Configure TP3 to be available on your own network / internet

With Azure Stack TP3 released, I wanted it to be available on the Corp network / internet. I wrote about how to kill the BGPNAT VM after deployment and use BGP peering directly with your TOR switches from the SLB VMs, but that seemed too hard to accomplish for too many people in their current network. So in this blog post I am going to put the BGPNAT VM in route mode after the installation of Azure Stack is finished. Instead of using outbound NAT and inbound NAT rules, we need to plan the networks used in Azure Stack so that they are routed by the BGPNAT VM to the Corp network. Let's get started…

You might have noticed they did a good clean-up job in the TP3 build. What they have actually done is wrap most files in dedicated NuGet packages (.nupkg). So when I was looking for the OneNodeCustomerConfigTemplate.xml file, I had to extract it from one of the NuGet packages. From C:\CloudDeployment\NuGetStore, copy Microsoft.AzureStack.Solution.Deploy.CloudDeployment.1.0.381.0.nupkg to the desktop and rename the file extension to .zip. When you open the zip file and look in the content folder, you might start recognizing some folders from the TP2 deployment:



In the Configuration folder copy out the OneNodeCustomerConfigTemplate.xml and edit the networks:


If you do want to use your own switch for BGP peering with the SLB (like we did in the TP2 public internet), also update the MuxASn and MuxPeerAsn to match your environment.

When finished, copy the XML file back to its original location in the zip file.

Now go to \content\Configuration\Roles\Fabric\VirtualMachines and open onenoderole.xml, search for 192.168.200 and replace it with [VMDC1-IpAddress]/[PrefixLength]


If you want to change the domain name Azure Stack is deployed in, copy DeploySingleNode.ps1 out of the Setup folder and edit the domain values:


When finished, copy the PS1 file back to its original location in the zip file.


Now rename the zip back to nupkg and copy it back to the NuGetStore folder. Also keep a copy somewhere off your server for future deployments.
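The copy, rename, edit and copy-back steps above can also be done in place with the .NET zip classes. This is an added example, not part of the original post: the scratch folder and the function names are assumptions, and it also saves the untouched package with its SHA-256 hash so you can later prove what was changed in the deployment package or roll it back.

```powershell
$ErrorActionPreference = 'Stop'   # stop on the first error instead of repacking half-way
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

$pkg   = 'C:\CloudDeployment\NuGetStore\Microsoft.AzureStack.Solution.Deploy.CloudDeployment.1.0.381.0.nupkg'
$work  = Join-Path $env:TEMP 'CloudDeploymentEdit'      # assumed scratch folder
$names = 'OneNodeCustomerConfigTemplate.xml', 'onenoderole.xml', 'DeploySingleNode.ps1'

function Export-PackageFile {
    # Extract the named files and return a map of zip entry path -> local copy.
    param([string]$Package, [string[]]$FileName, [string]$Destination)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Package)
    try {
        foreach ($entry in $zip.Entries | Where-Object { $FileName -contains $_.Name }) {
            $local = Join-Path $Destination $entry.Name
            if (Test-Path $local) { throw "More than one entry named $($entry.Name)" }
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $local)
            [pscustomobject]@{ Entry = $entry.FullName; Local = $local }
        }
    } finally { $zip.Dispose() }
}

function Update-PackageFile {
    # Replace each mapped entry in the package with the edited local copy.
    param([string]$Package, [object[]]$Map)
    $mode = [System.IO.Compression.ZipArchiveMode]::Update
    $zip  = [System.IO.Compression.ZipFile]::Open($Package, $mode)
    try {
        foreach ($m in $Map) {
            $zip.GetEntry($m.Entry).Delete()
            [void][System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($zip, $m.Local, $m.Entry)
        }
    } finally { $zip.Dispose() }
}

# Fresh scratch folder; keep the untouched package and its hash for audit and rollback.
if (Test-Path $work) { Remove-Item $work -Recurse -Force }
New-Item -ItemType Directory -Path $work | Out-Null
Copy-Item $pkg (Join-Path $work 'original.nupkg')
(Get-FileHash $pkg -Algorithm SHA256).Hash | Set-Content (Join-Path $work 'original.sha256')

$map = @(Export-PackageFile -Package $pkg -FileName $names -Destination $work)
$map | Format-Table -AutoSize
Read-Host "Edit the files in $work, then press Enter to write them back"

# Refuse to repack XML that no longer parses.
foreach ($m in $map | Where-Object { $_.Local -like '*.xml' }) { [void][xml](Get-Content $m.Local -Raw) }
Update-PackageFile -Package $pkg -Map $map
"New SHA256: $((Get-FileHash $pkg -Algorithm SHA256).Hash)"
```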



Run your normal deployment



When the installation is finished we need to configure the BGPNAT VM in routing mode. Use this script on the Hyper-V host to accomplish that:

Now add static routes on the router in your network for the networks you have defined in the XML file, so that they are forwarded to the BGPNAT VM. In my case that is on an HP5900 switch:

To simplify name resolution from your Corp network, just add a forwarder in your Corp DNS servers for your ‘configured external Azure Stack domain’ to the MAS-DC01, whose IP ends in .224 (in my deployment).

Now you need to give the RootCA to your users who want to consume Azure Stack resources and you are good to go! You can get the RootCA certificate from the \\MAS-CA01\c$\Windows\System32\CertSrv\CertEnroll folder.
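Before a user trusts that RootCA machine-wide, it is worth checking that the file really is the CA's certificate. The following is an added example, not part of the original post: the .crt file name and the expected thumbprint are placeholders you fill in (read the thumbprint on MAS-CA01 itself, not from the share), the function name is an assumption, and the import needs an elevated prompt.

```powershell
$ErrorActionPreference = 'Stop'
# Placeholders: the .crt file name in CertEnroll and the thumbprint read on MAS-CA01 itself.
$cerPath  = '\\MAS-CA01\c$\Windows\System32\CertSrv\CertEnroll\<RootCA-file>.crt'
$expected = '<ROOT-CA-THUMBPRINT>'

function Test-RootCaCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Basic Constraints must mark the certificate as a CA.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $now  = Get-Date
    # Strip spaces and invisible characters that come along when a thumbprint is pasted.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        SelfSigned      = $cert.Subject -eq $cert.Issuer
        IsCA            = [bool]($bc -and $bc.CertificateAuthority)
        InValidity      = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        ThumbprintMatch = $cert.Thumbprint -eq $want
    }
}

$r = Test-RootCaCertificate -Path $cerPath -ExpectedThumbprint $expected
$r | Format-List
if ($r.SelfSigned -and $r.IsCA -and $r.InValidity -and $r.ThumbprintMatch) {
    # Only now add it to the machine's trusted roots.
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root
} else {
    throw 'Root CA certificate failed verification; not importing.'
}
```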

Have fun with Azure Stack in your Corp network / Internet


Mark Scholman

About the author

Mark is a consultant at inovativ. Last year he was awarded the Microsoft Azure MVP award. In his day-to-day job he is building clouds with Azure Stack, System Center and PowerShell.

Twitter: @markscholman

  • Shawn Winters

    So if you remove the NAT and now route to the network, how do you get the AzureStack network to NAT via the MAS-BGPNAT01 gateway IP though? I can now route back and forth to the AzureStack, but without the NAT, AzureStack can’t get on the internet anymore since it was all NAT’ing via the MAS-BGPNAT01 correct?

    • Mark Scholman

      Hi, no, when you have the subnets you assigned in your Azure Stack networks known by your own NAT router they should go through the internet. A common mistake is that the subnets assigned to a new network are not known by the current network (NAT) device/router and then outbound internet won't go through…

      • Shawn Winters

        Yeah. We added those routes to the firewall and routers. Still didn’t work. I’ll have to go back and see if we missed anything. I had to manually run all those PowerShell commands to remove the NAT as the cimsession example didn’t work. Thought maybe I messed up that.

        Can you define how you broke out your subnets? It’s hard to see your screen shot example.

        • Mark Scholman

          I have defined as internal network. I use 10.1.52.X/24 for the host NIC when starting initial deployment, then in the file above I used, and those are used for: Internal VIP, Management, External VIP. If you look closely at the XML file you will notice that Microsoft broke the Management subnet into a couple of pieces as well for HNV, Transit, Mgt network; those all live in the Management subnet.

  • Santosh Dharamsale

    Hi All,

    I am planning to install Stack P3 but I don't have an Office 365 account, so my question is: do I really need an Office 365 account or can I use my in-house AD?

    • Mark Scholman

      Since TP3 you can install Azure Stack in ADFS mode. That means that the AD that is being provisioned with the single node POC install is used for authentication. You can then create additional users in that forest.

      • Edgar Tolentino

        Hi Mark, if we use ADFS mode, can we install Azure Stack offline without an internet connection? Thanks

        • Mark Scholman

          Yes that’s possible

  • Bill Scott

    Does anyone know if a PowerEdge C6220 would be supported to establish a 2 node Availability Set?
    Each node has the required drive bays with 6 each (2)SSD and (4) SAS, and meeting the CPU and Memory requirements.