Merge pull request #17218 from MicrosoftDocs/main

2/27/2025 PM Publish

Author: Taojunshen

.openpublishing.redirection.azure-local.json

@@ -1909,6 +1909,11 @@
       "source_path": "azure-local/security-update/security-update-jan-2025.md", 
       "redirect_url": "/azure/azure-local/security-update/security-update", 
       "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/manage/trusted-launch-vm-deploy.md", 
+      "redirect_url": "/azure/azure-local/manage/trusted-launch-vm-overview", 
+      "redirect_document_id": false
     }
   ]
-}
+}

AKS-Arc/TOC.yml

@@ -146,6 +146,10 @@
     items:
     - name: Troubleshoot & known issues
       href: aks-troubleshoot.md
+    - name: Control plane configuration validation errors
+      href: control-plane-validation-errors.md
+    - name: Connectivity issues with MetalLB
+      href: load-balancer-issues.md 
     - name: K8sVersionValidation error
       href: cluster-k8s-version.md
     - name: Use diagnostic checker

AKS-Arc/configure-ssh-keys.md

@@ -1,7 +1,7 @@
 ---
 title: Configure SSH keys for a cluster in AKS enabled by Azure Arc
 description: Learn how to configure SSH keys for an AKS Arc cluster.
-ms.date: 01/10/2025
+ms.date: 02/26/2025
 ms.topic: how-to
 author: sethmanheim
 ms.author: sethm
@@ -71,16 +71,9 @@ You have three options for SSH key configuration:
 - Use an existing key stored in Azure and select from the stored keys.
 - Use an existing public key by providing the SSH public key value.
 
-## Error message
+## Error messages
 
-If you don't provide valid SSH key information during cluster creation and no SSH key exists, you receive error messages like the following:
-
-- An RSA key file or key value must be supplied to SSH Key Value.
-- Control Plane: Missing Security Keys in Cluster Configuration.
-- LinuxProfile SSH public keys should be valid and non-empty.
-- Global LinuxProfile SSH public keys should be valid and non-empty.
-
-To mitigate the issue, see [Create and manage SSH keys with the Azure CLI](/azure/virtual-machines/ssh-keys-azure-cli#generate-new-keys) to create the SSH keys. Then, see [Create Kubernetes clusters](aks-create-clusters-cli.md) for the interface you're using. If you're using the REST API, see [provisioned cluster instances](/rest/api/hybridcontainer/provisioned-cluster-instances) to create the provisioned cluster instance.
+For information about error messages that can occur when you create and deploy an AKS cluster on Azure Local, see the [Control plane configuration validation errors](control-plane-validation-errors.md) article.
 
 ## Next steps
 

AKS-Arc/control-plane-validation-errors.md

@@ -0,0 +1,53 @@
+---
+title: Control plane configuration validation errors
+description: Learn details about each control plane configuration validation error.
+author: sethmanheim
+ms.author: sethm
+ms.topic: concept-article
+ms.date: 02/26/2025
+
+---
+
+# Control plane configuration validation errors
+
+This article describes how to identify and resolve [ControlPlaneConfigurationValidation](configure-ssh-keys.md) error codes that can occur when you create and deploy an AKS cluster on Azure Local.
+
+## Symptoms
+
+When you try to create an AKS Arc cluster, you receive an error message that appears as follows:
+
+```json
+admission webhook "vhybridakscluster.kb.io" denied the request: { 
+   "result": "Failed", 
+   "validationChecks": [ 
+      { 
+         "name": "ControlPlaneConfigurationValidation", 
+         "message": "ControlPlane: Global LinuxProfile SSH public keys should be valid and non-empty. ssh: no key found", 
+         "recommendation": "Please check https://aka.ms/AKSArcValidationErrors/ControlPlaneConfigurationValidation for recommendations" 
+      } 
+   ] 
+}
+```
+
+The following section describes the error messages that you might see when you encounter the **ControlPlaneConfigurationValidation** error code.
+
+## Global LinuxProfile SSH public keys must be valid and non-empty
+
+If you don't provide valid SSH key information during Kubernetes cluster creation and no SSH key exists, you receive error messages similar to the following:
+
+- An RSA key file or key value must be supplied to SSH Key Value.
+- Control Plane: Missing Security Keys in Cluster Configuration.
+- LinuxProfile SSH public keys should be valid and non-empty.
+- Global LinuxProfile SSH public keys should be valid and non-empty.
+
+To mitigate the issue, see [Generate and store SSH keys with the Azure CLI](/azure/virtual-machines/ssh-keys-azure-cli#generate-new-keys) to create the SSH keys. Then, see [Create Kubernetes clusters](aks-create-clusters-cli.md) for the interface you're using. If you're using the REST API, see [provisioned cluster instances](/rest/api/hybridcontainer/provisioned-cluster-instances) to create the provisioned cluster instance.
+
+## Control plane count and VM size
+
+In Kubernetes, control plane nodes manage and orchestrate the cluster. They run key components such as API Server, etcd, scheduler, etc. Control plane nodes maintain cluster state, schedule workloads, and ensure high availability, often using multiple nodes for redundancy.
+
+To successfully create an AKS Arc cluster, you must specify at least one control plane node count. Also, to maintain etcd quorum, the control plane node count should be an odd number. For more information about supported count and VM SKU options, see [Scale requirements for AKS on Azure Local](scale-requirements.md#support-count-for-aks-on-azure-local).
+
+## Next steps
+
+[Troubleshoot issues in AKS enabled by Azure Arc](aks-troubleshoot.md)

AKS-Arc/docfx.json

@@ -55,7 +55,7 @@
       "feedback_product_url": "https://feedback.azure.com/d365community/forum/a2f8da29-b853-ec11-8f8e-0022481f2fe7",
       "breadcrumb_path": "/azure/aks/aksarc/breadcrumb/toc.json",
       "extendBreadcrumb": false,
-      "manager":"femila",
+      "manager":"lizross",
       "ms.service": "azure-stack",
       "recommendations": true,
       "zone_pivot_group_filename": "../azure-stack/zone-pivot-groups.json"

AKS-Arc/load-balancer-issues.md

@@ -0,0 +1,61 @@
+---
+title: Intermittent connectivity issues with MetalLB or Kubernetes services of type Load Balancer
+description: Learn how to mitigate connection issues with MetalLB or Kubernetes services of type Load Balancer.
+author: sethmanheim
+ms.author: sethm
+ms.topic: concept-article
+ms.date: 02/26/2025
+
+---
+
+# Intermittent connectivity issues with MetalLB or Kubernetes services of type Load Balancer
+
+You might sometimes experience intermittent connectivity issues when accessing a Kubernetes service of type **LoadBalancer** using the assigned external IP address. This article describes how to identify and resolve connection issues with MetalLB or Kubernetes services of type **LoadBalancer**.
+
+## Symptoms
+
+- The service is accessible sometimes, but not consistently.
+- The client experiences unexpected disconnects.
+- The external IP intermittently appears and disappears from the control plane when running `Get-VMNetworkAdapter`:
+
+  ```powershell
+  Get-VMNetworkAdapter -VMName * | select name, ipaddresses 
+
+  ...
+
+  # The external IP appears in the get-vmnetworkadapter output 
+
+  nocpip26-55bc418a-control-plane-kjqcm-nic-b607b1e0                         
+  {172.16.0.11, 172.16.0.10, ***172.16.100.0***, fe80::ec:d3ff:fe8b:1} 
+
+  # Now it's gone 
+
+  Get-VMNetworkAdapter -VMName * | select name, ipaddresses 
+
+  ...
+
+  nocpip26-55bc418a-control-plane-kjqcm-nic-b607b1e0                         
+  {172.16.0.11, 172.16.0.10, ***Now it is gone*** fe80::ec:d3ff:fe8b:1} 
+
+  # Now it's back 
+
+  Get-VMNetworkAdapter -VMName * | select name, ipaddresses
+
+  ... 
+
+  nocpip26-55bc418a-control-plane-kjqcm-nic-b607b1e0                         
+  {172.16.0.11, 172.16.0.10, ***172.16.100.0***, fe80::ec:d3ff:fe8b:1}
+  ```
+
+## Mitigation
+
+This issue was fixed in [AKS on Azure Local, version 2411](aks-whats-new-23h2.md#release-2411).
+
+If you're on an older build, please update to Azure Local, version 2411. Once you update to 2411, you can:
+
+- Create a new AKS cluster. The new AKS cluster should not have any intermittent load balancer connectivity issues.
+- [Upgrade the Kubernetes version](cluster-upgrade.md) of your existing AKS cluster to get the fix.
+
+## Next steps
+
+[Troubleshoot issues in AKS enabled by Azure Arc](aks-troubleshoot.md)

azure-local/TOC.yml

@@ -275,11 +275,11 @@ items:
 
   - name: Trusted launch for Arc VMs
     items: 
-      - name: What is Trusted Launch for Arc VMs?
+      - name: What is Trusted launch for Arc VMs?
         href: manage/trusted-launch-vm-overview.md
-      - name: Deploy Trusted Launch for Arc VMs
-        href: manage/trusted-launch-vm-deploy.md
-      - name: Manage guest state protection key
+      - name: Automatic virtual TPM state transfer
+        href: manage/trusted-launch-automatic-state-transfer.md
+      - name: Manual backup and recovery
         href: manage/trusted-launch-vm-import-key.md
 
   - name: Non Arc VMs

azure-local/deploy/single-server.md

@@ -6,7 +6,7 @@ ms.author: robess
 ms.topic: how-to
 ms.reviewer: kimlam
 ms.lastreviewed: 01/17/2023
-ms.date: 01/31/2024
+ms.date: 02/27/2025
 ---
 
 # Deploy Azure Stack HCI on a single server
@@ -23,9 +23,9 @@ Currently you can't use Windows Admin Center to deploy Azure Stack HCI on a sing
 
 ## Prerequisites
 
-- A server from the [Azure Stack HCI Catalog](https://hcicatalog.azurewebsites.net/#/catalog) that's certified for use as a single-node cluster and configured with all NVMe or all SSD drives.
+- A server from the [Azure Stack HCI Catalog](https://hcicatalog.azurewebsites.net/#/catalog) certified for use as a single-node cluster and configured with all NVMe or all SSD drives.
 - For network, hardware and other requirements, see [Azure Stack HCI network and domain requirements](../deploy/operating-system.md#determine-hardware-and-network-requirements).
-- Optionally, [install Windows Admin Center](/windows-server/manage/windows-admin-center/deploy/install) to register and manage the server once it has been deployed.
+- Optionally, [install Windows Admin Center](/windows-server/manage/windows-admin-center/deploy/install) to register and manage the server after it's deployed.
 
 ## Deploy on a single server
 
@@ -38,8 +38,10 @@ Here are the steps to install the Azure Stack HCI OS on a single server, create
     ```
 
 1. Install the Azure Stack HCI OS on your server. For more information, see [Deploy the Azure Stack HCI OS](../deploy/operating-system.md#manual-deployment) onto your server.
+
 1. Configure the server utilizing the [Server Configuration Tool](/windows-server/administration/server-core/server-core-sconfig) (SConfig).
-1. Install the required roles and features using the following command, then reboot before continuing.
+
+1. Install the required roles and features using the following command, then reboot before you continue.
 
    ```powershell
    Install-WindowsFeature -Name "BitLocker", "Data-Center-Bridging", "Failover-Clustering", "FS-FileServer", "FS-Data-Deduplication", "Hyper-V", "Hyper-V-PowerShell", "RSAT-AD-Powershell", "RSAT-Clustering-PowerShell", "NetworkATC", "Storage-Replica", -IncludeAllSubFeature -IncludeManagementTools
@@ -60,10 +62,11 @@ Here are the steps to install the Azure Stack HCI OS on a single server, create
    ```
 
    > [!NOTE]
-   > - The cluster name should not exceed 15 characters.
-   > - The `New-Cluster` command will also require the `StaticAddress` parameter if the node is not using DHCP for its IP address assignment.  This parameter should be supplied with a new, available IP address on the node's subnet.
+   > - The cluster name shouldn't exceed 15 characters.
+   > - The `New-Cluster` command requires the `StaticAddress` parameter if the node isn't using DHCP for its IP address assignment. This parameter should be supplied with a new, available IP address on the node's subnet.
 
 1. Use [PowerShell](../deploy/register-with-azure.md?tab=power-shell#register-a-cluster) or [Windows Admin Center](../deploy/register-with-azure.md?tab=windows-admin-center#register-a-cluster) to register the cluster.
+
 1. [Create volumes](/windows-server/storage/storage-spaces/create-volumes).
 
 ## Updating single-node clusters
@@ -76,16 +79,20 @@ For solution updates (such as driver and firmware updates), see your solution ve
 
 ## Change a single-node to a multi-node cluster (optional)
 
-You can add servers to your single-node cluster, also known as scaling out, though there are some manual steps you must take to properly configure Storage Spaces Direct fault domains (`FaultDomainAwarenessDefault`) in the process. These steps aren't present when adding servers to clusters with two or more servers.
+You can add servers to your single-node cluster, also known as scaling out, though there are some manual steps you must take to properly configure Storage Spaces Direct fault domains (`FaultDomainAwarenessDefault`) in the process. These steps aren't present when you add servers to clusters with two or more servers.
 
 1. Validate the cluster by specifying the existing server and the new server: [Validate an Azure Stack HCI cluster - Azure Stack HCI | Microsoft Docs](../deploy/validate.md).
+
 2. If cluster validation was successful, add the new server to the cluster: [Add or remove servers for an Azure Stack HCI cluster - Azure Stack HCI | Microsoft Docs](../manage/add-cluster.md).
+
 3. Once the server is added, change the cluster's fault domain awareness from PhysicalDisk to ScaleScaleUnit: [Inline fault domain changes](../manage/single-node-scale-out.md#inline-fault-domain-changes).
+
 4. Optionally, if more resiliency is needed, adjust the volume resiliency type from a 2-way mirror to a Nested 2-way mirror: [Single-server to two-node cluster](../manage/single-node-scale-out.md#single-server-to-two-node-cluster).
+
 5. [Set up a cluster witness](../manage/witness.md).
 
 ## Next steps
 
-- [Deploy workload – AVD](../deploy/virtual-desktop-infrastructure.md)
-- [Deploy workload – AKS-HCI](/azure-stack/aks-hci/overview)
-- [Deploy workload – Azure Arc-enabled data services](/azure/azure-arc/data/overview)
+- [Deploy workload – AVD](../deploy/virtual-desktop-infrastructure.md).
+- [Deploy workload – AKS-HCI](/azure-stack/aks-hci/overview).
+- [Deploy workload – Azure Arc-enabled data services](/azure/azure-arc/data/overview).

azure-local/manage/create-arc-virtual-machines.md

@@ -136,7 +136,33 @@ Here we create a VM that uses specific memory and processor counts on a specifie
     | **storage-path-id** |The associated storage path where the VM configuration and the data are saved.  |
     | **proxy-configuration** |Use this optional parameter to configure a proxy server for your VM. For more information, see [Create a VM with proxy configured](#create-a-vm-with-proxy-configured).  |
 
-1. Run the following command to create a VM.
+1. Run the following commands to create the applicable VM.
+
+    **To create a Trusted launch Arc VM:**
+
+    1. Specify additional flags to enable secure boot, enable virtual TPM, and choose security type. Note, when you specify security type as Trusted launch, you must enable secure boot and vTPM, otherwise Trusted launch VM creation will fail.
+
+        ```azurecli
+        az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --enable-secure-boot true --enable-vtpm true --security-type "TrustedLaunch"
+        ```
+
+    1. Once the VM is created, to verify the security type of the VM is `Trusted launch`, do the following.
+
+    1. Run the following cmdlet (on one of the cluster nodes) to find the owner node of the VM:
+
+        ```azurecli
+        Get-ClusterGroup $vmName
+        ```
+
+    1. Run the following cmdlet on the owner node of the VM:
+
+        ```azurecli
+        (Get-VM $vmName).GuestStateIsolationType
+        ```
+
+    1. Ensure a value of `TrustedLaunch` is returned.
+
+    **To create a standard Arc VM:**
 
    ```azurecli
     az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId 
@@ -247,7 +273,7 @@ Follow these steps in Azure portal for your Azure Local.
 
         **The Virtual machine kind** is automatically set to **Azure Local**.
 
-    1. **Security type** - For the security of your VM, select **Standard** or **Trusted Launch virtual machines**. For more information on what are Trusted Launch Arc virtual machines, see [What is Trusted Launch for Azure Arc Virtual Machines?](./trusted-launch-vm-overview.md).
+    1. **Security type** - For the security of your VM, select **Standard** or **Trusted launch virtual machines**. For more information on what are Trusted launch Arc virtual machines, see [What is Trusted launch for Azure Arc Virtual Machines?](./trusted-launch-vm-overview.md).
 
    1. **Storage path** - Select the storage path for your VM image. Select **Choose automatically** to have a storage path with high availability automatically selected. Select **Choose manually** to specify a storage path to store VM images and configuration files on your Azure Local. In this case, ensure that the selected storage path has sufficient storage space.