|
| 1 | +--- |
| 2 | +title: Understand and plan your network for disconnected operations on Azure Local (preview) |
| 3 | +description: Integrate your network with disconnected operations on Azure Local (preview). |
| 4 | +ms.topic: concept-article |
| 5 | +author: ronmiab |
| 6 | +ms.author: robess |
| 7 | +ms.date: 02/06/2025 |
| 8 | +--- |
| 9 | + |
| 10 | +# Plan your network disconnected operations on Azure Local (preview) |
| 11 | + |
| 12 | +[!INCLUDE [applies-to](../includes/release-2411-1-later.md)] |
| 13 | + |
| 14 | +This article helps you integrate your network with disconnected operations on Azure Local. It outlines essential design considerations and requirements for operating in a disconnected operations environment. |
| 15 | + |
| 16 | +[!INCLUDE [IMPORTANT](../includes/disconnected-operations-preview.md)] |
| 17 | + |
| 18 | +## Understand network requirements |
| 19 | + |
| 20 | +Disconnected operations run on Azure Local, so it's important that you understand Azure Local's network requirements. Ensuring that your network meets these requirements is essential for seamless integration and optimal performance. For more detailed information, see [Physical network requirements for Azure Local](../concepts/physical-network-requirements.md). |
| 21 | + |
| 22 | +With your Azure Local deployment, there's flexibility to set up the Azure Local instance according to your specific needs. You deploy the disconnected operations as a virtual machine (VM) appliance, which integrates with the Azure Local network. This setup allows for robust and reliable operations even in environments with intermittent or no internet connectivity. |
| 23 | + |
| 24 | +## Network checklist |
| 25 | + |
| 26 | +Here's a checklist to help you plan your network for disconnected operations on Azure Local: |
| 27 | + |
| 28 | +- Review [Physical network requirements for Azure Local](../concepts/physical-network-requirements.md) |
| 29 | +- Verify [System requirements for Azure Local](../concepts/system-requirements.md) |
| 30 | +- Develop the Azure Local network plan (Disconnected operations and Azure Local): |
| 31 | + - Create the [Host network plan (intents and switches)](../concepts/host-network-requirements.md). |
| 32 | + - Reserve the management IP address pool. |
| 33 | +- Configure the network for disconnected operations (Ingress and management network): |
| 34 | + - Assign an Ingress IP within the management IP address pool subnet, ensuring it doesn't overlap with the range provided during deployment. |
| 35 | + - Ensure the container network range doesn't conflict with the external network. |
| 36 | +- Ensure the domain name system (DNS) server is accessible for disconnected operations and configure it during deployment to flow through the Ingress vNIC/IP. |
| 37 | +- Verify that the DNS server can resolve the endpoints for the Ingress IP. |
| 38 | +- Confirm that the disconnected operations appliance can reach endpoints (IP and port) through the Ingress vNIC/IP. |
| 39 | +- Ensure an identity provider is routable and accessible from the disconnected operations appliance on the management network (intent). |
| 40 | +- Configure the external network to ensure workloads outside of Azure Local can resolve and route traffic to the disconnected operations Ingress IP (port 443). |
| 41 | + |
| 42 | +## Virtual network interface cards (vNICs) and network integration |
| 43 | + |
| 44 | +The disconnected operations VM appliance uses two different vNICs that plug into the network intent. These are: |
| 45 | + |
| 46 | +- **Management vNIC** |
| 47 | +- **Ingress vNIC** |
| 48 | + |
| 49 | +You connect the vNICs to the virtual switch for management, which links to your physical network. Then, you set an IP address for the vNICs during deployment. After that, you use their interfaces for tasks like bootstrapping, troubleshooting, operations, and regular use through the Portal or CLI. |
| 50 | + |
| 51 | +:::image type="content" source="./media/disconnected-operations/network/network-overview.png" alt-text="Screenshot showing how the Appliance and users or workloads communicate with the service." lightbox=" ./media/disconnected-operations/network/network-overview.png"::: |
| 52 | + |
| 53 | +## Plan your Ingress IP |
| 54 | + |
| 55 | +When you plan your Ingress IP, you need to make sure the ingress IP is in the same subnet range as the cluster you configure later, but outside the reserved IP range itself. For example, if your cluster's subnet range is 192.168.1.0/24 and the reserved IP range is 192.168.1.1 - 192.168.1.10, you should choose an ingress IP like 192.168.1.11 or higher, ensuring it doesn't overlap with the reserved range. |
| 56 | + |
| 57 | +### IP checklist for the disconnected appliance |
| 58 | + |
| 59 | +Here's a checklist to help you plan your IP addresses for the disconnected operations appliance: |
| 60 | + |
| 61 | +- **Ingress IP**: |
| 62 | + - Connects to the management intent. |
| 63 | + - Part of the regular network path for the control plane and Azure Local capabilities. |
| 64 | + - Needs DNS resolution to the desired Fully Qualified Domain Name (FQDN). |
| 65 | + - Must be in the same subnet as the Azure Local instance, but outside the reserved range used for instance deployment. |
| 66 | + |
| 67 | +- **Management IP**: |
| 68 | + - Connects to management intent. |
| 69 | + - Any valid, unused IP on the local network. |
| 70 | + - Ensure reachability, if accessing lower management Application Programming Interfaces (APIs) from outside the cluster. |
| 71 | + |
| 72 | +> [!NOTE] |
| 73 | +> Disconnected operations has a built-in container network range that might interfere with your existing network range. If you're already using the range 10.131.19.0/24, you need to isolate this range from your disconnected operations environment. |
| 74 | +> |
| 75 | +> - Reconfiguring the built-in container network range is currently not supported. |
| 76 | +
|
| 77 | +## Unsupported features |
| 78 | + |
| 79 | +For this preview, the following features are unsupported: |
| 80 | + |
| 81 | +- Configurable Virtual Local Area Network (VLAN) for disconnected operations ingress network that enables you to add VLAN tags to ingress packets on a per-port basis. |
| 82 | +- Configurable VLAN for disconnected operations Management network that enables you to isolate management traffic from other network traffic, enhance security, and reduce interference. |
| 83 | + |
| 84 | +### Plan DNS and public key infrastructure (PKI) |
| 85 | + |
| 86 | +During deployment of disconnected operations, you need an FQDN for your appliance that resolves to the Ingress IP used. It's important to plan your DNS and PKI infrastructure before deploying disconnected operations. Additionally, consider how you want to use them to serve clients in your environment. |
| 87 | + |
| 88 | +The Ingress network has several endpoints that are based on the configured FQDN. These endpoints need to be resolvable and secure in your network. For a list of endpoints, see [PKI for disconnected operations](../manage/disconnected-operations-pki.md#ingress-endpoints). |
| 89 | + |
| 90 | +> [!NOTE] |
| 91 | +> The wildcard endpoints serve as backing services where your users dynamically create services such as Azure Key Vault or Azure Container Registry. Your infrastructure needs to resolve a wildcard for these specific endpoints. |
| 92 | +
|
| 93 | +If you plan to connect the appliance to Azure, make sure your DNS infrastructure resolves the necessary Microsoft endpoints. Allow DNS requests from the disconnected operations appliance and ensure there's a network path from disconnected operations to the Ingress network to reach the external endpoints. |
| 94 | + |
| 95 | +For more information, see [Firewall requirements for Azure Local](../concepts/firewall-requirements.md). |
| 96 | + |
| 97 | +## Running with limited connectivity |
| 98 | + |
| 99 | +You can run the appliance in limited connectivity mode. This makes getting support easier and allows logs and telemetry to be sent directly to Microsoft without an export/import job. There are some special considerations to keep in mind when running in limited connectivity mode, as the appliance needs to resolve Microsoft endpoints. |
| 100 | + |
| 101 | +The disconnected appliance only needs to resolve a subset of these endpoints for observability and diagnostics purposes. |
| 102 | + |
| 103 | +Here are the endpoints that the appliance needs to resolve: |
| 104 | + |
| 105 | +| Observability and diagnostics | Endpoint | |
| 106 | +|-------------------------------|----------| |
| 107 | +|Geneva Observability Services | gcs.prod.monitoring.core.windows.net <br></br> *.prod.warm.ingest.monitor.core.windows.net | |
| 108 | +| Azure Connected Machine Agent Managed Identity | login.windows.net <br></br> login.microsoftonline.com <br></br> pas.windows.net <br></br> management.azure.com <br></br> *.his.arc.azure.com <br></br> *.guestconfiguration.azure.com | |
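Review bot: The image directive at line 51 has a leading space inside the quoted `lightbox` value (`lightbox=" ./media/disconnected-operations/network/network-overview.png"`), so it no longer matches the `source` path on the same line and will likely break the lightbox rendering; drop the space so both attributes carry the identical path. Two smaller points in the same hunk: the `### Plan DNS and public key infrastructure (PKI)` heading at line 84 is nested under `## Unsupported features`, which makes DNS and PKI planning read as part of the unsupported list even though the text presents it as a required step (an FQDN resolving to the Ingress IP and resolvable, secured endpoints); promote it to `##` to match the other top-level sections. In the endpoint table at line 107, `|Geneva Observability Services` is missing the leading space that the `| Azure Connected Machine Agent Managed Identity` row on line 108 uses.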