Use a cloud distribution point in Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

Important

The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway by enabling the option to Allow CMG to function as a cloud distribution point and serve content from Azure storage. For more information, see Modify a CMG.

You won't be able to create a traditional cloud distribution point in the future. For more information, see Removed and deprecated features.

A cloud distribution point is a Configuration Manager distribution point that is hosted as Platform-as-a-Service (PaaS) in Microsoft Azure. This service supports the following scenarios:

  • Provide software content to internet-based clients without additional on-premises infrastructure

  • Cloud-enable your content distribution system

  • Reduce the need for traditional distribution points

This article helps you learn about the cloud distribution point, plan for its use, and design your implementation.

Features and benefits

Features

The cloud distribution point supports several features that are also offered by on-premises distribution points:

  • Manage cloud distribution points individually or as members of distribution point groups

  • Use a cloud distribution point as a fallback content location

  • Supports both intranet and internet-based clients

Benefits

The cloud distribution point provides the following additional benefits:

  • The site encrypts the content before sending it to the cloud distribution point in Azure.

  • To meet changing demands for content requests by clients, manually scale the cloud service in Azure. This action doesn't require that you install and provision additional distribution points in Configuration Manager.

  • Supports content download from clients configured for other content technologies, such as Windows BranchCache and alternate content providers.

  • Starting in version 1806, use cloud distribution points as source locations for pull-distribution points.

Topology design

Deployment and operation of the cloud distribution point includes the following components:

  • A cloud service in Azure. The site distributes content to this service, which stores it in Azure cloud storage. The management point provides this content location to clients in the list of available sources as appropriate.

  • A management point site system role services client requests as normal.

  • The cloud distribution point uses a certificate-based HTTPS web service to help secure network communication with clients. Clients must trust this certificate.

Azure Resource Manager

Starting in version 1806, create a cloud distribution point using an Azure Resource Manager deployment. Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When deploying a cloud distribution point with Azure Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and create the necessary cloud resources. This modernized deployment doesn't require the classic Azure management certificate.

Note

This feature doesn't enable support for Azure Cloud Service Providers (CSP). The cloud distribution point deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see available Azure services in Azure CSP.

Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud distribution point. Existing deployments continue to work.

In Configuration Manager version 1810 and earlier, the cloud distribution point wizard still provides the option for a classic service deployment using an Azure management certificate. To simplify the deployment and management of resources, use the Azure Resource Manager deployment model for all new cloud distribution points. If possible, redeploy existing cloud distribution points through Resource Manager.

Important

Starting in version 1810, the classic service deployment in Azure is deprecated for use in Configuration Manager. This version is the last to support creation of these Azure deployments. This functionality will be removed in the first Configuration Manager version released after July 1, 2019. Move your CMG and cloud distribution points to Azure Resource Manager deployments before this time.

Configuration Manager doesn't migrate existing classic cloud distribution points to the Azure Resource Manager deployment model. Create new cloud distribution points using Azure Resource Manager deployments, and then remove classic cloud distribution points.

Hierarchy design

Where you create the cloud distribution point depends upon which clients need to access the content. Starting in version 1806, there are three types of cloud distribution points:

  • Azure Resource Manager deployment: Create this type at a primary site or the central administration site.

  • Classic service deployment: Create this type only at a primary site.

  • The cloud management gateway can also serve content to clients. This functionality reduces the required certificates and cost of Azure VMs. For more information, see Plan for cloud management gateway.

To determine whether to include cloud distribution points in boundary groups, consider the following behaviors:

  • Internet-based clients don't rely on boundary groups. They only use internet-facing distribution points or cloud distribution points. If you're only using cloud distribution points to service these types of clients, then you don't need to include them in boundary groups.

  • If you want clients on your internal network to use a cloud distribution point, then it needs to be in the same boundary group as the clients. Clients prioritize cloud distribution points last in their list of content sources, because there's a cost associated with downloading content out of Azure. So a cloud distribution point is typically used as a fallback source for intranet-based clients. If you want a cloud-first design, then design your boundary groups to meet this business requirement. For more information, see Configure boundary groups.

Even though you install cloud distribution points in specific regions of Azure, clients aren't aware of the Azure regions. They randomly select a cloud distribution point. If you install cloud distribution points in multiple regions, and a client receives more than one in the content location list, the client might not use a cloud distribution point from the same Azure region.

Backup and recovery

When you use a cloud distribution point in your hierarchy, use the following information to help you plan for backup and recovery:

  • When you use the Backup Site Server maintenance task, Configuration Manager automatically includes the configurations for the cloud distribution point.

  • Back up and save a copy of the server authentication certificate. If you use the classic service deployment in Azure, also back up and save a copy of the Azure management certificate. When you restore the Configuration Manager primary site to a different server, you must reimport the certificates.

Requirements

  • You need an Azure subscription to host the service.

    • An Azure administrator needs to participate in the initial creation of certain components, depending upon your design. This persona doesn't require permissions in Configuration Manager.
  • The site server requires internet access to deploy and manage the cloud service.

  • When using the Azure Resource Manager deployment method, integrate Configuration Manager with Azure AD for Cloud Management. Azure AD user discovery isn't required.

  • A server authentication certificate. For more information, see the Certificates section below.

    • To reduce complexity, use a public certificate provider for the server authentication certificate. When doing so, you also need a DNS CNAME alias for clients to resolve the name of the cloud service.
  • In Configuration Manager version 1810 or earlier, if using the Azure classic deployment method, you need an Azure management certificate. For more information, see the Certificates section below.

    Tip

    Starting with Configuration Manager version 1806, use the Azure Resource Manager deployment model. It doesn't require this management certificate.

    The classic deployment method is deprecated as of version 1810.

  • Set the client setting, Allow access to cloud distribution points, to Yes in the Cloud Services group. By default, this value is set to No.

  • Client devices require internet connectivity, and must use IPv4.

Specifications

  • The cloud distribution point supports all Windows versions listed in Supported operating systems for clients and devices.

  • An administrator distributes the following types of supported software content:

    • Applications

    • Packages

    • OS upgrade packages

    • Third-party software updates

      Important

      While the Configuration Manager console doesn't block the distribution of Microsoft software updates to a cloud distribution point, you're paying Azure costs to store content that clients don't use. Internet-based clients always get Microsoft software update content from the Microsoft Update cloud service. Don't distribute Microsoft software updates to a cloud distribution point.

  • Starting in version 1806, configure a pull-distribution point to use a cloud distribution point as a source. For more information, see About source distribution points.

Deployment settings

  • When you deploy a task sequence with the option to Download content locally when needed by running task sequence, the management point doesn't include a cloud distribution point as a content location. Deploy the task sequence with the option to Download all content locally before starting task sequence for clients to use a cloud distribution point.

  • A cloud distribution point doesn't support package deployments with the option to Run program from distribution point. Use the deployment option to Download content from distribution point and run locally.

Limitations

  • You can't use a cloud distribution point for PXE or multicast-enabled deployments.

  • A cloud distribution point doesn't support App-V streaming applications.

  • You can't prestage content on a cloud distribution point. The distribution manager of the primary site that manages the cloud distribution point transfers all content.

  • You can't configure a cloud distribution point as a pull-distribution point.

Cost

Important

The following cost information is for estimating purposes only. Your environment may have other variables that affect the overall cost of using a cloud distribution point.

Configuration Manager includes the following options to help control costs and monitor data access:

  • Control and monitor the amount of content that you store in a cloud service. For more information, see Monitor cloud distribution points.

  • Configure Configuration Manager to alert you when thresholds for client downloads meet or exceed monthly limits. For more information, see Data transfer threshold alerts.

  • To help reduce the number of data transfers from cloud distribution points by clients, use a peer caching technology, such as Windows BranchCache.

Components

A cloud distribution point uses the following Azure components, which incur charges to the Azure subscription account:

Tip

Starting in version 1806, the cloud management gateway can also serve content to clients. This functionality reduces the cost by consolidating the Azure VMs. For more information, see Cost for cloud management gateway.

Virtual machine

  • The cloud distribution point uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.

  • Each cloud distribution point service uses two Standard A0 VMs.

  • See the Azure pricing calculator to help determine potential costs.

    Note

    Virtual machine costs vary by region.

Outbound data transfer

  • Any dataflows into Azure are free (ingress or upload). Distributing content from the site to the cloud distribution point is uploading to Azure.

  • Charges are based on data flowing out of Azure (egress or download). Cloud distribution point dataflows out of Azure consist of the software content that clients download.

  • For more information, see Monitor cloud distribution points.

  • See the Azure bandwidth pricing details to help determine potential costs. Pricing for data transfer is tiered. The more you use, the less you pay per gigabyte.

Content storage

  • Internet-based clients get Microsoft software update content from the Microsoft Update cloud service at no charge. Don't distribute software update deployment packages with Microsoft software updates to a cloud distribution point. Otherwise, you'll incur data storage costs for content that clients never use.

  • Cloud distribution points use the following standard blob storage depending upon the deployment model:

    • An Azure Resource Manager deployment uses Azure locally redundant storage (LRS). This change reduces the cost of the storage account, because the classic deployment wasn't using the additional features of GRS. For more information, see Locally redundant storage.

    • A classic deployment with Configuration Manager version 1810 or earlier uses Azure geo-redundant storage (GRS). For more information, see Geo-redundant storage.

Other costs

  • Each cloud service has a dynamic IP address. Each distinct cloud distribution point uses a new dynamic IP address. Adding additional VMs per cloud service doesn't increase these addresses.

Ports and data flow

There are two primary data flows for the cloud distribution point:

  • The site server connects to Azure to set up the cloud distribution point service

  • A client connects to the cloud distribution point to download content

Site server to Azure

You don't need to open any inbound ports to your on-premises network. The site server initiates all communication with Azure and the cloud distribution point to deploy, update, and manage the cloud service. The site server needs to create outbound connections to the Microsoft cloud. This action is equivalent to installing the distribution point site system role on a specific site.

Client to cloud distribution point

You don't need to open any inbound ports to your on-premises network. Internet-based clients communicate directly with the Azure service. Clients on your internal network that use a cloud distribution point need to connect to the Microsoft cloud.

For more information on content location priority and when intranet-based clients use a cloud distribution point, see Content source priority.

When a client uses a cloud distribution point as a content location:

  1. The management point gives the client an access token along with the list of content sources. This token is valid for 24 hours, and gives the client access to the cloud distribution point.

  2. The management point responds to the client's location request with the Service FQDN of the cloud distribution point. This property is the same as the common name of the server authentication certificate.

    If you're using your domain name, for example, WallaceFalls.contoso.com, then the client first tries to resolve this FQDN. You need a CNAME alias in your domain's internet-facing DNS for clients to resolve the Azure service name, for example: WallaceFalls.cloudapp.net.

  3. The client next resolves the Azure service name, for example, WallaceFalls.cloudapp.net, to a valid IP address. This response should be handled by Azure's DNS.

  4. The client connects to the cloud distribution point. Azure load balances the connection to one of the VM instances. The client authenticates itself using the access token.

  5. The cloud distribution point authenticates the client's access token, and then gives the client the exact content location in Azure storage.

  6. If the client trusts the cloud distribution point's server authentication certificate, it connects to Azure storage to download the content.

Performance and scale

As with any distribution point design, consider the following factors:

  • Number of concurrent client connections
  • The size of the content that clients download
  • The length of time allowed to meet your business requirements

Depending upon your topology design, if clients have the option of more than one cloud distribution point for any given content, then they naturally randomize across those cloud services. If you only distribute a certain piece of content to a single cloud distribution point, and a large number of clients try to download this content at the same time, this activity puts higher load on that single cloud distribution point. Adding an additional cloud distribution point also includes a separate Azure storage service. For more information on how the client communicates with the cloud distribution point components and downloads content, see Ports and data flow.

The cloud distribution point uses two Azure VMs as the front end to the Azure storage. This default deployment meets most customers' needs. In some extreme circumstances, with a large number of concurrent client connections (for example, 150,000 clients), the processing capacity of the Azure VMs can't keep up with the client requests. You can't resize the Azure VMs used for the cloud distribution point. While you can't configure the number of VM instances for the cloud distribution point in Configuration Manager, if necessary, reconfigure the cloud service in the Azure portal. Either manually add more VM instances, or configure the service to automatically scale.

Important

When you update Configuration Manager, the site redeploys the cloud service. If you manually reconfigure the cloud service in the Azure portal, the number of instances resets to the default of two.

The Azure storage service supports 500 requests per second for a single file. Performance testing of a single cloud distribution point supported distribution of a single 100-MB file to 50,000 clients in 24 hours.

Certificates

Depending upon your cloud distribution point design, you need one or more digital certificates.

General information

Certificates for cloud distribution points support the following configurations:

  • 4096-bit key length

  • Version 3 certificates. For more information, see CNG certificates overview.

  • Starting in version 1802, support for Windows configured with the following policy: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

  • Starting in version 1802, support for TLS 1.2. For more information, see Cryptographic controls technical reference.

Server authentication certificate

This certificate is required for all cloud distribution point deployments.

For more information, see CMG server authentication certificate, and the following subsections, as necessary:

  • CMG trusted root certificate to clients
  • Server authentication certificate issued by public provider
  • Server authentication certificate issued from enterprise PKI

The cloud distribution point uses this type of certificate in the same way as the cloud management gateway. Clients also need to trust this certificate. To reduce complexity, Microsoft recommends using a certificate issued by a public provider.

Unless you use a wildcard certificate, don't reuse the same certificate. Each instance of the cloud distribution point and cloud management gateway requires a unique server authentication certificate.

For more information on creating this certificate from a PKI, see Deploy the service certificate for cloud distribution points.
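Before handing a server authentication certificate to the cloud distribution point wizard, a practitioner typically checks it against the requirements in this section and against the name resolution described in Ports and data flow (the common name must equal the Service FQDN, and a CNAME alias must point that FQDN at the Azure service name). The following PowerShell function is an added example, not a script from the Configuration Manager product or its documentation; the PFX path, FQDN and Azure service name are placeholders, and the 2048-bit minimum is an assumption (the page only states that 4096-bit keys are supported).

```powershell
# Added example (not from the Configuration Manager docs): pre-flight checks for a cloud
# distribution point server authentication certificate and its DNS CNAME alias.
function Test-CloudDPServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string] $ServiceFqdn,   # e.g. WallaceFalls.contoso.com (placeholder)
        [string] $AzureServiceName,                    # e.g. WallaceFalls.cloudapp.net (placeholder)
        [int] $MinimumKeyBits = 2048                   # assumed floor; the page documents 4096-bit support
    )

    # Load the PFX without persisting the key into a local key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword, $flags)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The common name must equal the Service FQDN the management point hands to clients
    #    (a wildcard certificate covering the FQDN is also accepted).
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $wildcardOk = $cn.StartsWith('*.') -and ($ServiceFqdn -like "*.$($cn.Substring(2))")
    if ($cn -ne $ServiceFqdn -and -not $wildcardOk) {
        $findings.Add("Common name '$cn' does not match service FQDN '$ServiceFqdn'")
    }

    # 2. Version 3 certificate with an RSA key at or above the configured floor.
    if ($cert.Version -ne 3) { $findings.Add("Certificate version is $($cert.Version), expected 3") }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) { $findings.Add('Public key is not RSA') }
    elseif ($rsa.KeySize -lt $MinimumKeyBits) { $findings.Add("RSA key is $($rsa.KeySize) bits, below $MinimumKeyBits") }

    # 3. Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a private key in the PFX.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $findings.Add('Missing Server Authentication enhanced key usage')
    }
    if (-not $cert.HasPrivateKey) { $findings.Add('PFX does not contain the private key') }

    # 4. Validity window, and a trust chain this machine can build; clients must build the same chain.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("Certificate expires $($cert.NotAfter)") }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $findings.Add("Chain does not build on this machine: $status (clients need the full issuing chain)")
    }

    # 5. Optional: the internet-facing DNS CNAME from the service FQDN to the Azure service name.
    if ($AzureServiceName) {
        $cname = Resolve-DnsName -Name $ServiceFqdn -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) { $findings.Add("No CNAME record found for $ServiceFqdn") }
        elseif ($cname.NameHost -ne $AzureServiceName) {
            $findings.Add("CNAME points to $($cname.NameHost), expected $AzureServiceName")
        }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage with placeholder values:
# $pw = Read-Host -AsSecureString 'PFX password'
# Test-CloudDPServerCertificate -PfxPath 'C:\certs\WallaceFalls.pfx' -PfxPassword $pw `
#     -ServiceFqdn 'WallaceFalls.contoso.com' -AzureServiceName 'WallaceFalls.cloudapp.net'
```

The DNS step queries the resolver the machine is configured with, so run it from an internet-connected host to see what internet-based clients will see.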

Azure management certificate

This certificate is required for classic service deployments. It isn't required for Azure Resource Manager deployments.

Important

Starting with Configuration Manager version 1806, use the Azure Resource Manager deployment model. It doesn't require this management certificate.

The classic deployment method is deprecated as of version 1810.

Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud distribution point. This certificate isn't required in Configuration Manager version 1902 or later.

If using the Azure classic deployment method with Configuration Manager version 1810 or earlier, you need an Azure management certificate. For more information, see the Azure management certificate section of the cloud management gateway certificates article. The Configuration Manager site server uses this certificate to authenticate with Azure to create and manage the classic deployment.

To reduce complexity, use the same Azure management certificate for all classic deployments of cloud distribution points and cloud management gateways, across all Azure subscriptions and all Configuration Manager sites.

Frequently asked questions (FAQ)

Does a client need a certificate to download content from a cloud distribution point?

A client authentication certificate isn't required. The client does need to trust the server authentication certificate used by the cloud distribution point. If this certificate is issued by a public certificate provider, then most Windows devices already include trusted root certificates for these providers. If you issued a server authentication certificate from your organization's PKI, then your clients need to trust the issuing certificates in the entire chain. This chain includes the root certificate authority, and any intermediate certificate authorities. Depending upon your PKI design, this certificate can introduce additional complexity to the deployment of the cloud distribution point. To avoid this complexity, Microsoft recommends using a public certificate provider that your clients already trust.

Can my on-premises clients use a cloud distribution point?

Yes. If you want clients on your internal network to use a cloud distribution point, then it needs to be in the same boundary group as the clients. Clients prioritize cloud distribution points last in their list of content sources, because there's a cost associated with downloading content out of Azure. Thus, a cloud distribution point is typically used as a fallback source for intranet-based clients. If you want a cloud-first design, then design your boundary groups accordingly. For more information, see Configure boundary groups.

Do I need Azure ExpressRoute?

Azure ExpressRoute lets you extend your on-premises network into the Microsoft cloud. ExpressRoute, or any other such virtual network connection, isn't required for the Configuration Manager cloud distribution point.

If your organization uses ExpressRoute, isolate the Azure subscription for the cloud distribution point from the subscription that uses ExpressRoute. This configuration ensures that the cloud distribution point isn't accidentally connected in this manner.

Do I need to maintain the Azure virtual machines?

No maintenance is required. The design of the cloud distribution point uses Azure platform as a service (PaaS). Using the subscription you provide, Configuration Manager creates the necessary VMs, storage, and networking. Azure secures and updates the virtual machines. These VMs aren't a part of your on-premises environment, as they would be with infrastructure as a service (IaaS). The cloud distribution point is a PaaS that extends your Configuration Manager environment into the cloud. For more information, see Security advantages of a PaaS cloud service model.

Does the cloud distribution point use Azure CDN?

The Azure Content Delivery Network (CDN) is a global solution for rapidly delivering high-bandwidth content by caching the content at strategically placed physical nodes across the world. For more information, see What is Azure CDN?.

The Configuration Manager cloud distribution point currently doesn't support Azure CDN.

Next steps

Install cloud distribution points