Azure Local - Homelab - Part 3 - Deployment and custom deployments


Intro

I could have written about how I configured my Azure Local stack from the Azure portal. But I feel like a lot of guys have done that already and it is pretty straightforward. If you have read my previous part 2 article carefully, you will have all the required information to run a successful deployment the first time.

All you have to do is navigate to Azure Local > Deploy Instance in the Azure portal, and follow the wizard.

Custom template deployment - Quickstart

Something really great about Azure is the ability to deploy resources based on templates. They can be built in by Microsoft, or custom-created and uploaded (you can also use various CLI tools to deploy templates).

Visit: https://portal.azure.com/#create/Microsoft.Template

You can try out some of the templates for Azure Stack HCI by selecting a quickstart template and then searching for “azurestackhci”.

Custom template deployment - my custom template

If you feel like the default quickstart templates are not the best way for you to start, you can deploy via the wizard the first time to get a feel for what is going on, what resources are being deployed and so on. You can then use your first deployment to export a template.

Go to Azure Local > your stack > Deployments and then select “click here” to save the template of this deployment.

You can then visit https://portal.azure.com/#create/Microsoft.Template

And upload your own custom template.

Below is my template in full. If you are not comfortable reading JSON, I encourage you to upload the template to the custom deployment page in Azure, because you will then get a better view:

HINT: Remember to create the resource group you are deploying to first. Since you should already have registered the Azure Local nodes to Arc, this resource group should already exist.

HINT: I have altered some of the names in the templates - for you to be able to use my templates, you have to modify things like tenant id, and names of storage account, keyvault and secrets. Also look at node config and IP config for nodes and infrastructure. I expect you need to change these things as well. However, seeing this approach, I hope to inspire you to use templates in Azure, also for Azure Local.

Storage Account

The wizard will create the storage account for you and set the required permissions. But when using a custom template, we have to create it ourselves. The storage account is used as a cloud witness for the cluster storage.

You then have to get the first access key for the storage account - this must be added to the keyvault you are going to create next.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccounts_yoursanamehere_name": {
            "defaultValue": "yoursanamehere",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2025-01-01",
            "name": "[parameters('storageAccounts_yoursanamehere_name')]",
            "location": "westeurope",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "properties": {
                "allowCrossTenantReplication": false,
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": false,
                "networkAcls": {
                    "bypass": "AzureServices",
                    "virtualNetworkRules": [],
                    "ipRules": [],
                    "defaultAction": "Allow"
                },
                "supportsHttpsTrafficOnly": true,
                "encryption": {
                    "services": {
                        "file": {
                            "keyType": "Account",
                            "enabled": true
                        },
                        "blob": {
                            "keyType": "Account",
                            "enabled": true
                        }
                    },
                    "keySource": "Microsoft.Storage"
                },
                "accessTier": "Hot"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/blobServices",
            "apiVersion": "2025-01-01",
            "name": "[concat(parameters('storageAccounts_yoursanamehere_name'), '/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_yoursanamehere_name'))]"
            ],
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "properties": {
                "cors": {
                    "corsRules": []
                },
                "deleteRetentionPolicy": {
                    "allowPermanentDelete": false,
                    "enabled": false
                }
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/fileServices",
            "apiVersion": "2025-01-01",
            "name": "[concat(parameters('storageAccounts_yoursanamehere_name'), '/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_yoursanamehere_name'))]"
            ],
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "properties": {
                "protocolSettings": {
                    "smb": {}
                },
                "cors": {
                    "corsRules": []
                },
                "shareDeleteRetentionPolicy": {
                    "enabled": true,
                    "days": 7
                }
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/queueServices",
            "apiVersion": "2025-01-01",
            "name": "[concat(parameters('storageAccounts_yoursanamehere_name'), '/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_yoursanamehere_name'))]"
            ],
            "properties": {
                "cors": {
                    "corsRules": []
                }
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/tableServices",
            "apiVersion": "2025-01-01",
            "name": "[concat(parameters('storageAccounts_yoursanamehere_name'), '/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_yoursanamehere_name'))]"
            ],
            "properties": {
                "cors": {
                    "corsRules": []
                }
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
            "apiVersion": "2025-01-01",
            "name": "[concat(parameters('storageAccounts_yoursanamehere_name'), '/default/msft-cloud-witness')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccounts_yoursanamehere_name'), 'default')]",
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_yoursanamehere_name'))]"
            ],
            "properties": {
                "immutableStorageWithVersioning": {
                    "enabled": false
                },
                "defaultEncryptionScope": "$account-encryption-key",
                "denyEncryptionScopeOverride": false,
                "publicAccess": "None"
            }
        }
    ]
}

Keyvault and secrets

You have to create a keyvault. This is used to store the password for LCMUser (that you created in Active Directory in part 2 of my series), the local admin password for the nodes, and the access key for the storage account. If you plan to have multiple stacks using the same keyvault, you can generate a GUID and add it as a suffix to the secret names (this is what the wizard does for us).

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_yourstackname_hcikv_name": {
            "defaultValue": "yourstackname-hcikv",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2024-12-01-preview",
            "name": "[parameters('vaults_yourstackname_hcikv_name')]",
            "location": "westeurope",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "standard"
                },
                "tenantId": "<-tenant-id-here->",
                "accessPolicies": [],
                "enabledForDeployment": true,
                "enabledForDiskEncryption": true,
                "enabledForTemplateDeployment": true,
                "enableSoftDelete": true,
                "softDeleteRetentionInDays": 90,
                "enableRbacAuthorization": true,
                "vaultUri": "[concat('https://', parameters('vaults_yourstackname_hcikv_name'), '.vault.azure.net/')]",
                "provisioningState": "Succeeded",
                "publicNetworkAccess": "Enabled"
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2024-12-01-preview",
            "name": "[concat(parameters('vaults_yourstackname_hcikv_name'), '/yourstackname-AzureStackLCMUserCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc')]",
            "location": "westeurope",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_yourstackname_hcikv_name'))]"
            ],
            "properties": {
                "attributes": {
                    "enabled": true,
                    "exp": 1800284724
                }
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2024-12-01-preview",
            "name": "[concat(parameters('vaults_yourstackname_hcikv_name'), '/yourstackname-LocalAdminCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc')]",
            "location": "westeurope",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_yourstackname_hcikv_name'))]"
            ],
            "properties": {
                "attributes": {
                    "enabled": true,
                    "exp": 1800284724
                }
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2024-12-01-preview",
            "name": "[concat(parameters('vaults_yourstackname_hcikv_name'), '/yourstackname-WitnessStorageKey-2b2424db-d5c2-4584-9f08-aae0b8e2facc')]",
            "location": "westeurope",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_yourstackname_hcikv_name'))]"
            ],
            "properties": {
                "attributes": {
                    "enabled": true,
                    "exp": 1800284725
                }
            }
        }
    ]
}

Azure Local stack

When you have deployed the storage account, keyvault and secrets, you are ready to deploy your Azure Local stack.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "apiVersion": {
            "defaultValue": "2025-09-15-preview",
            "type": "String",
            "metadata": "The api version for deploying a hci cluster"
        },
        "name": {
            "defaultValue": "azhcickj",
            "type": "String",
            "metadata": "The name of the hci cluster"
        },
        "arcNodeResourceIds": {
            "defaultValue": [
                "/subscriptions/<your-sub-here>/resourceGroups/rg-CKJ-AZL-LAB-westeurope/providers/Microsoft.HybridCompute/machines/AZHCI02",
                "/subscriptions/<your-sub-here>/resourceGroups/rg-CKJ-AZL-LAB-westeurope/providers/Microsoft.HybridCompute/machines/azhci01"
            ],
            "type": "Array",
            "metadata": "The arc for server node Ids of the hci cluster"
        },
        "domainFqdn": {
            "defaultValue": "az.local",
            "type": "String",
            "metadata": "The domain name of the active directory"
        },
        "namingPrefix": {
            "defaultValue": "HCI01",
            "type": "String",
            "metadata": "The computer name prefix"
        },
        "adouPath": {
            "defaultValue": "OU=HCI,DC=az,DC=local",
            "type": "String",
            "metadata": "The oU path"
        },
        "secretsLocation": {
            "defaultValue": "https://yourkeyvaultnamehere.vault.azure.net/",
            "type": "String",
            "metadata": "The key vault uri"
        },
        "identityProvider": {
            "defaultValue": "ActiveDirectory",
            "type": "String",
            "metadata": "The identity provider for the cluster"
        },
        "securityLevel": {
            "defaultValue": "Customized",
            "type": "String",
            "metadata": "The security level data for deploying a hci cluster"
        },
        "driftControlEnforced": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The security setting driftControlEnforced data for deploying a hci cluster"
        },
        "credentialGuardEnforced": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The security setting credentialGuardEnforced data for deploying a hci cluster"
        },
        "smbSigningEnforced": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The security setting smbSigningEnforced data for deploying a hci cluster"
        },
        "smbClusterEncryption": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The security setting smbClusterEncryption data for deploying a hci cluster"
        },
        "bitlockerBootVolume": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The security setting bitlockerBootVolume data for deploying a hci cluster"
        },
        "bitlockerDataVolumes": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The security setting bitlockerDataVolumes data for deploying a hci cluster"
        },
        "wdacEnforced": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The security setting wdacEnforced data for deploying a hci cluster"
        },
        "streamingDataClient": {
            "defaultValue": true,
            "type": "Bool",
            "metadata": "The metrics data for deploying a hci cluster"
        },
        "euLocation": {
            "defaultValue": true,
            "type": "Bool",
            "metadata": "The location data for deploying a hci cluster"
        },
        "episodicDataUpload": {
            "defaultValue": true,
            "type": "Bool",
            "metadata": "The diagnostic data for deploying a hci cluster"
        },
        "clusterName": {
            "defaultValue": "yourclusternamehere",
            "type": "String",
            "metadata": "The name of the hci cluster"
        },
        "witnessType": {
            "defaultValue": "Cloud",
            "type": "String",
            "metadata": "The witness type for the azure stack hci cluster"
        },
        "cloudAccountName": {
            "defaultValue": "yourcloudaccountnamehere",
            "type": "String",
            "metadata": "The storage account for deploying a hci cluster"
        },
        "storageAccountEndpoint": {
            "defaultValue": "core.windows.net",
            "type": "String",
            "metadata": "The storage account endpoint for deploying a hci cluster"
        },
        "configurationMode": {
            "defaultValue": "Express",
            "type": "String",
            "metadata": "The volume type for deploying a hci cluster"
        },
        "subnetMask": {
            "defaultValue": "255.255.255.0",
            "type": "String",
            "metadata": "The subnet mask for deploying a hci cluster"
        },
        "defaultGateway": {
            "defaultValue": "192.168.0.1",
            "type": "String",
            "metadata": "The default gateway for deploying a hci cluster"
        },
        "startingIPAddress": {
            "defaultValue": "192.168.0.230",
            "type": "String",
            "metadata": "The starting ip address for deploying a hci cluster"
        },
        "endingIPAddress": {
            "defaultValue": "192.168.0.236",
            "type": "String",
            "metadata": "The ending ip address for deploying a hci cluster"
        },
        "dnsServers": {
            "defaultValue": [
                "192.168.0.250"
            ],
            "type": "Array",
            "metadata": "The dns servers for deploying a hci cluster"
        },
        "useDhcp": {
            "defaultValue": true,
            "type": "Bool",
            "metadata": "Allows customers to use DHCP for Hosts and Cluster IPs. If not declared, the deployment will default to static IPs. When true, GW and DNS servers are not required"
        },
        "physicalNodesSettings": {
            "defaultValue": [
                {
                    "name": "AZHCI02",
                    "ipv4Address": "192.168.0.43"
                },
                {
                    "name": "azhci01",
                    "ipv4Address": "192.168.0.41"
                }
            ],
            "type": "Array",
            "metadata": "The physical nodes settings for deploying a hci cluster"
        },
        "networkingType": {
            "defaultValue": "switchedMultiServerDeployment",
            "type": "String",
            "metadata": "The networking type for deploying a hci cluster"
        },
        "networkingPattern": {
            "defaultValue": "customConfiguration",
            "type": "String",
            "metadata": "The networking pattern for deploying a hci cluster"
        },
        "intentList": {
            "defaultValue": [
                {
                    "name": "Storage",
                    "trafficType": [
                        "Storage"
                    ],
                    "adapter": [
                        "Storage",
                        "Storage2"
                    ],
                    "overrideVirtualSwitchConfiguration": false,
                    "virtualSwitchConfigurationOverrides": {
                        "enableIov": "",
                        "loadBalancingAlgorithm": ""
                    },
                    "overrideQosPolicy": false,
                    "qosPolicyOverrides": {
                        "priorityValue8021Action_Cluster": "7",
                        "priorityValue8021Action_SMB": "3",
                        "bandwidthPercentage_SMB": "50"
                    },
                    "overrideAdapterProperty": false,
                    "adapterPropertyOverrides": {
                        "jumboPacket": "1514",
                        "networkDirect": "Enabled",
                        "networkDirectTechnology": "RoCEv2"
                    }
                },
                {
                    "name": "Compute",
                    "trafficType": [
                        "Compute"
                    ],
                    "adapter": [
                        "Compute"
                    ],
                    "overrideVirtualSwitchConfiguration": false,
                    "virtualSwitchConfigurationOverrides": {
                        "enableIov": "",
                        "loadBalancingAlgorithm": ""
                    },
                    "overrideQosPolicy": false,
                    "qosPolicyOverrides": {
                        "priorityValue8021Action_Cluster": "7",
                        "priorityValue8021Action_SMB": "3",
                        "bandwidthPercentage_SMB": "50"
                    },
                    "overrideAdapterProperty": false,
                    "adapterPropertyOverrides": {
                        "jumboPacket": "1514",
                        "networkDirect": "Enabled",
                        "networkDirectTechnology": "RoCEv2"
                    }
                },
                {
                    "name": "Management",
                    "trafficType": [
                        "Management"
                    ],
                    "adapter": [
                        "MGMT"
                    ],
                    "overrideVirtualSwitchConfiguration": false,
                    "virtualSwitchConfigurationOverrides": {
                        "enableIov": "",
                        "loadBalancingAlgorithm": ""
                    },
                    "overrideQosPolicy": false,
                    "qosPolicyOverrides": {
                        "priorityValue8021Action_Cluster": "7",
                        "priorityValue8021Action_SMB": "3",
                        "bandwidthPercentage_SMB": "50"
                    },
                    "overrideAdapterProperty": false,
                    "adapterPropertyOverrides": {
                        "jumboPacket": "1514",
                        "networkDirect": "Enabled",
                        "networkDirectTechnology": "RoCEv2"
                    }
                }
            ],
            "type": "Array",
            "metadata": "The intent list for deploying a hci cluster"
        },
        "storageNetworkList": {
            "defaultValue": [
                {
                    "name": "StorageNetwork1",
                    "networkAdapterName": "Storage",
                    "vlanId": "711"
                },
                {
                    "name": "StorageNetwork2",
                    "networkAdapterName": "Storage2",
                    "vlanId": "712"
                }
            ],
            "type": "Array",
            "metadata": "The storage network list for deploying a hci cluster"
        },
        "storageConnectivitySwitchless": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "The storage connectivity switchless value for deploying a hci cluster"
        },
        "enableStorageAutoIp": {
            "defaultValue": true,
            "type": "Bool",
            "metadata": "The storage auto ip value for deploying a hci cluster"
        },
        "secrets": {
            "defaultValue": [
                {
                    "secretName": "yourstacknamehere-LocalAdminCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc",
                    "eceSecretName": "LocalAdminCredential",
                    "secretLocation": "https://yourkeyvaultnamehere.vault.azure.net/secrets/yourstacknamehere-LocalAdminCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc"
                },
                {
                    "secretName": "yourstacknamehere-AzureStackLCMUserCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc",
                    "eceSecretName": "AzureStackLCMUserCredential",
                    "secretLocation": "https://yourkeyvaultnamehere.vault.azure.net/secrets/yourstacknamehere-AzureStackLCMUserCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc"
                },
                {
                    "secretName": "yourstacknamehere-WitnessStorageKey-2b2424db-d5c2-4584-9f08-aae0b8e2facc",
                    "eceSecretName": "WitnessStorageKey",
                    "secretLocation": "https://yourkeyvaultnamehere.vault.azure.net/secrets/yourstacknamehere-WitnessStorageKey-2b2424db-d5c2-4584-9f08-aae0b8e2facc"
                }
            ],
            "type": "Array",
            "metadata": "The secrets name and location"
        },
        "customLocation": {
            "defaultValue": "",
            "type": "String",
            "metadata": "The custom location for deploying a hci cluster"
        },
        "isSbeManifestPresent": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "Boolean value determining whether sbe manifest is present or not"
        },
        "sbeDeploymentInfo": {
            "defaultValue": {
                "version": "",
                "family": "",
                "publisher": "",
                "sbeManifestSource": "",
                "sbeManifestCreationDate": null
            },
            "type": "Object",
            "metadata": "The sbe partner information for this template"
        },
        "isPartnerPropertiesPresent": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "Boolean value determining whether partner properties is present or not"
        },
        "partnerPropertiesInDeploymentSettings": {
            "defaultValue": [],
            "type": "Array",
            "metadata": "The partner properties values specified"
        },
        "isCredentialListPresent": {
            "defaultValue": false,
            "type": "Bool",
            "metadata": "Boolean value determining whether credential list is present or not"
        },
        "credentialListInDeploymentSettings": {
            "defaultValue": [],
            "type": "Array",
            "metadata": "The credential secret name specified"
        }
    },
    "resources": [
        {
            "type": "microsoft.azurestackhci/clusters/deploymentSettings",
            "apiVersion": "[parameters('apiVersion')]",
            "name": "[format('{0}/default', parameters('name'))]",
            "properties": {
                "arcNodeResourceIds": "[parameters('arcNodeResourceIds')]",
                "deploymentMode": "Deploy",
                "deploymentConfiguration": {
                    "version": "10.0.0.0",
                    "scaleUnits": [
                        {
                            "deploymentData": {
                                "securitySettings": {
                                    "hvciProtection": true,
                                    "drtmProtection": true,
                                    "driftControlEnforced": "[parameters('driftControlEnforced')]",
                                    "credentialGuardEnforced": "[parameters('credentialGuardEnforced')]",
                                    "smbSigningEnforced": "[parameters('smbSigningEnforced')]",
                                    "smbClusterEncryption": "[parameters('smbClusterEncryption')]",
                                    "sideChannelMitigationEnforced": true,
                                    "bitlockerBootVolume": "[parameters('bitlockerBootVolume')]",
                                    "bitlockerDataVolumes": "[parameters('bitlockerDataVolumes')]",
                                    "wdacEnforced": "[parameters('wdacEnforced')]"
                                },
                                "observability": {
                                    "streamingDataClient": "[parameters('streamingDataClient')]",
                                    "euLocation": "[parameters('euLocation')]",
                                    "episodicDataUpload": "[parameters('episodicDataUpload')]"
                                },
                                "cluster": {
                                    "name": "[parameters('clusterName')]",
                                    "witnessType": "[parameters('witnessType')]",
                                    "witnessPath": "",
                                    "cloudAccountName": "[parameters('cloudAccountName')]",
                                    "azureServiceEndpoint": "[parameters('storageAccountEndpoint')]"
                                },
                                "storage": {
                                    "configurationMode": "[parameters('configurationMode')]"
                                },
                                "namingPrefix": "[parameters('namingPrefix')]",
                                "domainFqdn": "[parameters('domainFqdn')]",
                                "infrastructureNetwork": [
                                    {
                                        "subnetMask": "[parameters('subnetMask')]",
                                        "gateway": "[parameters('defaultGateway')]",
                                        "ipPools": [
                                            {
                                                "startingAddress": "[parameters('startingIPAddress')]",
                                                "endingAddress": "[parameters('endingIPAddress')]"
                                            }
                                        ],
                                        "dnsServers": "[parameters('dnsServers')]",
                                        "useDhcp": "[parameters('useDhcp')]"
                                    }
                                ],
                                "physicalNodes": [
                                    {
                                        "name": "AZHCI02",
                                        "ipv4Address": "192.168.0.43"
                                    },
                                    {
                                        "name": "azhci01",
                                        "ipv4Address": "192.168.0.41"
                                    }
                                ],
                                "hostNetwork": {
                                    "intents": "[parameters('intentList')]",
                                    "storageNetworks": "[parameters('storageNetworkList')]",
                                    "storageConnectivitySwitchless": "[parameters('storageConnectivitySwitchless')]",
                                    "enableStorageAutoIp": "[parameters('enableStorageAutoIp')]"
                                },
                                "adouPath": "[parameters('adouPath')]",
                                "secretsLocation": "[parameters('secretsLocation')]",
                                "secrets": [
                                    {
                                        "secretName": "yourstacknamehere-LocalAdminCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc",
                                        "eceSecretName": "LocalAdminCredential",
                                        "secretLocation": "https://yourkeyvaultnamehere.vault.azure.net/secrets/yourstacknamehere-LocalAdminCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc"
                                    },
                                    {
                                        "secretName": "yourstacknamehere-AzureStackLCMUserCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc",
                                        "eceSecretName": "AzureStackLCMUserCredential",
                                        "secretLocation": "https://yourkeyvaultnamehere.vault.azure.net/secrets/yourstacknamehere-AzureStackLCMUserCredential-2b2424db-d5c2-4584-9f08-aae0b8e2facc"
                                    },
                                    {
                                        "secretName": "yourstacknamehere-WitnessStorageKey-2b2424db-d5c2-4584-9f08-aae0b8e2facc",
                                        "eceSecretName": "WitnessStorageKey",
                                        "secretLocation": "https://yourkeyvaultnamehere.vault.azure.net/secrets/yourstacknamehere-WitnessStorageKey-2b2424db-d5c2-4584-9f08-aae0b8e2facc"
                                    }
                                ],
                                "optionalServices": {
                                    "customLocation": "[parameters('customLocation')]"
                                },
                                "identityProvider": "[parameters('identityProvider')]"
                            }
                        }
                    ]
                }
            }
        }
    ]
}
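
A pre-deployment check over the three templates above, as an added example that is not part of my original templates or of any Microsoft tooling. It flags security parameters that default to false, secret references that no secret in the Key Vault template matches (the placeholder prefixes differ between the two templates above), `secrets` and `physicalNodes` blocks written literally in the resource, and open network defaults. The function names are hypothetical and the sample dicts are constructed, trimmed copies of the templates; in practice you would `json.load` the exported files.

```python
import re
from datetime import datetime, timezone

# Security parameters the stack template exposes as booleans.
SECURITY_TOGGLES = (
    "driftControlEnforced", "credentialGuardEnforced", "smbSigningEnforced",
    "smbClusterEncryption", "bitlockerBootVolume", "bitlockerDataVolumes",
    "wdacEnforced",
)


def vault_secrets(kv):
    """Return {secret name: expiry epoch or None} for secrets the vault template creates."""
    found = {}
    for res in kv.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults/secrets":
            continue
        # Exported names look like "[concat(parameters('vault'), '/secret-name')]".
        match = re.search(r"/([^/']+)'?\s*\)?\s*\]?\s*$", res["name"])
        if match:
            attrs = res.get("properties", {}).get("attributes", {})
            found[match.group(1)] = attrs.get("exp")
    return found


def review(stack, kv, storage, now=None):
    """Return a list of findings for the three templates (parsed JSON dicts)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    params = stack.get("parameters", {})

    # 1. Security settings whose default is off.
    for key in SECURITY_TOGGLES:
        if params.get(key, {}).get("defaultValue") is False:
            findings.append(f"security: {key} defaults to false")

    # 2. Each secret reference must point at a secret the vault template creates.
    vault_uri = params.get("secretsLocation", {}).get("defaultValue", "").rstrip("/")
    created = vault_secrets(kv)
    for ref in params.get("secrets", {}).get("defaultValue", []):
        name = ref["secretName"]
        if ref["secretLocation"] != f"{vault_uri}/secrets/{name}":
            findings.append(f"secret: {name} location does not match vault URI and name")
        if name not in created:
            findings.append(f"secret: {name} is not created by the Key Vault template")
        elif created[name] and datetime.fromtimestamp(created[name], timezone.utc) <= now:
            findings.append(f"secret: {name} has expired")

    # 3. Literal blocks in the resource are deployed as written, whatever the parameters say.
    for res in stack.get("resources", []):
        config = res.get("properties", {}).get("deploymentConfiguration", {})
        for unit in config.get("scaleUnits", []):
            for key in ("secrets", "physicalNodes"):
                if isinstance(unit.get("deploymentData", {}).get(key), list):
                    findings.append(f"template: {key} is hard-coded in the resource")

    # 4. Network exposure of the witness storage account and the vault.
    for res in storage.get("resources", []) + kv.get("resources", []):
        props = res.get("properties", {})
        if props.get("networkAcls", {}).get("defaultAction") == "Allow":
            findings.append(f"network: {res.get('type')} networkAcls.defaultAction is Allow")
        if props.get("publicNetworkAccess") == "Enabled":
            findings.append(f"network: {res.get('type')} publicNetworkAccess is Enabled")
    return findings


# Constructed sample: trimmed copies of the page's templates, placeholder names kept.
GUID = "2b2424db-d5c2-4584-9f08-aae0b8e2facc"
VAULT = "https://yourkeyvaultnamehere.vault.azure.net"
REF = {"secretName": f"yourstacknamehere-WitnessStorageKey-{GUID}",
       "eceSecretName": "WitnessStorageKey",
       "secretLocation": f"{VAULT}/secrets/yourstacknamehere-WitnessStorageKey-{GUID}"}
STACK = {
    "parameters": {
        "secretsLocation": {"defaultValue": VAULT + "/"},
        "bitlockerBootVolume": {"defaultValue": False},
        "wdacEnforced": {"defaultValue": False},
        "secrets": {"defaultValue": [REF]},
    },
    "resources": [{"properties": {"deploymentConfiguration": {"scaleUnits": [
        {"deploymentData": {"secrets": [REF]}}]}}}],
}
KV = {"resources": [
    {"type": "Microsoft.KeyVault/vaults", "properties": {"publicNetworkAccess": "Enabled"}},
    {"type": "Microsoft.KeyVault/vaults/secrets",
     "name": f"[concat(parameters('vaults_yourstackname_hcikv_name'), '/yourstackname-WitnessStorageKey-{GUID}')]",
     "properties": {"attributes": {"enabled": True, "exp": 1800284725}}},
]}
STORAGE = {"resources": [{"type": "Microsoft.Storage/storageAccounts",
                          "properties": {"networkAcls": {"defaultAction": "Allow"}}}]}

if __name__ == "__main__":
    for finding in review(STACK, KV, STORAGE):
        print(finding)
```

For a homelab some of these findings are deliberate choices; the point of the check is that they are visible before the deployment runs rather than discovered afterwards.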