AzureLocal
diff --git a/‎docs/azure-services/bcdr-on-azure-local.md‎
Lines changed: 65 additions & 0 deletions b/‎docs/azure-services/bcdr-on-azure-local.md‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎docs/azure-services/cost-management-on-azure-local.md‎
Lines changed: 62 additions & 0 deletions b/‎docs/azure-services/cost-management-on-azure-local.md‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎docs/azure-services/custom-images-on-azure-local.md‎
Lines changed: 73 additions & 0 deletions b/‎docs/azure-services/custom-images-on-azure-local.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎docs/azure-services/governance-on-azure-local.md‎
Lines changed: 68 additions & 0 deletions b/‎docs/azure-services/governance-on-azure-local.md‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎docs/azure-services/hydration-on-azure-local.md‎
Lines changed: 70 additions & 0 deletions b/‎docs/azure-services/hydration-on-azure-local.md‎
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,65 @@
+---
+title: Business Continuity and Disaster Recovery on Azure Local
+sidebar_position: 15
+---
+
+# Business Continuity and Disaster Recovery on Azure Local
+
+The Azure Local BCDR solution provides automated backup and disaster recovery configuration for workloads running on Azure Local clusters. It integrates Azure Site Recovery (ASR), Azure Backup, and stretch cluster capabilities to meet RPO/RTO requirements for mission-critical on-premises workloads.
+
+## Service Details
+
+### What It Enables
+
+Azure Local clusters run business-critical workloads that require protection against both node-level failures (covered by clustering) and site-level disasters (covered by BCDR). This solution automates the replication configuration, failover runbooks, and backup schedules needed to meet enterprise recovery objectives.
+
+### Key Use Cases
+
+- **VM replication with ASR** — Replicate Azure Arc VMs to Azure for site-level disaster recovery
+- **Azure Backup integration** — Backup VMs, SQL databases, and file shares to Azure Backup vault
+- **Stretch cluster** — Active-active or active-passive Azure Local stretch clusters across two sites
+- **Failover runbooks** — Automated ASR recovery plans for ordered workload failover
+- **BCDR testing** — Non-disruptive failover tests with automated validation
+
+### Architecture
+
+```
+Primary Site (Azure Local Cluster)
+     │
+     ├──▶ Azure Site Recovery Agent ──▶ Azure (Replication Target)
+     │                                      │
+     │                                      └──▶ Recovery Services Vault
+     │                                               │
+     ├──▶ Azure Backup Agent ──────────────▶ Backup Vault (same or different region)
+     │
+     └──▶ Stretch Cluster (optional)
+              │
+              └──▶ Secondary Site (Azure Local Cluster 2)
+```
+
+## Supported Features
+
+- Azure Site Recovery for VM replication to Azure
+- Azure Backup for VM, SQL, and file share protection
+- Recovery Services Vault management and policy configuration
+- ASR recovery plans with ordered failover sequencing
+- Stretch cluster configuration (Active-Active / Active-Passive)
+- Automated BCDR drill scheduling and reporting
+- RPO/RTO dashboard and health alerting
+
+## Deployment Notes
+
+- ASR requires connectivity from Azure Local nodes to Azure
+- Backup vault and recovery vault can be co-located or in separate regions for geo-redundancy
+- Refer to the [azurelocal-bcdr](https://github.com/AzureLocal/azurelocal-bcdr) repo for deployment scripts and runbooks
+
+## Resources
+
+- **Repository**: [azurelocal-bcdr](https://github.com/AzureLocal/azurelocal-bcdr)
+- **Microsoft Docs**: [BCDR for Azure Local](https://learn.microsoft.com/en-us/azure/azure-local/manage/azure-site-recovery)
+- **Azure Site Recovery**: [Overview](https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview)
+- **Azure Backup**: [Overview](https://learn.microsoft.com/en-us/azure/backup/backup-overview)
+
+:::note Work in Progress
+This page is a placeholder. Full documentation is tracked in [azurelocal-bcdr](https://github.com/AzureLocal/azurelocal-bcdr).
+:::
@@ -0,0 +1,62 @@
+---
+title: Cost Management and Chargeback on Azure Local
+sidebar_position: 16
+---
+
+# Cost Management and Chargeback on Azure Local
+
+The Azure Local Cost Management solution provides showback and chargeback reporting for workloads running on Azure Local clusters. It integrates Azure Cost Management, Arc-enabled billing telemetry, and custom reporting to give organizations visibility into per-workload, per-team, and per-project infrastructure costs.
+
+## Service Details
+
+### What It Enables
+
+Azure Local clusters consume infrastructure resources that need to be tracked and allocated back to the teams or projects using them. This solution automates cost data collection, enriches it with resource tagging, and produces chargeback reports consumable by finance and FinOps teams.
+
+### Key Use Cases
+
+- **Showback reporting** — Visibility into resource consumption per team, project, or business unit without billing
+- **Chargeback** — Formal cost allocation back to cost centers based on actual resource usage
+- **Tag governance** — Enforce consistent resource tagging across all Azure Local workloads for accurate cost attribution
+- **Budget alerting** — Notify teams when projected costs approach defined budgets
+- **Arc billing integration** — Leverage Azure Arc-enabled resource billing for unified cost view across cloud and on-premises
+
+### Architecture
+
+```
+Azure Local Cluster
+     │
+     ├──▶ Azure Arc (resource enrollment)
+     │         │
+     │         └──▶ Azure Cost Management ──▶ Cost Analysis + Budgets
+     │
+     ├──▶ Resource Tags (workload/team/project)
+     │
+     └──▶ Custom Cost Reports ──▶ Power BI / CSV Export ──▶ Finance Teams
+```
+
+## Supported Features
+
+- Arc-enabled resource cost visibility in Azure Cost Management
+- Resource tagging policy enforcement for cost attribution
+- Budget creation and alert configuration per team/project
+- Automated showback report generation (daily/weekly/monthly)
+- Power BI dashboard templates for cost visualization
+- Chargeback export to CSV/Excel for finance integration
+- Multi-tenant cost view across multiple Azure Local clusters
+
+## Deployment Notes
+
+- Requires Arc enrollment of all resources to be tracked
+- Cost data is available ~24 hours after resource deployment
+- Refer to the [azurelocal-cost](https://github.com/AzureLocal/azurelocal-cost) repo for report templates and deployment scripts
+
+## Resources
+
+- **Repository**: [azurelocal-cost](https://github.com/AzureLocal/azurelocal-cost)
+- **Microsoft Docs**: [Azure Cost Management overview](https://learn.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview)
+- **Azure Arc billing**: [Arc-enabled billing](https://learn.microsoft.com/en-us/azure/azure-local/conceptual-billing)
+
+:::note Work in Progress
+This page is a placeholder. Full documentation is tracked in [azurelocal-cost](https://github.com/AzureLocal/azurelocal-cost).
+:::
@@ -0,0 +1,73 @@
+---
+title: Custom VM Images on Azure Local
+sidebar_position: 20
+---
+
+# Custom VM Images on Azure Local
+
+The Azure Local Custom Images solution provides an automated pipeline for building, validating, and publishing hardened VM images to Azure Local clusters. It uses Azure Image Builder (or Packer) to produce VHDX-format golden images with pre-installed agents, security baselines, and organizational configurations baked in — ensuring that every new VM starts from a trusted, consistent baseline.
+
+## Service Details
+
+### What It Enables
+
+Rather than deploying generic OS images and then configuring VMs post-deployment, the custom images solution produces pre-hardened, pre-configured image artifacts that can be used directly for provisioning. This reduces deployment time, eliminates configuration drift, and ensures security baselines are enforced from day one.
+
+### Key Use Cases
+
+- **Golden image pipeline** — Automated image build pipeline producing versioned VHDX artifacts
+- **Security hardening** — Apply CIS benchmarks, Windows Server security baselines, and organizational policies at image build time
+- **Agent pre-installation** — Bake in Azure Monitor Agent, Arc Connected Machine Agent, and custom tooling
+- **Image versioning** — Maintain a library of versioned images with changelog tracking
+- **Multi-OS support** — Build images for Windows Server 2022, 2019, and Linux (Ubuntu, RHEL)
+- **Azure Local gallery** — Publish images to the Azure Local image gallery for self-service VM provisioning
+
+### Architecture
+
+```
+Image Build Pipeline
+     │
+     ├── Source: Marketplace OS image or ISO
+     │
+     ├── Customization Layer:
+     │   ├── Windows Updates / Patching
+     │   ├── Security hardening (CIS / Azure Security Benchmark)
+     │   ├── Agent installation (AMA, Arc Agent, custom tooling)
+     │   └── Organizational configuration (DNS, NTP, certificates)
+     │
+     ├── Validation:
+     │   ├── Pester tests (Windows) / InSpec (Linux)
+     │   └── Security scan (SCAP / Defender)
+     │
+     └── Publish:
+         ├── Azure Local Image Gallery (VHDX artifact)
+         └── Version catalog with changelog
+```
+
+## Supported Features
+
+- Automated image build pipeline (Azure Image Builder or HashiCorp Packer)
+- CIS Level 1/2 hardening for Windows Server and Linux
+- Pre-installed Azure Monitor Agent and Arc Connected Machine Agent
+- Image versioning with semantic version tagging
+- Pester / InSpec validation test suites
+- Azure Local image gallery integration
+- Multi-OS support: Windows Server 2019/2022, Ubuntu 20.04/22.04, RHEL 8/9
+- Integration with azurelocal-toolkit variable registry for consistent configuration
+
+## Deployment Notes
+
+- Azure Image Builder requires an Azure subscription with Image Builder service registered
+- Packer-based pipeline can run on-premises without Azure Image Builder dependency
+- Published VHDX images must be imported into the Azure Local image gallery before use
+- Refer to the [azurelocal-custom-images](https://github.com/AzureLocal/azurelocal-custom-images) repo for pipeline definitions and image specs
+
+## Resources
+
+- **Repository**: [azurelocal-custom-images](https://github.com/AzureLocal/azurelocal-custom-images)
+- **Microsoft Docs**: [Custom images for Azure Local](https://learn.microsoft.com/en-us/azure/azure-local/manage/virtual-machine-image-local-share)
+- **Azure Image Builder**: [Overview](https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview)
+
+:::note Work in Progress
+This page is a placeholder. Full documentation is tracked in [azurelocal-custom-images](https://github.com/AzureLocal/azurelocal-custom-images).
+:::
@@ -0,0 +1,68 @@
+---
+title: Governance and Compliance on Azure Local
+sidebar_position: 17
+---
+
+# Governance and Compliance on Azure Local
+
+The Azure Local Governance solution automates policy enforcement, security baseline application, and compliance reporting for Azure Local clusters and Arc-enrolled workloads. It leverages Azure Policy, Microsoft Defender for Cloud, and Azure Security Benchmark to ensure consistent governance across on-premises and hybrid environments.
+
+## Service Details
+
+### What It Enables
+
+Enterprises running Azure Local need the same governance controls they apply in Azure — resource locking, policy assignments, RBAC boundaries, and compliance dashboards — extended to on-premises clusters. This solution automates governance at the cluster, host, and VM level through Arc.
+
+### Key Use Cases
+
+- **Azure Policy** — Assign and audit policies across all Arc-enrolled Azure Local resources
+- **Security baselines** — Apply Azure Security Benchmark and CIS hardening to cluster nodes and VMs
+- **RBAC governance** — Enforce role-based access control boundaries for cluster administration and workload management
+- **Compliance reporting** — Automated compliance status reports against industry frameworks (CIS, NIST, ISO 27001)
+- **Resource locks** — Prevent accidental deletion of critical cluster components
+- **Defender for Cloud** — Enable security posture management and threat detection for Arc-enrolled VMs
+
+### Architecture
+
+```
+Azure Arc
+     │
+     ├──▶ Azure Policy (assignments → audit/enforce)
+     │         │
+     │         ├──▶ Cluster Nodes (OS configuration, update compliance)
+     │         └──▶ Arc VMs (security baseline, network policies)
+     │
+     ├──▶ Microsoft Defender for Cloud
+     │         │
+     │         └──▶ Secure Score + Recommendations
+     │
+     └──▶ RBAC / Entra ID ──▶ Subscription / Resource Group scopes
+```
+
+## Supported Features
+
+- Azure Policy initiatives for Azure Local (custom + built-in)
+- Security baseline deployment via Azure Policy Guest Configuration
+- Microsoft Defender for Cloud integration (Arc-enabled servers)
+- Azure Security Benchmark compliance mapping
+- RBAC role assignments automation (custom roles for cluster operators)
+- Resource lock deployment for critical components
+- Compliance report export (PDF/CSV) for audit teams
+- Microsoft Sentinel integration for SIEM log forwarding
+
+## Deployment Notes
+
+- Requires Arc enrollment of all cluster nodes and managed VMs
+- Azure Policy assignment may have up to 30-minute enforcement delay
+- Refer to the [azurelocal-governance](https://github.com/AzureLocal/azurelocal-governance) repo for policy definitions and deployment scripts
+
+## Resources
+
+- **Repository**: [azurelocal-governance](https://github.com/AzureLocal/azurelocal-governance)
+- **Microsoft Docs**: [Governance overview for Azure Local](https://learn.microsoft.com/en-us/azure/azure-local/manage/manage-arc-virtual-machines)
+- **Azure Policy**: [Overview](https://learn.microsoft.com/en-us/azure/governance/policy/overview)
+- **Defender for Cloud**: [Arc support](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction)
+
+:::note Work in Progress
+This page is a placeholder. Full documentation is tracked in [azurelocal-governance](https://github.com/AzureLocal/azurelocal-governance).
+:::
@@ -0,0 +1,70 @@
+---
+title: Server Hydration on Azure Local
+sidebar_position: 18
+---
+
+# Server Hydration on Azure Local
+
+The Azure Local Hydration solution automates the end-to-end provisioning of new Azure Local clusters from bare-metal hardware — from BIOS/firmware configuration through OS deployment, cluster formation, Arc registration, and initial workload readiness. It eliminates the manual steps that traditionally make Azure Local deployments slow and error-prone.
+
+## Service Details
+
+### What It Enables
+
+"Hydration" refers to the process of taking bare-metal hardware and fully configuring it to a known, production-ready state. This solution automates the entire lifecycle from initial OS installation through Azure Arc registration, removing the need for manual node-by-node configuration.
+
+### Key Use Cases
+
+- **Bare-metal to cluster** — Automated path from raw hardware to a fully configured, Arc-registered Azure Local cluster
+- **BIOS/firmware configuration** — Standardized iDRAC/iLO configuration for consistent hardware settings across all nodes
+- **OS deployment** — Scripted Windows Server deployment with consistent partition layouts and driver packages
+- **Cluster formation** — Automated WSFC creation, networking, and Storage Spaces Direct configuration
+- **Arc registration** — Automatic enrollment of all cluster nodes and resources into Azure Arc
+- **Repeatable builds** — Idempotent provisioning scripts for consistent cluster rebuilds
+
+### Architecture
+
+```
+Bare Metal Hardware
+     │
+     ├── Step 1: BIOS/Firmware Configuration (iDRAC/iLO)
+     │
+     ├── Step 2: OS Deployment (WinPE / PXE boot / scripted WIM)
+     │
+     ├── Step 3: Network Configuration (storage, mgmt, compute VLANs)
+     │
+     ├── Step 4: Cluster Formation (WSFC + Storage Spaces Direct)
+     │
+     ├── Step 5: Azure Arc Registration (nodes + resources)
+     │
+     └── Step 6: Baseline Configuration (updates, monitoring agents, policy)
+
+Result: Production-ready Azure Local cluster
+```
+
+## Supported Features
+
+- BIOS/iDRAC/iLO configuration templates (Dell, HPE, Lenovo)
+- WIM-based OS deployment with answer file automation
+- Network switch configuration validation
+- Automated cluster creation and validation
+- Storage Spaces Direct pool and volume initialization
+- Azure Arc registration for all nodes
+- Post-deployment health validation checks
+- Integration with azurelocal-toolkit variable registry
+
+## Deployment Notes
+
+- Hardware vendor BMC access required for firmware configuration steps
+- Network infrastructure (DHCP, DNS, PXE) must be pre-configured
+- Refer to the [azurelocal-hydration](https://github.com/AzureLocal/azurelocal-hydration) repo for deployment scripts and hardware profiles
+
+## Resources
+
+- **Repository**: [azurelocal-hydration](https://github.com/AzureLocal/azurelocal-hydration)
+- **Microsoft Docs**: [Deploy Azure Local](https://learn.microsoft.com/en-us/azure/azure-local/deploy/deployment-introduction)
+- **Arc Registration**: [Connect machines to Arc](https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal)
+
+:::note Work in Progress
+This page is a placeholder. Full documentation is tracked in [azurelocal-hydration](https://github.com/AzureLocal/azurelocal-hydration).
+:::