MicrosoftDocs
diff --git a/‎articles/azure-vmware/concepts-identity.md
Lines changed: 65 additions & 0 deletions b/‎articles/azure-vmware/concepts-identity.md
Lines changed: 65 additions & 0 deletions
diff --git a/‎articles/azure-vmware/concepts-networking.md
Lines changed: 76 additions & 0 deletions b/‎articles/azure-vmware/concepts-networking.md
Lines changed: 76 additions & 0 deletions
diff --git a/‎articles/azure-vmware/concepts-private-clouds-clusters.md
Lines changed: 83 additions & 0 deletions b/‎articles/azure-vmware/concepts-private-clouds-clusters.md
Lines changed: 83 additions & 0 deletions
@@ -0,0 +1,65 @@
+---
+title: Concepts - identity and access for Azure VMware Solution by Virtustream
+description: Learn about the identity and access concepts of Azure VMware Solution by Virtustream. 
+services: 
+author: v-jetome
+
+ms.service: vmware-virtustream
+ms.topic: conceptual
+ms.date: 07/29/2019
+ms.author: v-jetome
+ms.custom: 
+
+---
+
+# Azure VMware Solution (AVS) by Virtustream identity concepts
+
+A vCenter server and NSX-T manager are provisioned when a private cloud is deployed. You use vCenter to manage virtual machine workloads and NSX-T manager to extend the private cloud software-defined network.
+
+Access and identity management use CloudAdmin group privileges for vCenter and restricted administrator rights for NSX-T manager. This policy ensures that your private cloud platform can be upgraded automatically, delivering the newest features and patches on a regular cadence. See the [private cloud upgrades concepts article][concepts-upgrades] for more details on private cloud upgrades.
+
+## vCenter access and identity
+
+Privileges in vCenter are provided through the CloudAdmin group. That group can be managed locally in vCenter, or through integration of vCenter LDAP single sign-on with Azure Active Directory. You're provided with the ability to enable that integration when you deploy a private cloud.
+
+The CloudAdmin and CloudGlobalAdmin privileges are shown in the table below.
+
+|  Privilege Set           | CloudAdmin | CloudGlobalAdmin | Comment |
+| :---                     |    :---:   |       :---:      |   :--:  |
+|  Alarms                  | A CloudAdmin user has all Alarms privileges for alarms in the Compute-ResourcePool and VMs.     |          --        |  -- |
+|  Auto Deploy	           |  --  |        --        |  Virtustream does host management.  |
+|  Certificates            |  --  |        --       |  Virtustream does certificate management.  |
+|  Content Library         | A CloudAdmin user has privileges to create and use files in a Content Library.    |         Enabled with SSO.         |  Virtustream will distribute files in the Content Library to ESXi hosts.  |
+|  Datacenter              |  --  |        --          |  Virtustream does all data center operations.  |
+|  Datastore               | Datastore.AllocateSpace, Datastore.Browse, Datastore.Config, Datastore.DeleteFile, Datastore.FileManagement, Datastore.UpdateVirtualMachineMetadata     |    --    |   -- |
+|  ESX Agent Manager       |  --  |         --       |  Virtustream does all operations.  |
+|  Folder                  |  A CloudAdmin user has all Folder privileges.     |  --  |  --  |
+|  Global                  |  Global.CancelTask, Global.GlobalTag, Global.Health, Global.LogEvent, Global.ManageCustomFields, Global.ServiceManagers, Global.SetCustomField, Global.SystemTag         |                  |    |
+|  Host                    |  Host.Hbr.HbrManagement      |        --          |  Virtustream does all other Host operations.  |
+|  InventoryService        |  InventoryService.Tagging      |        --          |  --  |
+|  Network                 |  Network.Assign    |                  |  Virtustream does all other Network operations.  |
+|  Permissions             |  --  |        --       |  Virtustream does all Permissions operations.  |
+|  Profile-driven Storage  |  --  |        --       |  Virtustream does all Profile operations.  |
+|  Resource                |  A CloudAdmin user has all Resource privileges.        |      --       | --   |
+|  Scheduled Task          |  A CloudAdmin user has all ScheduleTask privileges.   |   --   | -- |
+|  Sessions                |  Sessions.GlobalMessage, Sessions.ValidateSession      |   --   |  Virtustream does all other Sessions operations.  |
+|  Storage Views           |  StorageViews.View   |        --          |  Virtustream does all other Storage View operations (Configure Service).  |
+|  Tasks                   |  --  |  --   |  Virtustream manages extensions that manage tasks.  |
+|  vApp                    |  A CloudAdmin user has all vApp privileges.  |  --  |  --  |
+|  Virtual Machine         |  A CloudAdmin user has all VirtualMachine privileges.  |  --  |  --  |
+|  vService                |  A CloudAdmin user has all vService privileges.  |  --  |  --  |
+
+Request elevated vCenter privileges with an SR in the Azure portal.
+
+## NSX-T Manager access and identity
+
+You access NSX-T Manager using the "administrator" account. That account has full privileges and enables you to create and manage T1 routers, logical switches, and all services. The full privileges in NSX-T also provide you with access to the NSX-T T0 router. A change to the T0 router could result in degraded network performance of a private cloud. To meet support requirements, it's required that you open an SR in the Azure portal to request any changes to your NSX-T T0 router.
+  
+## Next steps
+
+The next step is to learn about [private cloud upgrade concepts][concepts-upgrades].
+
+<!-- LINKS - external -->
+
+<!-- LINKS - internal -->
+[concepts-upgrades]: ./concepts-upgrades.md
@@ -0,0 +1,76 @@
+---
+title: Concepts - network interconnectivity for Azure VMware Solution by Virtustream
+description: Learn about key aspects and use cases of networking and interconnectivity in Azure VMware Solution by Virtustream.
+services:
+author: v-jetome
+
+ms.service: vmware-virtustream
+ms.topic: conceptual
+ms.date: 7/29/2019
+ms.author: v-jetome 
+ms.custom: 
+
+---
+
+# Azure VMware Solution by Virtustream networking and interconnectivity concepts
+
+Network interconnectivity between your Azure VMware Solution (AVS) by Virtustream private clouds and on-premises environments or VNets in Azure enable you to access and use your private cloud. A few key networking and interconnectivity concepts that establish the basis of interconnectivity are described in this article.
+
+A useful perspective on interconnectivity is to consider the two types of AVS by Virtustream private cloud implementations: those with basic Azure-only interconnectivity, those with full on-premises to private cloud interconnectivity.
+
+The use cases for AVS by Virtustream private clouds include:
+- new VMware VM workloads in the cloud
+- VM workload bursting to the cloud
+- VM workload migration to the cloud
+- disaster recovery
+- consumption of Azure services
+
+ All use cases for the AVS by Virtustream service are enabled with on-premises to private cloud connectivity. The basic interconnectivity model is best suited for AVS by Virtustream evaluations or implementations that don't require access from on-premises environments.
+
+The two types of AVS by Virtustream private cloud interconnectivity are described in the sections below.  The most basic interconnectivity is "Azure VNet connectivity", and it enables you to manage and use your private cloud with only a single VNet in Azure. The interconnectivity described in "On-premises connectivity" extends the VNet connectivity to also include interconnectivity between on-premises environments and AVS by Virtustream private clouds.
+
+## Azure VNet interconnectivity
+
+The basic network interconnectivity that is established at the time of a private cloud deployment is shown in the diagram below. It depicts the logical, ExpressRoute-based networking between a VNet in Azure and a private cloud. The interconnectivity fulfills three of the primary use cases:
+- Inbound access to management networks where vCenter server and NSX-T manager are located.
+    - Accessible from VMs within your Azure subscription, not from your on-premises systems.
+- Outbound access from VMs to Azure services.
+- Inbound access and consumption of workloads running a private cloud.
+
+![Basic VNet -to- private cloud connectivity](./media/concepts/adjacency-overview-drawing-single.png)
+
+The ExpressRoute (ER) circuit in this VNet -to- private cloud scenario is established when you create a connection from a VNet in your subscription to the ExpressRoute circuit of your private cloud. The peering uses an authorization key and a circuit ID that you request in the Azure portal. The ExpressRoute connection that is established through the peering is a private, one-to-one connection between your private cloud and the VNet. You can manage your private cloud, consume workloads in your private cloud, and access Azure services over that ExpressRoute connection.
+
+When you deploy an AVS by Virtustream private cloud, a single /22 private network address space is required. This address space shouldn't overlap with address spaces used in other VNets in your subscription. Within this address space, management, provisioning, and vMotion networks are provisioned automatically. The routing is BGP-based and it's automatically provisioned and enabled by default for each private cloud deployment.
+
+When a private cloud is deployed, you are provided with the IP addresses and credentials for vCenter and NSX-T Manager. To access those management interfaces, you will create additional resources in a VNet in your subscription. The procedures for creating those resources and establishing ER private peering are provided in the tutorials.
+
+You design the private cloud logical networking and implement it with NSX-T. You use NSX-T Manager in your private cloud to create NSX-T T1 routers, logical switches, and all software-defined network services.  At least one NSX-T T1 router and a logical switch is required. These logical NSX-T devices provide interconnectivity of VM workloads to VNets in your subscription, the internet, and Azure services.
+
+## On-premises interconnectivity
+
+You can also connect on-premises environments to your AVS by Virtustream private clouds. This type of interconnectivity is an extension to the basic interconnectivity described in the previous section.
+
+![VNet and on-premises full private cloud connectivity](./media/concepts/adjacency-overview-drawing-double.png)
+
+To establish full interconnectivity to a private cloud, you use the Azure portal to enable ExpressRoute Global Reach between a private cloud ER circuit and an on-premises ER circuit. This extends the basic connectivity to include access to private clouds from on-premises environments.
+
+An on-premises to Azure VNet ER circuit is required in order to connect from on-premises environments to your private cloud in Azure. That ER circuit is in your subscription and is not part of a private cloud deployment. The on-premises ER circuit is beyond the scope of this document but if you require on-premises connectivity to your private cloud, you can use one of your existing ER circuits or purchase one in the Azure portal.
+
+Once linked with Global Reach, the two ER circuits will route network traffic between your on-premises environments and your private cloud. The on-premises to private cloud interconnectivity is shown in the following diagram. The interconnectivity represented in the diagram enables the following use cases:
+- Hot/Cold Cross-vCenter vMotion
+- On-Premise to AVS by Virtustream private cloud management access
+
+To enable full connectivity, an Authorization Key and private peering ID for Global Reach can be requested in the Azure portal. You use the key and ID to establish Global Reach between an ER circuit in your subscription and the ER circuit for your new private cloud. The [tutorial for creating a private cloud](tutorials-create-private-cloud.md) provides you with the procedures for requesting and using the key and ID.
+
+The routing requirements of the solution require you to plan private cloud network address spaces so that you avoid overlaps with other VNets and on-premises networks. A /22 network block used for each private cloud needs to be unique across your routing domains. This network block includes management and production networks in the private cloud.
+
+## Next steps 
+
+The next step is to learn about [private cloud storage concepts](concepts-storage.md).
+
+<!-- LINKS - external -->
+[enable Global Reach]: https://docs.microsoft.com/azure/expressroute/expressroute-howto-set-global-reach
+
+<!-- LINKS - internal -->
+
@@ -0,0 +1,83 @@
+---
+title: Concepts - private clouds and clusters in Azure VMware Solution (AVS) by Virtustream
+description: Learn about the key capabilities of Azure VMware software-defined data centers and vSphere clusters in VMware Solution on Azure by VMware. 
+services: 
+author: v-jetome
+
+ms.service: vmware-virtustream
+ms.topic: conceptual
+ms.date: 07/29/2019
+ms.author: v-jetome
+ms.custom: 
+
+---
+
+# Azure VMware Solution by Virtustream private cloud and cluster concepts
+
+The Azure VMware Solution (AVS) by Virtustream delivers VMware-based private clouds in Azure. The private clouds are built from clusters of dedicated bare-metal hosts and are deployed and managed through the Azure portal. Clusters in private clouds are provisioned with VMware vSphere, vCenter, vSAN, and NSX software. AVS by Virtustream private cloud hardware and software deployments are fully integrated and automated in Azure.
+
+There's a logical relationship between Azure subscriptions, AVS by Virtustream private clouds, vSAN clusters, and hosts. In the diagram, two private clouds in a single Azure subscription are shown. The private clouds represent a development and a production environment, each with their own private cloud. In each of those private clouds there are two clusters. To show the lower potential needs of a development environment, smaller clusters with lower capacity hosts are used in that environment. All of these concepts are described in the sections below.
+
+![Image of two private clouds in a customer subscription](./media/hosts-clusters-private-clouds-final.png)
+
+## Private clouds
+
+Private clouds contain vSAN clusters that are built with dedicated, bare-metal Azrure hosts. Each private cloud can have multiple clusters, all managed by the same vCenter server, and NSX-T manager. You can deploy and manage private clouds in the portal, from the CLI, or with PowerShell. As with other resources, private clouds are installed and managed from within an Azure subscription.
+
+The number of private clouds within a subscription is scalable. Initially, there's a limit of one private cloud per subscription.
+
+## Clusters
+
+You'll create at least one vSAN cluster in each private cloud. When you create a private cloud, there's one cluster by default. You can add additional clusters to a private cloud using the Azure portal or through the API. All clusters have a default size of three hosts and can be scaled from 3 to 16 hosts. The type of hosts used in a cluster must be the same type. The hosts types are described in the next section.
+
+Trial clusters are available for evaluation and they're limited to three hosts and a single trial cluster per private cloud. You can scale a trial cluster by a single host during the evaluation period.
+
+You create, delete, and scale clusters through the portal or API. You still use vSphere and NSX-T Manager to manage most other aspects of cluster configuration or operation. All local storage of each host in a cluster is under control of vSAN.
+
+## Hosts
+
+Hyper-converged, bare-metal infrastructure nodes are used AVS by Virtustream private cloud clusters. There are two types of hosts, and clusters are built using only one type of host. The RAM, CPU, and disk capacities of both types the host types is provided in the table below. 
+
+| Host Type              |             CPU             |   RAM (GB)   |  vSAN NVMe cache Tier (TB, raw)  |  vSAN SSD capacity tier (TB, raw)  |
+| :---                   |            :---:            |    :---:     |               :---:              |                :---:               |
+| High-End (HE)          |  dual Intel 18 core 2.3 GHz  |     576      |                3.2               |                15.20               |
+| General-Purpose (GP)   |  dual Intel 10 core 2.2 GHz  |     192      |                1.6               |                 7.68               |
+
+Multiple types of hosts provide you with the flexibility to match hosts and cluster specifications to workload and business requirements.
+
+Hosts that are used to build or scale clusters are allocated from an isolated pool of hosts. Those hosts have passed hardware tests and have had all data securely deleted from the flash disks. When you remove a host from a cluster, the internal disks are securely wiped and the hosts are placed into the isolated pool of hosts. When you add a host to a cluster, a sanitized host from the isolated pool is used.
+
+## VMware software versions
+
+The current software versions of the VMware software used in AVS by Virtustream private cloud clusters are:
+
+| Software              |    Version   |
+| :---                  |     :---:    |
+| VCSA / vSphere / ESXi |    6.7 U2    | 
+| ESXi                  |    6.7 U2    | 
+| vSAN                  |    6.7 U2    |
+| NSX-T                 |      2.3     |
+
+For any new cluster in a private cloud, the version of software will match what is currently running in the private cloud. For any new private cloud in a customer subscription, the latest version of the software stack is installed.
+
+The general upgrade policies and processes for the AVS by Virtustream platform software is described in the Upgrades Concepts document.
+
+## Host maintenance and lifecycle management
+
+Host maintenance and lifecycle management are done without impact on the capacity or performance of private cloud clusters. Examples of automated host maintenance include firmware upgrades and hardware repair or replacement.
+
+## Backup and restoration
+
+Private cloud vCenter and NSX-T configurations are backed up hourly. Backups are kept for three days. Restoration from a backup is requested through a Service Request in the Azure portal.
+
+## Next steps
+
+The next step is to learn [networking and interconnectivity concepts](concepts-networking.md).
+
+<!-- LINKS - internal -->
+
+<!-- LINKS - external-->
+[VCSA versions]: https://kb.vmware.com/s/article/2143838
+[ESXi versions]: https://kb.vmware.com/s/article/2143832
+[vSAN versions]: https://kb.vmware.com/s/article/2150753
+