Manage hybrid Azure workloads using Windows Admin Center

This reference architecture illustrates how to design a hybrid Windows Admin Center solution to manage workloads that are hosted on-premises and in Microsoft Azure. This architecture includes two scenarios:

  • Windows Admin Center deployed to a virtual machine (VM) in Azure.
  • Windows Admin Center deployed to a server (physical or virtual) on-premises.

The first diagram illustrates Windows Admin Center deployed to a VM in Azure.

Deploy Windows Admin Center to a VM in Azure. Use VPN or ExpressRoute to manage on-premises VMs.

The second diagram illustrates Windows Admin Center deployed on-premises.

Deploy Windows Admin Center to a VM on-premises. Use Azure network adapter to integrate with resources in Azure.

Download a Visio file of these architectures.

Typical uses for this architecture include:

  • Organizations that want to manage individual Windows Server instances, Hyper-Converged Infrastructure or Hyper-V VMs that run on-premises and in Microsoft Azure.
  • Organizations that want to manage Windows Server instances hosted by other cloud providers.

Architecture

The architecture consists of the following components:

  • On-premises corporate network. A private local area network that runs within an organization.
  • On-premises corporate firewall. An organizational firewall configured to allow users access to the Windows Admin Center gateway when the gateway is deployed on-premises.
  • Windows VM. A Windows VM installed with the Windows Admin Center gateway that hosts web services with which users can connect.
  • Azure AD app. An app used for all points of Azure integration in Windows Admin Center, including Azure Active Directory (Azure AD) authentication to the gateway.
  • Managed nodes. Nodes managed by Windows Admin Center, which might include physical servers running Azure Stack, or Windows Server or virtual machines running Windows Server.
  • VPN or ExpressRoute. A Site-to-Site (S2S) VPN or ExpressRoute to manage nodes on-premises when Windows Admin Center is deployed in Azure.
  • Azure network adapter. An adapter for a Point-to-Site (P2S) VPN to Azure when Windows Admin Center is deployed on-premises. Windows Admin Center can automatically deploy the adapter and also create an Azure gateway.
  • Domain Name System (DNS). A DNS record that users reference to connect to the Windows Admin Center gateway.

Recommendations

The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.

Installation types

You have multiple options when deploying Windows Admin Center, including installing on a Windows 10 PC, a Windows server, or an Azure VM. The deployment type you choose will depend on your business requirements.

The on-premises installation types are:

Installation types when deploying Windows Admin Center on-premises. Deployment options depend on your business requirements.

  • Option 1: Local Client. Deploy Windows Admin Center on a Windows 10 client. This is ideal for quick deployments, testing, and improvised or small-scale scenarios.
  • Option 2: Gateway Server. Install on a designated gateway server running Windows Server 2016, Windows Server 2019, or later, and access from any client browser with connectivity to the gateway server.
  • Option 3: Managed Server. Install directly on a managed server running Windows Server 2016, Windows Server 2019, or later to enable the server to manage itself or a cluster in which the managed server is a member node. This is great for distributed branch office scenarios.
  • Option 4: Failover Cluster. Deploy in a failover cluster to enable high availability of the gateway service. This is great for production environments to ensure management service resiliency.

Because Windows Admin Center has no cloud service dependencies, some organizations might choose to deploy Windows Admin Center to an on-premises system for managing on-premises computers and then enable hybrid services over time. However, many organizations prefer to take advantage of service offerings in Azure and other cloud platforms that are integrated with Windows Admin Center.

Deploying Windows Admin Center on an Azure VM provides gateway functionality similar to Windows Server 2016 and Windows Server 2019. However, Azure also enables additional features for Azure VMs. Refer to Availability considerations for more information about the benefits of deploying Windows Admin Center to Azure VMs.

Automated deployment

Microsoft provides an .msi file that you use to deploy Windows Admin Center to an on-premises VM. The .msi file installs Windows Admin Center and automatically generates a self-signed certificate or associates an existing certificate based on your preference.

Tip

For more information about using the .msi file to deploy Windows Admin Center, refer to Install Windows Admin Center.

When implementing Windows Admin Center on an Azure VM, Microsoft provides the Deploy-Windows Admin CenterAzVM.ps1 script to automatically deploy all required resources. In this scenario, the script deploys a new Azure VM with Windows Admin Center installed and opens port 443 on the public IP address. The script can also deploy Windows Admin Center to an existing Azure VM. When running the script, you can use variables to specify the resource group, virtual network name, VM name, location, and many other options.

Important

Prior to deployment, upload the certificate to an Azure Key Vault. Alternatively, you can use the Azure portal to generate a certificate.

Tip

For more information about using the Deploy-Windows Admin CenterAzVM.ps1 script to deploy Windows Admin Center to an Azure VM, refer to Deploy Windows Admin Center in Azure.

Tip

For more information about the manual steps required to deploy Windows Admin Center to an Azure VM, refer to Deploy manually on an existing Azure virtual machine.

Topology recommendations

While you can implement Windows Admin Center on any existing or new VM that's on-premises or hosted in Azure, Microsoft recommends deploying Windows Admin Center gateway on a Windows Server 2019 Azure VM. The automated deployment option discussed earlier allows you to implement Windows Admin Center on an Azure VM more quickly while still safeguarding your environment. Instead of deploying Windows Admin Center on an on-premises VM, you can minimize the configuration changes required for an on-premises firewall and network.

Important

Managing nodes on-premises requires a connection (such as S2S VPN or ExpressRoute) from Azure to on-premises.

When deployed on-premises, you can use Windows Admin Center to build the hybrid connection to Azure. The hybrid connection, called an Azure network adapter, is a P2S VPN to Azure that allows Windows Admin Center to access hybrid cloud features. This process also automatically creates an Azure gateway for the VPN connection. For more information, refer to About Point-to-Site VPN.

Important

You must have an Azure virtual network in Azure before creating an Azure network adapter.

You should also configure the Windows Admin Center gateway for high availability. This will help ensure that management of systems and services remain available during unexpected failures. Azure provides multiple service offerings for these scenarios regardless of whether Windows Admin Center gateway is deployed to an on-premises or Azure VM. Refer to Availability Considerations for more information.

Certificate recommendations

Windows Admin Center gateway is a web-based tool that uses a Secure Sockets Layer (SSL) certificate to encrypt web traffic for administrators who are using the gateway. Windows Admin Center allows you to use an SSL certificate that a trusted third-party certification authority (CA) created from a self-signed certificate. You will receive a warning when trying to connect from a browser if you choose the latter option. As a result, we recommend that you only use self-signed certificates for test environments.

Tip

To learn how other Microsoft customers have used Windows Admin Center to improve their productivity and reduce costs, refer to Windows Admin Center Case Studies.

Administrative considerations

Deploying Windows Admin Center on a local Windows 10 client is great for quick-start tests, and ad-hoc or small-scale scenarios. However, for production scenarios with multiple administrators, we recommend Windows Server. When deployed on Windows Server, Windows Admin Center provides a centralized management hub for your server environment with additional capabilities such as smart card authentication, conditional access, and multi-factor authentication. For more information about controlling access to Windows Admin Center, refer to User Access Options with Windows Admin Center.

Availability considerations

  • You can help ensure high availability of the Windows Admin Center gateway service by deploying it in an active/passive model on a failover cluster. In this scenario, only one instance of the Windows Admin Center gateway service is active. If one of the nodes in the cluster fails, the Windows Admin Center gateway service seamlessly fails over to another node.

    Caution

    Deploying Windows Admin Center on a Windows 10 client computer doesn't provide high availability because gateway functionality isn't included with the Windows 10 deployment. Deploy the Windows Admin Center gateway to Windows Server 2016 or Windows Server 2019.

  • To help ensure high availability of Windows Admin Center data in case of a node failure, configure a Cluster Shared Volume (CSV) into which Windows Admin Center will store persistent data that all the nodes in the cluster access. You can deploy the failover cluster for Windows Admin Center gateway by using an automated deployment script. The Install-WindowsAdminCenterHA.ps1 script automatically deploys the failover cluster, configures IP addresses for the cluster service, installs Windows Admin Center gateway, configures the port number for the gateway service, and configures the web service with the appropriate certificate.

    Tip

    For more information about using the automated deployment script, refer to Deploy Windows Admin Center with high availability.

  • Deploying Windows Admin Center gateway to an Azure VM provides additional high-availability options. For example, by using availability sets you can provide VM redundancy and availability within an Azure datacenter by distributing the VMs across multiple hardware nodes. You can also use availability zones in Azure, which provide datacenter fault tolerance. Availability zones are unique physical locations that span datacenters within an Azure region. This helps ensure that Azure VMs have independent power, cooling, and networking. For more information on high availability, refer to Availability options for virtual machines in Azure and High availability and disaster recovery for IaaS apps.

Manageability considerations

  • Access to the Windows Admin Center management tool set depends on the installation type. For example, in a local client scenario, you would open the Windows Admin Center from the Start menu and connect to it from a client web browser by accessing https://localhost:6516. In other scenarios where you deploy the Windows Admin Center gateway to a Window Server, you can connect to the Windows Admin Center gateway from a client web browser by accessing the server name URL, such as https://servername.contoso.com, or the URL of the cluster name.
  • When deployed on Windows Server, Windows Admin Center provides a centralized point of management for your server environment. Windows Admin Center provides management tools for many common scenarios and tools, including:
    • Certificate management
    • Event Viewer
    • File Explorer
    • Network settings
    • Remote Desktop Connection
    • Windows PowerShell
    • Firewall management
    • Registry editing
    • Enabling and disabling roles and features
    • Managing installed apps and devices
    • Managing scheduled tasks
    • Configuring local users and groups
    • Managing Windows services
    • Managing storage
    • Managing Windows Update

For a complete list of server management capabilities, refer to Manage Servers with Windows Admin Center.

Important

Windows Admin Center doesn't replace all Remote Server Administration Tools (RSAT), such as Internet Information Services (IIS), because there is no equivalent management capability for it in Windows Admin Center.

Note

Windows Admin Center provides a subset of Server Manager features for managing Windows 10 client PCs.

  • Windows Admin Center provides support for managing failover clusters and cluster resources, managing Hyper-V VMs and virtual switches, and managing Windows Server Storage Replica. In addition to using Windows Admin Center to manage and monitor an existing Hyper-Converged Infrastructure, you can also use Windows Admin Center to deploy a new Hyper-Converged Infrastructure. By using a multistage workflow, Windows Admin Center guides you through installing features, configuring networking, creating a cluster, and deploying Storage Spaces Direct and Software-Defined Networking. For more information, refer to Manage Hyper-Converged Infrastructure with Windows Admin Center.

    Note

    You can use Windows Admin Center to manage Microsoft Hyper-V Server 2016 or Microsoft Hyper-V Server 2019 (the free Microsoft virtualization product).

  • The Azure hybrid services tool in Windows Admin Center provides a centralized location for all the integrated Azure services. You can use Azure hybrid services to protect VMs in Azure and on-premises with cloud-based backup and disaster recovery. You can also extend on-premises capacity with storage and compute in Azure, and you can simplify network connectivity to Azure. With the help of cloud-intelligent Azure management services, you can centralize monitoring, governance, configuration, and security across your applications, network, and infrastructure.

Windows Admin Center provides a centralized location of all the integrated Azure services. You can use the Azure hybrid services tool to manage the hybrid features of VMs in Azure and on-premises.

Tip

For more information on Azure integration, refer to Connecting Windows Server to Azure hybrid services.

Important

The Azure AD app requires Azure integration in Windows Admin Center.

Security considerations

  • Deploying Windows Admin Center provides your organization with a centralized management interface for your server environment. By controlling access to Windows Admin Center, you can improve the security of your management landscape.
  • Windows Admin Center provides multiple features to help secure your management platform. For starters, Windows Admin Center gateway authentication can use local groups, Active Directory Domain Services (AD DS), and cloud-based Azure AD. You can also enforce smart card authentication by specifying an additional required group for smart card-based security groups. And, by requiring Azure AD authentication for the gateway, you can use other Azure AD security features such as conditional access and Azure Multi-Factor Authentication.
  • Access to the Windows Admin Center gateway doesn't imply access to the target servers that are made visible by the gateway. To manage a target server, users must connect with credentials that grant administrator privileges on the servers they want to manage. However, some users might not need administrative access to perform their responsibilities. In this scenario, you can use role-based access control (RBAC) in Windows Admin Center to provide these users with limited access to servers rather than granting them full administrative access.

    Note

    If you deployed Local Administrator Password Solution (LAPS) in your environment, use LAPS credentials through Windows Admin Center to authenticate with a target server.

  • In Windows Admin Center, RBAC works by configuring each managed server with a Windows PowerShell Just Enough Administration endpoint. This endpoint defines the roles, including which parts of the system each role can manage and which users are assigned to the roles. When a user connects to the endpoint, RBAC creates a temporary local administrator account to manage the system on their behalf and automatically removes the account when the user stops managing the server through the Windows Admin Center. For more information, refer to Just Enough Administration.
  • Windows Admin Center also provides visibility into the management actions performed in your environment. Windows Admin Center records events by logging actions to the Microsoft-ServerManagementExperience event channel in the event log of the managed server. This allows you to audit actions that administrators perform, and helps you troubleshoot Windows Admin Center issues and review usage metrics. For more information on auditing, refer to Use event logging in Windows Admin Center to gain insight into management activities and track gateway usage.

DevOps considerations

  • Windows Admin Center was built for extensibility so that Microsoft and other developers can build tools and solutions beyond the current offerings. Windows Admin Center provides an extensible platform in which each connection type and tool is an extension that you can install, uninstall, and update individually. Microsoft offers a software development kit (SDK) that enables developers to build their own tools for Windows Admin Center.
  • You can build Windows Admin Center extensions using modern web technologies—including HTML5, CSS, Angular, TypeScript, and jQuery—to manage target servers via Windows PowerShell or Windows Management Instrumentation. You can also manage target servers, services, and devices over different protocols such as Representational State Transfer (REST) by building a Windows Admin Center gateway plugin.

    Tip

    For more information about using the SDK to develop extensions for Windows Admin Center, refer to Extensions for Windows Admin Center.

Cost considerations

  • For on-premises deployments, Windows Admin Center costs nothing beyond the cost of the Windows operating system, which requires valid Windows Server or Windows 10 licenses.
  • For Azure deployments, plan for costs associated with deploying Windows Admin Center to an Azure VM. Some of these costs might include the VM, storage, static or public IP addresses (if enabled), and any networking components required for integration with on-premises environments. In addition, you might need to plan for the cost of purchasing non-Microsoft CA certificates.