Merge pull request #18668 from MicrosoftDocs/main

Auto Publish – main to live - 2025-08-12 22:00 UTC

Author: learn-build-service-prod[bot]

AKS-Arc/network-system-requirements.md

@@ -2,11 +2,11 @@
 title: AKS enabled by Azure Arc network requirements
 description: Learn about AKS network prerequisites.
 ms.topic: overview
-ms.date: 07/17/2025
+ms.date: 08/12/2025
 author: sethmanheim
 ms.author: sethm
 ms.reviewer: srikantsarwa
-ms.lastreviewed: 07/17/2025
+ms.lastreviewed: 08/12/2025
 ---
 
 # AKS enabled by Azure Arc network requirements
@@ -81,10 +81,10 @@ When you deploy Azure Local, you allocate a contiguous block of at least [six st
 
 | Destination Port | Destination | Source | Description | Bi-directional cross VLAN networking notes |
 |------------------|-------------|--------|-------------|----------------|
-| 22 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to collect logs for troubleshooting. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port and vice-versa.|
-| 6443 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to communicate with Kubernetes APIs. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port and vice-versa.|
-| 55000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC server | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
-| 65000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC authentication | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
+| 22 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to collect logs for troubleshooting. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port, and vice-versa.|
+| 6443 | Logical network used for AKS Arc VMs | IP addresses in management network | Required to communicate with Kubernetes APIs. | If you use separate VLANs, IP addresses in management network used for Azure Local and Arc Resource Bridge need to access the AKS Arc cluster VMs on this port, and vice-versa.|
+| 55000 | Cluster IP address | Logical network used for AKS Arc VMs | Cloud Agent gRPC server | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port, and vice-versa. |
+| 65000 | Cluster IP address | Logical network used for AKS Arc VMs | Cloud Agent gRPC authentication | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port, and vice-versa. |
 
 ## Use Azure Arc gateway (preview) with Azure Local
 

azure-local/TOC.yml

@@ -101,13 +101,13 @@ items:
     items:
     - name: About security features
       href: concepts/security-features.md
-    - name: Download Azure Local security book
-      href: https://github.com/Azure-Samples/AzureLocal/blob/main/SecurityBook/Azure%20Local%20Security%20Book_04302025.pdf
+    - name: Azure Local security book
+      href: security-book/overview.md
   - name: Assess environment readiness
     href: manage/use-environment-checker.md
   - name: Configure advanced Active Directory settings
     href: plan/configure-custom-settings-active-directory.md 
-
+      
 - name: Deploy
   items:
   - name: Read overview

azure-local/manage/disconnected-operations-deploy.md

@@ -237,8 +237,7 @@ To prepare the first machine for the disconnected operations appliance, follow t
 1. Import the **Operations module**. Run the command as an administrator using PowerShell. Modify the path to match your folder structure.
 
     ```powershell  
-    Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
-    Import-Module "$applianceConfigBasePath\OperationsModule\ExternalIdentityConfigurationModule.psm1" -Force
+    Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force    
 
     $mgmntCertFolderPath = "$certspath\ManagementEndpointCerts"  
     $ingressCertFolderPath = "$certspath\IngressEndpointsCerts"  
@@ -290,25 +289,27 @@ Populate the required parameters based on your deployment planning. Modify the e
 1. Populate the identity configuration object.
 
     ```powershell  
-    $oidcCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://adfs.azurestack.local/adfs'
-    # Omit ldapsCertChain in this preview release
+    $oidcCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://adfs.azurestack.local/adfs'    
     # $ldapsCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://dc01.azurestack.local'
+
     $ldapPassword = 'RETRACTED'|ConvertTo-SecureString -AsPlainText -Force
 
     $identityParams = @{  
         Authority = "https://adfs.azurestack.local/adfs"  
-        ClientId = "7e7655c5-9bc4-45af-8345-afdf6bbe2ec1"  
+        ClientId = "<ClientId>"  
         RootOperatorUserPrincipalName = "[email protected]"  
         LdapServer = "adfs.azurestack.local"  
         LdapCredential = New-Object PSCredential -ArgumentList @("ldap", $ldapPassword)  
-        SyncGroupIdentifier = "7d67fcd5-c2f4-4948-916c-b77ea7c2712f"  
-        OidcCertChainInfo=$oidcCertChainInfo
+        OidcCertChain = $oidcCertChain
+        SyncGroupIdentifier = "<SynGroupIdentifier>"          
     }  
     $identityConfiguration = New-ApplianceExternalIdentityConfiguration @identityParams  
     ```  
 
     > [!NOTE]  
-    > `LdapsCertChainInfo` and `OidcCertChain` can be omitted completely for debugging or demo purposes. For information on how to get LdapsCertChainInfo and OidcCertChainInfo, see [PKI for disconnected operations](disconnected-operations-pki.md).
+    > `LdapsCertChainInfo` and `OidcCertChain` can be omitted completely for debugging or demo purposes. For information on how to get LdapsCertChainInfo and OidcCertChainInfo, see [PKI for disconnected operations](disconnected-operations-pki.md). In this preview release, there's an issue with the `Get-CertificateChainFromEndpoint` not being exported as intended. Use the steps in [Known issues for disconnected operations for Azure Local](disconnected-operations-known-issues.md) to mitigate this issue.
+
+    
 
     For more information, see [Identity for disconnected operations](disconnected-operations-identity.md).  
 
@@ -407,7 +408,7 @@ To configure observability, follow these steps:
 
     ```json
     {
-      "appId": "f9c68c7b-0df2-4b3a-9833-3cfb41c6f829",
+      "appId": "<AppId>",
       "displayName": "azlocalobsapp",
       "password": "<RETRACTED>",
       "tenant": "<RETRACTED>"
@@ -421,7 +422,7 @@ To configure observability, follow these steps:
     $observabilityConfiguration = New-ApplianceObservabilityConfiguration -ResourceGroupName "azure-disconnectedoperations" `
       -TenantId "<TenantID>" `
       -Location "<Location>" `
-      -SubscriptionId "<subscriptionId>" `
+      -SubscriptionId "<SubscriptionId>" `
       -ServicePrincipalId "<AppId>" `
       -ServicePrincipalSecret ("<Password>"|ConvertTo-SecureString -AsPlainText -Force)
 
@@ -485,7 +486,7 @@ Use the operator account to create an SPN for Arc initialization of each Azure L
 
     ```json  
     {  
-      "appId": "f9c68c7b-0df2-4b3a-9833-3cfb41c6f829",  
+      "appId": "<AppId>",  
       "displayName": "azlocalclusapp",  
       "password": "<RETRACTED>",  
       "tenant": "<RETRACTED>"  
@@ -520,7 +521,7 @@ To initialize each node, follow these steps. Modify where necessary to match you
     Write-Host "az login to Disconnected operations cloud"    
     az cloud set -n $applianceCloudName --only-show-errors
     Write-Host "Login using service principal"    
-    az login --service-principal --username $appId --password $clientSecret --tenant 98b8267d-e97f-426e-8b3f-7956511fd63f    
+    az login --service-principal --username $appId --password $clientSecret --tenant <TenantId>    
     # If you prefer interactive login..
     # Write-Host "Using device code login - complete the login from your browser"
     # az login --use-device-code
@@ -658,7 +659,6 @@ From a client with network access to the management endpoint, import the **Opera
 
 ```powershell  
 Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
-Import-Module "$applianceConfigBasePath\OperationsModule\ExternalIdentityConfigurationModule.psm1" -Force
 
 $password = ConvertTo-SecureString 'RETRACTED' -AsPlainText -Force  
 $context = Set-DisconnectedOperationsClientContext -ManagementEndpointClientCertificatePath "${env:localappdata}\AzureLocalOpModuleDev\certs\ManagementEndpoint\ManagementEndpointClientAuth.pfx" -ManagementEndpointClientCertificatePassword $password -ManagementEndpointIpAddress "169.254.53.25"  

azure-local/manage/disconnected-operations-known-issues.md

@@ -21,10 +21,25 @@ These release notes update continuously, and we add critical issues that need a
 
 ## Known issues in the preview release
 
+###  Get-CertificateChainFromEndpoint method not found 
+There's a known issue when running `Get-CertificateChainFromEndpoint` in order to populate the OidcCertChainInfo object. 
+
+Mitigation: You need to make a modification in the OperationsModule. 
+Open the Azure.Local.DisconnectedOperations.psm1 file in notepad (or another text editor). Add the end of the file with the following
+```powershell
+Export-ModuleMember Get-CertificateChainFromEndpoint
+```
+Save the file and exit your editor. Restart your powershell session. Set the execution policy to unrestricted and import the modified OperationsModule module
+```powershell
+Set-ExeuctionPolicy Unrestricted
+Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
+```
+
+
 ### Air-gapped deployment when local DNS forwards and resolves external domain requests
-There is a known issue if you try to deploy an air-gapped enviroment - in the rare condition you would have a local DNS server that is able to resolve public (Microsoft.com) endpoints. 
+There's a known issue when deploying an air-gapped environment—this happens if you’ve got a local DNS server that can resolve public endpoints like Microsoft.com.
 
-Mitigation: Disable DNS forwarding for microsoft.com and azure.com zones. The appliance should not be able to resolve these DNS endpoint and will fail if it receives an IP address. 
+Mitigation: Disable DNS forwarding for microsoft.com and azure.com zones. The appliance can't resolve these DNS endpoints and fails if it receives an IP address. 
 
 ### Azure Local deployment with Azure Keyvault
 

azure-local/manage/disconnected-operations-pki.md

@@ -314,11 +314,10 @@ Here's an example of how to populate the required parameters:
 
 ```powershell
 Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
-Import-Module "$applianceConfigBasePath\OperationsModule\ExternalIdentityConfigurationModule.psm1" -Force
+
 
 $oidcCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://adfs.azurestack.local/adfs'
-# Omit LDAPSCertChain in this preview releases
-# $ldapsCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://dc01.azurestack.local'
+$ldapsCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://dc01.azurestack.local'
 ```
 
 Here's an example of the output from Get-CertificateChainFromEndpoint

azure-local/security-book/TOC.yml

@@ -0,0 +1,17 @@
+items:
+- name: Azure Local Security Book
+  href: overview.md
+- name: Trustworthy addition
+  href: trustworthy-addition.md
+- name: Operational security
+  href: operational-security.md
+- name: Workload security
+  href: workload-security.md
+- name: Silicon-assisted security
+  href: silicon-assisted-security.md
+- name: Security foundation
+  href: security-foundation.md
+- name: Conclusion
+  href: conclusion.md
+
+

azure-local/security-book/conclusion.md

@@ -0,0 +1,31 @@
+---
+title:  Azure Local security book conclusion
+description: Conclusion for the Azure Local security book.
+author: alkohli
+ms.topic: conceptual
+ms.date: 08/11/2025
+ms.author: alkohli
+ms.reviewer: alkohli
+---
+
+# Azure Local security book conclusion
+
+[!INCLUDE [hci-applies-to-23h2](../includes/hci-applies-to-23h2.md)]
+
+We designed Azure Local so it's secure right out of the box. Further, we provide mechanisms to help the system remain secure over time. We'll continue to build on our security foundations with innovations that deliver powerful protection now and in the future.
+
+## Endnotes
+
+The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it shouldn't be interpreted to be a commitment on the part of Microsoft, and Microsoft can't guarantee the accuracy of any information presented after the date of publication.
+ 
+This paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
+
+## Copyrights
+ 
+Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise, or for any purpose, without the express written permission of Microsoft Corporation.  
+ 
+Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document doesn't give you any license to these patents, trademarks, copyrights, or other intellectual property. 
+ 
+## Related content
+
+- [Overview](overview.md)