system
   - Proxy Server details
   Then select Next: Tags.
6. On the Tags tab, select Next.
7. On the Download and run script tab, select Download.
8. Specify your operating system and run the script on your Azure VMware Solution VM.

View recommendations and passed assessments


1. In Azure Security Center, select Inventory from the left pane.
2. For Resource type, select Servers - Azure Arc.
3. Select the name of your resource. A page opens showing the security health details of your resource.
4. Under Recommendation list, select the Recommendations, Passed assessments, and Unavailable
assessments tabs to view these details.

Deploy an Azure Sentinel workspace


Azure Sentinel is built on top of a Log Analytics workspace. Your first step in onboarding Azure Sentinel is to
select the Log Analytics workspace you wish to use for that purpose.
1. In the Azure portal, search for Azure Sentinel , and select it.
2. On the Azure Sentinel workspaces page, select +Add .
3. Select the Log Analytics workspace and select Add .

Enable data collector for security events on Azure VMware Solution VMs

Now you're ready to connect Azure Sentinel with your data sources, in this case, security events.
1. On the Azure Sentinel workspaces page, select the configured workspace.
2. Under Configuration, select Data connectors.
3. Under the Connector Name column, select Security Events from the list, and then select Open
connector page.
4. On the connector page, select the events you wish to stream and then select Apply Changes.

Connect Azure Sentinel with Azure Security Center


1. On the Azure Sentinel workspace page, select the configured workspace.
2. Under Configuration, select Data connectors.
3. Select Azure Security Center from the list and then select Open connector page.
4. Select Connect to connect Azure Security Center with Azure Sentinel.
5. Enable Create incident to generate an incident for Azure Security Center.

Create rules to identify security threats


After connecting data sources to Azure Sentinel, you can create rules to generate alerts based on detected
threats. In the following example, we'll create a rule to identify attempts to sign in to a Windows server with the
wrong password.
1. On the Azure Sentinel overview page, under Configurations, select Analytics.
2. Select +Create and, on the drop-down, select Scheduled query rule.
3. On the General tab, enter the required information:
   - Name
   - Description
   - Tactics
   - Severity
   - Status
   Select Next: Set rule logic >.
4. On the Set rule logic tab, enter the required information:
   - Rule query (here showing our example query):

     SecurityEvent
     | where Activity startswith '4625'
     | summarize count() by IpAddress, Computer
     | where count_ > 3

   - Map entities
   - Query scheduling
   - Alert threshold
   - Event grouping
   - Suppression
   Select Next.
5. On the Incident settings tab, enable Create incidents from alerts triggered by this analytics rule and
   select Next: Automated response >.
6. Select Next: Review >.
7. On the Review and create tab, review the information and select Create.
After the third failed attempt to sign in to the Windows server from the same IP address, the created rule
triggers an incident for every further unsuccessful attempt.
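To see how the threshold in the rule query behaves before scheduling it, the following Python replays the same grouping and filtering over a handful of constructed SecurityEvent rows. It is an added example, not code from the article; the host names, IP addresses, and event rows are made up, and it evaluates the whole list rather than the rule's scheduled lookback window.

```python
"""Emulates the Azure Sentinel scheduled query rule shown above in plain Python.

Constructed example: the SecurityEvent rows below are invented so the block runs
offline. Real rows come from the Security Events data connector.
"""
from collections import Counter

# The rule the article configures, kept here for reference only (not executed).
KQL_RULE = """SecurityEvent
| where Activity startswith '4625'
| summarize count() by IpAddress, Computer
| where count_ > 3"""

_ACTIVITY = {
    4625: "4625 - An account failed to log on.",
    4624: "4624 - An account was successfully logged on.",
}


def _event(ip, computer, event_id):
    """Build one constructed SecurityEvent row with the columns the query uses."""
    return {"Computer": computer, "IpAddress": ip,
            "EventID": event_id, "Activity": _ACTIVITY[event_id]}


# Constructed sample: one source with four failures (should fire), one with
# exactly three (must not fire), and one failure against a different computer
# to show that grouping is per (IpAddress, Computer) pair.
SAMPLE_EVENTS = (
    [_event("10.1.2.3", "avs-win01", 4625) for _ in range(4)]
    + [_event("10.1.2.3", "avs-win01", 4624)]
    + [_event("10.1.2.9", "avs-win01", 4625) for _ in range(3)]
    + [_event("10.1.2.3", "avs-win02", 4625)]
)


def failed_logon_sources(events, threshold=3):
    """Return sorted (IpAddress, Computer, count) tuples for every source that
    produced more than `threshold` failed logons, mirroring the KQL steps."""
    counts = Counter()
    for ev in events:
        # KQL: | where Activity startswith '4625'
        if ev["Activity"].startswith("4625"):
            # KQL: | summarize count() by IpAddress, Computer
            counts[(ev["IpAddress"], ev["Computer"])] += 1
    # KQL: | where count_ > 3  (count_ is the auto-named summarize column)
    return sorted((ip, comp, n) for (ip, comp), n in counts.items() if n > threshold)


if __name__ == "__main__":
    for ip, computer, n in failed_logon_sources(SAMPLE_EVENTS):
        print(f"incident: {n} failed sign-ins to {computer} from {ip}")
```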
View generated alerts
You can view generated incidents with Azure Sentinel. You can also assign incidents and close them once they're
resolved, all from within Azure Sentinel.
1. Go to the Azure Sentinel overview page.
2. Under Threat Management, select Incidents .
3. Select an incident. You can then assign the incident to a team for resolution.

After resolving the issue, you can close it.

Hunt security threats with queries


You can create queries or use the available pre-defined query in Azure Sentinel to identify threats in your
environment. The following steps run a pre-defined query.
1. Go to the Azure Sentinel overview page.
2. Under Threat management, select Hunting. A list of pre-defined queries is displayed.
3. Select a query and then select Run Query.
4. Select View Results to check the results.
Create a new query
1. Under Threat management, select Hunting and then +New Query.
2. Fill in the following information to create a custom query.
   - Name
   - Description
   - Custom query
   - Enter Mapping
   - Tactics
3. Select Create. You can then select the created query, Run Query, and View Results.

Next steps
Now that you've covered how to protect your Azure VMware Solution VMs, you may want to learn about:
Using the Azure Defender dashboard.
Advanced multistage attack detection in Azure Sentinel.
Lifecycle management of Azure VMware Solution VMs.
Set up Azure Backup Server for Azure VMware Solution
2/11/2021 • 15 minutes to read • Edit Online

Azure Backup Server contributes to your business continuity and disaster recovery (BCDR) strategy. With Azure
VMware Solution, you can only configure a virtual machine (VM)-level backup using Azure Backup Server.
Azure Backup Server can store backup data to:
- Disk: For short-term storage, Azure Backup Server backs up data to disk pools.
- Azure: For both short-term and long-term storage off-premises, Azure Backup Server data stored in disk
  pools can be backed up to the Microsoft Azure cloud by using Azure Backup.
Use Azure Backup Server to restore data to the source or an alternate location. That way, if the original data is
unavailable because of planned or unexpected issues, you can restore data to an alternate location.
This article helps you prepare your Azure VMware Solution environment to back up VMs by using Azure Backup
Server. We walk you through the steps to:
- Determine the recommended VM disk type and size to use.
- Create a Recovery Services vault that stores the recovery points.
- Set the storage replication for a Recovery Services vault.
- Add storage to Azure Backup Server.

Supported VMware features


- Agentless backup: Azure Backup Server doesn't require an agent to be installed on the vCenter or ESXi
  server to back up the VM. Instead, just provide the IP address or fully qualified domain name (FQDN) and the
  sign-in credentials used to authenticate the VMware server with Azure Backup Server.
- Cloud-integrated backup: Azure Backup Server protects workloads to disk and the cloud. The backup and
  recovery workflow of Azure Backup Server helps you manage long-term retention and offsite backup.
- Detect and protect VMs managed by vCenter: Azure Backup Server detects and protects VMs deployed
  on a vCenter or ESXi server. Azure Backup Server also detects VMs managed by vCenter so that you can
  protect large deployments.
- Folder-level auto protection: vCenter lets you organize your VMs in VM folders. Azure Backup Server
  detects these folders. You can use it to protect VMs at the folder level, including all subfolders. When
  protecting folders, Azure Backup Server protects the VMs in that folder and protects VMs added later. Azure
  Backup Server detects new VMs daily, protecting them automatically. As you organize your VMs in recursive
  folders, Azure Backup Server automatically detects and protects the new VMs deployed in the recursive
  folders.
- Azure Backup Server continues to protect vMotioned VMs within the cluster: As VMs are
  vMotioned for load balancing within the cluster, Azure Backup Server automatically detects and continues
  VM protection.
- Recover necessary files faster: Azure Backup Server can recover files or folders from a Windows VM
  without recovering the entire VM.

Limitations
- Update Rollup 1 for Azure Backup Server v3 must be installed.
- You can't back up user snapshots before the first Azure Backup Server backup. After Azure Backup Server
  finishes the first backup, then you can back up user snapshots.
- Azure Backup Server can't protect VMware VMs with pass-through disks and physical raw device mappings
  (pRDMs).
- Azure Backup Server can't detect or protect VMware vApps.
To set up Azure Backup Server for Azure VMware Solution, you must finish the following steps:
- Set up the prerequisites and environment.
- Create a Recovery Services vault.
- Download and install Azure Backup Server.
- Add storage to Azure Backup Server.
Deployment architecture
Azure Backup Server is deployed as an Azure infrastructure as a service (IaaS) VM to protect Azure VMware
Solution VMs.

Prerequisites for the Azure Backup Server environment


Consider the recommendations in this section when you install Azure Backup Server in your Azure environment.
Azure Virtual Network
Ensure that you configure networking for your VMware private cloud in Azure.
Determine the size of the VM
Follow the instructions in the Create your first Windows VM in the Azure portal tutorial. You'll create the VM in
the virtual network, which you created in the previous step. Start with a gallery image of Windows Server 2019
Datacenter to run the Azure Backup Server.
The table summarizes the maximum number of protected workloads for each Azure Backup Server VM size. The
information is based on internal performance and scale tests with canonical values for the workload size and
churn. The actual workload size can be larger but should be accommodated by the disks attached to the Azure
Backup Server VM.
| Maximum protected workloads | Average workload size | Average workload churn (daily) | Minimum storage IOPS | Recommended disk type/size | Recommended VM size |
|---|---|---|---|---|---|
| 20 | 100 GB | Net 5% churn | 2,000 | Standard HDD (8 TB or above size per disk) | A4V2 |
| 40 | 150 GB | Net 10% churn | 4,500 | Premium SSD* (1 TB or above size per disk) | DS3_V2 |
| 60 | 200 GB | Net 10% churn | 10,500 | Premium SSD* (8 TB or above size per disk) | DS3_V2 |

*To get the required IOPS, use minimum recommended- or higher-size disks. Smaller-size disks offer lower IOPS.

NOTE
Azure Backup Server is designed to run on a dedicated, single-purpose server. You can't install Azure Backup Server on a
computer that:
- Runs as a domain controller.
- Has the Application Server role installed.
- Is a System Center Operations Manager management server.
- Runs Exchange Server.
- Is a node of a cluster.

Disks and storage


Azure Backup Server requires disks for installation.

| Requirement | Recommended size |
|---|---|
| Azure Backup Server installation | Installation location: 3 GB. Database files drive: 900 MB. System drive: 1 GB for SQL Server installation. You'll also need space for Azure Backup Server to copy the file catalog to a temporary installation location when you archive. |
| Disk for storage pool (uses basic volumes, can't be on a dynamic disk) | Two to three times the protected data size. For detailed storage calculation, see DPM Capacity Planner. |

To learn how to attach a new managed data disk to an existing Azure VM, see Attach a managed data disk to a
Windows VM by using the Azure portal.

NOTE
A single Azure Backup Server has a soft limit of 120 TB for the storage pool.

Store backup data on local disk and in Azure


Storing backup data in Azure reduces backup infrastructure on the Azure Backup Server VM. For operational
recovery (backup), Azure Backup Server stores backup data on Azure disks attached to the VM. After the disks
and storage space are attached to the VM, Azure Backup Server manages the storage for you. The amount of
storage depends on the number and size of disks attached to each Azure VM. Each size of the Azure VM has a
maximum number of disks that can be attached. For example, A2 is four disks, A3 is eight disks, and A4 is 16
disks. Again, the size and number of disks determine the total backup storage pool capacity.

IMPORTANT
You should not retain operational recovery data on Azure Backup Server-attached disks for more than five days. If data is
more than five days old, store it in a Recovery Services vault.

To store backup data in Azure, create or use a Recovery Services vault. When you prepare to back up the Azure
Backup Server workload, you configure the Recovery Services vault. Once configured, each time an online
backup job runs, a recovery point gets created in the vault. Each Recovery Services vault holds up to 9,999
recovery points. Depending on the number of recovery points created and how long kept, you can keep backup
data for many years. For example, you could create monthly recovery points and keep them for five years.

IMPORTANT
Whether you send backup data to Azure or keep it locally, you must register Azure Backup Server with a Recovery
Services vault.

Scale deployment
If you want to scale your deployment, you have the following options:
- Scale up: Increase the size of the Azure Backup Server VM from A series to DS3 series, and increase the local
  storage.
- Offload data: Send older data to Azure and keep only the newest data on the storage attached to the Azure
  Backup Server machine.
- Scale out: Add more Azure Backup Server machines to protect the workloads.
.NET Framework
The VM must have .NET Framework 3.5 SP1 or higher installed.
Join a domain
The Azure Backup Server VM must be joined to a domain. A domain user with administrator privileges on the
VM must install Azure Backup Server.
Azure Backup Server deployed in an Azure VM can back up workloads on the VMs in Azure VMware Solution.
The workloads should be in the same domain to enable the backup operation.

Create a Recovery Services vault


A Recovery Services vault is a storage entity that stores the recovery points created over time. It also contains
backup policies that are associated with protected items.
1. Sign in to your subscription in the Azure portal.
2. On the left menu, select All services.
3. In the All services dialog box, enter Recovery Services and select Recovery Services vaults from
the list.

The list of Recovery Services vaults in the subscription appears.

4. On the Recovery Services vaults dashboard, select Add.

The Recovery Services vault dialog box opens.

5. Enter values for the Name, Subscription, Resource group, and Location.

   - Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription.
     Specify a name that has at least two but not more than 50 characters. The name must start with a
     letter and consist only of letters, numbers, and hyphens.
   - Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see
     that name. If you're not sure which subscription to use, use the default (suggested) subscription. There
     are multiple choices only if your work or school account is associated with more than one Azure
     subscription.
   - Resource group: Use an existing resource group or create a new one. To see the list of available
     resource groups in your subscription, select Use existing, and then select a resource from the drop-down
     list. To create a new resource group, select Create new and enter the name.
   - Location: Select the geographic region for the vault. To create a vault to protect Azure VMware
     Solution virtual machines, the vault must be in the same region as the Azure VMware Solution private
     cloud.
6. When you're ready to create the Recovery Services vault, select Create.

It can take a while to create the Recovery Services vault. Monitor the status notifications in the
Notifications area in the upper-right corner of the portal. After creating your vault, it's visible in the list
of Recovery Services vaults. If you don't see your vault, select Refresh .

Set storage replication


The storage replication option lets you choose between geo-redundant storage (the default) and locally
redundant storage. Geo-redundant storage copies the data in your storage account to a secondary region,
making your data durable. Locally redundant storage is a cheaper option that isn't as durable. To learn more
about geo-redundant and locally redundant storage options, see Azure Storage redundancy.

IMPORTANT
Changing the setting of Storage replication type Locally-redundant/Geo-redundant for a Recovery Services vault
must be done before you configure backups in the vault. After you configure backups, the option to modify it is disabled,
and you can't change the storage replication type.

1. From Recovery Services vaults, select the new vault.
2. Under Settings, select Properties. Under Backup Configuration, select Update.
3. Select the storage replication type, and select Save.

Download and install the software package


Follow the steps in this section to download, extract, and install the software package.
Download the software package
1. Sign in to the Azure portal.
2. If you already have a Recovery Services vault open, continue to the next step. If you don't have a
Recovery Services vault open, and you're in the Azure portal, on the main menu, select Browse.
   a. In the list of resources enter Recovery Services.
   b. As you begin typing, the list filters based on your input. When you see Recovery Services
   vaults, select it.
3. From the list of Recovery Services vaults, select a vault.

The selected vault dashboard opens.
The Settings option opens by default. If closed, select Settings to open it.

4. Select Backup to open the Getting Started wizard.
5. In the window that opens:
   a. From the Where is your workload running? menu, select On-Premises.
   b. From the What do you want to back up? menu, select the workloads you want to protect by
   using Azure Backup Server.
   c. Select Prepare Infrastructure to download and install Azure Backup Server and the vault
   credentials.
6. In the Prepare infrastructure window that opens:
   a. Select the Download link to install Azure Backup Server.
   b. Select Already downloaded or using the latest Azure Backup Server installation and then
   Download to download the vault credentials. You'll use these credentials when you register the
   Azure Backup Server to the Recovery Services vault. The links take you to the Download Center,
   where you download the software package.
7. On the download page, select all the files and select Next.

NOTE
You must download all the files to the same folder. Because the download size of the files together is greater than
3 GB, it might take up to 60 minutes for the download to complete.
Extract the software package
If you downloaded the software package to a different server, copy the files to the VM you created to deploy
Azure Backup Server.

WARNING
At least 4 GB of free space is required to extract the setup files.

1. After you've downloaded all the files, double-click MicrosoftAzureBackupInstaller.exe to open the
Microsoft Azure Backup setup wizard, and then select Next .
2. Select the location to extract the files to and select Next .
3. Select Extract to begin the extraction process.

4. Once extracted, select the option to Execute setup.exe and then select Finish .

TIP
You can also locate the setup.exe file from the folder where you extracted the software package.

Install the software package


1. On the setup window under Install , select Microsoft Azure Backup to open the setup wizard.
2. On the Welcome screen, select Next to continue to the Prerequisite Checks page.
3. Select Check Again to determine if the hardware and software meet the prerequisites for Azure Backup
Server. If met successfully, select Next .

4. The Azure Backup Server installation package comes bundled with the appropriate SQL Server binaries
that are needed. When you start a new Azure Backup Server installation, select the Install new Instance
of SQL Server with this Setup option. Then select Check and Install.
NOTE
If you want to use your own SQL Server instance, the supported SQL Server versions are SQL Server 2014 SP1 or
higher, 2016, and 2017. All SQL Server versions should be Standard or Enterprise 64-bit. The instance used by
Azure Backup Server must be local only; it can't be remote. If you use an existing SQL Server instance for Azure
Backup Server, the setup only supports the use of named instances of SQL Server.

If a failure occurs with a recommendation to restart the machine, do so, and select Check Again. For any
SQL Server configuration issues, reconfigure SQL Server according to the SQL Server guidelines. Then
retry to install or upgrade Azure Backup Server using the existing instance of SQL Server.
Manual configuration
When you use your own SQL Server instance, make sure you add builtin\Administrators to the sysadmin
role of the master database.
Configure reporting services with SQL Server 2017
If you use your own instance of SQL Server 2017, you must configure SQL Server 2017 Reporting Services
(SSRS) manually. After configuring SSRS, make sure to set the IsInitialized property of SSRS to True.
When set to True, Azure Backup Server assumes that SSRS is already configured and skips the SSRS
configuration.
To check the SSRS configuration status, run the following PowerShell:

$configset = Get-WmiObject -Namespace "root\Microsoft\SqlServer\ReportServer\RS_SSRS\v14\Admin" `
    -Class MSReportServer_ConfigurationSetting -ComputerName localhost
$configset.IsInitialized

Use the following values for SSRS configuration:
- Service Account: Use built-in account should be Network Service.
- Web Service URL: Virtual Directory should be ReportServer_<SQLInstanceName>.
- Database: DatabaseName should be ReportServer$<SQLInstanceName>.
- Web Portal URL: Virtual Directory should be Reports_<SQLInstanceName>.
Learn more about SSRS configuration.

NOTE
Microsoft Online Services Terms (OST) governs the licensing for SQL Server used as the database for Azure Backup
Server. According to OST, only use SQL Server bundled with Azure Backup Server as the database for Azure
Backup Server.

5. After the installation is successful, select Next .


6. Provide a location for installing Microsoft Azure Backup Server files, and select Next .

NOTE
The scratch location is required for backup to Azure. Ensure the scratch location is at least 5% of the data planned
for backing up to the cloud. For disk protection, separate disks need configuring after the installation finishes. For
more information about storage pools, see Configure storage pools and disk storage.
7. Provide a strong password for restricted local user accounts, and select Next .

8. Select whether you want to use Microsoft Update to check for updates, and select Next .
NOTE
We recommend having Windows Update redirect to Microsoft Update, which offers security and important
updates for Windows and other products like Azure Backup Server.

9. Review the Summary of Settings, and select Install.


The installation happens in phases.
The first phase installs the Microsoft Azure Recovery Services Agent.
The second phase checks for internet connectivity. If available, you can continue with the installation. If
not available, you must provide proxy details to connect to the internet.
The final phase checks the prerequisite software. If not installed, any missing software gets installed
along with the Microsoft Azure Recovery Services Agent.
10. Select Browse to locate your vault credentials to register the machine to the Recovery Services vault, and
then select Next .
11. Select a passphrase to encrypt or decrypt the data sent between Azure and your premises.

TIP
You can automatically generate a passphrase or provide your minimum 16-character passphrase.

12. Enter the location to save the passphrase, and then select Next to register the server.
IMPORTANT
Save the passphrase to a safe location other than the local server. We strongly recommend using the Azure Key
Vault to store the passphrase.

After the Microsoft Azure Recovery Services Agent setup finishes, the installation step moves on to the
installation and configuration of SQL Server and the Azure Backup Server components.

13. After the installation step finishes, select Close .


Install Update Rollup 1
Installing the Update Rollup 1 for Azure Backup Server v3 is mandatory before you can protect the workloads.
You can find the bug fixes and installation instructions in the knowledge base article.

Add storage to Azure Backup Server


Azure Backup Server v3 supports Modern Backup Storage that offers:
- Storage savings of 50%.
- Backups that are three times faster.
- More efficient storage.
- Workload-aware storage.
Volumes in Azure Backup Server
Add the data disks with the Azure Backup Server VM's required storage capacity if not already added.
Azure Backup Server v3 only accepts storage volumes. When you add a volume, Azure Backup Server formats
the volume to Resilient File System (ReFS), which Modern Backup Storage requires.
Add volumes to Azure Backup Server disk storage
1. In the Management pane, rescan the storage and then select Add .
2. Select from the available volumes to add to the storage pool.
3. After you add the available volumes, give them a friendly name to help you manage them.
4. Select OK to format these volumes to ReFS so that Azure Backup Server can use Modern Backup Storage
benefits.

Next steps
Now that you've covered how to set up Azure Backup Server for Azure VMware Solution, you may want to learn
about:
Configuring backups for your Azure VMware Solution VMs.
Protecting your Azure VMware Solution VMs with Azure Security Center integration.
Back up Azure VMware Solution VMs with Azure Backup Server
2/11/2021 • 12 minutes to read • Edit Online

In this article, we'll back up VMware virtual machines (VMs) running on Azure VMware Solution with Azure
Backup Server. First, thoroughly go through Set up Microsoft Azure Backup Server for Azure VMware Solution.
Then, we'll walk through all of the necessary procedures to:
Set up a secure channel so that Azure Backup Server can communicate with VMware servers over HTTPS.
Add the account credentials to Azure Backup Server.
Add the vCenter to Azure Backup Server.
Set up a protection group that contains the VMware VMs you want to back up, specify backup settings, and
schedule the backup.

Create a secure connection to the vCenter server


By default, Azure Backup Server communicates with VMware servers over HTTPS. To set up the HTTPS
connection, download the VMware certificate authority (CA) certificate and import it on the Azure Backup
Server.
Set up the certificate
1. In the browser, on the Azure Backup Server machine, enter the vSphere Web Client URL.

NOTE
If the VMware Getting Started page doesn't appear, verify the connection and browser proxy settings and try
again.

2. On the VMware Getting Started page, select Download trusted root CA certificates.
3. Save the download.zip file to the Azure Backup Server machine, and then extract its contents to the
certs folder, which contains the:
   - Root certificate file with an extension that begins with a numbered sequence like .0 and .1.
   - CRL file with an extension that begins with a sequence like .r0 or .r1.
4. In the certs folder, right-click the root certificate file and select Rename to change the extension to .crt.
The file icon changes to one that represents a root certificate.
5. Right-click the root certificate, and select Install Certificate.
6. In the Certificate Import Wizard, select Local Machine as the destination for the certificate, and
select Next.

NOTE
If asked, confirm that you want to allow changes to the computer.

7. Select Place all certificates in the following store, and select Browse to choose the certificate store.
8. Select Trusted Root Certification Authorities as the destination folder, and select OK.
9. Review the settings, and select Finish to start importing the certificate.
10. After the certificate import is confirmed, sign in to the vCenter server to confirm that your connection is
secure.
Enable TLS 1.2 on Azure Backup Server
VMware 6.7 and later has TLS enabled as the communication protocol, so the .NET Framework on the Azure Backup
Server must be set to use the system default TLS versions and strong cryptography.
1. Copy the following registry settings, and paste them into Notepad. Then save the file as TLS.REG without
the .txt extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

2. Right-click the TLS.REG file, and select Merge or Open to add the settings to the registry.
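As an added check that is not part of the article, the following Python parses the TLS.REG text above and reports any of the four .NET Framework keys that lack SystemDefaultTlsVersions=1 or SchUseStrongCrypto=1, which is an easy way to validate a hand-edited file before merging it. It inspects the file text only, not the live registry; the embedded TLS_REG constant is a copy of the settings above.

```python
"""Validates a Regedit 5.00 export against the TLS 1.2 settings the article merges.

Added example, not from the article: a small .reg parser (REG_DWORD values only)
plus a checker for the four .NET Framework keys that Azure Backup Server needs.
"""
import re

# Same four keys as in the article's TLS.REG: 32-bit (WOW6432Node) and 64-bit
# hives for both .NET Framework 2.0 and 4.0.
REQUIRED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
]
REQUIRED_VALUES = {"SystemDefaultTlsVersions": 1, "SchUseStrongCrypto": 1}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int}}.
    Only REG_DWORD values are decoded; other value types are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def missing_tls_settings(text):
    """Return 'key\\value' strings for every required setting that is absent or not 1.
    An empty list means the file sets everything the article requires."""
    keys = parse_reg(text)
    missing = []
    for key in REQUIRED_KEYS:
        for name, want in REQUIRED_VALUES.items():
            if keys.get(key, {}).get(name) != want:
                missing.append(f"{key}\\{name}")
    return missing


# Copy of the article's TLS.REG content so the check runs stand-alone.
TLS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
"""

if __name__ == "__main__":
    problems = missing_tls_settings(TLS_REG)
    print("OK: all TLS settings present" if not problems else "\n".join(problems))
```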

Add the account on Azure Backup Server


1. Open Azure Backup Server, and in the Azure Backup Server console, select Management > Production
Servers > Manage VMware.
2. In the Manage Credentials dialog box, select Add.
3. In the Add Credential dialog box, enter a name and a description for the new credential. Specify the
user name and password you defined on the VMware server.

NOTE
If the VMware server and Azure Backup Server aren't in the same domain, specify the domain in the User name
box.

4. Select Add to add the new credential.

Add the vCenter server to Azure Backup Server


1. In the Azure Backup Server console, select Management > Production Servers > Add.
2. Select VMware Servers, and select Next.
3. Specify the IP address of the vCenter.
4. In the SSL Port box, enter the port used to communicate with the vCenter.

TIP
Port 443 is the default port, but you can change it if your vCenter listens on a different port.

5. In the Specify Credential box, select the credential that you created in the previous section.
6. Select Add to add the vCenter to the servers list, and select Next.
7. On the Summary page, select Add to add the vCenter to Azure Backup Server.
The new server gets added immediately. vCenter doesn't need an agent.
8. On the Finish page, review the settings, and then select Close.
You see the vCenter server listed under Production Server with:
- Type as VMware Server
- Agent Status as OK
If you see Agent Status as Unknown, select Refresh.

Configure a protection group


Protection groups gather multiple VMs and apply the same data retention and backup settings to all VMs in the
group.
1. In the Azure Backup Server console, select Protection > New .
2. On the Create New Protection Group wizard welcome page, select Next .

3. On the Select Protection Group Type page, select Servers, and then select Next. The Select Group
Members page appears.
4. On the Select Group Members page, select the VMs (or VM folders) that you want to back up, and then
select Next.
NOTE
When you select a folder or VMs, folders inside that folder are also selected for backup. You can uncheck folders or
VMs you don't want to back up. If a VM or folder is already being backed up, you can't select it, which ensures
duplicate recovery points aren't created for a VM.

5. On the Select Data Protection Method page, enter a name for the protection group and protection
settings.
6. Set the short-term protection to Disk, enable online protection, and then select Next.
7. Specify how long you want to keep data backed up to disk.
   - Retention range: The number of days that disk recovery points are kept.
   - Express Full Backup: How often disk recovery points are taken. To change the times or dates when
     short-term backups occur, select Modify.
8. On the Review Disk Storage Allocation page, review the disk space provided for the VM backups.
The recommended disk allocations are based on the retention range you specified, the type of
workload, and the size of the protected data. Make any changes required, and then select Next.
   - Data size: Size of the data in the protection group.
   - Disk space: Recommended amount of disk space for the protection group. If you want to modify this
     setting, select a space slightly larger than the amount you estimate each data source grows.
   - Storage pool details: Shows the status of the storage pool, which includes total and remaining disk
     size.
NOTE
In some scenarios, the data size reported is higher than the actual VM size. We're aware of the issue and currently
investigating it.

9. On the Choose Replica Creation Method page, indicate how you want to take the initial backup, and
select Next.
The default is Automatically over the network and Now. If you use the default, specify an off-peak
time. If you choose Later, specify a day and time.
For large amounts of data or less-than-optimal network conditions, consider replicating the data
offline by using removable media.

10. For Consistency check options, select how and when to automate the consistency checks and select
Next.
You can run consistency checks when replica data becomes inconsistent, or on a set schedule.
If you don't want to configure automatic consistency checks, you can run a manual check by right-
clicking the protection group and selecting Perform Consistency Check.
11. On the Specify Online Protection Data page, select the VMs or VM folders that you want to back up,
and then select Next.

TIP
You can select the members individually or choose Select All to choose all members.

12. On the Specify Online Backup Schedule page, indicate how often you want to back up data from local
storage to Azure.
Cloud recovery points for the data are generated according to this schedule.
After a recovery point is generated, it's transferred to the Recovery Services vault in Azure.

13. On the Specify Online Retention Policy page, indicate how long you want to keep the recovery points
created from the backups to Azure.
There's no time limit for how long you can keep data in Azure.
The only limit is that you can't have more than 9,999 recovery points per protected instance. In this
example, the protected instance is the VMware server.
14. On the Summary page, review the settings and then select Create Group.

Monitor with the Azure Backup Server console


After you configure the protection group to back up Azure VMware Solution VMs, you can monitor the status of
the backup job and alerts by using the Azure Backup Server console. Here's what you can monitor.
In the Monitoring task area:
Under Alerts, you can monitor errors, warnings, and general information. You can view active and
inactive alerts and set up email notifications.
Under Jobs, you can view jobs started by Azure Backup Server for a specific protected data source or
protection group. You can follow job progress or check resources consumed by jobs.
In the Protection task area, you can check the status of volumes and shares in the protection group. You can
also check configuration settings such as recovery settings, disk allocation, and the backup schedule.
In the Management task area, you can view the Disks, Online, and Agents tabs to check the status of
disks in the storage pool, registration to Azure, and deployed DPM agent status.

Restore VMware virtual machines


In the Azure Backup Server Administrator Console, there are two ways to find recoverable data. You can search
or browse. When you recover data, you might or might not want to restore data or a VM to the same location.
For this reason, Azure Backup Server supports three recovery options for VMware VM backups:
Original location recovery (OLR): Use OLR to restore a protected VM to its original location. You can
restore a VM to its original location only if no disks were added or deleted since the backup occurred. If disks
were added or deleted, you must use alternate location recovery.
Alternate location recovery (ALR): Use when the original VM is missing, or you don't want to disturb the
original VM. Provide the location of an ESXi host, resource pool, folder, and the storage datastore and path. To
help differentiate the restored VM from the original VM, Azure Backup Server appends "-Recovered" to the
name of the VM.
Individual file location recovery (ILR): If the protected VM is a Windows Server VM, individual files or
folders inside the VM can be recovered by using the ILR capability of Azure Backup Server. To recover
individual files, see the procedure later in this article. Restoring an individual file from a VM is available only
for Windows VM and disk recovery points.
Restore a recovery point
1. In the Azure Backup Server Administrator Console, select the Recovery view.
2. Using the Browse pane, browse or filter to find the VM you want to recover. After you select a VM or
folder, the Recovery points for pane displays the available recovery points.
3. In the Recovery points for pane, select a date when a recovery point was taken. Calendar dates in bold
have available recovery points. Alternately, you can right-click the VM, select Show all recovery
points, and then select the recovery point from the list.

NOTE
For short-term protection, select a disk-based recovery point for faster recovery. After short-term recovery points
expire, you see only Online recovery points to recover.

4. Before recovering from an online recovery point, ensure the staging location contains enough free space
to house the full uncompressed size of the VM you want to recover. The staging location can be viewed or
changed by running the Configure Subscription Settings Wizard.
5. Select Recover to open the Recovery Wizard.

6. Select Next to go to the Specify Recovery Options screen. Select Next again to go to the Select
Recovery Type screen.

NOTE
VMware workloads don't support enabling network bandwidth throttling.

7. On the Select Recovery Type page, either recover to the original instance or a new location.
If you choose Recover to original instance, you don't need to make any more choices in the wizard.
The data for the original instance is used.
If you choose Recover as virtual machine on any host, then on the Specify Destination screen,
provide the information for ESXi Host, Resource Pool, Folder, and Path.

8. On the Summary page, review your settings and select Recover to start the recovery process.
The Recovery status screen shows the progression of the recovery operation.
Restore an individual file from a VM
You can restore individual files from a protected VM recovery point. This feature is only available for Windows
Server VMs. Restoring individual files is similar to restoring the entire VM, except you browse into the VMDK
and find the files you want before you start the recovery process.

NOTE
Restoring an individual file from a VM is available only for Windows VM and disk recovery points.

1. In the Azure Backup Server Administrator Console, select the Recovery view.
2. Using the Browse pane, browse or filter to find the VM you want to recover. After you select a VM or
folder, the Recovery points for pane displays the available recovery points.
3. In the Recovery points for pane, use the calendar to select the date that contains the wanted recovery
points. Depending on how the backup policy was configured, dates can have more than one recovery
point.
4. After you select the day when the recovery point was taken, make sure you choose the correct Recovery
time.

NOTE
If the selected date has multiple recovery points, choose your recovery point by selecting it in the Recovery time
drop-down menu.

After you choose the recovery point, the list of recoverable items appears in the Path pane.
5. To find the files you want to recover, in the Path pane, double-click the item in the Recoverable Item
column to open it. Then select the file or folders you want to recover. To select multiple items, hold the
Ctrl key while you select each item. Use the Path pane to search the list of files or folders that appear in
the Recoverable Item column.

NOTE
The search list below doesn't search subfolders. To search through subfolders, double-click the folder. Use the
Up button to move from a child folder into the parent folder. You can select multiple items (files and folders), but
they must be in the same parent folder. You can't recover items from multiple folders in the same recovery job.
6. When you've selected the items for recovery, in the Administrator Console tool ribbon, select Recover to
open the Recovery Wizard. In the Recovery Wizard, the Review Recovery Selection screen shows
the selected items to be recovered.
7. On the Specify Recovery Options screen, do one of the following steps:
Select Modify to enable network bandwidth throttling. In the Throttle dialog box, select Enable
network bandwidth usage throttling to turn it on. Once enabled, configure the Settings and
Work Schedule.
Select Next to leave network throttling disabled.
8. On the Select Recovery Type screen, select Next. You can only recover your files or folders to a
network folder.
9. On the Specify Destination screen, select Browse to find a network location for your files or folders.
Azure Backup Server creates a folder where all recovered items are copied. The folder name has the
prefix MABS_day-month-year. When you select a location for the recovered files or folder, the details for
that location are provided.

10. On the Specify Recovery Options screen, choose which security setting to apply. You can opt to modify
the network bandwidth usage throttling, but throttling is disabled by default. Also, SAN Recovery and
Notification aren't enabled.
11. On the Summary screen, review your settings and select Recover to start the recovery process. The
Recovery status screen shows the progression of the recovery operation.
Next steps
Now that you've covered backing up your Azure VMware Solution VMs with Azure Backup Server, you may
want to learn about:
Troubleshooting when setting up backups in Azure Backup Server.
Lifecycle management of Azure VMware Solution VMs.
Lifecycle management of Azure VMware Solution VMs
2/11/2021 • 5 minutes to read • Edit Online

Microsoft Azure native tools allow you to monitor and manage your virtual machines (VMs) in the Azure
environment. They also allow you to monitor and manage your VMs on Azure VMware Solution and your
on-premises VMs. In this overview, we'll look at the integrated monitoring architecture Azure offers, and how
you can use its native tools to manage your Azure VMware Solution VMs throughout their lifecycle.

Benefits
Azure native services can be used to manage your VMs in a hybrid environment (Azure, Azure VMware
Solution, and on-premises).
Integrated monitoring and visibility of your Azure, Azure VMware Solution, and on-premises VMs.
With Azure Update Management in Azure Automation, you can manage operating system updates for both
your Windows and Linux machines.
Azure Security Center provides advanced threat protection, including:
File integrity monitoring
Fileless security alerts
Operating system patch assessment
Security misconfigurations assessment
Endpoint protection assessment
Easily deploy the Log Analytics agent using Azure Arc enabled servers VM extension support for new and
existing VMs.
Your Log Analytics workspace in Azure Monitor enables log collection and performance counter collection
using the Log Analytics agent or extensions. Collect data and logs to a single point and present that data to
different Azure native services.
Added benefits of Azure Monitor include:
Seamless monitoring
Better infrastructure visibility
Instant notifications
Automatic resolution
Cost efficiency

Integrated Azure monitoring architecture


The following diagram shows the integrated monitoring architecture for Azure VMware Solution VMs.
Before you start
If you are new to Azure or unfamiliar with any of the services previously mentioned, review the following
articles:
Automation account authentication overview
Designing your Azure Monitor Logs deployment and Azure Monitor
Planning and Supported platforms for Azure Security Center
Enable Azure Monitor for VMs overview
What is Azure Arc enabled servers? and What is Azure Arc enabled Kubernetes?
Update Management overview

Integrating and deploying Azure native services


Enable Azure Update Management
Azure Update Management in Azure Automation manages operating system updates for your Windows and
Linux machines in a hybrid environment. It monitors patching compliance and forwards patching deviation
alerts to Azure Monitor for remediation. Azure Update Management must connect to your Log Analytics
workspace to use stored data to assess the status of updates on your VMs.
1. Before you can add Log Analytics to Azure Update Management, you first need to Create an Azure
Automation account. If you prefer to create your account using a template, see Create an Automation
account using an Azure Resource Manager template.
2. Log Analytics workspace enables log collection and performance counter collection using the Log
Analytics agent or extensions. To create your Log Analytics workspace, see Create a Log Analytics
workspace in the Azure portal. If you prefer, you can also create a workspace via CLI, PowerShell, or Azure
Resource Manager template.
3. To enable Azure Update Management for your VMs, see Enable Update Management from an
Automation account. In the process, you will link your Log Analytics workspace with your automation
account.
4. Once you've added VMs to Azure Update Management, you can Deploy updates on VMs and review
results.
Enable Azure Security Center
Azure Security Center provides advanced threat protection across your hybrid workloads in the cloud and on
premises. It will assess the vulnerability of Azure VMware Solution VMs and raise alerts as needed. These
security alerts can be forwarded to Azure Monitor for resolution.
Azure Security Center does not require deployment. For more information, see a list of Supported features for
virtual machines.
1. To add Azure VMware Solution VMs and non-Azure VMs to Security Center, see Quickstart: Setting up
Azure Security Center.
2. After adding Azure VMware Solution VMs or VMs from a non-Azure environment, enable Azure Defender
in Security Center. Security Center will assess the VMs for potential security issues. It also provides
recommendations in the Overview tab. For more information, see Security recommendations in Azure
Security Center.
3. You can define security policies in Azure Security Center. For information on configuring your security
policies, see Working with security policies.
Onboard VMs to Azure Arc enabled servers
Azure Arc extends Azure management to any infrastructure, including Azure VMware Solution, on-premises, or
other cloud platforms.
For information on enabling Azure Arc enabled servers for multiple Windows or Linux VMs, see Connect
hybrid machines to Azure at scale.
Onboard hybrid Kubernetes clusters with Arc enabled Kubernetes
You can attach a Kubernetes cluster hosted in your Azure VMware Solution environment using Azure Arc
enabled Kubernetes.
For more information, see Create an Azure Arc-enabled onboarding Service Principal.
Deploy the Log Analytics agent
Azure VMware Solution VMs can be monitored through the Log Analytics agent (also referred to as Microsoft
Monitoring Agent (MMA) or OMS Linux agent). You already created a Log Analytics workspace while enabling
Azure Automation Update Management.
Deploy the Log Analytics agent by using Azure Arc enabled servers VM extension support.
Enable Azure Monitor
Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud
and on-premises environments. It requires no deployment. With Azure Monitor, you can monitor guest
operating system performance and discover and map application dependencies for Azure VMware Solution or
on-premises VMs.
Azure Monitor allows you to collect data from different sources to monitor and analyze. For more
information, see Sources of monitoring data for Azure Monitor.
Collect different types of data for analysis, visualization, and alerting. For more information, see Azure
Monitor data platform.
To configure Azure Monitor with your Log Analytics workspace, see Configure Log Analytics workspace
for Azure Monitor for VMs.
You can create alert rules to identify issues in your environment, like high use of resources, missing
patches, low disk space, and heartbeat of your VMs. You can also set an automated response to detected
events by sending an alert to IT Service Management (ITSM) tools. Alert detection notification can also be
sent via email. To create such rules, see:
Create, view, and manage metric alerts using Azure Monitor.
Create, view, and manage log alerts using Azure Monitor.
Action rules to set automated actions and notifications.
Connect Azure to ITSM tools using IT Service Management Connector.
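The alert conditions listed above (high resource use, missing patches, low disk space, lost heartbeat) each come down to a Log Analytics query. The following is an added example, not part of the Azure VMware Solution documentation: the KQL for each condition, run against a workspace with the Azure CLI, plus a helper that pulls the affected computers out of the CLI's JSON output. The workspace customer ID is an assumption you supply; the table and column names are those of the Heartbeat, Update and Perf tables that the Log Analytics agent and Update Management populate.

```shell
#!/bin/sh
# Added example (not part of the Azure VMware Solution documentation): KQL for
# the four conditions named above, run against a Log Analytics workspace with
# the Azure CLI, plus a helper that pulls the affected computers out of the
# CLI's JSON output. The workspace customer ID is an assumption you supply;
# the Perf counter names are the Windows ones (the Linux agent reports the
# "Logical Disk" object and a "% Used Space" counter instead).

# Computers whose last heartbeat is older than the window, e.g. 15m.
kql_stale_heartbeat() {
    printf 'Heartbeat | summarize LastHeartbeat = max(TimeGenerated) by Computer | where LastHeartbeat < ago(%s)' "$1"
}

# Computers still missing critical or security updates (Update Management
# writes the Update table, one row per update and computer).
kql_missing_patches() {
    printf 'Update | where TimeGenerated > ago(1d) and UpdateState == "Needed" and Classification in ("Critical Updates", "Security Updates") | summarize Missing = dcount(Title) by Computer'
}

# Logical disks whose average free space is below a percentage, e.g. 10.
kql_low_disk() {
    printf 'Perf | where TimeGenerated > ago(1h) and ObjectName == "LogicalDisk" and CounterName == "%% Free Space" and InstanceName != "_Total" | summarize FreePct = avg(CounterValue) by Computer, InstanceName | where FreePct < %s' "$1"
}

# Computers averaging above a CPU percentage over the last hour, e.g. 90.
kql_high_cpu() {
    printf 'Perf | where TimeGenerated > ago(1h) and ObjectName == "Processor" and CounterName == "%% Processor Time" and InstanceName == "_Total" | summarize CpuPct = avg(CounterValue) by Computer | where CpuPct > %s' "$1"
}

# Run one query; prints the CLI's JSON (needs "az login" and workspace access).
run_kql() {
    az monitor log-analytics query --workspace "$1" --analytics-query "$2" --output json
}

# The CLI returns a JSON list of row objects keyed by column name; extract the
# Computer column, one name per line, without depending on jq.
computers_from_json() {
    grep -o '"Computer": *"[^"]*"' | sed 's/.*: *"\(.*\)"/\1/'
}

# Constructed sample of what run_kql returns for kql_stale_heartbeat, so the
# parsing can be exercised offline.
SAMPLE_ROWS='[
  {"Computer": "avs-web-01", "LastHeartbeat": "2021-02-11T09:40:12Z"},
  {"Computer": "avs-web-02", "LastHeartbeat": "2021-02-11T09:31:05Z"}
]'

# Print the computers matching each signal for a workspace.
report() {
    for q in "$(kql_stale_heartbeat 15m)" "$(kql_missing_patches)" "$(kql_low_disk 10)" "$(kql_high_cpu 90)"; do
        echo "== $q"
        run_kql "$1" "$q" | computers_from_json
    done
}

# Set WORKSPACE_ID to the workspace customer ID to run the report for real.
if [ -n "${WORKSPACE_ID:-}" ]; then
    report "$WORKSPACE_ID"
fi
```

The same queries can be pasted into a log alert rule in Azure Monitor; running them from the CLI first is a cheap way to confirm the agent is actually writing the tables before wiring alerts to ITSM or email.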

Next steps
Now that you've covered using Azure's native tools to manage your Azure VMware Solution VMs throughout
their lifecycle, you may want to learn about:
Protecting your Azure VMware Solution VMs with Azure Security Center.
Setting up Azure Backup Server for Azure VMware Solution.
Integrating Azure VMware Solution in a hub and spoke architecture.
Azure NetApp Files with Azure VMware Solution
2/11/2021 • 3 minutes to read • Edit Online

In this article, we'll walk through the steps of integrating Azure NetApp Files with Azure VMware Solution-based
workloads. The guest operating system will run inside virtual machines (VMs) accessing Azure NetApp Files
volumes.

Azure NetApp Files overview


Azure NetApp Files is an Azure service for migrating and running the most demanding enterprise file workloads
in the cloud: databases, SAP, and high-performance computing applications, with no code changes.
Features
(Services where Azure NetApp Files are used.)
Active Directory connections: Azure NetApp Files supports Active Directory Domain Services and
Azure Active Directory Domain Services.
Share Protocol: Azure NetApp Files supports Server Message Block (SMB) and Network File System
(NFS) protocols. This support means the volumes can be mounted on Linux clients and mapped on
Windows clients.
Azure VMware Solution: Azure NetApp Files shares can be mounted from VMs that are created in the
Azure VMware Solution environment.
Azure NetApp Files is available in many Azure regions and supports cross-region replication. For information on
Azure NetApp Files configuration methods, see Storage hierarchy of Azure NetApp Files.

Reference architecture
The following diagram illustrates a connection via Azure ExpressRoute to an Azure VMware Solution private
cloud. The Azure VMware Solution environment accesses the Azure NetApp Files share mounted on Azure
VMware Solution VMs.
This article covers instructions to set up, test, and verify the Azure NetApp Files volume as a file share for Azure
VMware Solution VMs. In this scenario, we've used the NFS protocol. Azure NetApp Files and Azure VMware
Solution are created in the same Azure region.

Prerequisites
Azure subscription with Azure NetApp Files enabled
Subnet for Azure NetApp Files
Linux VM on Azure VMware Solution
Windows VMs on Azure VMware Solution

Regions supported
List of supported regions can be found at Azure Products by Region.

Verify pre-configured Azure NetApp Files


Follow the step-by-step instructions in the following articles to create and mount Azure NetApp Files volumes
on Azure VMware Solution VMs.
Create a NetApp account
Set up a capacity pool
Create an SMB volume for Azure NetApp Files
Create an NFS volume for Azure NetApp Files
Delegate a subnet to Azure NetApp Files
The following steps verify a pre-configured Azure NetApp Files account created in Azure at the Azure
NetApp Files Premium service level.
1. In the Azure portal, under STORAGE, select Azure NetApp Files. A list of your configured Azure
NetApp Files accounts is shown.
2. Select a configured NetApp Files account to view its settings. For example, select Contoso-anf2.
3. Select Capacity pools to verify the configured pool.

The Capacity pools page opens showing the capacity and service level. In this example, the storage pool is
configured as 4 TiB with a Premium service level.
4. Select Volumes to view volumes created under the capacity pool. (See preceding screenshot.)
5. Select a volume to view its configuration.

A window opens showing the configuration details of the volume.


You can see that anfvolume has a size of 200 GiB and is in capacity pool anfpool1. It's exported as an NFS
file share via 10.22.3.4:/ANFVOLUME. One private IP from the Azure Virtual Network (VNet) was created
for Azure NetApp Files and the NFS path to mount on the VM.
To learn about Azure NetApp Files volume performance by size or "Quota," see Performance
considerations for Azure NetApp Files.

Verify pre-configured Azure VMware Solution VM share mapping


To make your Azure NetApp Files share accessible to your Azure VMware Solution VM, you'll need to
understand SMB and NFS share mapping. Only after configuring the SMB or NFS volumes can you mount them
as documented here.
SMB share: Create an Active Directory connection before deploying an SMB volume. The specified
domain controllers must be reachable from the delegated subnet of Azure NetApp Files for a successful
connection. Once the Active Directory connection is configured within the Azure NetApp Files account, it
appears as a selectable item while creating SMB volumes.
NFS share: Azure NetApp Files supports creating volumes using NFS or dual protocol (NFS and
SMB). A volume's capacity consumption counts against its pool's provisioned capacity. An NFS volume can be
mounted on a Linux server from the command line or through /etc/fstab entries.
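The following is an added example, not from the Azure NetApp Files or Azure VMware Solution documentation: a small shell script that mounts the NFS export shown earlier in this article, 10.22.3.4:/ANFVOLUME, on a Linux VM through an idempotent /etc/fstab entry and then checks that the kernel really reports an NFS filesystem at the mount point. The mount point /mnt/anfvolume, the fstab path used by the test, and the nosuid,nodev,noexec hardening options are assumptions; the remaining options are the NFSv3 options Microsoft documents for Azure NetApp Files.

```shell
#!/bin/sh
# Added example (not from the Azure NetApp Files or Azure VMware Solution
# documentation): mount the NFS export shown above, 10.22.3.4:/ANFVOLUME, on a
# Linux VM with an idempotent /etc/fstab entry and verify the result. The
# mount point, the fstab path used offline and the hardening options are
# assumptions.

# rw,hard,rsize=65536,wsize=65536,vers=3,tcp are the NFSv3 options Microsoft
# documents for Azure NetApp Files; _netdev delays the mount until the network
# is up; nosuid,nodev,noexec are an added least-privilege choice for a data
# share (drop noexec if programs must run from the volume).
ANF_MOUNT_OPTS="rw,hard,rsize=65536,wsize=65536,vers=3,tcp,_netdev,nosuid,nodev,noexec"

# Print the fstab line for an export and a mount point.
anf_fstab_entry() {
    printf '%s %s nfs %s 0 0\n' "$1" "$2" "$ANF_MOUNT_OPTS"
}

# Append the entry to an fstab file unless that export/mount pair is already
# there. Returns 0 when a line was added, 1 when it already existed.
anf_add_fstab_entry() {
    fstab_file="$1"; export_path="$2"; mount_point="$3"
    if grep -qs "^$export_path $mount_point " "$fstab_file"; then
        return 1
    fi
    anf_fstab_entry "$export_path" "$mount_point" >> "$fstab_file"
}

# Number of fstab lines for the pair (0 when the file does not exist).
anf_fstab_entry_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c "^$2 $3 " "$1" || true
}

# Create the mount point, persist the entry, mount it, and confirm the kernel
# reports an NFS filesystem there. Needs root and a VM routed to the ANF
# delegated subnet, so the offline checks never call it.
anf_mount() {
    export_path="$1"; mount_point="$2"
    mkdir -p "$mount_point"
    anf_add_fstab_entry /etc/fstab "$export_path" "$mount_point" || true
    mount "$mount_point"
    fstype=$(findmnt -n -o FSTYPE --target "$mount_point")
    if [ "$fstype" != "nfs" ]; then
        echo "expected an nfs mount at $mount_point, found '$fstype'" >&2
        return 1
    fi
    df -h "$mount_point"
}

# Example invocation; set ANF_RUN=1 on the VM to execute it.
if [ "${ANF_RUN:-0}" = 1 ]; then
    anf_mount 10.22.3.4:/ANFVOLUME /mnt/anfvolume
fi
```

Because the entry is keyed on the export and mount point, re-running the script on an already configured VM neither duplicates the fstab line nor changes the options of an existing one, which keeps configuration drift visible in the file rather than hidden by repeated appends.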

Use Cases of Azure NetApp Files with Azure VMware Solution


The following are just a few compelling Azure NetApp Files use cases.
Horizon profile management
Citrix profile management
Remote Desktop Services profile management
File shares on Azure VMware Solution

Next steps
Now that you've covered integrating Azure NetApp Files with your Azure VMware Solution workloads, you may
want to learn about:
Resource limits for Azure NetApp Files.
Guidelines for Azure NetApp Files network planning.
Cross-region replication of Azure NetApp Files volumes.
FAQs about Azure NetApp Files.
Use Azure Application Gateway to protect your web
apps on Azure VMware Solution
2/11/2021 • 5 minutes to read • Edit Online

Azure Application Gateway is a layer 7 web traffic load balancer that lets you manage traffic to your web
applications. It's offered in both Azure VMware Solution v1.0 and v2.0. Both versions have been tested with web apps
running on Azure VMware Solution.
The capabilities include:
Cookie-based session affinity
URL-based routing
Web Application Firewall (WAF)
For a complete list of features, see Azure Application Gateway features.
This article shows you how to use Application Gateway in front of a web server farm to protect a web app
running on Azure VMware Solution.

Topology
The diagram shows how Application Gateway is used to protect Azure IaaS virtual machines (VMs), Azure virtual
machine scale sets, or on-premises servers. Application Gateway treats Azure VMware Solution VMs as on-
premises servers.

IMPORTANT
Azure Application Gateway is currently the only supported method to expose web apps running on Azure VMware
Solution VMs.

The diagram shows the testing scenario used to validate the Application Gateway with Azure VMware Solution
web applications.
The Application Gateway instance is deployed on the hub in a dedicated subnet. It has an Azure public IP
address. Activating Standard DDoS protection for the virtual network is recommended. The web server is hosted
on an Azure VMware Solution private cloud behind NSX T0 and T1 routers. Azure VMware Solution uses
ExpressRoute Global Reach to enable communication with the hub and on-premises systems.

Prerequisites
An Azure account with an active subscription.
An Azure VMware Solution private cloud deployed and running.

Deployment and configuration


1. In the Azure portal, search for Application Gateway and select Create application gateway.
2. Provide the basic details as in the following figure; then select Next: Frontends>.
3. Choose the frontend IP address type. For public, choose an existing public IP address or create a new one.
Select Next: Backends>.
NOTE
Only standard and Web Application Firewall (WAF) SKUs are supported for private frontends.

4. Add a backend pool of the VMs that run on Azure VMware Solution infrastructure. Provide the details of
web servers that run on the Azure VMware Solution private cloud and select Add. Then select Next:
Configuration>.
5. On the Configuration tab, select Add a routing rule.
6. On the Listener tab, provide the details for the listener. If HTTPS is selected, you must provide a
certificate, either from a PFX file or an existing Azure Key Vault certificate.
7. Select the Backend targets tab and select the backend pool previously created. For the HTTP settings
field, select Add new.
8. Configure the parameters for the HTTP settings. Select Add.
9. If you want to configure path-based rules, select Add multiple targets to create a path-based rule.
10. Add a path-based rule and select Add. Repeat to add more path-based rules.
11. When you have finished adding path-based rules, select Add again; then select Next: Tags>.
12. Add tags and then select Next: Review + Create>.
13. A validation will run on your Application Gateway; if it's successful, select Create to deploy.

Configuration examples
Now we'll configure Application Gateway with Azure VMware Solution VMs as backend pools for the following
use cases:
Hosting multiple sites
Routing by URL
Hosting multiple sites
This procedure shows you how to define backend address pools using VMs running on an Azure VMware
Solution private cloud on an existing application gateway.

NOTE
This procedure assumes you have multiple domains, so we'll use examples of www.contoso.com and www.fabrikam.com.

1. In your private cloud, create two different pools of VMs. One represents Contoso and the second
Fabrikam.
We've used Windows Server 2016 with the Internet Information Services (IIS) role installed. Once the
VMs are installed, run the following PowerShell commands to configure IIS on each of the VMs.

Install-WindowsFeature -Name Web-Server


Add-Content -Path C:\inetpub\wwwroot\Default.htm -Value $($env:computername)

2. In an existing application gateway instance, select Backend pools from the left menu, select Add, and
enter the new pools' details. Select Add in the right pane.

3. In the Listeners section, create a new listener for each website. Enter the details for each listener and
select Add.
4. On the left, select HTTP settings and select Add in the left pane. Fill in the details to create a new HTTP
setting and select Save.
5. Create the rules in the Rules section of the left menu. Associate each rule with the corresponding listener.
Select Add.
6. Configure the corresponding backend pool and HTTP settings. Select Add.
7. Test the connection. Open your preferred browser and navigate to the different websites hosted on your
Azure VMware Solution environment, for example, http://www.fabrikam.com.

Routing by URL
The following steps define backend address pools using VMs running on an Azure VMware Solution private
cloud and add them to an existing application gateway. You then create routing rules that make sure web
traffic arrives at the appropriate servers in the pools.
1. In your private cloud, create a virtual machine pool to represent the web farm.
Windows Server 2016 with the IIS role installed has been used to illustrate this tutorial. Once the VMs are
installed, run the following PowerShell commands to configure IIS on each VM.
The first virtual machine, contoso-web-01, will host the main website.

Install-WindowsFeature -Name Web-Server


Add-Content -Path C:\inetpub\wwwroot\Default.htm -Value $($env:computername)

The second virtual machine, contoso-web-02, will host the images site.

Install-WindowsFeature -Name Web-Server


New-Item -Path "C:\inetpub\wwwroot\" -Name "images" -ItemType "directory"
Add-Content -Path C:\inetpub\wwwroot\images\test.htm -Value $($env:computername)

The third virtual machine, contoso-web-03, will host the video site.

Install-WindowsFeature -Name Web-Server


New-Item -Path "C:\inetpub\wwwroot\" -Name "video" -ItemType "directory"
Add-Content -Path C:\inetpub\wwwroot\video\test.htm -Value $($env:computername)

2. Add three new backend pools in an existing application gateway instance.

a. Select Backend pools from the left menu.
b. Select Add and enter the details of the first pool, contoso-web.
c. Add one VM as the target.
d. Select Add.
e. Repeat this process for contoso-images and contoso-video, adding one unique VM as the target.

3. In the Listeners section, create a new listener of type Basic using port 8080.
4. On the left navigation, select HTTP settings and select Add in the left pane. Fill in the details to create a
new HTTP setting and select Save.

5. Create the rules in the Rules section of the left menu. Associate each rule with the previously created
listener. Then configure the main backend pool and HTTP settings. Select Add.
6. Test the configuration. Access the application gateway on the Azure portal and copy the public IP address
in the Overview section.
a. Open a new browser window and enter the URL http://<app-gw-ip-address>:8080.

b. Change the URL to http://<app-gw-ip-address>:8080/images/test.htm.

c. Change the URL again to http://<app-gw-ip-address>:8080/video/test.htm.

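Both configuration examples above are built in the portal. The following is an added example, not from the Azure documentation, that builds the same two configurations on an existing Application Gateway with the Azure CLI: the "Routing by URL" path map (contoso-web as the default pool, /images/* and /video/* routed to their own pools behind a port 8080 listener) and the "Hosting multiple sites" host-name listeners for www.contoso.com and www.fabrikam.com. The resource group, gateway name, frontend IP configuration name, backend VM addresses and the pool-to-VM assignments are assumptions; the gateway and its public frontend IP are taken to exist already, as the procedures above assume. The pool_for_path function mirrors the path map's matching so the route table can be checked before anything is deployed.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): the "Routing by URL" path
# map and the "Hosting multiple sites" listeners above, created on an existing
# Application Gateway with the Azure CLI. Resource group, gateway name,
# frontend IP configuration name, backend IPs and host names are assumptions.
RG="${RG:-avs-appgw-rg}"
GW="${GW:-avs-appgw}"
FRONTEND_IP="appGatewayFrontendIP"   # check with: az network application-gateway frontend-ip list
HTTP_SETTINGS="http80"

# Constructed route table, "path-pattern=backend-pool=backend-vm-ip" per line,
# one AVS VM per pool as in step 2 above. Unmatched paths go to DEFAULT_POOL.
ROUTES='/images/*=contoso-images=172.29.1.11
/video/*=contoso-video=172.29.1.12'
DEFAULT_POOL="contoso-web"
DEFAULT_IP="172.29.1.10"

# Which pool the gateway picks for a request path: the first pattern whose
# prefix (the part before "/*") matches, else the default. Mirrors the path
# map semantics so the table can be checked offline.
pool_for_path() {
    req="$1"
    match=$(echo "$ROUTES" | while IFS='=' read -r pattern pool ip; do
        prefix=${pattern%/\*}
        case "$req" in "$prefix"/*) echo "$pool"; break ;; esac
    done)
    if [ -n "$match" ]; then echo "$match"; else echo "$DEFAULT_POOL"; fi
}

# All commands target the same gateway; az accepts options in any position.
agw() { az network application-gateway "$@" -g "$RG" --gateway-name "$GW"; }

# Backend pool holding one AVS VM (its NSX-T segment address).
agw_pool() { agw address-pool create -n "$1" --servers "$2"; }

# Steps 2-5 of "Routing by URL": pools, HTTP settings, a port 8080 listener and
# a path-based rule whose map sends /images/* and /video/* to their pools.
agw_deploy_url_routing() {
    agw_pool "$DEFAULT_POOL" "$DEFAULT_IP"
    echo "$ROUTES" | while IFS='=' read -r pattern pool ip; do agw_pool "$pool" "$ip"; done
    agw http-settings create -n "$HTTP_SETTINGS" --port 80 --protocol Http --cookie-based-affinity Disabled --timeout 30
    agw frontend-port create -n port8080 --port 8080
    agw http-listener create -n listener8080 --frontend-port port8080 --frontend-ip "$FRONTEND_IP"
    # The CLI creates the map together with its first rule; later rules are appended.
    first=1
    echo "$ROUTES" | while IFS='=' read -r pattern pool ip; do
        rule="${pool#contoso-}"
        if [ "$first" = 1 ]; then
            agw url-path-map create -n contoso-paths --rule-name "$rule" --paths "$pattern" \
                --address-pool "$pool" --http-settings "$HTTP_SETTINGS" \
                --default-address-pool "$DEFAULT_POOL" --default-http-settings "$HTTP_SETTINGS"
            first=0
        else
            agw url-path-map rule create --path-map-name contoso-paths -n "$rule" --paths "$pattern" \
                --address-pool "$pool" --http-settings "$HTTP_SETTINGS"
        fi
    done
    agw rule create -n contoso-url-rule --rule-type PathBasedRouting --http-listener listener8080 \
        --url-path-map contoso-paths --priority 100
}

# "Hosting multiple sites": one listener per host name, each tied by a Basic
# rule to its own pool, so Contoso requests never reach the Fabrikam servers.
agw_multisite_listener() {
    host="$1"; pool="$2"; prio="$3"
    name=$(echo "$host" | tr '.' '-')
    agw http-listener create -n "lst-$name" --frontend-port port80 --frontend-ip "$FRONTEND_IP" --host-name "$host"
    agw rule create -n "rule-$name" --rule-type Basic --http-listener "lst-$name" \
        --address-pool "$pool" --http-settings "$HTTP_SETTINGS" --priority "$prio"
}

agw_deploy_multisite() {
    agw_pool contoso-pool 172.29.1.21
    agw_pool fabrikam-pool 172.29.1.22
    agw http-settings create -n "$HTTP_SETTINGS" --port 80 --protocol Http --cookie-based-affinity Disabled --timeout 30
    agw frontend-port create -n port80 --port 80
    agw_multisite_listener www.contoso.com contoso-pool 200
    agw_multisite_listener www.fabrikam.com fabrikam-pool 210
}

# Set AGW_DEPLOY=url or AGW_DEPLOY=sites after "az login" to run for real.
case "${AGW_DEPLOY:-}" in
    url) agw_deploy_url_routing ;;
    sites) agw_deploy_multisite ;;
esac
```

The --priority values are required on v2 SKUs and let you order rules explicitly when several listeners share a frontend; on a WAF SKU the same gateway can then have the firewall turned on with az network application-gateway waf-config set, which is what puts the "protect" in this article's title rather than plain load balancing.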

Next Steps
Now that you've covered using Application Gateway to protect a web app running on Azure VMware Solution,
you may want to learn about:
Configuring Azure Application Gateway for different scenarios.
Deploying Traffic Manager to balance Azure VMware Solution workloads.
Integrating Azure NetApp Files with Azure VMware Solution-based workloads.
Deploy Traffic Manager to balance Azure VMware Solution workloads
2/11/2021 • 3 minutes to read • Edit Online

This article walks through the steps of how to integrate Azure Traffic Manager with Azure VMware Solution. The
integration balances application workloads across multiple endpoints. This article also walks through the steps
of how to configure Traffic Manager to direct traffic between three Azure Application Gateways spanning several
Azure VMware Solution regions.
The gateways have Azure VMware Solution virtual machines (VMs) configured as backend pool members to
load balance the incoming layer 7 requests. For more information, see Use Azure Application Gateway to protect
your web apps on Azure VMware Solution.
The diagram shows how Traffic Manager provides load balancing for the applications at the DNS level between
regional endpoints. The gateways have backend pool members configured as IIS Servers and referenced as
Azure VMware Solution external endpoints. Connection over the virtual network between the two private cloud
regions uses an ExpressRoute gateway.

Before you begin, first review the Prerequisites and then we'll walk through the procedures to:
Verify configuration of your application gateways and the NSX-T segment
Create your Traffic Manager profile
Add external endpoints into your Traffic Manager profile

Prerequisites
Three VMs configured as Microsoft IIS Servers running in different Azure VMware Solution regions:
West US
West Europe
East US (on-premises)
An application gateway with external endpoints in the Azure VMware Solution regions mentioned above.
Host with internet connectivity for verification.
An NSX-T network segment created in Azure VMware Solution.

Verify your application gateways configuration


The following steps verify the configuration of your application gateways.
1. In the Azure portal, select Application gateways to view a list of your current application gateways:
AVS-GW-WUS
AVS-GW-EUS (on-premises)
AVS-GW-WEU

2. Select one of your previously deployed application gateways.


A window opens showing various information on the application gateway.

3. Select Backend pools to verify the configuration of one of the backend pools. You see one VM backend
pool member configured as a web server with an IP address of 172.29.1.10.
4. Verify the configuration of the other application gateways and backend pool members.

Verify the NSX-T segment configuration


The following steps verify the configuration of the NSX-T segment in the Azure VMware Solution environment.
1. Select Segments to view your configured segments. You see Contoso-segment1 connected to Contoso-
T01 gateway, a Tier-1 flexible router.

2. Select Tier-1 Gateways to see a list of Tier-1 gateways with the number of linked segments.
3. Select the segment linked to Contoso-T01. A window opens showing the logical interface configured on
the Tier-01 router. It serves as a gateway to the backend pool member VM connected to the segment.
4. In the vSphere client, select the VM to view its details.

NOTE
Its IP address matches VM backend pool member configured as a web server from the preceding section:
172.29.1.10.

5. Select the VM, then select ACTIONS > Edit Settings to verify connection to the NSX-T segment.

Create your Traffic Manager profile


1. Sign in to the Azure portal. Under Azure Services > Networking , select Traffic Manager profiles .
2. Select + Add to create a new Traffic Manager profile.
3. Provide the following information and then select Create :
Profile name
Routing method (use Weighted)
Subscription
Resource group

Add external endpoints into the Traffic Manager profile


1. Select the Traffic Manager profile from the search results pane, select Endpoints , and then + Add .
2. For each of the external endpoints in the different regions, enter the required details and then select Add :
Type
Name
Fully qualified domain name (FQDN) or IP
Weight (assign a weight of 1 to each endpoint).
Once created, all three endpoints show in the Traffic Manager profile. The monitor status of all three must be
Online .
3. Select Overview and copy the URL under DNS Name .

4. Paste the DNS name URL in a browser. The screenshot shows traffic directing to the West Europe region.

5. Refresh your browser. The screenshot shows traffic directing to another set of backend pool members in
the West US region.

6. Refresh your browser again. The screenshot shows traffic directing to the final set of backend pool
members on-premises.
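The procedure above ends with a Weighted profile whose three external endpoints all report Online, and the browser refreshes show answers moving between regions. The following script is an added example (not code from the article) that checks a profile against that target state and models the weighted DNS behaviour, including what happens when one region's gateway is probed as Degraded. Feed check_profile() the parsed output of az network traffic-manager profile show -g <resource-group> -n <profile> -o json. SAMPLE_PROFILE is constructed to mirror the shape of that output; its names, addresses and FQDN are placeholders, not values from the article.

```python
"""Check a Traffic Manager profile against the target state of the procedure
above and model how weighted DNS answers move between the gateway endpoints.

Added example, not code from the article. SAMPLE_PROFILE is a constructed
stand-in for `az network traffic-manager profile show ... -o json` output;
names, addresses and the FQDN are placeholders (assumptions).
"""
import copy
import json
import random

SAMPLE_PROFILE = json.loads("""
{
  "name": "avs-tm-profile",
  "trafficRoutingMethod": "Weighted",
  "dnsConfig": {"fqdn": "avs-tm-profile.trafficmanager.net", "ttl": 60},
  "monitorConfig": {"protocol": "HTTP", "port": 8080, "path": "/",
                    "profileMonitorStatus": "Online"},
  "endpoints": [
    {"name": "AVS-GW-WUS", "target": "203.0.113.10", "weight": 1,
     "endpointStatus": "Enabled", "endpointMonitorStatus": "Online"},
    {"name": "AVS-GW-WEU", "target": "203.0.113.20", "weight": 1,
     "endpointStatus": "Enabled", "endpointMonitorStatus": "Online"},
    {"name": "AVS-GW-EUS", "target": "203.0.113.30", "weight": 1,
     "endpointStatus": "Enabled", "endpointMonitorStatus": "Online"}
  ]
}
""")


def eligible_endpoints(profile):
    """Endpoints Traffic Manager will hand out: enabled and probed as Online."""
    return [ep for ep in profile.get("endpoints", [])
            if ep.get("endpointStatus") == "Enabled"
            and ep.get("endpointMonitorStatus") == "Online"]


def check_profile(profile):
    """Return a list of findings; an empty list means the profile matches the
    state the procedure ends in (Weighted, three Online endpoints, weight 1)."""
    findings = []
    if profile.get("trafficRoutingMethod") != "Weighted":
        findings.append(f"routing method is {profile.get('trafficRoutingMethod')}, expected Weighted")
    endpoints = profile.get("endpoints", [])
    if len(endpoints) < 3:
        findings.append(f"only {len(endpoints)} endpoint(s); expected one per region")
    for ep in endpoints:
        if ep.get("endpointStatus") != "Enabled":
            findings.append(f"{ep['name']}: endpoint is {ep.get('endpointStatus')}")
        if ep.get("endpointMonitorStatus") != "Online":
            findings.append(f"{ep['name']}: monitor status is {ep.get('endpointMonitorStatus')}")
    weights = {ep.get("weight", 1) for ep in endpoints}
    if len(weights) > 1:
        findings.append(f"unequal weights {sorted(weights)}; every endpoint should carry weight 1")
    monitor = profile.get("monitorConfig", {})
    if monitor.get("protocol") != "HTTPS":
        # Caveat: the probe, and the gateway listener it hits, run in clear text.
        findings.append(f"health probes use {monitor.get('protocol')} on port "
                        f"{monitor.get('port')}; consider an HTTPS listener and probe")
    return findings


def simulate_resolution(profile, queries=300, seed=0):
    """Model weighted DNS: each query is answered with one eligible endpoint,
    chosen in proportion to its weight. Returns answers per endpoint name."""
    counts = {ep["name"]: 0 for ep in profile.get("endpoints", [])}
    pool = eligible_endpoints(profile)
    if not pool:
        return counts
    rng = random.Random(seed)
    names = [ep["name"] for ep in pool]
    weights = [ep.get("weight", 1) for ep in pool]
    for name in rng.choices(names, weights=weights, k=queries):
        counts[name] += 1
    return counts


def with_monitor_status(profile, name, status):
    """Copy of the profile with one endpoint's probe result changed, to model
    a region's gateway going Degraded."""
    clone = copy.deepcopy(profile)
    for ep in clone["endpoints"]:
        if ep["name"] == name:
            ep["endpointMonitorStatus"] = status
    return clone


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE) or ["no findings"]:
        print("finding:", finding)
    print("all Online:", simulate_resolution(SAMPLE_PROFILE))
    degraded = with_monitor_status(SAMPLE_PROFILE, "AVS-GW-WEU", "Degraded")
    print("WEU Degraded:", simulate_resolution(degraded))
```

On the constructed profile the only finding is the clear-text probe, which mirrors the article's HTTP listener on port 8080; once an endpoint is marked Degraded it also appears in the findings and receives no DNS answers, which is the behaviour the monitor status column in the portal is telling you about.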
Next steps
Now that you've covered integrating Azure Traffic Manager with Azure VMware Solution, you may want to learn
about:
Using Azure Application Gateway on Azure VMware Solution.
Traffic Manager routing methods.
Combining load-balancing services in Azure.
Measuring Traffic Manager performance.
Set up vRealize Operations for Azure VMware
Solution
2/11/2021 • 3 minutes to read

vRealize Operations Manager is an operations management platform that allows VMware infrastructure
administrators to monitor system resources. These system resources could be application-level or infrastructure
level (both physical and virtual) objects. Most VMware administrators have used vRealize Operations to monitor
and manage the VMware private cloud components – vCenter, ESXi, NSX-T, vSAN, and VMware HCX. Each
provisioned Azure VMware Solution private cloud includes a dedicated vCenter, NSX-T, vSAN, and HCX
deployment.
Thoroughly review Before you begin and Prerequisites first. Then, we'll walk you through the two typical
deployment topologies:
On-premises vRealize Operations managing Azure VMware Solution deployment
vRealize Operations running on Azure VMware Solution deployment

Before you begin


Review the vRealize Operations Manager product documentation to learn more about deploying vRealize
Operations.
Review the basic Azure VMware Solution Software-Defined Datacenter (SDDC) tutorial series.
Optionally, review the vRealize Operations Remote Controller product documentation for the on-premises
vRealize Operations managing Azure VMware Solution deployment option.

Prerequisites
vRealize Operations Manager installed.
A VPN or an Azure ExpressRoute configured between on-premises and Azure VMware Solution SDDC.
An Azure VMware Solution private cloud has been deployed in Azure.

On-premises vRealize Operations managing Azure VMware Solution


deployment
Most customers have an existing on-premises deployment of vRealize Operations to manage one or more on-
premises vCenter domains. When they provision an Azure VMware Solution private cloud, they connect their
on-premises environment with their private cloud using an Azure ExpressRoute or a Layer 3 VPN solution.
To extend the vRealize Operations capabilities to the Azure VMware Solution private cloud, you create an
adapter instance for the private cloud resources. It collects data from the Azure VMware Solution private cloud
and brings it into on-premises vRealize Operations. The on-premises vRealize Operations Manager instance can
directly connect to the vCenter and NSX-T Manager on Azure VMware Solution. Optionally, you can deploy a
vRealize Operations Remote Collector on the Azure VMware Solution private cloud. The collector compresses
and encrypts the data collected from the private cloud before it's sent over the ExpressRoute or VPN network to
the vRealize Operations Manager running on-premises.

TIP
Refer to the VMware documentation for a step-by-step guide to installing vRealize Operations Manager.

vRealize Operations running on Azure VMware Solution deployment


Another option is to deploy an instance of vRealize Operations Manager on a vSphere cluster in the private
cloud.

IMPORTANT
This option isn't currently supported by VMware.
Once the instance has been deployed, you can configure vRealize Operations to collect data from vCenter, ESXi,
NSX-T, vSAN, and HCX.

Known limitations
The cloudadmin@vsphere.local user in Azure VMware Solution has limited privileges. Virtual machines
(VMs) on Azure VMware Solution don't support in-guest memory collection using VMware Tools. Active
and consumed memory utilization continues to work in this case.
Workload optimization for host-based business intent doesn't work because Azure VMware Solution
manages cluster configurations, including DRS settings.
Workload optimization for the cross-cluster placement within the SDDC using the cluster-based business
intent is fully supported with vRealize Operations Manager 8.0 and onwards. However, workload
optimization isn't aware of resource pools and places the VMs at the cluster level. A user can manually
correct it in the Azure VMware Solution vCenter Server interface.
You can't sign in to vRealize Operations Manager using your Azure VMware Solution vCenter Server
credentials.
Azure VMware Solution doesn't support the vRealize Operations Manager plugin.
When you connect the Azure VMware Solution vCenter to vRealize Operations Manager using a vCenter Server
Cloud Account, you'll see a warning:

The warning occurs because the cloudadmin@vsphere.local user in Azure VMware Solution doesn't have
sufficient privileges to do all vCenter Server actions required for registration. However, the privileges are
sufficient for the adapter instance to do data collection, as seen below:

For more information, see Privileges Required for Configuring a vCenter Adapter Instance.
Deploy Horizon on Azure VMware Solution
2/11/2021 • 11 minutes to read

NOTE
This document focuses on the VMware Horizon product, formerly known as Horizon 7. Horizon is a different solution than
Horizon Cloud on Azure, although there are some shared components. Key advantages of the Azure VMware Solution
include both a more straightforward sizing method and the integration of VMware Cloud Foundation management into
the Azure portal.

VMware Horizon®, a virtual desktop and applications platform, runs in the data center and provides simple and
centralized management. It delivers virtual desktops and applications on any device, anywhere. Horizon lets you
create and broker connections to Windows and Linux virtual desktops, Remote Desktop Server (RDS) hosted
applications, desktops, and physical machines.
Here, we focus specifically on deploying Horizon on Azure VMware Solution. For general information on
VMware Horizon, refer to the Horizon product documentation:
What is VMware Horizon?
Learn more about VMware Horizon
Horizon Reference Architecture
With Horizon's introduction on Azure VMware Solution, there are now two Virtual Desktop Infrastructure (VDI)
solutions on the Azure platform. The following diagram summarizes the key differences at a high level.

Horizon 2006 and later versions on the Horizon 8 release line support both on-premises deployment and
Azure VMware Solution deployment. A few Horizon features are supported on-premises but not
on Azure VMware Solution. Additional products in the Horizon ecosystem are also supported. For more
information, see feature parity and interoperability.

Deploy Horizon in a hybrid cloud


You can deploy Horizon in a hybrid cloud environment when you use Horizon Cloud Pod Architecture (CPA) to
interconnect on-premises and Azure datacenters. CPA scales up your deployment, builds a hybrid cloud, and
provides redundancy for Business Continuity and Disaster Recovery. For more information, see Expanding
Existing Horizon 7 Environments.

IMPORTANT
CPA is not a stretched deployment; each Horizon pod is distinct, and all Connection Servers that belong to each of the
individual pods are required to be located in a single location and run on the same broadcast domain from a network
perspective.

As in an on-premises or private data center, Horizon can be deployed in an Azure VMware Solution private cloud.
We'll discuss key differences in deploying Horizon on-premises and on Azure VMware Solution in the following
sections.
The Azure private cloud is conceptually the same as the VMware SDDC, a term typically used in Horizon
documentation. The rest of this document uses the terms Azure private cloud and VMware SDDC
interchangeably.
The Horizon Cloud Connector is required for Horizon on Azure VMware Solution to manage subscription
licenses. Cloud Connector can be deployed in Azure Virtual Network alongside Horizon Connection Servers.

IMPORTANT
Horizon Control Plane support for Horizon on Azure VMware Solution is not yet available. Be sure to download the VHD
version of Horizon Cloud Connector.

vCenter Cloud Admin role


Since Azure VMware Solution is an SDDC service and Azure manages the lifecycle of the SDDC on Azure
VMware Solution, the vCenter permission model on Azure VMware Solution is limited by design.
Customers are required to use the Cloud Admin role, which has a limited set of vCenter permissions. The
Horizon product was modified to work with the Cloud Admin role on Azure VMware Solution, specifically:
Instant clone provisioning was modified to run on Azure VMware Solution.
A specific vSAN policy (VMware_Horizon) was created on Azure VMware Solution to work with Horizon,
which must be available and used in the SDDCs deployed for Horizon.
vSphere Content-Based Read Cache (CBRC), also known as View Storage Accelerator, is disabled when
running on the Azure VMware Solution.

IMPORTANT
CBRC must not be turned back on.

NOTE
Azure VMware Solution automatically configures specific Horizon settings as long as you deploy Horizon 2006 (aka
Horizon 8) and above on the Horizon 8 branch and select the Azure option in the Horizon Connection Server installer.

Horizon on Azure VMware Solution deployment architecture


A typical Horizon architecture design uses a pod and block strategy. A block is a single vCenter, while multiple
blocks combined make a pod. A Horizon pod is a unit of organization determined by Horizon scalability limits.
Each Horizon pod has a separate management portal, and so a standard design practice is to minimize the
number of pods.
Every cloud has its own network connectivity scheme. Combined with VMware SDDC networking / NSX Edge,
the Azure VMware Solution network connectivity presents unique requirements for deploying Horizon that
differ from on-premises.
Each Azure private cloud and SDDC can handle 4,000 desktop or application sessions, assuming:
The workload traffic aligns with the LoginVSI task worker profile.
Only protocol traffic is considered, no user data.
NSX Edge is configured to be large.

NOTE
Your workload profile and needs may be different, and therefore results may vary based on your use case. User Data
volumes may lower scale limits in the context of your workload. Size and plan your deployment accordingly. For more
information, see the sizing guidelines in the Size Azure VMware Solution hosts for Horizon deployments section.

Given the Azure private cloud and SDDC max limit, we recommend a deployment architecture where the
Horizon Connection Servers and VMware Unified Access Gateways (UAGs) are running inside the Azure Virtual
Network. It effectively turns each Azure private cloud and SDDC into a block, which in turn maximizes the
scalability of Horizon running on Azure VMware Solution.
The connection from Azure Virtual Network to the Azure private clouds / SDDCs should be configured with
ExpressRoute FastPath. The following diagram shows a basic Horizon pod deployment.

Network connectivity to scale Horizon on Azure VMware Solution


This section lays out the network architecture at a high level with some common deployment examples to help
you scale Horizon on Azure VMware Solution. The focus is specifically on critical networking elements.
Single Horizon pod on Azure VMware Solution

A single Horizon pod is the most straightforward deployment scenario because you deploy just one Horizon
pod in the US East region. Since each private cloud and SDDC is estimated to handle 4,000 desktop sessions,
you deploy the maximum Horizon pod size. You can plan the deployment of up to three private clouds/SDDCs.
With the Horizon infrastructure virtual machines (VMs) deployed in Azure Virtual Network, you can reach
12,000 sessions per Horizon pod. The connection between each private cloud and SDDC and the Azure Virtual
Network is ExpressRoute FastPath. No east-west traffic between private clouds is needed.
Key assumptions for this basic deployment example include that:
You don't have an on-premises Horizon pod that you want to connect to this new pod using Cloud Pod
Architecture (CPA).
End users connect to their virtual desktops through the internet (vs. connecting via an on-premises data
center).
You connect your AD domain controller in Azure Virtual Network with your on-premises AD through VPN or
ExpressRoute circuit.
A variation on the basic example might be to support connectivity for on-premises resources. For example,
users access desktops and generate virtual desktop application traffic or connect to an on-premises Horizon pod
using CPA.
The diagram shows how to support connectivity for on-premises resources. To connect your corporate
network to the Azure Virtual Network, you'll need an ExpressRoute circuit. You'll also need to connect your
corporate network with each of the private clouds and SDDCs using ExpressRoute Global Reach. It allows
connectivity from the SDDC to the ExpressRoute circuit and on-premises resources.
Multiple Horizon pods on Azure VMware Solution across multiple regions
Another scenario is scaling Horizon across multiple pods. In this scenario, you deploy two Horizon pods in two
different regions and federate them using CPA. It's similar to the network configuration in the previous example,
but with some additional cross-regional links.
You'll connect the Azure Virtual Network in each region to the private clouds/SDDCs in the other region. It
allows the Horizon Connection Servers that are part of the CPA federation to connect to all desktops under
management. Adding more private clouds/SDDCs to this configuration would allow you to scale to 24,000
sessions overall.
The same principles apply if you deploy two Horizon pods in the same region. Make sure to deploy the second
Horizon pod in a separate Azure Virtual Network. Just like the single pod example, you can connect your
corporate network and on-premises pod to this multi-pod/region example using ExpressRoute and Global
Reach.
Size Azure VMware Solution hosts for Horizon deployments
Horizon's sizing methodology on a host running in Azure VMware Solution is simpler than Horizon on-
premises. That's because the Azure VMware Solution host is standardized. Exact host sizing helps determine the
number of hosts needed to support your VDI requirements. It's central to determining the cost-per-desktop.
Sizing tables
Specific vCPU/vRAM requirements for Horizon virtual desktops depend on the customer's specific workload
profile. Work with your Microsoft and VMware sales teams to help determine your vCPU/vRAM requirements for
your virtual desktops.

Number of Azure VMware Solution hosts required, by desktop profile (vCPU and vRAM per VM) and number of VMs:

vCPU per VM | vRAM per VM (GB) | Instance | 100 VMs | 200 VMs | 300 VMs | 400 VMs | 500 VMs | 600 VMs | 700 VMs | 800 VMs | 900 VMs | 1000 VMs | 2000 VMs | 3000 VMs | 4000 VMs | 5000 VMs | 6000 VMs | 6400 VMs
2 | 3.5 | AVS | 3 | 3 | 4 | 4 | 5 | 6 | 6 | 7 | 8 | 9 | 17 | 25 | 33 | 41 | 49 | 53
2 | 4 | AVS | 3 | 3 | 4 | 5 | 6 | 6 | 7 | 8 | 9 | 9 | 18 | 26 | 34 | 42 | 51 | 54
2 | 6 | AVS | 3 | 4 | 5 | 6 | 7 | 9 | 10 | 11 | 12 | 13 | 26 | 38 | 51 | 62 | 75 | 79
2 | 8 | AVS | 3 | 5 | 6 | 8 | 9 | 11 | 12 | 14 | 16 | 18 | 34 | 51 | 67 | 84 | 100 | 106
2 | 12 | AVS | 4 | 6 | 9 | 11 | 13 | 16 | 19 | 21 | 23 | 26 | 51 | 75 | 100 | 124 | 149 | 158
2 | 16 | AVS | 5 | 8 | 11 | 14 | 18 | 21 | 24 | 27 | 30 | 34 | 67 | 100 | 133 | 165 | 198 | 211
4 | 3.5 | AVS | 3 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 22 | 33 | 44 | 55 | 66 | 70
4 | 4 | AVS | 3 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 22 | 33 | 44 | 55 | 66 | 70
4 | 6 | AVS | 3 | 4 | 5 | 6 | 7 | 9 | 10 | 11 | 12 | 13 | 26 | 38 | 51 | 62 | 75 | 79
4 | 8 | AVS | 3 | 5 | 6 | 8 | 9 | 11 | 12 | 14 | 16 | 18 | 34 | 51 | 67 | 84 | 100 | 106
4 | 12 | AVS | 4 | 6 | 9 | 11 | 13 | 16 | 19 | 21 | 23 | 26 | 51 | 75 | 100 | 124 | 149 | 158
4 | 16 | AVS | 5 | 8 | 11 | 14 | 18 | 21 | 24 | 27 | 30 | 34 | 67 | 100 | 133 | 165 | 198 | 211
6 | 3.5 | AVS | 3 | 4 | 5 | 6 | 7 | 9 | 10 | 11 | 13 | 14 | 27 | 41 | 54 | 68 | 81 | 86
6 | 4 | AVS | 3 | 4 | 5 | 6 | 7 | 9 | 10 | 11 | 13 | 14 | 27 | 41 | 54 | 68 | 81 | 86
6 | 6 | AVS | 3 | 4 | 5 | 6 | 7 | 9 | 10 | 11 | 13 | 14 | 27 | 41 | 54 | 68 | 81 | 86
6 | 8 | AVS | 3 | 5 | 6 | 8 | 9 | 11 | 12 | 14 | 16 | 18 | 34 | 51 | 67 | 84 | 100 | 106
6 | 12 | AVS | 4 | 6 | 9 | 11 | 13 | 16 | 19 | 21 | 23 | 26 | 51 | 75 | 100 | 124 | 149 | 158
6 | 16 | AVS | 5 | 8 | 11 | 14 | 18 | 21 | 24 | 27 | 30 | 34 | 67 | 100 | 133 | 165 | 198 | 211
8 | 3.5 | AVS | 3 | 4 | 6 | 7 | 9 | 10 | 12 | 14 | 15 | 17 | 33 | 49 | 66 | 82 | 98 | 105
8 | 4 | AVS | 3 | 4 | 6 | 7 | 9 | 10 | 12 | 14 | 15 | 17 | 33 | 49 | 66 | 82 | 98 | 105
8 | 6 | AVS | 3 | 4 | 6 | 7 | 9 | 10 | 12 | 14 | 15 | 17 | 33 | 49 | 66 | 82 | 98 | 105
8 | 8 | AVS | 3 | 5 | 6 | 8 | 9 | 11 | 12 | 14 | 16 | 18 | 34 | 51 | 67 | 84 | 100 | 106
8 | 12 | AVS | 4 | 6 | 9 | 11 | 13 | 16 | 19 | 21 | 23 | 26 | 51 | 75 | 100 | 124 | 149 | 158
8 | 16 | AVS | 5 | 8 | 11 | 14 | 18 | 21 | 24 | 27 | 30 | 34 | 67 | 100 | 133 | 165 | 198 | 211

Horizon sizing inputs


Here's what you'll need to gather for your planned workload:
Number of concurrent desktops
Required vCPU per desktop
Required vRAM per desktop
Required storage per desktop
In general, VDI deployments are either CPU or RAM constrained, which determines the host size. Let's take the
following example for a LoginVSI Knowledge Worker type of workload, validated with performance testing:
2,000 concurrent desktops
2 vCPU per desktop
4 GB vRAM per desktop
50 GB of storage per desktop
For this example, the total number of hosts factors out to 18 (the 2 vCPU / 4 GB row of the sizing table above at
2,000 VMs), yielding a VM-per-host density of roughly 111.

IMPORTANT
Customer workloads will vary from this example of a LoginVSI Knowledge Worker. As a part of planning your deployment,
work with your VMware EUC SEs for your specific sizing and performance needs. Be sure to run your own performance
testing using the actual, planned workload before finalizing host sizing and adjust accordingly.

Horizon on Azure VMware Solution licensing


The overall cost of running Horizon on Azure VMware Solution has several components:
Azure VMware Solution Capacity Cost
For information on the pricing, see the Azure VMware Solution pricing page
Horizon Licensing Cost
There are two available licenses for use with the Azure VMware Solution, which can be either Concurrent User
(CCU) or Named User (NU):
Horizon Subscription License
Horizon Universal Subscription License
If only deploying Horizon on Azure VMware Solution for the foreseeable future, then use the Horizon
Subscription License as it is a lower cost.
If deployed on Azure VMware Solution and on-premises, as with a disaster recovery use case, choose the
Horizon Universal Subscription License. It includes a vSphere license for on-premises deployment, so it has a
higher cost.
Work with your VMware EUC sales team to determine the Horizon licensing cost based on your needs.
Azure Instance Types
To understand the Azure virtual machine sizes required for the Horizon infrastructure, refer to VMware's
guidelines.

Next steps
To learn more about VMware Horizon on Azure VMware Solution, read the VMware Horizon FAQ.
Backup solutions for Azure VMware Solution virtual
machines (VMs)
2/11/2021 • 2 minutes to read

A key principle of Azure VMware Solution is to enable you to continue to use your investments and your
favorite VMware solutions running on Azure. Independent software vendor (ISV) technology support, validated
with Azure VMware Solution, is an important part of this strategy.
Our backup partners have industry-leading backup and restore solutions in VMware-based environments.
Customers have widely adopted these solutions for their on-premises deployments. Now these partners have
extended their solutions to Azure VMware Solution, using Azure to provide a backup repository and a storage
target for long-term retention and archival.
Backup network traffic between Azure VMware Solution VMs and the backup repository in Azure travels over a
high-bandwidth, low-latency link. Replication traffic across regions travels over the internal Azure backplane
network, which lowers bandwidth costs for users.
You can find more information on these backup solutions here:
Commvault
Veritas
Veeam
Open a support request for an Azure VMware
Solution deployment or provisioning failure
2/11/2021 • 3 minutes to read

This article shows you how to open a support request and provide key information for an Azure VMware
Solution deployment or provisioning failure.
When you have a failure on your private cloud, you need to open a support request in the Azure portal. To open
a support request, first get some key information in the Azure portal:
Correlation ID
Azure ExpressRoute circuit ID
Error messages

Get the correlation ID


When you create a private cloud or any other resource in Azure, a correlation ID is automatically
generated for the resource. Include the private cloud correlation ID in your support request to more quickly
open and resolve the request.
In the Azure portal, you can get the correlation ID for a resource in two ways:
Overview pane
Deployment logs
Get the correlation ID from the resource overview
Here's an example of the operation details of a failed private cloud deployment, with the correlation ID selected:

To access deployment results in a private cloud Overview pane:


1. In the Azure portal, select your private cloud.
2. In the left menu, select Overview .
After a deployment is initiated, the results of the deployment are shown in the private cloud Overview pane.
Copy and save the private cloud deployment correlation ID to include in the service request.
Get the correlation ID from the deployment log
You can get the correlation ID for a failed deployment by searching the deployment activity log in the Azure
portal.
To access the deployment log:
1. In the Azure portal, select your private cloud, and then select the notifications icon.

2. In the Notifications pane, select More events in the activity log :

3. To find the failed deployment and its correlation ID, search for the name of the resource or other
information that you used to create the resource.
The following example shows search results for a private cloud resource named pc03.

4. In the search results in the Activity log pane, select the operation name of the failed deployment.
5. In the Create or update a PrivateCloud pane, select the JSON tab, and then look for correlationId in
the log that is shown. Copy the correlationId value to include it in your support request.
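Steps 3 to 5 above can be scripted so that the correlation ID and the error text land in one block ready for the support request. The following is an added example (not code from the article): run az monitor activity-log list --resource-group <resource-group> --offset 7d -o json and pass the parsed list to failed_private_cloud_deployments(). SAMPLE_EVENTS is constructed to mirror the shape of that output (an Accepted event, the Failed event that shares its correlation ID, and an unrelated successful operation); the subscription, resource names, GUIDs and error text are placeholders, not real values.

```python
"""Pull the correlation ID and error text of a failed private cloud deployment
out of the activity log, ready to paste into the support request.

Added example, not code from the article. SAMPLE_EVENTS is a constructed
stand-in for `az monitor activity-log list ... -o json` output; subscription,
names, GUIDs and the error text are placeholders (assumptions).
"""
import json

PC_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avs"
         "/providers/Microsoft.AVS/privateClouds/pc03")
PC_WRITE = {"value": "Microsoft.AVS/privateClouds/write",
            "localizedValue": "Create or update a PrivateCloud"}

SAMPLE_EVENTS = [
    {   # the deployment was accepted first ...
        "correlationId": "11111111-2222-3333-4444-555555555555",
        "eventTimestamp": "2021-02-10T14:02:11.000000Z",
        "operationName": PC_WRITE, "resourceId": PC_ID,
        "status": {"value": "Accepted", "localizedValue": "Accepted"},
        "properties": {"statusCode": "Accepted"},
    },
    {   # ... and failed half an hour later; statusMessage is itself a JSON string
        "correlationId": "11111111-2222-3333-4444-555555555555",
        "eventTimestamp": "2021-02-10T14:31:47.000000Z",
        "operationName": PC_WRITE, "resourceId": PC_ID,
        "status": {"value": "Failed", "localizedValue": "Failed"},
        "properties": {
            "statusCode": "BadRequest",
            "statusMessage": json.dumps({"error": {
                "code": "QuotaExceeded",
                "message": "placeholder quota error text for this example"}}),
        },
    },
    {   # unrelated, successful operation in the same resource group
        "correlationId": "66666666-7777-8888-9999-000000000000",
        "eventTimestamp": "2021-02-10T13:55:00.000000Z",
        "operationName": {"value": "Microsoft.Network/virtualNetworks/write",
                          "localizedValue": "Create or Update Virtual Network"},
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avs"
                      "/providers/Microsoft.Network/virtualNetworks/vnet-avs",
        "status": {"value": "Succeeded", "localizedValue": "Succeeded"},
        "properties": {"statusCode": "OK"},
    },
]


def parse_status_message(raw):
    """statusMessage normally wraps {"error": {"code", "message"}} as a JSON
    string; return (code, message), falling back to the raw text."""
    if not raw:
        return None, None
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        return None, str(raw)
    if isinstance(body, dict):
        err = body.get("error", body)
        if isinstance(err, dict):
            return err.get("code"), err.get("message")
    return None, str(raw)


def failed_private_cloud_deployments(events, prefix="microsoft.avs/privateclouds/"):
    """Failed Microsoft.AVS/privateClouds operations, newest first, each with
    the fields the support request asks for."""
    records = []
    for ev in events:
        op = ev.get("operationName") or {}
        if not op.get("value", "").lower().startswith(prefix):
            continue
        if (ev.get("status") or {}).get("value") != "Failed":
            continue
        code, message = parse_status_message((ev.get("properties") or {}).get("statusMessage"))
        records.append({
            "resource": ev.get("resourceId", "").rsplit("/", 1)[-1],
            "operation": op.get("localizedValue", op.get("value")),
            "timestamp": ev.get("eventTimestamp"),
            "correlationId": ev.get("correlationId"),
            "errorCode": code,
            "errorMessage": message,
        })
    records.sort(key=lambda r: r["timestamp"] or "", reverse=True)
    return records


def support_request_details(record):
    """Text for the 'Provide details about the issue' box of the support request."""
    return "\n".join([
        f"Correlation ID: {record['correlationId']}",
        f"Resource: {record['resource']}",
        f"Operation: {record['operation']} at {record['timestamp']}",
        f"Error: {record['errorCode'] or 'n/a'} - {record['errorMessage'] or 'n/a'}",
    ])


if __name__ == "__main__":
    for rec in failed_private_cloud_deployments(SAMPLE_EVENTS):
        print(support_request_details(rec), end="\n\n")
```

Only the Failed event of the private cloud write is reported; the Accepted event that shares its correlation ID and the unrelated virtual network operation are dropped, which is the same filtering you do by hand when you search the activity log for the resource name.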

Copy error messages


To help resolve your deployment issue, include any error messages that are shown in the Azure portal. Select a
warning message to see a summary of errors:
To copy the error message, select the copy icon. Save the copied message to include in your support request.

Get the ExpressRoute ID (URI)


Perhaps you're trying to scale or peer an existing private cloud with the private cloud ExpressRoute circuit, and it
fails. In that scenario, you need the ExpressRoute ID to include in your support request.
To copy the ExpressRoute ID:
1. In the Azure portal, select your private cloud.
2. In the left menu, under Manage , select Connectivity .
3. In the right pane, select the ExpressRoute tab.
4. Select the copy icon for ExpressRoute ID and save the value to use in your support request.
Pre-validation failures
If your private cloud pre-validation check failed (before deployment), a correlation ID won't have been
generated. In this scenario, you can provide the following information in your support request:
Error and failure messages. These messages can be helpful in many failures, for example, for quota-related
issues. It's important to copy these messages and include them in the support request, as described in this
article.
Information you used to create the Azure VMware Solution private cloud, including:
Location
Resource group
Resource name

Create your support request


For general information about creating a support request, see How to create an Azure support request.
To create a support request for an Azure VMware Solution deployment or provisioning failure:
1. In the Azure portal, select the Help icon, and then select New support request .
2. Enter or select the required information:
a. On the Basics tab:
a. For Problem type , select Configuration and Setup Issues .
b. For Problem subtype , select Provision a private cloud .
b. On the Details tab:
a. Enter or select the required information.
b. Paste your Correlation ID or ExpressRoute ID where this information is requested. If you
don't see a specific text box for these values, paste them in the Provide details about the
issue text box.
c. Paste any error details, including the error or failure messages you copied, in the Provide details
about the issue text box.
3. Review your entries, and then select Create to create your support request.
