Create Azure Local virtual machines enabled by Azure Arc

Applies to: Hyperconverged deployments of Azure Local

This article describes how to create Azure Local virtual machines (VMs) enabled by Azure Arc, starting with the VM images that you created on your Azure Local instance. You can create Azure Local VMs by using the Azure CLI, the Azure portal, or an Azure Resource Manager template (ARM template).

About Azure Local resources

Use the Azure Local resource page for the following operations:

Create and manage Azure Local VM resources such as VM images, disks, and network interfaces.
View and access the Azure Arc resource bridge and custom location associated with the Azure Local instance.
Provision and manage VMs.

The procedure to create VMs is described later in this article.

Prerequisites

Before you create an Azure Local VM, make sure that you meet the following prerequisites.

Access to an Azure subscription with the appropriate Azure role-based access control (RBAC) role and permissions assigned. For more information, see RBAC roles for Azure Local VM management.
Access to a resource group where you want to provision the VM.
Access to one or more VM images on your Azure Local instance. You can create these VM images by using one of the following procedures:
A custom location for your Azure Local instance that you use to provision VMs. The custom location shows up on the Overview page for your Azure Local instance.

Review of Connect to Azure Local via the Azure CLI client, if you use a client to connect to your Azure Local instance.
Access to a network interface that you created on a logical network associated with your Azure Local instance. You can choose a network interface with a static IP or one with a dynamic IP allocation. For more information, see Create network interfaces for Azure Local VMs enabled by Azure Arc.

Access to an Azure subscription with the appropriate Azure role-based access control (RBAC) role and permissions assigned. For more information, see RBAC roles for Azure Local VM management.
Access to a resource group where you want to provision the VM.
Access to one or more VM images on your Azure Local instance. You can create these VM images by using one of the following procedures:
A custom location for your Azure Local instance that you use to provision VMs. The custom location shows up on the Overview page for your Azure Local instance.

Access to a logical network that you associate with the VM of your Azure Local instance. For more information, see Create a logical network.

Terraform installed and up to date on your machine. To verify your Terraform version, run the terraform -v command.

Sample output:

PS C:\Users\username\terraform-azurenn-avm-res-azurestackhci-virtualmachineinstance> terraform -v 
Terraform vi.9.8 on windows_amd64
+ provider registry.terraform.io/azure/azapi vl.15.0 
+ provider registry.terraform.io/azure/modtm V0.3.2 
+ provider registry.terraform.io/hashicorp/azurerm v3.116.0 
+ provider registry.terraform.io/hashicorp/random V3.6.3

Git installed and up to date on your machine. To verify your version of Git, run the git --version command.

Create Azure Local VMs

To create a VM on your Azure Local instance, follow these steps.

Note

Two DVD drives are created and used in Azure Local VMs during VM provisioning. The ISO files used during provisioning are removed after you successfully create the VM. However, you might see the empty drives visible for the VM.
To delete these drives in a Windows VM, use Device Manager to uninstall the drives. Depending on the flavor of Linux that you use, you can also delete them for Linux VMs.

Follow these steps on the client by running the az cli command that's connected to your Azure Local instance.

Connect to a machine on your Azure Local instance.
Sign in and enter the following command:
```
az login --use-device-code
```

Set your subscription.

az account set --subscription <Subscription ID>

Create a Windows VM

Depending on the type of network interface that you created, you can create a VM that has a network interface with a static IP or one with a dynamic IP allocation.

If you need more than one network interface with a static IP for your VM, create one or more interfaces now before you create the VM. Adding a network interface with a static IP after the VM is provisioned isn't supported.

Now create a VM that uses specific memory and processor counts on a specified storage path.

Set some parameters:

$vmName ="local-vm"
$subscription =  "<Subscription ID>"
$resource_group = "local-rg"
$customLocationName = "local-cl"
$customLocationID ="/subscriptions/$subscription/resourceGroups/$resource_group/providers/Microsoft.ExtendedLocation/customLocations/$customLocationName"
$location = "eastus"
$computerName = "mycomputer"
$userName = "local-user"
$password = "<Password for the VM>"
$imageName ="ws22server"
$nicName ="local-vnic" 
$storagePathName = "local-sp" 
$storagePathId = "/subscriptions/<Subscription ID>/resourceGroups/local-rg/providers/Microsoft.AzureStackHCI/storagecontainers/local-sp"

The parameters for VM creation are listed in the following table.

Parameters	Description
`name`	Name for the VM that you create for your Azure Local instance. Make sure to provide a name that follows the rules for Azure resources.
`admin-username`	Username for the user on the VM that you're deploying on your Azure Local instance.
`admin-password`	Password for the user on the VM that you're deploying on your Azure Local instance.
`image-name`	Name of the VM image used to provision the VM.
`location`	Azure regions as specified by the `az locations` parameter. For example, they could be `eastus` or `westeurope`.
`resource-group`	Name of the resource group where you create the VM. For ease of management, we recommend that you use the same resource group as your Azure Local instance.
`subscription`	Name or ID of the subscription where your Azure Local instance is deployed. This name or ID could be another subscription that you use for the VM on your Azure Local instance.
`custom-location`	Use this parameter to provide the custom location associated with your Azure Local instance where you create this VM.
`authentication-type`	Type of authentication to use with the VM. The accepted values are `all`, `password`, and `ssh`. The default is the password for Windows and the Secure Shell (SSH) public key for Linux. Use `all` to enable both `ssh` and `password` authentication.
`nics`	Names or the IDs of the network interfaces associated with your VM. You must have at least one network interface when you create a VM to enable guest management.
`memory-mb`	Memory in megabytes allocated to your VM. If not specified, defaults are used.
`processors`	The number of processors allocated to your VM. If not specified, defaults are used.
`storage-path-id`	The associated storage path where the VM configuration and the data are saved.
`proxy-configuration`	Use this optional parameter to configure a proxy server for your VM. For more information, see Create a VM with proxy configured.

Run the following commands to create the applicable VM:

To create a Trusted launch Azure Local VM:
1. Specify more flags to enable secure boot, enable virtual Trusted Platform Module (vTPM), and choose the security type. When you specify that security type as TrustedLaunch, you must enable secure boot and vTPM. Otherwise, TrustedLaunch VM creation fails.
```
az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --enable-secure-boot true --enable-vtpm true --security-type "TrustedLaunch"
```
2. After the VM is created, verify that the security type of the VM is TrustedLaunch.
3. Run the following cmdlet (on one of the cluster nodes) to find the owner node of the VM:
```
Get-ClusterGroup $vmName
```
4. Run the following cmdlet on the owner node of the VM:
```
(Get-VM $vmName).GuestStateIsolationType
```
5. Ensure that a value of TrustedLaunch is returned.

To create a standard Azure Local VM:

 az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId

To create a VM with dynamic memory:

Specify more flags to create a VM with dynamic memory:

--hardware-profile vm-size="Custom" processors=1 memory-mb=1024 maximum-memory-mb=2048 minimum-memory-mb=1024 target-memory-buffer=20
Note that minimum-memory-mb is less than or equal to memory-mb, and maximum-memory-mb is greater than or equal to memory-mb.

Sample script:

az stack-hci-vm create --name "my_dynmemory" -g "my_registration" --admin-username "admin" --admin-password "" --custom-location "/subscriptions/my_subscription/resourceGroups/my_registration/providers/Microsoft.ExtendedLocation/customLocations/my_customlocation" --location "eastus2euap" --image "/subscriptions/my_subscription/resourceGroups/my_registration/microsoft.azurestackhci/marketplacegalleryimages/2022-datacenter-azure-edition-core-01" --hardware-profile vm-size="Custom" processors=1 memory-mb=1024 maximum-memory-mb=2048 minimum-memory-mb=1024 target-memory-buffer=20 --enable-agent true --nics "dynnic"

The VM is successfully created when the provisioningState parameter appears as succeeded in the output.

Note

The VM created has guest management enabled by default. If for any reason guest management fails during VM creation, follow the steps in Enable guest management on the Azure Local VM to enable it after the VM creation.

In this example, the storage path was specified by using the --storage-path-id flag. That flag ensures that the workload data (including the VM, VM image, and non-OS data disk) is placed in the specified storage path.

If the flag isn't specified, the workload (VM, VM image, and non-OS data disk) is automatically placed in a high-availability storage path.

Additional parameters for Windows Server 2012 and Windows Server 2012 R2 images

When you create a VM by using Windows Server 2012 and Windows Server 2012 R2 images, specify the following parameters to create the VM:

--enable-agent: Set this parameter to true to onboard the Azure Connected Machine Agent on VMs.
--enable-vm-config-agent: Set this parameter to false to prevent the onboarding of the VM agent on the VM from the host via the Hyper-V sockets channel. Windows Server 2012 and Windows Server 2012 R2 don't support Hyper-V sockets. In the newer image versions that support Hyper-V sockets, the VM agent is used to onboard the Azure Connected Machine Agent on VMs. For more information on Hyper-V sockets, see Make your own integration services.

Create a Linux VM

To create a Linux VM, use the same command that you used to create the Windows VM:

The gallery image you specify must be a Linux image.
The username and password you use must work with the authentication-type-all parameter.
For SSH keys, you must pass the ssh-key-values parameters along with the authentication-type-all.

Important

Setting the proxy server during VM creation is supported for Ubuntu Server VMs.

Create VM with proxy configured

Use the optional parameter proxy-configuration to configure a proxy server for your VM.

Proxy configuration for VMs is applied only to the onboarding of the Azure Connected Machine Agent and set as environment variables within the guest VM operating system. Browsers and applications on the VM referencing WinInet and netsh aren't necessarily all enabled with this proxy configuration. The WinInet and netsh parameters should be configured with the proxy settings separately.

You might need to specifically set the proxy configuration for your applications if they don't reference the environment variables set within the VM.

If you create a VM behind a proxy server, run the following command:

az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --proxy-configuration http_proxy="<Http URL of proxy server>" https_proxy="<Https URL of proxy server>" no_proxy="<URLs which bypass proxy>" cert_file_path="<Certificate file path for your machine>"

Use the following parameters for proxy-server-configuration.

Parameters	Description
`http_proxy`	HTTP URLs for the proxy server. An example URL is `http://proxy.example.com:3128`.
`https_proxy`	HTTPS URLs for the proxy server. The server might still use an HTTP address, as shown in this example: `http://proxy.example.com:3128`.
`no_proxy`	URLs, which can bypass that proxy. Typical examples are `localhost`, `127.0.0.1`, `.svc`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, and `100.0.0.0/8`.
`cert_file_path`	Select the certificate file used to establish trust with your proxy server. An example is `C:\Users\Palomino\proxycert.crt`.

Sample command:

az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --proxy-configuration http_proxy="http://ubuntu:ubuntu@192.168.200.200:3128" https_proxy="http://ubuntu:ubuntu@192.168.200.200:3128" no_proxy="localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.0.0.0/8,s-cluster.test.contoso.com" cert_file_path="C:\ClusterStorage\UserStorage_1\server.crt"

For proxy authentication, you can pass the username and password combined in a URL, as shown in this example: "http://username:password@proxyserver.contoso.com:3128".

Create a VM with the Azure Arc gateway configured

Configure the Azure Arc gateway to reduce the number of required endpoints that are needed to provision and manage Azure Local VMs with the Azure Connected Machine Agent. Certain VM extensions can use the Azure Arc gateway to route all Azure Arc traffic from your VM through a single gateway.

For the most up-to-date list of VM extensions that are enabled through the Azure Arc gateway, see Simplify network configuration requirements with Azure Arc gateway.

To configure an Azure Arc gateway for your Azure Local VM, create a VM with guest management enabled and pass the optional --gateway-id parameter. You can use the Azure Arc gateway with or without proxy configuration. By default, only the Azure Arc traffic is redirected through the Azure Arc proxy.

If your VM applications or services are reaching the Azure endpoint, configure the proxy inside the VM to use the Azure Arc proxy. For applications that don't reference the environment variables set within the VMs, specify a proxy as needed.

Important

Traffic intended for endpoints not managed by the Azure Arc gateway is routed through the enterprise proxy or firewall.

For Windows VMs, allow the following endpoints: https://agentserviceapi.guestconfiguration.azure.com and https://<azurelocalregion>-gas.guestconfiguration.azure.com.

For Linux VMs, allow the following endpoints: https://agentserviceapi.guestconfiguration.azure.com, https://<azurelocalregion>-gas.guestconfiguration.azure.com, and https://packages.microsoft.com.

Create a VM with the Azure Arc gateway enabled behind a proxy server

Run the following command:

az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --gateway-id $gw --proxy-configuration http_proxy="<Http URL of proxy server>" https_proxy="<Https URL of proxy server>" no_proxy="<URLs which bypass proxy>" cert_file_path="<Certificate file path for your machine>"

You can use the following parameters for proxy-server-configuration with Arc gateway.

Parameters	Description
`gateway-id`	Resource ID of your Azure Arc gateway. A gateway resource ID example is `/subscriptions/$subscription/resourceGroups/$resource_group/providers/Microsoft.HybridCompute/gateways/$gwid`.
`http_proxy`	HTTP URLs for the proxy server. An example URL is `http://proxy.example.com:3128`.
`https_proxy`	HTTPS URLs for the proxy server. The server might still use an HTTP address, as shown in this example: `http://proxy.example.com:3128`.
`no_proxy`	URLs, which can bypass the proxy. Typical examples are `localhost`, `127.0.0.1`, `.svc`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, and `100.0.0.0/8`.

Sample command:

az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --gateway-id $gw --proxy-configuration http_proxy="http://ubuntu:ubuntu@192.168.200.200:3128" https_proxy="http://ubuntu:ubuntu@192.168.200.200:3128" no_proxy="localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.0.0.0/8,s-cluster.test.contoso.com"

Create a VM with the Azure Arc gateway enabled without the proxy server

Run the following command:

az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --gateway-id $gw

You can use the following parameters for the Azure Arc gateway.

Parameters	Description
`gateway-id`	Resource ID of your Azure Arc gateway. A gateway resource ID example is `/subscriptions/$subscription/resourceGroups/$resource_group/providers/Microsoft.HybridCompute/gateways/$gwid`.

Sample command:

az stack-hci-vm create --name $vmName --resource-group $resource_group --admin-username $userName --admin-password $password --computer-name $computerName --image $imageName --location $location --authentication-type all --nics $nicName --custom-location $customLocationID --hardware-profile memory-mb="8192" processors="4" --storage-path-id $storagePathId --gateway-id $gw

Follow these steps in the Azure portal for your Azure Local instance.

Important

Setting the proxy server during VM creation is supported for Ubuntu Server VMs.

Go to Azure Arc cluster view > Virtual machines.
From the top command bar, select + Create VM.
On the Basics tab, enter the following parameters in the Project details section.
- Subscription: The subscription is tied to the billing. Choose the subscription that you want to use to deploy this VM.
- Resource group: Create a new resource group or choose an existing resource group where you deploy all the resources associated with your VM.
In the Instance details section, enter the following parameters.
1. Virtual machine name: Enter a name for your VM. The name should follow all the naming conventions for Azure VMs.
  
  VM names should be in lowercase letters and can include hyphens and numbers.
2. Custom location: Select the custom location for your VM. The custom locations are filtered to show only those locations that are enabled for your Azure Local instance. The VM kind is automatically set to Azure Local.
3. Security type: For the security of your VM, select Standard or Trusted launch virtual machines. For more information about Trusted launch Azure Local VMs, see What is Trusted launch for Azure Local virtual machines?.
4. Storage path: Select the storage path for your VM image:
  - Choose automatically: Select this option to have a storage path with high availability automatically selected.
  - Choose manually: Select this option to specify a storage path to store VM images and configuration files on your Azure Local instance. Ensure that the selected storage path has sufficient storage space.
5. Image: Select Azure Marketplace or a customer-managed image to create the VM image:
  - If you selected a Windows image, provide a username and password for the administrator account, and then confirm the password.
  - If you selected a Linux image, along with a username and password, you also need SSH keys.
6. Virtual processor count: Specify the number of vCPUs you want to use to create the VM.
7. Memory: Specify the memory in MB for the VM that you intend to create.
8. Memory type: Specify the memory type as Static or Dynamic.
In the VM extensions section, select Enable guest management. You can install extensions on VMs where the guest management is enabled.

Add at least one network interface by using the Networking tab to finish the guest management setup.

The network interface that you enable must have a valid IP address and internet access. For more information, see Azure Local VM management networking.
In the VM proxy configuration section, select a connectivity method. This method is used to onboard the Azure Connected Machine Agent on your VM. You have two options:
- Public endpoint: For direct connection to the internet without a proxy.
- Proxy server: To connect to the internet through a proxy for your VM. You can choose to have the same proxy server as your Azure Local instance or configure a different proxy server for your VM.
  
  Proxy configuration for VMs is applied only to the onboarding of the Azure Connected Machine Agent and set as environment variables within the guest VM operating system. Browsers and applications on the VM referencing WinInet and netsh aren't necessarily all enabled with this proxy configuration. WinInet and netsh should be configured with the proxy settings separately.
  
  You might need to specifically set the proxy configuration for your applications if they don't reference the environment variables set within the VM.
If you selected Proxy server, provide the following proxy information:
- Http proxy: Enter an HTTP URL for the proxy server. An example URL is http://proxy.example.com:3128.
- Https proxy: Enter an HTTPS URL for the proxy server. The server might still use an HTTP address as shown in this example: http://proxy.example.com:3128.
- No proxy: Specify URLs to bypass the proxy. Typical examples are localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16, and100.0.0.0/8.
- Certificate file: Select Browse and choose the certificate file used to establish trust with your proxy server.
  
  Note
  
  For proxy authentication, you can pass the username and password combined in a URL as shown in this example: http://username:password@proxyserver.contoso.com:3128.
Configure the Azure Arc gateway to reduce the number of required endpoints that are needed to provision and manage Azure Local VMs with the Azure Connected Machine Agent. Certain VM extensions can use the Azure Arc gateway to route all Azure Arc traffic from your VM through a single gateway. For the most up-to-date list of VM extensions enabled through Azure Arc gateway, see Simplify network configuration requirements with Azure Arc gateway.
1. From the Arc gateway dropdown, select an existing gateway or select Create new to set up a gateway.
2. If you create a new gateway, fill in the Create an Arc gateway resource pane with information on the subscription, resource group, name, location, and tags.
Set the local VM administrator account credentials used when you connect to your VM via the Remote Desktop Protocol. In the Administrator account section, enter the following parameters.
1. Specify the local VM administrator account username.
2. Specify the password and then confirm the password.
If you selected a Windows VM image, you can domain join your Windows VM. In the Domain join section, enter the following parameters:
1. Select Enable domain join.
2. Only the Active Directory domain join is supported and selected by default.
3. Enter the user principal name (UPN) of an Active Directory user who has privileges to join the VM to your domain.
  
  Important
  
  For your Active Directory instance, if your security account manager (SAM) account name and UPN are different, enter the SAM account name in the UPN field as SAMAccountName@domain.
4. Enter the password of the user account that you entered in the previous step. If you use the SAM account name in the UPN field, enter the corresponding password.
5. Specify the domain or organizational unit (OU). You can join VMs to a specific domain or to an OU and then provide the domain to join and the OU path.
  
  If the domain isn't specified, the suffix of the Active Directory domain join UPN is used by default. For example, the user guspinto@contoso.com gets the default domain name contoso.com.
(Optional): Create new disks or add more disks to the VM.
1. Select + Add new disk.
2. Provide a name and size.
3. For Provisioning type, select Static or Dynamic.
4. Storage path: Select the storage path for your VM image. Select Choose automatically to have a storage path with high availability automatically selected. Select Choose manually to specify a storage path to store VM images and configuration files on the Azure Local instance. Ensure that the selected storage path has sufficient storage space. If you select the manual option, previous storage options autopopulate the dropdown by default.
5. Select Add. The new disk appears in the list view.
(Optional): Create or add a network interface for the VM.
- If you enabled guest management, you must add at least one network interface.
- If you need more than one network interface with static IPs for your VM, create one or more interfaces now before you create the VM. Adding a network interface with static IP after the VM is provisioned isn't supported.
1. Enter a name for the network interface.
2. From the dropdown list, select the network. Based on the network that you select, you see the IPv4 type automatically populate as Static or DHCP.
3. For a static IP, for Allocation Method, select Automatic or Manual. For a manual IP, provide an IP address.
4. Select Add.
(Optional): Add tags to the VM resource if necessary.
Review all the properties of the VM.
Select Create. The process to provision the VM takes a few minutes.

To deploy the ARM template, follow these steps.

In the Azure portal, from the top search bar, search for deploy a custom template. Select Deploy a custom template from the available options.
On the Select a template tab, select Build your own template in the editor.

A blank template appears.

Replace the blank template with the template that you downloaded during the prerequisites step.

This template creates an Azure Local VM. First, a virtual network interface is created. You can optionally enable domain join and attach a virtual disk to the VM that you create. Finally, the VM is created with guest management enabled.

 {
     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "name": {
             "type": "String",
             "metadata": {
                 "description": "The name of the Virtual Machine."
             }
         },
         "location": {
             "type": "String",
             "metadata": {
                 "description": "The Azure region where the resources will be deployed."
             }
         },
         "customLocationId": {
             "type": "String",
             "metadata": {
                 "description": "The custom location ID where the resources will be deployed."
             }
         },
         "adminUsername": {
             "type": "String",
             "metadata": {
                 "description": "The username for the administrator account of the VM."
             }
         },
         "adminPassword": {
             "type": "SecureString",
             "metadata": {
                 "description": "The password for the administrator account of the VM. This should be a secure string."
             }
         },
         "securityType": {
             "type": "String",
             "metadata": {
                 "description": "The type of security configuration for the VM."
             }
         },
         "vNicName": {
             "type": "String",
             "metadata": {
                 "description": "The name of the vNic."
             }
         },
         "privateIPAddress": {
             "type": "String",
             "metadata": {
                 "description": "The IP address for the network interface."
             }
         },
         "subnetId": {
             "type": "String",
             "metadata": {
                 "description": "The Azure Resource Manager ID of the subnet for the network interface."
             }
         },
         "vmSize": {
             "type": "String",
             "metadata": {
                 "description": "The size of the virtual machine instance. It is 'Default' by default."
             }
         },
         "enableVirtualDisk": {
             "type": "bool",
             "metadata": {
                 "description": "Enable or disable the virtual disk."
             }
         },
         "diskName": {
             "type": "String",
             "defaultValue": "",
             "metadata": {
                 "description": "The name of the virtual data disk for your VM. Required if enableVirtualDisk is true."
             }
         },
         "diskSize": {
             "type": "Int",
             "defaultValue": 0,
             "metadata": {
                 "description": "Specify the size of the additional virtual disk to be added to your VM. Required if enableVirtualDisk is true."
             }
         },
         "processors": {
             "type": "Int",
             "metadata": {
                 "description": "The number of processors for the virtual machine."
             }
         },
         "memoryMB": {
             "type": "Int",
             "metadata": {
                 "description": "The amount of memory in MB for the virtual machine."
             }
         },
         "imageReferenceId": {
             "type": "String",
             "metadata": {
                 "description": "The Azure Resource Manager ID of the image to be used for the virtual machine."
             }
         },
         "enableDomainJoin": {
             "type": "bool",
             "metadata": {
                 "description": "Enable or disable the domain join extension."
             }
         },
         "domainToJoin": {
             "type": "String",
             "defaultValue": "",
             "metadata": {
                 "description": "The domain to join. Required if enableDomainJoin is true."
             }
         },
         "orgUnitPath": {
             "type": "String",
             "defaultValue": "",
             "metadata": {
                 "description": "The Organizational Unit path. Optional, used if enableDomainJoin is true."
             }
         },
         "domainUsername": {
             "type": "String",
             "defaultValue": "",
             "metadata": {
                 "description": "The domain username. Required if enableDomainJoin is true."
             }
         },
         "domainPassword": {
             "type": "SecureString",
             "defaultValue": "",
             "metadata": {
                 "description": "The domain password. Required if enableDomainJoin is true."
             }
         }
     },
     "variables": {
         "domainJoinExtensionName": "[if(parameters('enableDomainJoin'), concat(parameters('name'),'/joindomain'), '')]",
         "virtualDiskName": "[if(parameters('enableVirtualDisk'), parameters('diskName'), '')]"
     },
     "resources": [
         {
             "type": "Microsoft.HybridCompute/machines",
             "apiVersion": "2023-03-15-preview",
             "name": "[parameters('name')]",
             "location": "[parameters('location')]",
             "kind": "HCI",
             "identity": {
                 "type": "SystemAssigned"
             }
         },
         {
             "condition": "[parameters('enableVirtualDisk')]",
             "type": "Microsoft.AzureStackHCI/virtualHardDisks",
             "apiVersion": "2023-09-01-preview",
             "name": "[variables('virtualDiskName')]",
             "location": "[parameters('location')]",
             "extendedLocation": {
                 "type": "CustomLocation",
                 "name": "[parameters('customLocationId')]"
             },
             "properties": {
                 "diskSizeGB": "[parameters('diskSize')]",
                 "dynamic": true
             }
         },
         {
             "type": "Microsoft.AzureStackHCI/networkInterfaces",
             "apiVersion": "2023-09-01-preview",
             "name": "[parameters('vNicName')]",
             "location": "[parameters('location')]",
             "extendedLocation": {
                 "type": "CustomLocation",
                 "name": "[parameters('customLocationId')]"
             },
             "properties": {
                 "ipConfigurations": [
                     {
                         "name": "[parameters('vNicName')]",
                         "properties": {
                             "privateIPAddress": "[parameters('privateIPAddress')]",
                             "subnet": {
                                 "id": "[parameters('subnetId')]"
                             }
                         }
                     }
                 ]
             }
         },
         {
             "type": "Microsoft.AzureStackHCI/VirtualMachineInstances",
             "apiVersion": "2023-09-01-preview",
             "name": "default",
             "extendedLocation": {
                 "type": "CustomLocation",
                 "name": "[parameters('customLocationId')]"            },
             "dependsOn": [
                 "[resourceId('Microsoft.HybridCompute/machines', parameters('name'))]",
                 "[resourceId('Microsoft.AzureStackHCI/networkInterfaces', parameters('vNicName'))]",
                 "[resourceid('Microsoft.AzureStackHCI/virtualHardDisks', parameters('diskName'))]"
             ],
             "properties": {
                 "osProfile": {
                     "adminUsername": "[parameters('adminUsername')]",
                     "adminPassword": "[parameters('adminPassword')]",
                     "computerName": "[parameters('name')]",
                     "windowsConfiguration": {
                         "provisionVMAgent": true,
                         "provisionVMConfigAgent": true
                     }
                 },
                 "hardwareProfile": {
                     "vmSize": "Default",
                     "processors": 4,
                     "memoryMB": 8192
                 },
                 "storageProfile": {
                     "imageReference": {
                         "id": "[parameters('imageReferenceId')]"
                     },
                     "dataDisks": [
                         {
                             "id": "[resourceid('Microsoft.AzureStackHCI/virtualHardDisks',parameters('diskName'))]"
                         }
                     ]
                 },
                 "networkProfile": {
                     "networkInterfaces": [
                         {
                             "id": "[resourceId('Microsoft.AzureStackHCI/networkInterfaces', parameters('vNicName'))]"
                         }
                     ]
                 }
             },
             "scope": "[concat('Microsoft.HybridCompute/machines/', parameters('name'))]"
         },
         {
             "condition": "[parameters('enableDomainJoin')]",
             "type": "Microsoft.HybridCompute/machines/extensions",
             "apiVersion": "2023-03-15-preview",
             "name": "[variables('domainJoinExtensionName')]",
             "location": "[parameters('location')]",
             "dependsOn": [
                 "[concat(resourceId('Microsoft.HybridCompute/machines', parameters('name')), '/providers/Microsoft.AzureStackHCI/virtualmachineinstances/default')]"
             ],
             "properties": {
                 "publisher": "Microsoft.Compute",
                 "type": "JsonADDomainExtension",
                 "typeHandlerVersion": "1.3",
                 "autoUpgradeMinorVersion": true,
                 "settings": {
                     "Name": "[parameters('domainToJoin')]",
                     "OUPath": "[parameters('orgUnitPath')]",
                     "User": "[concat(parameters('domainToJoin'), '\\', parameters('domainUsername'))]",
                     "Restart": "true",
                     "Options": "3"
                 },
                 "protectedSettings": {
                     "Password": "[parameters('domainPassword')]"
                 }
             }
         }
     ]
 }

Select Save.
The pane where you enter deployment values opens. Again, select the resource group. You can use the other default values. After you finish entering values, select Review + create
After the portal validates the template, select Create. A deployment job starts.
After the deployment finishes, you see the status of the deployment as complete and a VM is created on your Azure Local instance.

Download the sample Bicep template from the Azure quickstarts repo.
Specify parameter values to match your environment. The custom location name and logical network name parameter values should reference resources that you already created for your Azure Local instance.

Deploy the Bicep template by using the Azure CLI or Azure PowerShell.

@maxLength(15)
param name string
param location string
param vCPUCount int = 2
param memoryMB int = 8192
param adminUsername string
@description('The name of the image to use for the VM deployment. For example: winServer2022-01')
param imageName string
@description('Set to true if the referenced image is from Azure Marketplace.')
param isMarketplaceImage bool = true
@description('The name of an existing Logical Network in your HCI cluster - for example: lnet-compute-vlan240-dhcp')
param hciLogicalNetworkName string
@description('The name of the custom location to use for the deployment. This name is specified during the deployment of the Azure Stack HCI cluster and can be found on the Azure Stack HCI cluster resource Overview in the Azure portal.')
param customLocationName string
@secure()
param adminPassword string

// below parameters are used to join the VM to a domain
@description('Optional Domain name to join - specify to join the VM to domain. example: contoso.com - If left empty, ou, username and password parameters will not be evaluated in the deployment.')
param domainToJoin string = ''
@description('Optional domain organizational unit to join. example: ou=computers,dc=contoso,dc=com - Required if \'domainToJoin\' is secified.')
param domainTargetOu string = ''
@description('Optional User Name with permissions to join the domain. example: domain-joiner - Required if \'domainToJoin\' is secified.')
param domainJoinUserName string = ''
@description('Optional Password of User with permissions to join the domain. - Required if \'domainToJoin\' is secified.')
@secure()
param domainJoinPassword string = ''

//define a custom type for the dataDiskParams parameter and array of disks
type dataDiskType = {
  diskSizeGB: int
  dynamic: bool?
  //containerId: string
}
type dataDiskArrayType = dataDiskType[]

@description('The bicep array description of the dataDisks to attached to the vm. Provide an empty array for no addtional disks, or an array following the example below.')
// param dataDiskParams array = [{'diskSizeGB': 1024,'dynamic': true},{'diskSizeGB': 2048,'dynamic': false}]
param dataDiskParams dataDiskArrayType = []

var nicName = 'nic-${name}' // name of the NIC to be created
var customLocationId = resourceId('Microsoft.ExtendedLocation/customLocations', customLocationName) // full custom location ID
var imageId = isMarketplaceImage ? resourceId('microsoft.azurestackhci/marketplaceGalleryImages', imageName) : resourceId('microsoft.azurestackhci/galleryImages', imageName) // full image ID
var logicalNetworkId = resourceId('microsoft.azurestackhci/logicalnetworks', hciLogicalNetworkName) // full logical network ID

// precreate an Arc Connected Machine with an identity--used for zero-touch onboarding of the Arc VM during deployment
resource hybridComputeMachine 'Microsoft.HybridCompute/machines@2023-10-03-preview' = {
  name: name
  location: location
  kind: 'HCI'
  identity: {
    type: 'SystemAssigned'
  }
}

resource nic 'Microsoft.AzureStackHCI/networkInterfaces@2024-01-01' = {
  name: nicName
  location: location
  extendedLocation: {
    type: 'CustomLocation'
    name: customLocationId
  }
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          // uncomment to specify an IP, otherwise an IP address is dynamically allocated from the Logical Network's address pool or DHCP
          // privateIPAddress: 'x.x.x.x'
          subnet: {
            id: logicalNetworkId
          }
        }
      }
    ]
  }
}

resource dataDisks 'Microsoft.AzureStackHCI/virtualHardDisks@2024-01-01' = [for (disk, i) in dataDiskParams: {
  name: '${name}dataDisk${padLeft(i + 1, 2, '0')}'
  location: location
  extendedLocation: {
    type: 'CustomLocation'
    name: customLocationId
  }
  properties: {
    diskSizeGB: disk.diskSizeGB
    dynamic: disk.?dynamic // dynamic is optional
    // containerId: uncomment if you want to target a specific CSV/storage path in your HCI cluster
  }
}]

resource virtualMachine 'Microsoft.AzureStackHCI/virtualMachineInstances@2024-01-01' = {
  name: 'default' // value must be 'default' per 2023-09-01-preview
  properties: {
    hardwareProfile: {
      vmSize: 'Custom'
      processors: vCPUCount
      memoryMB: memoryMB
      // ### uncomment to use dymamic memory ###
      // dynamicMemoryConfig: {
      //   maximumMemoryMB: memoryMB
      //   minimumMemoryMB: 512
      //   targetMemoryBuffer: 20
      // }
    }
    osProfile: {
      adminUsername: adminUsername
      adminPassword: adminPassword
      computerName: name
      windowsConfiguration: {
        provisionVMAgent: true // mocguestagent
        provisionVMConfigAgent: true // azure arc connected machine agent
      }
    }
    storageProfile: {
      // vmConfigStoragePathId: specify a storage path ID to target a specific CSV/storage path in your HCI cluster
      imageReference: {
        id: imageId
      }
      dataDisks: [for (disk, i) in dataDiskParams: {
        id: resourceId('Microsoft.AzureStackHCI/virtualHardDisks', '${name}dataDisk${padLeft(i + 1, 2, '0')}')

      }]
    }

    // // Use this optional block to configure a proxy server for your VM
    // httpProxyConfig: {
    //   httpProxy: 'http://proxy.example.com:3128' // HTTP URL for proxy server.
    //   httpsProxy: 'https://proxy.example.com:3128' // HTTPS URL for proxy server.
    //   noProxy: [  // URLs, which can bypass proxy.
    //     'localhost'
    //     '127.0.0.1'
    //   ]
    //   trustedCa: '-----BEGIN CERTIFICATE-----....-----END CERTIFICATE-----' // Alternative CA cert to use for connecting to proxy servers.
    // }

    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
  extendedLocation: {
    type: 'CustomLocation'
    name: customLocationId
  }
  scope: hybridComputeMachine

}

resource domainJoin 'Microsoft.HybridCompute/machines/extensions@2023-10-03-preview' = if (!empty(domainToJoin)) {
  parent: hybridComputeMachine
  location: location
  name: 'domainJoinExtension'
  properties: {
    publisher: 'Microsoft.Compute'
    type: 'JsonADDomainExtension'
    typeHandlerVersion: '1.3'
    autoUpgradeMinorVersion: true
    settings: {
      name: domainToJoin
      OUPath: domainTargetOu
      User: '${domainToJoin}\\${domainJoinUserName}'
      Restart: true
      Options: 3
    }
    protectedSettings: {
      Password: domainJoinPassword
    }
  }
}

You can use the Azure Verified Module that contains the Terraform template to create VMs. This module ensures that your Terraform templates meet Microsoft standards for quality, security, and operational excellence to help you seamlessly deploy and manage your VMs on Azure. With this template, you can create one or multiple VMs on your cluster.

Use the Terraform template

Download the Terraform template from the Azure Verified Module.
Go to the examples folder in the repository, and look for the following subfolders:
- default: Creates one VM instance.
- multi: Creates multiple VM instances.
Choose the appropriate folder for your deployment.
To initialize Terraform in your folder from step 2, run the terraform init command.
To apply the configuration that deploys VMs, run the terraform apply command.
After the deployment is finished, verify your VMs via the Azure portal. Go to Resources > Virtual machines.

Use managed identity to authenticate Azure Local VMs

When the VMs are created on your Azure Local instance via the Azure CLI or the Azure portal, a system-assigned managed identity is also created that lasts for the lifetime of the VMs.

The VMs on your Azure Local instance are extended from Azure Arc-enabled servers and can use system-assigned managed identity to access other Azure resources that support authentication based on Microsoft Entra ID. For example, the VMs can use a system-assigned managed identity to access Azure Key Vault.

For more information, see System-assigned managed identities and Authenticate against Azure resources with Azure Arc-enabled servers.

Feedback

Was this page helpful?

Last updated on 2026-02-04

Share via

Create Azure Local virtual machines enabled by Azure Arc

About Azure Local resources

Prerequisites

Create Azure Local VMs

Sign in and set the subscription

Create a Windows VM

Additional parameters for Windows Server 2012 and Windows Server 2012 R2 images

Create a Linux VM

Create VM with proxy configured

Create a VM with the Azure Arc gateway configured

Create a VM with the Azure Arc gateway enabled behind a proxy server

Create a VM with the Azure Arc gateway enabled without the proxy server

Use managed identity to authenticate Azure Local VMs

Related content

Feedback

Additional resources