Thomas: Hey, my name is Thomas Maurer and I'm here with Karim Hanif from the Azure Stack HCI team. Karim is a PM on this team and he will talk about how Azure Stack HCI is delivered as a hybrid Azure service.

Karim: Hi Thomas, thank you so much for having me. My name, again, is Karim Hanif. I'm a Senior Program Manager here at Microsoft on the Azure Stack HCI product team. I'm also on Twitter if you guys want to send me anything, at Karim Hanif. What we're going to talk about today is a presentation that I created fairly recently with my colleague Cosmos Darwin. I think we showed this at a community event a couple of months ago, maybe just a month ago, so it's very new content. Hopefully it will help you understand Azure Stack HCI hybrid connectivity and how it works. We wanted to go into the details, so quite a lot of detail and internals are going to be covered.

Thomas: Yeah, that is really exciting. I'm sure our audience is going to love that we can actually go through and see how it is built, how it is connected, how the different things work together. So I'm really looking forward to that. But before we start, I quickly want to ask if you can explain a little bit about Azure Stack, especially Azure Stack HCI and what it is, because we just recently announced it and it recently went GA. So not everyone is probably familiar with it, and I would be happy if you could share a little bit about it.

Karim: Yeah, sure. So the basics of what Azure Stack HCI is are actually covered in a great Microsoft Mechanics video that Cosmos created. It's on YouTube, you can see the link here. But in a nutshell, it's a new operating system from Microsoft, and it's Azure Stack HCI. It was built on top of Windows Server 2019 Core, so it doesn't have a UI. It's very similar to that, but we added a bunch of things.
We removed a lot of things so that it's optimized for your scenario. It's basically optimized for being the best host for your virtualization environment.

Thomas: Yeah, I think this was a customer ask a lot, right? In the past they used Hyper-V and Windows Server and Storage Spaces Direct and all of that. If I understand this correctly, this is just an operating system optimized for the hyper-converged scenario, where your team basically stripped out all of the features which are not needed in that case and added some cool Azure stuff and some additional functionality. So I'm really happy to see what you have there.

Karim: Yeah, exactly. So imagine that it's a server that has failover clustering, software-defined storage, and software-defined networking all together. Like you said, we removed a bunch of the roles, so you cannot make it an Active Directory server or IIS, you can't use it as a web server. That also reduces the attack surface, so it's more secure. We just wanted to make it the best host for the VMs in your environment.

Thomas: Okay, that is awesome.

Karim: And just to add to that, one other thing is that it basically runs on your premises, on servers that you bought from industry-standard, sorry, from the OEM partners. We have a lot of OEM partners, and we have a catalog where you can shop for these servers. There are a bunch of them that are pre-built, so you can go to that catalog and get those, and we'll have links to those at the end of the presentation. But you buy your servers, you put them on your premises, and then you connect them to Azure, and it's a subscription service. That's the beauty of it. It's a subscription service, you pay per core on the server, so it depends on the hardware that you buy. And today we're going to explain how this basically works in the backend.
Thomas: Okay, yeah, that sounds really interesting, because, as you just said, it's delivered as an Azure service. It's not like in the past, where I needed to pay for Windows Server, licensed it once, and then, depending on what license I needed, installed it. Now I actually download the OS, but the whole billing and some additional features are done through Azure. So I'm really interested in how that works and what data gets sent and all of that. Can you explain a little bit more about how it's actually delivered as a hybrid service and what that means?

Karim: Sure, so let me just jump to the next slide and go through that. First of all, there are no software licenses. The good thing about this is that since it's an Azure service, it comes with Azure. You don't have anything to sign, for example, no standalone legal agreement or anything like this. It's all covered under the Azure services terms. The other good thing is that you don't have to go to your upper management and get this approved, because if you have Azure already, this is just another service on top of Azure and it will all be billed to your Azure subscription. That's the good thing. And the same thing with support. You don't have to worry about separate support contracts, you don't have to worry about getting a different one. If you have support in Azure, you can actually get support for Azure Stack HCI. And the other good thing is that, just like any other service, we will be offering feature updates, and they will be coming to you automatically from Azure. All you need to do is go through the update process and update it. We will be continually updating this service and adding new features.

Thomas: Okay, so it's really like an Azure service. I have to have the subscription in place, and I don't need to take care of the versioning.
And I get the fantastic Azure support, which I heard, if I'm right, and you correct me, is a dedicated team just for Azure Stack HCI.

Karim: Exactly. We spend a lot of time with them. We have a dedicated PM that is working with the support team, just for training and making sure they have what they need, and we have very close connections with them. So in case they don't have the information they need, they connect to us very easily and we work together as a team.

Thomas: Okay, so with that, obviously, a lot changes. So how is that integrated into the operating system itself? I'm sure there must be some magic in the background.

Karim: You mean the support?

Thomas: No, in general, the whole hybrid part.

Karim: Oh, I see, yeah, exactly. So let me go through that. We have a native OS-level integration with Azure. Everything that you need for this service, we already built into the Azure Stack HCI operating system. The main component that makes this possible is called the HciSvc component. This is an integrated service that runs on the box. What it does is it securely stores the Azure registration and connection state within the OS. It manages the projection into the Azure portal, so your Azure Stack HCI can actually show up in the Azure portal. It manages the connection heartbeat, licensing, billing, certificates, diagnostics and a lot more. So basically this is the secret sauce that makes the hybrid connection easy. But just to be clear, this is not an agent. This is different from an agent, right? With agents, usually you need to figure it out, you need to enable it, you need to start it, you need to troubleshoot it. Here you don't need to do anything. It goes together with the OS, so if the OS is updated, this is updated. And it's a protected process within the OS. It's also cluster-aware.
So if you add a node to your cluster, for example, it automatically propagates to that node. If you remove one, it automatically cleans itself up. So it's hassle-free.

Thomas: Okay. Yeah, that's pretty cool that it's not an agent you have to deal with again.

Karim: We didn't want to do that.

Thomas: Yeah. I've seen many, many times that hosts have a ton of different agents on them, and adding another agent for this would be one more.

Karim: Yeah, exactly. And also, as you know, at a lot of customers, for everything that they put on their on-premises servers they need to get approval. They need to make the case that this agent is very useful, because they have their own golden image, and in order to change that is really hard, right? So this is not something like that.

Thomas: Yeah, well, awesome. Can you show us a little bit how that actually looks?

Karim: Yeah, sure. So let me do a quick demo. In this demo I have Azure Stack HCI, as you can see. This is in Windows Admin Center, by the way. If you go down to Services, you can see a bunch of services. Let's see, I just go to a service, for example the Data Application Service. In that service, I can go ahead and stop it, start it, whatever. But if I search for Azure Stack HCI, I can see that service as well. As you can see, this is for synchronizing Azure Stack HCI with Azure. But as you can see, you cannot stop it, you cannot restart it, you cannot pause it. This is something that you cannot do. But this is in the user's context, right? So what if you go to Windows PowerShell as an administrator? Now I'm actually running as administrator. I'm looking for that service, I get the process, and I try to stop it with the process ID. As you can see, I can't even stop it as an administrator: access is denied. So that's what I mean when I say that it's a protected service.
And while I'm here, I can also run Get-AzStackHCI and see my cluster, and I can see that the registration is not made, it's empty. And that's what we're going to cover next: how to actually register is the next step.

Thomas: Okay, that is awesome. So you showed a couple of things. I love that this is now really system-protected, because it's obviously an important part of the whole Azure Stack HCI system. And now you talked about the registration part, right? That was something I wanted to ask. So when I set this up, by default, somewhere I need to register it with my Azure environment, right? And you just perfectly showed that the state is currently not registered. So why do we actually need to register it?

Karim: Good question, because I also wanted to cover it. I put a whole slide about this. Registration is very important and it's not optional. It's totally required because it's a subscription service. If you think about it, it's like an Azure service that you buy, right? And we need to make sure that it's up to date, it's secure, it's performant. We also have to make sure that the billing is handled automatically in the background and the licenses are sent, so that it's supported. All of those things require registration. So if you don't register it, then your system does not have a valid license and it's not supported. And it will also have reduced functionality, so you cannot create new VMs.

Thomas: Okay, that is good to know. Perfect, but now how do I register it? Let's say I set up my environment as you just showed me. How do I register it?

Karim: So let's see. There are two easy ways. One of them is from Windows Admin Center and the other one is through Azure PowerShell. They're both very similar, because the Windows Admin Center experience is actually built on top of the Azure PowerShell experience.
So in both experiences, you need a couple of things. One of them is the Azure subscription ID, and your region. And optionally, you can name this resource or put it in a resource group. You can do all of those things, but it's optional, you don't have to. The other very important thing is that you need to authenticate with Azure while doing this. If you think about it, it's very important because you're adding this to your subscription, and when you get billed, your support will go through that. So we need you to validate who you are in order for us to continue.

Thomas: Yeah, it just makes sense. I cannot just assign my Azure Stack HCI to another customer and he gets billed for it. That would be...

Karim: Exactly.

Thomas: Awesome. So maybe we can just dive into a little bit more, how do you basically get this information?

Karim: Right. So a lot of your viewers are probably familiar with this, but just to reiterate: in order to find the subscription ID, you go to portal.azure.com and you navigate to your subscriptions. You can even search, there's a search bar at the top. You search for your subscriptions and you basically get a list of your subscriptions. You may have one or you may have a lot. In our case we have a lot because it's our test system that I took the screenshot from. You go there and you copy and paste your subscription ID, it's that simple.

Thomas: Okay.

Karim: And the next thing that you do is get your region. As you know, Azure has many, many data centers. There are many regions and some regions have multiple data centers in them. As of general availability, we are in three regions right now. East US, which is the default, by the way.
So if you don't provide the region, let's say on the command line, we take that by default. Then Southeast Asia and West Europe. In 2021 we want to expand to multiple regions, and some of them are listed here. But just to let you know, of course Azure Stack HCI is a service and we want it to be available in every region that Azure is available in. So that's the goal, but it's going to take a little while to get there. That's definitely our goal.

Thomas: Okay. But it's not like, let's just say, I mean, it's only a registration where some metadata and billing information gets sent. So no data, no VM gets automatically replicated to one of those regions.

Karim: No, no, no. We're going to cover all of that in the coming slides, but no. And also it's good to clarify that you can be anywhere in the world, right? You don't have to be in these regions to run Azure Stack HCI. You can be anywhere in the world. It's just that the region that you select for registration should be one of these three. Just pick the closest one to you. That's basically what it is. But you can run Azure Stack HCI anywhere in the world, you don't have to be in one of those regions.

Thomas: Yeah, yeah. No, that makes sense. That's good. So can you show me how to register it?

Karim: Yeah, for sure. Let's go through the demo. In order to register, the first thing that you need to do is get the PowerShell module. I'm actually going to show you the registration through PowerShell. You remember I mentioned two ways, from Windows Admin Center or PowerShell, but I wanted to show PowerShell because, since this is a deep dive, I wanted to show what happens at the back end. So there is a module in the PowerShell Gallery, and I think it's the most popular one. It's called the Azure Az module. And there are multiple sub-modules under that, right? One of them is Az.StackHCI, and the others are Az.Storage, Az.AppService, and so on.
You have all these services. Ours is Az.StackHCI, but you don't have to install this one separately. You can actually install the whole Az module and you will get Az.StackHCI anyway.

Thomas: Okay, awesome.

Karim: And once you do that, you basically get it on your server. Of course, one of the things you may ask is, hey, you said everything that I need is built in. How come this is not part of the OS? The reason is that this whole Az module is updated every three weeks. We don't update ours every three weeks, but the whole Azure Az module updates every three weeks. And we didn't want to put something that is guaranteed to be updated into the OS, built into the OS, and then have you go through an update process. That's why we didn't want to include it. It's easy enough to get it to the cluster, so that's why we didn't include this one. Let me go through the demo. The first thing that I'll do is Get-Cluster and I'll see my cluster name. Then Get-ClusterNode, and I get the node names. Then Get-AzStackHCI, and I see that I'm not registered, right? So I go to Register-AzStackHCI and provide the subscription ID. Then there's -Region and -ResourceName. As you can see, these are optional, but I'm just going to select the region and select West Europe in this case. So it basically starts the process. But now I need to authenticate. In order to authenticate, we're going to use device login. I have a code here, so I copied that code, went to microsoft.com/devicelogin and entered the code that I just copied. When you do that, it just wants you to authenticate with your credentials once, and when you have successfully authenticated, you come back and, yes, you can see everything continues running.
So it will take around a minute or two. And once you do that, you get a result code. In this case, I got success. Then you can go and check: you do another Get-AzStackHCI and, like I said, you see that I'm registered. You can see some things like the resource name, the resource URI, and some other information as well. But the good thing is, when you go to the Azure portal, portal.azure.com, the fun thing is that now you can see that the demo cluster is there. It says preview here, but of course we took this before we released. It's not going to say preview in your case. You can see we named the resource group after your cluster's name automatically, because you didn't provide one, and the location. And you see the nodes and you see some basic information. This view is going to get richer and richer as we go along, but this is basically the first iteration of it.

Thomas: Okay, that is pretty cool. So I can now already see my Azure Stack HCI cluster. I could see the nodes, and it actually shows up and I can start doing a little bit of management. I can manage the cluster using Windows Admin Center, but I can also do it in the portal now. That is awesome.

Karim: Yeah, we're going to add more and more features so that you can do a lot more from the portal. We have some experiences already, but it's going to get better going forward. I just wanted to show you a quick reference of what we covered. As you remember, we installed the Az module with this cmdlet. Then we used the Register-AzStackHCI cmdlet to register. And again, Windows Admin Center actually uses this. If you're doing it from Windows Admin Center, you don't have to provide all of these, but it uses this in the backend. This part is mandatory: you have to provide your subscription ID. This part, the resource name and resource group name, is optional, but you can provide it if you want.
And all the cmdlets actually have -ComputerName and -Credential, so that you can use them remotely if you want to. For example, you can run Register-AzStackHCI from another machine if that is more convenient for you. In our test environment, we have our nodes and everything, but we hardly ever connect to them directly. We have a Windows 10 machine that we use as a management node, with Windows Admin Center installed, and we use that. So -ComputerName and -Credential in all the other cmdlets, just like Unregister-AzStackHCI, allow you to do that, and you can run Get-AzStackHCI from a remote machine.

Thomas: Okay, that is pretty cool. So this is exactly how you register the cluster. This is what I, as a customer, would do if I get a new Azure Stack HCI: install the nodes, set up the cluster, then register it to the Azure environment. Now, since this is a deep dive session, we obviously want to know a little bit more about what is happening in the backend. What is actually happening while I'm doing this?

Karim: Sure, so there are four main things. Let's go through them one by one. The first one is, when we register, we create what we call the Azure AD app identity. This is an object that represents the cluster within your Azure Active Directory. It is quite important because your on-premises cluster will do some things in your Azure tenant, for example upload billing information, that's the easiest example. And it has to have permission to do that. So we need to have an identity in the context of your tenant's Azure AD. This identity is, by the way, completely constrained by the normal role-based access control of Azure. There are two permissions that we need. As you can see in the screenshot at the bottom of the screen, they are called Azure Stack HCI Billing.Sync and Azure Stack HCI Census.Sync.
So if you are a global admin in your Azure AD and you're using the cmdlets, or Windows Admin Center is using them in that context, then everything will be very easy. It will just go through, just like I showed you in the demo. But if not, then you need to have these permissions granted to the app identity that represents Azure Stack HCI in your tenant. You can either have your Azure AD admin grant this, basically tell them, I need you to grant these two permissions, or you can have them delegate the permissions to you, and you can do that from the same location. Either way, we basically need this to allow the on-premises cluster to send anything to Azure on your behalf. So that's one important part. And the second is the certificates. With the app identity, you established the representation of your on-premises cluster within your Azure AD, right? But now what you need to do is let the on-premises nodes trust and authenticate with Azure AD. That's what you're basically doing with these certificates. The public key is treated as the credential by the app, and the private key is securely stored in the HciSvc service that we mentioned at the beginning, on-prem. There are two experiences that you can use. One of them is to allow everything to be managed by the cluster. By the way, this is the default experience. This is what we use internally, it is completely secure, and it's the recommended experience. It's by far the easiest one. What it is is that there is one cert per cluster node. It's an industry-standard X.509 certificate, self-signed with a very long RSA key. It's generated on each node, and it expires after one year. But the good thing is that the HciSvc service handles the renewal for you, so it's automatically renewed. You never have to think about the certificates generated at the time of registration.
They are renewed on the fly for you.

Thomas: Okay, yeah, that I like.

Karim: That is awesome, right? I mean, you want to make everything easy. And we can totally tell you that we don't see any security issues with this approach.

Thomas: Okay, now this is awesome, because I've dealt with a lot of certificates you need to manage and renew and take care of.

Karim: And downtime, right? It causes downtime. It causes a lot of issues. And imagine this is a host that you're running a lot of VMs on. You don't want that. But the other thing is, we know that some customers have a mandate, right? They have to use their own certificates, they cannot use self-signed certificates. That's why we provide the second experience. For that one, you just need to go to each node, under Certificates, Local Machine, and add the certificate from your CA, the certificate authority. Then when you register, you specify -CertificateThumbprint and provide that thumbprint in the command. There's that additional flag to do that. But of course, this is the certificate you brought in, right? So you need to maintain it. You need to remember to renew it when it expires. That's the disadvantage of it.

Thomas: Yeah, the downside of it. No, that makes absolute sense. I would definitely prefer the default one, but I completely understand that some customers...

Karim: Exactly, you have to do it, right?

Thomas: Have to do it, yeah.

Karim: I mean, there's no other way. And then the third thing that we do, probably the most visible one, is that we create an Azure resource that is provisioned by the Azure Stack HCI resource provider. We provision that into the resource group in your tenant that you provided, as you know. This resource has the type Microsoft.AzureStackHCI/clusters. The good thing is, this is a first-class ARM object. What that means is that you can search for it.
It participates in Resource Graph. You can organize it with tags and all of those good things, right? The other important thing is that this is the foundation for hybrid management. If you think about it, we have so many scenarios coming, like fleet-scale monitoring, VM self-service and much, much more. All of these need a first-class object that can represent Azure Stack HCI and participate in the Azure Resource Manager model. It is actually the keystone for all of this.

Thomas: Yeah. Now, I think what you said here, and we went through it very quickly, is that it's now an ARM object, right? But that means a lot. It's basically like Azure Arc. It kind of has Azure Arc built in, to connect it to that full experience, so, as you said, I can use tags, I can use resource groups. If I'm aware of that, I can leverage it. It's not just populating the name and giving it a string.

Karim: And it opens up a bunch of other things that we are planning to do in the backend. That's why I'm saying that this is the foundation, because if we didn't have this, then all of these scenarios that you'll see coming to Azure Stack HCI would not be possible, right? So that's why it is the foundation. And the last thing that we do after this, four out of four, is we do what we call a first sync and we issue the cloud license. In Azure Stack HCI, we sync with Azure twice per day, so every 12 hours. When it successfully syncs, it also checks, by the way, whether the subscription is active, meaning that your email address is current and you're paying the bills, et cetera. And then what happens is we automatically refresh these cloud-issued licenses and push them to each of the nodes. These licenses allow Azure Stack HCI to fully function.
They indicate to us that this is a completely legitimate instance of the Azure Stack HCI OS, right? But the thing to pay attention to is that these cloud-issued licenses will expire after 30 days. What happens, though, is that every 12 hours it automatically renews them. So it syncs every 12 hours and it renews every 12 hours. It doesn't wait for 30 days to renew them, right? And it does this across all nodes. So if a new node joins, a new license comes in. If you remove a node, the license will be removed. Everything is invisible to the user, it's all in the background. But this is important because this is how Azure Stack HCI stays in policy. Of course, there can be cases where your network goes down or it goes offline, and we didn't want anything to happen during that time. So you have a 30-day grace period. If we cannot reach Azure, trying twice a day for 30 consecutive days, the license will expire.

Thomas: Okay, okay.

Karim: And you can see this in the Get-AzStackHCI cmdlet. You can also see it in Windows Admin Center. So we're not hiding anything. Your connection status will go to a state called out of policy, which means that you haven't synced for the past 30 days. All you need to do is fix your connection, get the cluster online again, and get the licenses synced and renewed.

Thomas: Okay.

Karim: And also, the good thing is you can sync whenever you want. So let's say you fixed your connection. You don't have to wait 12 hours. You can go through Windows Admin Center, there's a sync option in the Settings tool, or you can use the Sync-AzStackHCI cmdlet.

Thomas: Okay. So that is pretty cool. So even, very unlikely, but if I have a huge disaster, like my connection is gone or something like that, for, I don't know, let's say 20 days already, I don't have any internet connectivity.
What I could do basically is set up a connection over a phone, for example, and use it to sync the license so that there's no issue if I have that problem, right?

Karim: Yeah.

Thomas: Okay.

Karim: And also, that means that you can definitely have your Azure Stack HCI in locations with spotty network connections. You just need to make sure that the first sync happens. That's the important part, because that's where you get your first license, and it's part of the registration anyway. But then, if Azure Stack HCI loses connection, you can basically sync every 30 days and you'll be fine.

Thomas: Awesome. So that would also allow me, especially with forcing it, I'm thinking about this scenario where I take my Azure Stack HCI cluster on the road, where I could say, okay, now sync. Then for the next two days I'm on the road and it would work, and then I could force it again.

Karim: Okay. And it's 30 consecutive days, right? So if you sync anytime in between, every 12 hours, the 30 days starts again.

Thomas: Yeah. So it's a moving 30 days. Perfect. Perfect. This is awesome. So now, obviously, there is a question about connectivity. We already touched on this a little bit, when we have connectivity issues. What are the requirements?

Karim: Yeah. Connectivity. I actually prepared this in a frequently asked questions kind of fashion. These are the most frequent questions that we get. First of all, the first question that we always get is, does Azure Stack HCI require continuous connectivity to the cloud? We just talked about it. No, we can handle periods of limited or even zero connectivity, right? And what happens? Let's say you lost your connection. What happens if the connection goes down? Do my VMs stop running or anything? No, everything will continue to run just normally.
And even your local tools, like SCVMM, Windows Admin Center, PowerShell, these are all local, right? You don't need connectivity for these, and they will continue running. So we're not going to give you any problem there.

Thomas: Yeah. So there's no dependency on the cloud every time I want to do something. As you said, I could still use the local tools.

Karim: Exactly. And the time is 30 consecutive days. How long will it run? How long does Azure Stack HCI run without the connection? It's 30 days. And this one is also very, very popular: can I use Azure Stack HCI and never connect to Azure? So air-gapped situations, where a part of the network is totally separate from the internet connection. No, you cannot use Azure Stack HCI in these scenarios. And the last one is, are there bandwidth or latency requirements? No, there's nothing like that. We upload very little information to the cloud every day, kilobytes' worth. And that's why it's okay to run in very low-bandwidth locations, like T1 lines or even cellular lines, or even high-latency lines like satellite connections. We're totally fine. We are not sensitive to disruptions in the connection, and we are also not sensitive to the bandwidth of the connection.

Thomas: Okay. Okay. And of course it begs the question now, okay, so if that's what you need, what do I need to do on my firewall, right?

Karim: And everybody has lots of firewalls. You have the Defender Firewall on the host, and then you may have your other firewalls, your perimeter firewalls. And just to be clear, having access to Azure is very different from unlimited internet access. We're not talking about unlimited internet access here, right? We just need access to Azure.
And what we need is one-way, outbound-only access over the secure 443 HTTPS port to very well-known, published and weekly-updated Azure IP addresses, okay? So that's all you need. And we are part of that. And also, you can minimize the exfiltration risk by scoping rules that allow outbound traffic very specifically in these ways. So as Microsoft, we publish the list of Azure IP addresses, like I mentioned, weekly. And all Azure services are included; Azure Stack HCI is also part of that. So you can quite easily get that list, and there are multiple ways of doing this, and there is lots of help out there on how you can do this. And you can get that list, and that's what's called network service tags, and then apply that to your configuration, to your firewall. And you can also do automation with scripts and everything. And on the right-hand side, you can see the endpoints that we need. There are six of them. So we need the front door resource manager, Azure Resource Manager, Arc infrastructure (because Arc is included in Azure Stack HCI, so you don't have to do anything to have Arc; that's how we project your cluster in the Azure portal), Azure Traffic Manager, Azure Active Directory (we talked about that a lot), and optionally, that's why it has an asterisk, PowerShell Gallery, but it's very convenient, right? Because if you don't have access to PowerShell Gallery, then you need to manually transfer the modules that we talked about to do things like registration. Okay. And just to be clear, you have to do these permissions both on the Defender Firewall and through the other firewalls or perimeter firewalls that you may have in your environment. Yeah. And one more thing is that this is coming soon. It's probably going to be one of the first feature updates included in 2021: we are actually making this easy for the Defender Firewall. We are going to automatically update it.
We are going to automatically check the IP address list that I talked about, the weekly IP addresses. If anything changes in there, we are going to automatically update your Defender Firewall. So you don't have to do anything in that sense. Oh, this is really great, because today I would probably just open it and let my company firewall do everything. But now with that I get even more secure, because it also limits the IP addresses and stuff like that, right? Exactly. But of course, this doesn't change the fact that if you have a perimeter firewall, you need the automation scripts to update that yourself. But at least on the Defender Firewall, you're good. Yeah. So again, we talked about network connectivity and how I need to set it up and what I actually need. Now, a lot of people have the question, and a lot of customers have the question: okay, so what about data privacy, and what does it send? Does my data, like what kind of data goes out, and do I have control and whatnot? So we've got a lot of questions. Yeah, it's a good question, and it's one that is very close to me because I actually am a PM for that. So I worked on it, and data privacy is very important, right? And just to let you know, it might be quite surprising to many folks, but with Azure Stack HCI, actually we are raising the bar for data privacy as compared to Windows Server. Because if you look at this example, for example, in Windows Server 2019, as you know, it had Windows telemetry built into it; it's enabled by default. You can of course turn it off, but it's enabled by default, and it's transmitting a fair amount of data by default, right? But I'm sure you guys, or your audience, are very familiar with Windows telemetry. So we took this dramatic step in Azure Stack HCI and turned the Windows telemetry completely off.
So if you look at Azure Stack HCI, all the nodes, and if you go to the Windows telemetry, it's set to Security. And there are four levels. And I think we're going to change this into Off, Required and Optional, three levels, in the future, but right now there are Off, Security, Enhanced and Full; there are four levels, and Security equals Off. So you don't send anything; it's the lowest level. And we actually did a bunch of tests, exhaustive tests, just to see if we're emitting anything, and it turned out we are not sending anything. So it's totally off. But of course, we need some information, because this is a service, this is a subscription service, so we need to make sure that the billing is sent and your services are up to date, secure and running the way they should. So we introduced the service health monitoring, and service health monitoring is the difference between Windows and Azure Stack HCI. And it is quite a minimum amount of information that you would ever need to basically run it, again, up to date, secure and performant. Right. And let me just go through what we usually get a lot of questions about, again in a frequently asked questions fashion, okay? So what do we send? We send, as I mentioned, diagnostic data, which we obviously send, the billing data, how many cores you have, and again, basic information to be able to show you the cluster in the Azure portal, because if you go to the Azure portal, you will see the VMs, you will see some information, just the basic information about the VMs and how many cores you have. So that information needs to be sent so that we can show it in the Azure portal. So those are the things that we send. And you'll see in the coming slides, we are very transparent. We wanted to be 100% transparent with this information. And of course, the other question is, does my personal data stored in Azure Stack HCI get sent to the cloud? No, definitely not.
Names, metadata, configuration or contents of your VMs are not sent to the cloud. Unless you basically set up a service like Azure Site Recovery, none of these are sent to the cloud. And PII data, is it sent to the cloud? No. The closest thing that I can think of that we have is the cluster ID, which is unique information, and also the hash of your hardware ID. And again, these are needed because we need to display this information in your portal. Also, we need to track that, because in Azure Stack HCI, when you install it, you get it 30 days for free. But when you uninstall it, you shouldn't be able to install it again and get another 30 days for free. So that's how we basically track it, so we need that information. And how much diagnostic data is sent to the cloud? A few kilobytes; it's not a lot at all. And how is it used? It's mainly used by the engineering team to make sure that everything is running securely and properly. And data is kept in the US, and we only look at the aggregated data. We never look at individual data. And just to prove my point that we're 100% transparent, this is everything that we're sending. This is it. So it all fits in one slide. And if you look at it closely, you can see that there are things like how many crashes you had. If you had a firmware update and you had a crash, is this because of the firmware update, or is it because of the type of drive you have? It's just this information we need. So that's why we basically, I mean, we just took this unprecedented step and showed you exactly everything that you're sending. This is awesome. This will make a lot of customers very happy, because then you can just basically go and say, hey, look, this is all the data. And especially if you're in the IT department, you're setting up your Azure Stack HCI cluster, and then you need to show, for example, the security people, the responsible people for that.
You need to tell them, like, what is actually getting sent? And then you can just take that slide you're showing now and basically go out. Actually, they can do better than that. Let me show you how you can do better than that. They can actually see their own data themselves. So that's even better, right? Because now you're not actually showing something that is pre-created; in my mind, they can see exactly what they're sending. And again, this is to be 100% transparent on this. And you just need to enable this event log channel, just using this top cmdlet command. And then you use the Get-WinEvent cmdlet to configure it and just to watch it, right? And here is a script, because it's not formatted in a tabular format, so you can actually use this to see it in a very friendly way, in a tabular format as well. And then you can send this to your security department or any interested departments. And you can easily see this, yeah. This is awesome. I think this makes a lot of customers very happy. So you can actually go and say, hey, look, if you don't trust what we are telling you it sends, you can look at it yourself and see what we are actually sending. This is awesome; I really love that feature. So we talked about a lot of things, right? We talked about how hybrid is built in, how to register, what happens when you register, the connectivity requirements, and a bunch of things, right? So what do you think? Where do you think this is going? This is already pretty awesome, a lot of stuff which actually helps us to start the management out of Azure and provide that. But I definitely want to see more of what will be coming, what your team is enabling us to do with that hybrid connection.
As you said before, this is probably just the foundation of what you're going to deliver. Exactly. Nice, nice. And just like you said, this is just the foundation, right? This is just the start. We're just getting started. And as you may have already figured out, we spent a lot of time and thought about what each component and what the hybrid connection, the hybrid experience, should look like, right? And we did this because we want to deliver these very valuable scenarios, and you'll see all of these coming, like fleet-scale monitoring in the Azure portal, self-service virtual machines from the Azure portal. All of those things are coming. And these are the things that customers ask us for all the time, right? So that's why we had to have this foundation. We wanted to put the thought and care into data privacy, the connectivity requirements, making it robust, making it self-managed, making sure certificates renew themselves, the licenses take care of themselves, firewall configuration can be done automatically, the support is part of Azure. So all of these things, so that we have this very strong foundation, so that we can deliver all of these scenarios without any problems in the future. And it's very exciting. And I think there are a lot of scenarios that will make a lot of you excited in the future. And yeah. Absolutely. So now, as we're looking forward, there are a couple of things like fleet monitoring. I have talked to a bunch of customers, and what they have is either branch offices, factories or retail stores, where they actually need to have some infrastructure to run their virtual machines on top of it, or their Kubernetes clusters or whatnot. And they want to have a central place to manage all of that.
They don't necessarily want to build all of these VPN connections to all of these, right? They want to have a very easy way to manage these environments. And I think, as you're just showing here, fleet management monitoring in the Azure portal or self-service creation of virtual machines in the Azure portal, I mean, this is going to be really, really cool for a lot of them. Yeah. And a lot of customers, if you think about it, in my experience at least, it's hybrid: they don't have everything in the cloud. If they do, like you say, that's the exception, right? And all the customers, they have both. So that's why hybrid is super important, I think. Yeah. I think this is a great example. The whole Azure Stack HCI scenario really shows one of the best hybrid cases in general, how you can actually take advantage of the cloud to make your on-premises environment even better, right? I mean, you can run virtualization. We did that for years using Windows Server, Hyper-V, Storage Spaces Direct, and you can still do that. But this brings it to the next level, where you don't need to move everything to Azure, where you still can run it locally, but you can connect it to Azure and take advantage of the power of Azure and the capabilities. So this is... And just to add, a lot of people will probably be aware, but if you look at the Azure Stack portfolio, you have three products, right? On one side, you have Azure Stack Hub, which is fully controlled, 100% controlled, and you buy your hardware from the OEM and you get your support from there. You cannot control it, but you have your Azure, and the experience is very similar to the Azure portal, but it's on-prem. And on the other end, you have Azure Stack Edge, which is at the end of your network, and you have your IoT devices connect to it. So, to cover all of those scenarios. And Azure Stack HCI is in the middle.
So Azure Stack HCI is something where you can actually use your own hardware to bring all these scenarios and all these experiences into play. So it's the best of both worlds, I think. It's kind of flexible. You get parts of it fixed, like the operating system, but then you obviously get the flexibility to use different hardware and also have access to it and configure it the way you want. And it's also verified hardware. OEMs, if any hardware is in our catalog, then it means that the OEMs signed up on it and they support it, and they purposefully built it to be this on-prem, great virtualization host for your environment. And they configure all the RAM and all the I/O and everything for that purpose. Oh, that's awesome. And again, I completely love our hybrid story. And I think it's very important to highlight that we don't have just one product which does hybrid, right? We really want to give customers the choice from different hybrid solutions, depending on their needs, whatever they want to build or need to build. And so I'm sure we have now a lot of customers who actually want to have a deeper look at Azure Stack HCI and all the things we just talked about. So if I want to know more about it, where do I go? Great. So my call to action is: I have a bunch of links in here that I wanted to provide you guys. The first one is the product page. And all of these links below can actually be found on the product page. So azure.microsoft.com/products/azure-stack/hci. And a couple of the links in there that I really enjoy and used myself: one of them is the evaluation guide. It's awesome. I mean, if you go there and look at it, it's in GitHub actually; it will take you to GitHub. And what it has is, it shows you with scripts, step by step, how you can configure Azure Stack HCI in nested VMs.
So you don't have to have on-prem resources or clusters or servers to be able to test this. And it's 30 days for free. So you get 30 days for free; you're not going to be charged for 30 days. So you can go ahead and use that. And there are scripts: you can either do it step by step from the UI, or you can actually even use a bunch of PowerShell scripts. And the good thing is you can take those PowerShell scripts and use them in your own environment as well, right? So that's very nice. The learn paths are really, really good. They talk about the foundations, what you need to learn to get better at Azure Stack HCI. And we have a bunch of information about pricing and everything, of course. And then I just wanted to also call out our documentation. As PMs, we spend a lot of time with our documentation team to make sure that they have the right information; we work very, very closely with them. And all of this, data collection, firewall configuration, everything is there. And this is the main page for documentation. So all of these will help you a lot. Awesome, this is awesome. And again, we will put all the links into the description below, so you can just go and click on these as well. Just feel free to check it out. I highly recommend also the learning path. I also took it myself to actually learn a little bit of these things. So if you want to learn more, check out Microsoft Learn. There are some great modules, not just for Azure Stack HCI, but for a lot of other Azure topics, or even other Microsoft topics like Dynamics or Microsoft 365. So that is awesome. So with that, I really want to say thank you, Karim, for being here today. I was really... Of course, my pleasure. I learned a lot, especially the data part.
I think this is going to make a lot of customers very, very happy to actually see how these things are working in the backend, what gets sent to Azure, and how we actually deal with this log data information. So thank you very much again. And for those out there who want to learn more about the different scenarios, about the different hybrid topics we're talking about, check out our event at aka.ms/itopstalks. And you will find more sessions. You will find more about Azure Stack HCI, for example AKS on Azure Stack HCI; you will find topics about Windows Server, Azure and much, much more. So thank you very much for watching, and I hope you enjoyed this session. Thank you.