Public Sector Disconnected

Private Cloud with

Azure Stack Hub
Author: Kevin Rabun

Microsoft Confidential 1
Table of Contents

Overview������������������������������������������������������������������������������������������������������������������������������������������������������������������3

Architecture�������������������������������������������������������������������������������������������������������������������������������������������������������������5
Infrastructure���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������5

Identity & Access Management���������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 5

Administration������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 7

Update Management��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 10

Scalability���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������11

High Availability�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 13

Disaster Recovery����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 13

Multi-tenancy and Tenant Isolation������������������������������������������������������������������������������������������������������������������������������������������������������������������� 14

Security������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������ 14

Datacenter Integration������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 17

Data Residency����������������������������������������������������������������������������������������������������������������������������������������������������� 19

Security and Operations������������������������������������������������������������������������������������������������������������������������������������� 19

Collected diagnostic, service-generated, and support data�������������������������������������������������������������������������������������������������������������������� 19

Location of diagnostic, service-generated, and support data����������������������������������������������������������������������������������������������������������������� 19

Location of diagnostic and support tools��������������������������������������������������������������������������������������������������������������������������������������������������������20

Access to diagnostic, service-generated, and support data and tools�������������������������������������������������������������������������������������������������20

Microsoft access for law enforcement requests��������������������������������������������������������������������������������������������������������������������������������������������20

Security Clearance����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������20

Autarky������������������������������������������������������������������������������������������������������������������������������������������������������������������� 21
Service availability with disconnected operation����������������������������������������������������������������������������������������������������������������������������������������� 21

Operational degradation during disconnected operation�����������������������������������������������������������������������������������������������������������������������22

Duration of disconnected operation�����������������������������������������������������������������������������������������������������������������������������������������������������������������22

Applicable Regulations�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������22

Operational Models���������������������������������������������������������������������������������������������������������������������������������������������23

Conclusion�������������������������������������������������������������������������������������������������������������������������������������������������������������25

Microsoft Confidential 2
Overview

Note: If regulatory and operational requirements can be met by the Azure cloud or by a hybrid cloud
with Azure and Azure Stack HCI, please consider those options before Azure Stack Hub disconnected. A
disconnected Azure Stack Hub is meant to provide a subset of Azure capabilities within the datacenter,
or at a remote customer location, to meet the most stringent regulatory and operational requirements
at the expense of simplicity and scalability when compared to other Azure offerings.

Note: References throughout this document to Azure cloud is meant to encompass the commercial
public Azure cloud and sovereign clouds, where available.

Azure Stack Hub is an extension of Azure that provides a way to run apps in an on-premises
environment and deliver Azure services in your datacenter, or at a remote location. It is available
in two forms – standard Azure Stack Hub, intended for datacenter use, and Rugged Azure Stack
Hub, intended for harsh operating environments such as military theaters. Azure Stack Hub can run
disconnected from the internet, giving you full control over hardware, network access, software
updates, management access, and other operational aspects. If needed, Azure Stack Hub can be
operated by cleared personnel and can run disconnected indefinitely, such as during forward-
deployed operations where communications are limited, or during disaster response scenarios where
connectivity may be degraded or unavailable. These benefits are offset by limited functionality and
scalability compared to other Azure offerings, and more operational responsibility on the customer.

Azure Stack Hub-integrated systems are comprised of racks of 4-16 servers integrated by trusted
hardware partners and delivered straight to your datacenter or remote location. After delivery, a
solution provider will work with you to deploy the integrated system and ensure the Azure Stack
Hub solution meets your operational requirements. Azure Stack Hub integrated systems are
available in over 90 countries/regions through our hardware partners. A list of partners and where
they can deploy Azure Stack Hub solutions can be found here.

Azure Stack Hub is built on industry standard hardware and is managed using the same tools
you already use for managing Azure subscriptions. As a result, you can apply consistent DevOps
processes even when you’re disconnected from Azure.

The Azure Stack Hub architecture lets you provide Azure services while disconnected from the
internet. Because Azure Stack Hub is deployed on-premises or in remote locales, you can meet
specific regulatory, policy, and mission requirements with the flexibility of cloud-enabled apps
available in your chosen location without changing any code.

Microsoft Confidential 3
 Azure Stack Hub running disconnected is purpose built for the following scenarios:

You have security or other restrictions that require you to deploy Azure Stack Hub in an
environment that isn’t connected to the internet.

You want to block data (including usage data) from being sent to Azure
(Data Sovereignty and Residency).

You want to block data (including usage data) from leaving a geo-political boundary
(Data Sovereignty and Residency).

You have autarky requirements that necessitate all IT capabilities exist within a specific
geo-political boundary.

You want to use Azure Stack Hub purely as a private cloud solution that’s deployed to
your network, and you aren’t interested in hybrid scenarios where your Azure Stack Hub
connects to an Azure cloud.

Microsoft Confidential 4
Architecture

Infrastructure
Azure Stack Hub integrated systems are An Azure Stack Hub integrated system can
offered through a partnership of Microsoft range in size from 4-16 servers, called a scale
and hardware partners, creating a solution that unit. Integrated systems are jointly supported
offers cloud-paced innovation and computing by the hardware partner and Microsoft. The
management simplicity. Because Azure Stack diagram to the right shows an example
Hub is offered as an integrated hardware and of a scale unit.
software system, you have the flexibility and
control you need, along with the ability to Identity & Access Management
innovate based on cloud services.
For disconnected deployments of Azure Stack
Hub, you must use Active Directory Federation
Services (AD FS). Azure Stack Hub resource
providers and other apps work similarly with
AD FS or Azure AD. Azure Stack Hub includes
its own Active Directory instance and an Active
Directory Graph API. Deploying with AD FS
allows identities in an existing Active Directory
Forest to authenticate with resources in Azure
Stack Hub. This existing Active Directory Forest
requires a deployment of AD FS to allow the
creation of an AD FS federation trust.

Authentication is one part of identity. To

manage role-based access control (RBAC) in
Azure Stack Hub, the Graph component must
be configured. When access to a resource is
delegated, the Graph component looks up the
user account in the existing Active Directory
Forest using the LDAP protocol.

Microsoft Confidential 5
The existing AD FS is the account security token service (STS) that sends claims to the Azure Stack
Hub AD FS (the resource STS). In Azure Stack Hub, automation creates the claims provider trust with
the metadata endpoint for the existing AD FS.

At the existing AD FS, a relying party trust must be configured. This step isn’t done by the
automation and must be configured by the operator.

The relying party trust configuration also requires you to configure the claim transformation rules
that are provided by Microsoft.

For the Graph configuration, a service account must be provided that has “read” permission in
the existing Active Directory. This account is required as input for the automation to enable
RBAC scenarios.

For the last step, a new owner is configured for the default provider subscription. This account has
full access to all resources when signed into the Azure Stack Hub administrator portal.

Additional information on integrating AD FS with Azure Stack Hub can be found here.

Microsoft Confidential 6
 Administration
Azure Stack Hub customers can make decisions on which services
will be made available to their users. Azure Stack Hub supports a
subset of Azure services.

By default, Azure Stack Hub includes the following foundational

services when you deploy the system:
• Compute
• Storage
• Networking
• Key Vault
With these foundational services, you can offer Infrastructure-as-
a-Service (IaaS) to your users with minimal configuration.

Currently, Microsoft supports the following additional Platform-

as-a-Service (PaaS) services:
• App Service
• Azure Functions
• SQL and MySQL databases
• Event Hubs
• Kubernetes (in preview)
These services require additional configuration before you can
make them available to your users.

You can find hundreds of additional Azure Stack Hub services, VM

images, VM extensions and solution templates from Microsoft
and 3rd party vendors on the Azure Marketplace.

The IaaS and PaaS services available on Azure Stack Hub will
be available later than the service versions in Azure cloud. API
profiles specify the Azure resource provider and the API version
for Azure REST endpoints. You can create custom clients in
different languages using API profiles. Each client uses an API
profile to contact the correct resource provider and API version
for Azure Stack Hub.

Microsoft Confidential 7
You can create an app to work with Azure You’ll also need to add applications and/or
resource providers without having to know services to Azure Stack Hub Marketplace. As an
exactly which version of each resource provider Azure Stack Hub operator, you can download
API is compatible with Azure Stack Hub. Just items to Azure Stack Hub from the Marketplace
align your app to a profile and the SDK reverts and make them available to all users using
to the correct API version. For additional the Azure Stack Hub environment. The items
information about API version management you can choose are from a curated list of
with Azure Stack Hub review the article here. An Azure Marketplace items that are pre-tested
updated list of current API versions available for and supported to work with Azure Stack Hub.
Azure Stack Hub is here. Additional items are frequently added to this
list, so continue to check back for new content.
Decide which services to offer, and make those
An updated list of Azure Marketplace items
services available by creating plans, offers, and
available for Azure Stack Hub can be found
quotas. As an Azure Stack Hub operator, you
here. The list includes Microsoft and Third-Party
configure and deliver services by using offers,
offerings to improve operational efficiencies and
plans, and subscriptions. Offers contain one
reduce IT configuration overhead for common
or more plans, and each plan includes one or
use cases. It is your responsibility, as an Azure
more services, each configured with quotas.
Stack Hub operator, to verify and validate that
By creating plans and combining them into
Azure Stack Hub Marketplace solutions meet
different offers, users can subscribe to your
your specific accreditation requirements.
offers and deploy resources. This structure
lets you manage: When Azure Stack Hub is operating
disconnected, you use PowerShell and the
• Which services and resources your
marketplace syndication tool to download the
users can access.
marketplace items to a machine with internet
• The amount of resources that
connectivity. You then transfer the items to your
users can consume.
Azure Stack Hub environment. The transfer
• Which regions have access to is completed using approved processes for
the resources. your environment, with some examples being
Additional details about services, plans, offers transfer on write once media or using a Cross
and subscriptions are located here. Domain Solution (CDS) to transfer the content.
In a disconnected environment, you can’t
download marketplace items by using the
Azure Stack Hub portal.

Microsoft Confidential 8
In addition to providing services, you must do the regular duties
of an operator to keep Azure Stack Hub up and running. These
duties include the following tasks:
• Add user accounts for AD FS deployment.
• Assign role-based access control (RBAC) roles (This task isn’t
restricted to admins.)
• Monitor infrastructure health.
• Manage network and storage resources.
• Replace bad hardware. For an integrated system, there’s
a coordinated escalation and resolution process between
Microsoft and our original equipment manufacturer (OEM)
hardware partners.
If there’s an issue with deployment, patch and update, hardware
(including field replaceable units), or any hardware-branded
software, like software running on the hardware lifecycle host,
contact your OEM hardware vendor first.

For anything else, contact Microsoft Support. For example,

replace a failed disk.

A disconnected Azure Stack Hub means that you control what

information is shared with Microsoft Support and OEM vendors
during troubleshooting and support scenarios. The breadth
and depth of access to log files during support cases is at the
discretion of your Azure Stack Hub operator(s) as they engage
with Microsoft Support and OEM staff. In a disconnected scenario
external access by Microsoft and OEM staff will not exist which
ensures log files that are accessed can be reviewed and approved
before manual transfer to support organizations.

Microsoft Confidential 9
 Update Management
Full and express updates, hotfixes, as well as driver and firmware updates from the original equipment
manufacturer (OEM) all help keep Azure Stack Hub up to date. This section explains the different
types of updates, when to expect their release, and where to find more about the current release.

There are three types of update packages for integrated systems:

01 Azure Stack Hub software updates

Microsoft is responsible for the end-to-end servicing lifecycle for the Microsoft software
update packages. These packages can include the latest Windows Server security updates,
non-security updates, and Azure Stack Hub feature updates. You download these update
packages directly from Microsoft.
Each update package has a corresponding type: Full or Express.
Full update packages update the physical host operating systems in the scale unit and require a
larger maintenance window.
Express update packages are scoped and don’t update the underlying physical host
operating systems.

02 Azure Stack Hub hotfixes

Microsoft provides hotfixes for Azure Stack Hub that address a specific issue that’s often
preventive or time sensitive. Each hotfix is released with a corresponding Microsoft
Knowledge Base article that details the fixes in that package. You download and install
hotfixes just like the regular full update packages for Azure Stack Hub. Hotfixes are cumulative
and can install in minutes.
Before you update to the new major version, apply the latest hotfix in the current major version.
Starting with build 2005, when you update to a new major version (for example, 1.2005.x to
1.2008.x), the latest hotfixes (if any are available at the time of package download) in the new
major version are installed automatically. Your 2008 installation is then current with all hotfixes.
From that point forward, if a hotfix is released for 2008, you should install it.

03 OEM hardware-vendor-provided updates

Azure Stack Hub hardware partners are responsible for the end-to-end servicing lifecycle
(including guidance) for the hardware-related firmware and driver update packages. In
addition, Azure Stack Hub hardware partners own and maintain guidance for all software
and hardware on the hardware lifecycle host. The OEM hardware vendor hosts these update
packages on their own download site.

Microsoft Confidential 10
 Scalability
04 Plan for the update When you’re evaluating an Azure Stack Hub
Prepare your Azure Stack Hub to make
solution, consider the hardware configuration
the update process go as smoothly as
choices that have a direct impact on the overall
possible so that there’s minimal impact
capacity of the Azure Stack Hub cloud.
on your users. Notify your users of any
possible service outage and then follow For example, you need to make choices
the steps to prepare your instance for the regarding the CPU, memory density, storage
update. Be sure to follow all steps in the configuration, and overall solution scale or
Azure Stack Hub pre-update checklist number of servers. However, determining usable
to ensure that you’ve completed the capacity will be different than a traditional
required prerequisites for applying an virtualization solution because some capacity is
update. Also make sure to schedule an already in use. Azure Stack Hub is built to host
appropriate maintenance window for the the infrastructure or management components
update type being applied.
within the solution itself. Also, some of the
solution’s capacity is reserved to support
05 Upload and prepare the
resiliency. Resiliency is defined as the updating
update package
of the solution’s software in a way to minimize
For internet-disconnected Azure Stack
disruption of tenant workloads.
Hub environments, update packages are
imported into Azure Stack Hub storage An Azure Stack Hub solution is built as a
via the Azure Stack Hub administrator hyperconverged cluster of compute and
portal. For more steps to upload and storage. The convergence allows for the sharing
prepare the update package, see Upload of the hardware capacity in the cluster, referred
and prepare an Azure Stack Hub to as a scale unit. In Azure Stack Hub, a scale
update package. unit provides the availability and scalability of
All OEM update packages are manually resources. A scale unit consists of a set of Azure
imported into your environment. Stack Hub servers, referred to as hosts. The
infrastructure software is hosted within a set
06 Apply the update of virtual machines (VMs) and shares the same
Apply the update using the Update physical servers as the tenant VMs. All Azure
blade in the Azure Stack Hub portal. Stack Hub VMs are then managed by the scale
During the update, monitor and unit’s Windows Server clustering technologies
troubleshoot the update progress. and individual Hyper-V instances.

Microsoft Confidential 11
The scale unit simplifies the acquisition and management of
Azure Stack Hub. The scale unit also allows for the movement and
scalability of all services (tenant and infrastructure) across
Azure Stack Hub.

You can increase the overall capacity of an existing scale unit

by adding another physical computer. The physical computer
is also referred to as a scale unit node. Each new node must
have the same CPU type, memory, disk number, and size as the
nodes already present in the scale unit. Azure Stack Hub doesn’t
support removing scale unit nodes for scaling down because of
architectural limitations. It’s only possible to expand capacity by
adding nodes. The maximum size of a scale unit is 4-16 nodes.

Azure Stack Hub requires that the configuration of all servers in the
solution have the same configuration, including for example CPU
(model, cores), memory quantity, NIC and link speeds, and storage
devices. Azure Stack Hub does not support a change in CPU
models during hardware replacement or when adding a scale unit
node. A change in CPU, such as an upgrade, will require uniform
CPUs in each scale unit node and a redeployment of
Azure Stack Hub.

There is a limit on the total number of VMs that can be created.

The total number of VMs on Azure Stack Hub is 700 and 60 per
scale unit node. For example, an eight-server Azure Stack Hub
VM limit would be 480 (8 * 60). For a 12 to 16 server Azure Stack
Hub solution, the limit would be 700. This limit has been created
keeping all the compute capacity considerations in mind, such as
the resiliency reserve and the CPU virtual-to-physical ratio that an
operator would like to maintain on the stamp.

Microsoft Confidential 12
High Availability Additionally, if storage replication is required
you will need to architect for, and implement,
For connected scenarios, your VM may be
your storage replication solution manually if
subject to a reboot due to planned maintenance
an Azure cloud connection is not available.
as scheduled by the Azure Stack Hub operator.
Microsoft does provide examples of highly
For high availability of a multi-VM production
available architectures using Azure Stack
system in Azure, VMs are placed in an
Hub here and here although they need some
availability set that spreads them across multiple
modification for completely disconnected
fault domains and update domains. In the
Azure Stack Hub scenarios because Azure
smaller scale of Azure Stack Hub, a fault domain
cloud services will not be available to you in a
in an availability set is defined as a single node
completely disconnected environment.
in the scale unit.

While the infrastructure of Azure Stack Hub Disaster Recovery

is already resilient to failures, the underlying You can enable the Infrastructure Backup
technology (failover clustering) still incurs some Service from the administrator portal so that
downtime for VMs on an impacted physical Azure Stack Hub can generate infrastructure
server if there’s a hardware failure. Azure backups. The hardware partner can use these
Stack Hub supports having an availability set backups to restore your environment using
with a maximum of three fault domains to be cloud recovery in the event of a catastrophic
consistent with Azure. failure. The purpose of cloud recovery is to
ensure that your operators and users can log
Azure Stack Hub does support Availability Sets
back into the portal after recovery is complete.
running within the Azure Stack Hub stamp but
Users will have their subscriptions
that will only provide availability if a single VM
restored, including:
or nodes fails.
• Role-based access permissions and roles.
When using a disconnected Azure Stack • Original plans and offers.
Hub, high availability is your responsibility.
• Previously defined compute, storage, and
Depending on workload criticality, you may
network quotas.
require multiple Azure Stack Hubs that are
• Key Vault secrets.
disconnected from the internet and global
Azure but are reachable from your internal
networks to facilitate high availability via custom
load balancing.

Microsoft Confidential 13
However, the Infrastructure Backup applications in one subscription backing up
Service doesn’t back up IaaS VMs, network data to another datacenter and in another
configurations, and storage resources such as subscription, replicating data to the Azure cloud.
storage accounts, blobs, tables, and so on. Users Additional alternatives include using multiple
logging in after cloud recovery won’t see any of Azure Stack Hub stamps across datacenters or
these previously existing resources. Platform as backing up and restoring VMs using an external
a Service (PaaS) resources and data are also not backup solution with replication to another
backed up by the service. location. If you are interested in using the Azure
cloud as the recovery location for DR purposes
Admins and users are responsible for backing up
or you would like to review alternatives to
and restoring IaaS and PaaS resources separately
using Azure Site Recovery in DR scenarios
from the infrastructure backup processes.
there is additional information, and reference
Users that need to protect against a datacenter architectures, here.
or site outage can use another Azure Stack Hub
to provide high availability or quick recovery. Multi-tenancy and Tenant Isolation
With primary and secondary location, users can
Because multitenancy requires the use of Azure
deploy applications in an active/active or active/
Active Directory (Azure AD), multitenancy isn’t
passive configuration across two environments.
supported for disconnected deployments.
For less critical workloads, users can use capacity
in the secondary location to perform on-
Security
demand restore of applications from backup.
Security considerations, data sovereignty, and
One or more Azure Stack Hub clouds can be
compliance regulations are among the main
deployed to a datacenter or remote deployment
drivers for using hybrid and private clouds.
environment. To survive a catastrophic disaster,
Azure Stack Hub is designed for these scenarios.
deploying at least one Azure Stack Hub
This section explains the security controls in
environment in a different physical location
place for Azure Stack Hub.
ensures that you can fail over workloads and
minimize unplanned downtime. If you only Two security posture layers coexist in Azure
have one Azure Stack Hub, you should consider Stack Hub. The first layer is the Azure Stack Hub
using the Azure cloud as your recovery cloud. infrastructure, which includes the hardware
The determination of where your application components up to the Azure Resource Manager.
can run will be determined by government The first layer includes the administrator and
regulations, corporate policies, and stringent the user portals. The second layer consists of
latency requirements. You have the flexibility the workloads created, deployed, and managed
to determine the appropriate recovery location by tenants. The second layer includes items like
per application. For example, you can have virtual machines and App Services web sites.

Microsoft Confidential 14
The security posture for Azure Stack Hub is with AES-256 bit encryption. BitLocker keys are
designed to defend against modern threats persisted in an internal secret store.
and was built to meet the requirements from Data at rest encryption is a common requirement
the major compliance standards. As a result, for many of the major compliance standards (for
the security posture of the Azure Stack Hub example, PCI-DSS, FedRAMP, HIPAA). Azure Stack
infrastructure is built on two pillars: Hub enables you to meet those requirements
• Zero Trust / Assume Breach: Starting from with no extra work or configurations required.
the assumption that the system has already The Azure Stack Hub infrastructure components
been breached, focus on detecting and communicate using channels encrypted with TLS
limiting the impact of breaches versus only 1.2. Encryption certificates are self-managed by
trying to prevent attacks. the infrastructure for internal communication
between Azure Stack Hub components.
• Hardened by Default: Since the
infrastructure runs on well-defined All external infrastructure endpoints, like the
hardware and software, Azure Stack Hub REST endpoints or the Azure Stack Hub portal,
enables, configures, and validates all the support TLS 1.2 for secure communications.
security features by default. Encryption certificates, either from a third party
or your enterprise Certificate Authority, must be
Because Azure Stack Hub is delivered as an
provided for those endpoints.
integrated system, the security posture of
the Azure Stack Hub infrastructure is defined While self-signed certificates can be used for
by Microsoft. Just like in Azure, tenants are these external endpoints, Microsoft strongly
responsible for defining the security posture of advises against using them.
their tenant workloads. This section provides Azure Stack Hub infrastructure uses a multitude
foundational knowledge on the security posture of secrets, like passwords and certificates, to
of the Azure Stack Hub infrastructure. function. Most of the passwords associated with
All Azure Stack Hub infrastructure and tenant the internal service accounts are automatically
data are encrypted at rest using BitLocker. This rotated every 24 hours because they’re group
encryption protects against physical loss or theft Managed Service Accounts (gMSA), a type
of Azure Stack Hub storage components. Azure of domain account managed directly by the
Stack Hub protects user and infrastructure data internal domain controller.
at the storage subsystem level using encryption Azure Stack Hub infrastructure uses 4096-bit
at rest. By default, Azure Stack Hub’s storage RSA keys for all its internal certificates. The same
subsystem is encrypted using BitLocker. Systems key-length certificates can also be used for the
deployed before release 2002 use BitLocker external endpoints. For more information on
with 128-bit AES encryption; systems deployed secrets and certificate rotation, please refer to
starting with 2002, or newer, use BitLocker Rotate secrets in Azure Stack Hub.

Microsoft Confidential 15
 Azure Stack Hub makes use of the latest Windows Server security
features. One of them is Windows Defender Application Control
(WDAC, formerly known as Code Integrity), which provides
executables filtering and ensures that only authorized code runs
within the Azure Stack Hub infrastructure.

Authorized code is signed by either Microsoft or the OEM partner.

The signed authorized code is included in the list of allowed
software specified in a policy defined by Microsoft. In other
words, only software that has been approved to run in the Azure
Stack Hub infrastructure can be executed. Any attempt to execute
unauthorized code is blocked and an alert is generated. Azure
Stack Hub enforces both User Mode Code Integrity (UMCI) and
Hypervisor Code Integrity (HVCI).

The WDAC policy also prevents third-party agents or software

from running in the Azure Stack Hub infrastructure. For more
information on WDAC, please refer to Windows Defender
Application Control and virtualization-based protection of
code integrity.

Every component in Azure Stack Hub (both Hyper-V hosts and

virtual machines) is protected with Windows Defender Antivirus.

In disconnected scenarios, anti-malware updates are applied

as part of monthly Azure Stack Hub updates and it is your
responsibility, as an Azure Stack Hub operator, to apply them in
a timely fashion. In case a more frequent update to the Windows
Defender’s definitions is required in disconnected scenarios,
Azure Stack Hub also supports importing Windows Defender
updates and it is your responsibility, as an Azure Stack Hub
operator, to apply them based on your requirements.

Azure Stack Hub enforces Secure Boot on all the Hyper-V hosts and
infrastructure virtual machines.

Microsoft Confidential 16
Administration in Azure Stack Hub is Datacenter Integration
controlled through three entry points, each
To deploy Azure Stack Hub, you need to provide
with a specific purpose:
planning information to your solution provider
• The administrator portal provides a before deployment starts to help the process go
point-and-click experience for daily quickly and smoothly. The information required
management operations. ranges across networking, security, and identity
• Azure Resource Manager exposes all information with many important decisions that
the management operations of the may require knowledge from many different
administrator portal via a REST API, used areas and decision makers. You’ll need people
by PowerShell and Azure CLI. from multiple teams in your organization to
• For specific low-level operations (for ensure that you have all required information
example, datacenter integration or support ready before deployment. It can help to talk
scenarios), Azure Stack Hub exposes a to your hardware vendor while collecting this
PowerShell endpoint called privileged information because they might have
endpoint. This endpoint exposes only an helpful advice.
allowed set of cmdlets and is heavily audited. While researching and collecting the required
Azure Stack Hub infrastructure comes with information, you might need to make some
multiple layers of network Access Control List pre-deployment configuration changes to your
(ACL). The ACLs prevent unauthorized access network environment. These changes could
to the infrastructure components and limit include reserving IP address spaces for the
infrastructure communications to only the paths Azure Stack Hub solution as well as configuring
that are required for its functioning. your routers, switches, and firewalls to prepare
for the connectivity to the new Azure Stack
Network ACLs are enforced in three layers:
Hub solution switches. Make sure to have the
• Layer 1: Top of Rack switches subject area expert lined up to help you with
• Layer 2: Software Defined Network your planning.

• Layer 3: Host and VM operating When you evaluate an Azure Stack Hub
system firewalls solution for acquisition, you make hardware
Note: If you require an SCCA compliant configuration choices which have a direct
architecture for your Azure Stack Hub, you can impact on the overall capacity of the Azure
find automation provided by Microsoft at the Stack Hub solution. These include the classic
following GitHub project Azure/missionlz-edge: choices of CPU, memory density, storage
Mission Landing Zone for Edge Technologies configuration, and overall solution scale (for
(github.com). example, number of servers). Unlike a traditional
virtualization solution, the simple arithmetic

Microsoft Confidential 17
of these components to determine usable Azure Stack Hub is a sealed system, where
capacity doesn’t apply. The first reason is that the infrastructure is locked down both from a
Azure Stack Hub is architected to host the permissions and network perspective. Network
infrastructure or management components access control lists (ACLs) are applied to block all
within the solution itself. The second reason unauthorized incoming traffic and all unnecessary
is that some of the solution’s capacity is communications between infrastructure
reserved in support of resiliency by updating components. This system makes it difficult for
the solution’s software in a way that minimizes unauthorized users to access the system.
disruption of tenant workloads.
For daily management and operations,
The Azure Stack Hub capacity planner there’s no unrestricted admin access to the
spreadsheet helps you make informed decisions infrastructure. Azure Stack Hub operators must
for planning capacity in two ways. The first is by manage the system through the administrator
selecting a hardware offering and attempting to portal or through Azure Resource Manager (via
fit a combination of resources. The second is by PowerShell or the REST API). There’s no access
defining the workload that Azure Stack Hub is to the system by other management tools like
intended to run to view the available hardware Hyper-V Manager or Failover Cluster Manager.
SKUs that can support it. Finally, the spreadsheet To help protect the system, third-party software
is intended as a guide to help in making (for example, agents) can’t be installed inside
decisions related to Azure Stack Hub planning the components of the Azure Stack Hub
and configuration. infrastructure. Interoperability with external
management and security software occurs via
The spreadsheet isn’t intended to serve
PowerShell or the REST API.
as a substitute for your own investigation
and analysis. Microsoft makes no Contact Microsoft Support when you need a
representations or warranties, express or higher level of access for troubleshooting issues
implied, with respect to the information that aren’t resolved through alert mediation
provided within the spreadsheet. steps. Through support, there’s a method to
provide temporary full admin access to the
system for more advanced operations.

Microsoft Confidential 18
Data Residency

If you deploy Azure Stack Hub disconnected from global Azure and
from the internet, no data that is stored on the appliance is sent to
Microsoft. Azure Stack Hub is an on-premises appliance. You fully
own and control the appliance, access to the appliance, and any
data stored on the appliance. Disconnected deployment allows you
complete control over data location. For more information about
data residency, please see Data residency in Azure

Security and Operations

Collected diagnostic, service-generated,

and support data
As part of the support process, Azure Stack Hub Operators
can share diagnostic logs with Azure Stack Hub support and
engineering teams to help with troubleshooting.

Microsoft provides a tool and script for you to collect, and upload
requested diagnostic log files. Once collected, the log files are
transferred over an HTTPS protected encrypted connection to
Microsoft. Because HTTPS provides the encryption over the wire,
there’s no password needed for the encryption in transit. After
they’re received, logs are encrypted and stored until they’re
automatically deleted 90 days after the support case is closed.

Location of diagnostic, service-generated, and

support data
You can save logs to a local Server Message Block (SMB) share
when Azure Stack Hub is disconnected from Azure. This approach
allows you to retain logs and store them within your network
boundary when operating Azure Stack Hub disconnected from
global Azure and the internet.

Microsoft Confidential 19
Location of diagnostic and support tools Microsoft access for law
enforcement requests
When Azure Stack Hub is running disconnected,
all diagnostic and support tools must be brought In a disconnected Azure Stack Hub scenario,
into a network reachable by your Azure Stack Hub. Microsoft has no access to your environment
for any purpose. Therefore, we cannot produce
Access to diagnostic, service-generated, your data in response to a government or other
and support data and tools third-party request.

The Operator Access Workstation (OAW) is

Security Clearance
used to deploy a virtual machine (VM) on an
Azure Stack Hub’s--Hardware Lifecycle Host In a disconnected Azure Stack Hub scenario, you
(HLH) or any other machine that runs Microsoft decide who has access to your facility and who
Hyper-V. It does require network connectivity to serves as your Azure Stack Hub operator(s). If
the Azure Stack Hub endpoints to be used for you choose to use Help + support offered by
operator or user scenarios. Microsoft, then be aware the Microsoft staff you
communicate with may not have gone through
The OAW VM is an optional virtual machine
the same vetting process as your selected Azure
that isn’t required by Azure Stack Hub to
Stack Hub operator(s).
function. Its purpose is to provide the latest
tools to operators or user as they interact with
Azure Stack Hub.

Microsoft Confidential 20
Autarky

Service availability with disconnected operation

Azure Stack Hub supports your autarky scenarios though its ability to operate indefinitely
disconnected from Azure and the internet. Azure Stack Hub was designed to work best when
connected to Azure, so it’s important to note that there are some features and functionality that are
either impaired or completely unavailable in the disconnected mode

Feature Impact in Disconnected mode

VM deployment with DSC Impaired – DSC extension looks to the internet for the latest WMF.
extension to configure VM post
deployment
VM deployment with Docker Impaired – Docker will check the internet for the latest version and this
Extension to run Docker check will fail.
commands
Documentation links in the Azure Unavailable – Links like Give Feedback, Help, and Quickstart that use
Stack Hub Portal an internet URL won’t work.
Alert remediation/mitigation Unavailable – Any alert remediation links that use an internet URL
that references an online won’t work.
remediation guide
Marketplace – The ability to Impaired – When you deploy Azure Stack Hub in a disconnected
select and add Gallery packages mode, you can’t download marketplace items by using the Azure
directly from Azure Marketplace Stack Hub portal. However, you can use the marketplace syndication
tool to download the marketplace items to a machine that has
internet connectivity and then transfer them to your Azure Stack Hub
environment.
Using Azure AD federation Unavailable – This feature requires connectivity to Azure. AD FS with a
accounts to manage an Azure local Active Directory instance must be used instead.
Stack Hub deployment
App Services Impaired – WebApps may require internet access for updated content.
Command Line Interface (CLI) Impaired – CLI has reduced functionality for authentication and
provisioning of service principals.

Microsoft Confidential 21
 Feature Impact in Disconnected mode

Visual Studio – Cloud discovery Impaired – Cloud Discovery will either discover different clouds or
won’t work at all.
Visual Studio – AD FS Impaired – Only Visual Studio Enterprise and Visual Studio Code
support AD FS authentication.
Telemetry Unavailable – Telemetry data for Azure Stack Hub and any third-party
gallery packages that depend on telemetry data.
Certificates Unavailable – internet connectivity is required for Certificate
Revocation List (CRL) and Online Certificate Status Protocol (OSCP)
services in the context of HTTPS.
Key Vault Impaired – A common use case for Key Vault is to have an app read
secrets at runtime. For this use case, the app needs a service principal
in the directory. In Azure AD, regular users (non-admins) are by
default allowed to add service principals. In Azure AD (using AD
FS), they’re not. This impairment places a hurdle in the end-to-end
experience because one must always go through a directory admin to
add any app.

Operational degradation during disconnected operation

Azure Stack Hub can be deployed in a permanently disconnected mode without operational
degradation, provided that the Azure Stack Hub operator(s) ensure overall system health.

Duration of disconnected operation

Azure Stack Hub can be deployed in a permanently disconnected mode. However, with a
disconnected deployment, you’re limited to an Active Directory Federation Services (AD FS) identity
store and the capacity-based billing model. Because multitenancy requires the use of Azure Active
Directory (Azure AD), multitenancy isn’t supported for disconnected deployments.

Applicable Regulations
Azure Stack Hub has gone through a formal capability assessment by a third party-independent
auditing firm. As a result, documentation on how the Azure Stack Hub infrastructure meets the
applicable controls from several major compliance standards is available. The documentation isn’t a
certification of Azure Stack Hub because the standards include several personnel-related and process-
related controls. Rather, you can use this documentation to jump-start their certification process.

Microsoft Confidential 22
The assessments include the following standards:

• PCI-DSS addresses the payment card industry.

• CSA Cloud Control Matrix is a comprehensive mapping
across multiple standards, including FedRAMP Moderate,
ISO27001, HIPAA, HITRUST, ITAR, NIST SP800-53, and others.
• FedRAMP High for government agencies.
The compliance documentation can be found on the Microsoft
Service Trust Portal. The compliance guides are a protected
resource and require you to sign in with your Azure cloud
service credentials.

Operational Models

Azure Stack Hub uses the same operations model as Azure. An

Azure Stack Hub operator can deliver a variety of services and
apps to tenant users, like how Microsoft delivers Azure services to
tenant users.

You can manage Azure Stack Hub with the administrator portal,
user portal, or PowerShell. The Azure Stack Hub portals are
each backed by separate instances of Azure Resource Manager.
An Azure Stack Hub Operator uses the administrator portal to
manage Azure Stack Hub, and to do things like create tenant
offerings and maintain the health and monitor status of the
integrated system. The user portal provides a self-service
experience for consumption of cloud resources like virtual
machines (VMs), storage accounts, and web apps.

As an Azure Stack Hub operator, you can deliver VMs, web apps,
highly available SQL Server, and MySQL Server databases.

Microsoft Confidential 23
An operator can manage Azure Stack Hub with the administrator portal or PowerShell. You
can configure Azure Stack Hub to deliver services to tenants using plans, quotas, offers, and
subscriptions. Tenant users can subscribe to multiple offers. Offers can have one or more plans, and
plans can have one or more services. Operators also manage capacity and respond to alerts.

Users consume services that the operator offers. Users can provision, monitor, and manage services
that they’ve subscribed to, like web apps, storage, and VMs. Users can manage Azure Stack Hub with
the user portal or PowerShell.

Only capacity-based licensing is supported if you deploy disconnected from the internet.

Microsoft Confidential 24
Conclusion

Azure Stack Hub disconnected is designed to meet strict operational and regulatory requirements
around data sovereignty, autarky, and IT operations. However, in meeting those requirements,
sacrifices must be made in terms of overall scalability and service availability, and additional
responsibility for maintenance is assumed by the Azure Stack Hub operator(s). Only consider using
Azure Stack Hub disconnected when our Azure cloud offerings are not available to meet your
operational and regulatory requirements.

The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or
other intellectual property.

© 2022 Microsoft Corporation. All rights reserved.

Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

Microsoft Confidential 25