This chapter covers Azure Stack Hub, specifically its deployment and operation in disconnected (disconnected) environments. For the AZ-305 exam, understanding Azure Stack Hub's capabilities for edge and disconnected scenarios is critical, as it tests your ability to design hybrid solutions that meet regulatory or connectivity constraints. Approximately 5-10% of exam questions touch on Azure Stack Hub, often focusing on its differences from Azure Stack Edge and when to choose each.
Jump to a section
Imagine a remote research station in Antarctica. It has its own power supply, water treatment, and food storage—essentially self-contained. The station receives periodic supply shipments and data updates via satellite, but it must operate independently for months at a time. The station's systems are a miniature version of what a main headquarters has, but they are designed to work without a constant connection. Azure Stack Hub is like that research station: it runs a local instance of Azure services in a disconnected environment, with its own identity, storage, and compute. Just as the station must carefully manage its supplies and sync data when possible, Azure Stack Hub periodically connects to Azure for updates and support, but functions fully offline. The station's staff use local servers and databases that mirror the cloud, but they cannot access the global Azure network directly. Similarly, Azure Stack Hub provides Azure-consistent services locally, with the ability to synchronize back to Azure when connectivity is restored. The key is that the station is not just a cache—it is a fully functional base that can operate autonomously, just as Azure Stack Hub runs a full Azure stack locally without relying on a live connection to Microsoft's cloud.
What is Azure Stack Hub and Why Does It Exist?
Azure Stack Hub is an extension of Azure that brings cloud computing capabilities to on-premises environments. It is a hybrid cloud platform that enables organizations to run Azure services in their own data center, especially useful for scenarios where latency, connectivity, or regulatory compliance require local data processing. The disconnected (disconnected) mode is a key feature: Azure Stack Hub can operate without a persistent internet connection to Azure, making it ideal for remote locations, military operations, oil rigs, or any environment where connectivity is intermittent or non-existent.
How Azure Stack Hub Works Internally
Azure Stack Hub is delivered as an integrated hardware system (from Microsoft partners like Dell, HPE, or Lenovo) or as a software-only solution (Azure Stack Development Kit). It runs a hypervisor (Windows Server Hyper-V) and a set of Azure-consistent services: compute (VMs using Azure Resource Manager), storage (blob, queue, table, and disk), networking (VNETs, load balancers, VPN gateways), and identity (Azure Active Directory or Active Directory Federation Services).
In a connected environment, Azure Stack Hub syncs with Azure for billing, marketplace downloads, and updates. In a disconnected environment, it operates entirely offline. The system uses its own internal identity provider (Active Directory or AD FS) and does not require Azure AD connectivity. Marketplace items must be pre-downloaded or added via a disconnected marketplace tool. Billing is handled locally or via manual reconciliation.
Key Components, Values, Defaults, and Timers
Azure Stack Hub Scale Unit: A set of servers (typically 4-16) that form the core. Each server runs Hyper-V and contributes resources.
Stamps: Each Azure Stack Hub instance is called a stamp. A stamp is a standalone deployment.
Capacity: Minimum 8 nodes for production (4 for development).
Updates: In disconnected mode, you must download update packages manually and apply them via the admin portal or PowerShell.
Marketplace: Items must be downloaded from Azure in connected mode and then transferred to the disconnected system. Use the Get-AzStackMarketplaceItem PowerShell cmdlet.
Identity: Disconnected mode requires Active Directory or AD FS. Azure AD is not supported because it requires connectivity.
Billing: Use Capacity-based billing (pay-as-you-go is not available without connectivity).
Registration: Even disconnected systems must be registered with Azure (once) to enable licensing. This can be done via a one-time connection or using a registration token.
Configuration and Verification Commands
To check the status of an Azure Stack Hub stamp, use:
Test-AzureStackTo apply an update in disconnected mode:
Get-AzureStackUpdate -Provider | Install-AzureStackUpdate -Provider -Action Update -PackagePath <path>To view registration status:
Get-AzureStackRegistrationHow It Interacts with Related Technologies
Azure Stack Hub is often compared with Azure Stack Edge (formerly Data Box Edge). Azure Stack Edge is a hardware appliance that provides compute and storage at the edge with built-in AI capabilities, but it is designed for smaller-scale, remote deployments. Azure Stack Hub is larger and more feature-complete, providing a full Azure region on-premises. Azure Stack HCI is a different product focused on hyperconverged infrastructure without the Azure-consistent APIs.
In a disconnected scenario, Azure Stack Hub can still integrate with on-premises systems using VPN or ExpressRoute (if connectivity exists), but in full isolation, it operates as a standalone cloud.
Disconnected Deployment Steps (High-Level)
Plan capacity: Determine the number of servers and storage needed.
Install hardware: Rack and cable the servers.
Deploy Azure Stack Hub: Use the Deployment Toolkit or OEM-provided tools.
Register with Azure: Even disconnected, a one-time registration is required. Use a registration token or a temporary connection.
Configure identity: Set up AD FS or Active Directory.
Download marketplace items: In a connected environment, download items and transfer them to the disconnected system.
Apply updates: Download update packages and apply them manually.
Monitor and manage: Use the admin portal or PowerShell locally.
Important Values and Defaults
Update packages: Must be downloaded from the Azure Stack Hub update feed. Package size can be several GB.
Marketplace syndication: In disconnected mode, you must use the marketplace syndication tool to import items.
Time sync: Use a local NTP server. No external time source is required.
Certificate requirements: SSL certificates for the portal and services must be issued by a trusted CA (or internal CA).
Common Exam Traps
Trap: Azure Stack Hub requires a constant connection to Azure. Reality: It can operate fully disconnected.
Trap: Azure Stack Hub is the same as Azure Stack Edge. Reality: They are different products with different use cases.
Trap: Disconnected mode does not support any Azure services. Reality: It supports most core Azure services, but some (like Azure AD-based services) are not available.
Trap: You can use Azure AD in disconnected mode. Reality: No, you must use AD FS or Active Directory.
Summary
Azure Stack Hub in disconnected environments provides a fully functional Azure region on-premises without internet connectivity. It is ideal for regulatory, latency, or connectivity constraints. Key differences from connected mode include identity provider (AD FS vs Azure AD), marketplace item management (manual import), and billing (capacity-based). The AZ-305 exam expects you to know when to choose Azure Stack Hub over Azure Stack Edge or other hybrid solutions.
Plan capacity and hardware
Determine the number of virtual machines, storage, and networking required. Azure Stack Hub requires a minimum of 4 nodes for development and 8 for production. Each node must meet specific hardware requirements (e.g., 256 GB RAM, 12+ cores, NVMe drives). Use the Azure Stack Hub Capacity Planner tool to estimate resource needs. The hardware must be from a validated OEM partner. Plan for redundancy: at least two nodes for high availability. Also plan for future growth: you can add nodes later, but scaling out requires careful planning.
Deploy Azure Stack Hub
Use the Deployment Toolkit or OEM deployment scripts. The deployment process involves booting into a deployment environment, configuring network settings (IPs, DNS, NTP), and specifying the identity provider. For disconnected mode, choose AD FS. The deployment takes several hours. During deployment, the system installs Hyper-V, creates virtual machines for Azure Stack Hub services (e.g., Resource Manager, Storage, Compute), and configures the internal network. At the end, you will have an admin portal and a user portal.
Register with Azure
Even in disconnected mode, you must register the stamp with Azure for licensing. This can be done via a one-time connection to Azure (using a temporary internet connection) or using a registration token. The token is generated from the Azure portal and transferred to the disconnected system. Use the `Register-AzureStack` PowerShell cmdlet. Registration is valid for a specific period (usually 30 days for evaluation, renewable). Without registration, the stamp will stop functioning after the grace period.
Configure identity and certificates
Set up AD FS or Active Directory. For disconnected mode, AD FS is used to authenticate users. You must also install SSL certificates for the portal endpoints (adminportal, userportal, management, etc.). These certificates must be trusted by the clients accessing the portals. Use a public CA or an internal CA. The certificates must match the external DNS names. You can use PowerShell to apply certificates: `Set-AzStackCertificate`. Also configure DNS so that the Azure Stack Hub endpoints resolve correctly.
Download and import marketplace items
In a connected environment, download marketplace items (e.g., Windows Server images, SQL Server) using the Azure Stack Hub Marketplace Syndication tool. Transfer the downloaded files to the disconnected system via USB drive or network share. Then import them using the admin portal or PowerShell. Without this step, users will have no VM images to deploy. Note that some items require accepting license terms, which must be done during download.
Apply updates and monitor
Azure Stack Hub releases update packages periodically. In disconnected mode, download the update package from the Microsoft Update Catalog and apply it manually via the admin portal or PowerShell. Use `Get-AzureStackUpdate` to check available updates. Apply updates during maintenance windows. Monitor the health of the stamp using the admin dashboard and `Test-AzureStack`. Also configure backups: Azure Stack Hub supports backup to an external SMB share or to a local storage account.
Scenario 1: Military Base in a Remote Location
A military base in a desert region has no reliable internet connection. They need to run Azure services for logistics, communication, and data analysis. They deploy Azure Stack Hub with 12 nodes in a disconnected configuration. The base uses AD FS for local authentication. They pre-downloaded marketplace images and updates via satellite during a brief connectivity window. The system runs for months without issues. When a new update is released, they download it during a scheduled satellite connection and apply it. The key challenge was certificate management: they used an internal CA, but client devices needed to trust that CA. They also had to manually manage storage quotas and capacity. Misconfiguration of DNS caused initial portal access issues.
Scenario 2: Oil Rig in the North Sea
An oil rig uses Azure Stack Hub for real-time data processing from sensors. The rig has periodic connectivity via satellite but it is expensive and low-bandwidth. They deploy a 4-node development stack (non-production) to test workloads. They use capacity-based billing. The main problem was that the rig's environment (salt, vibration) required special hardware enclosures. They also needed to sync data to Azure when connectivity was available, using Azure Stack Hub's data sync capabilities (via Azure File Sync or custom scripts). A common mistake was assuming that Azure Stack Hub automatically syncs data; it does not—you must implement your own sync mechanism.
Scenario 3: Government Agency with Strict Data Sovereignty
A government agency cannot send data outside the country. They deploy Azure Stack Hub in a disconnected data center. They use AD FS and local storage. They must comply with regulations that require all data to remain on-premises. They use Azure Stack Hub's capacity-based billing and manually import updates. The challenge was that some Azure services (like Azure AD, Azure Monitor) are not available offline, so they had to use alternative tools (e.g., System Center for monitoring). They also needed to train IT staff on Azure Stack Hub's unique management model, which differs from traditional on-premises systems. Misconfiguration of network isolation led to a security incident where VMs could reach each other unintentionally.
What AZ-305 Tests on Azure Stack Hub (Objective 4.3)
The exam focuses on designing hybrid and edge solutions. Specifically, you need to know:
When to use Azure Stack Hub vs Azure Stack Edge vs Azure Stack HCI.
The requirements for disconnected operation (AD FS, manual updates, marketplace sync).
The difference between Azure Stack Hub and Azure (global).
How to handle identity, billing, and updates in disconnected mode.
Common Wrong Answers
"Azure Stack Hub requires constant connectivity to Azure." This is false. It can operate fully disconnected. Candidates choose this because they think all Azure services need internet.
"In disconnected mode, you can use Azure AD." False. Azure AD requires connectivity. Use AD FS.
"Azure Stack Hub automatically syncs marketplace items when connected." False. You must manually download and import them.
"Azure Stack Hub is the same as Azure Stack Edge." False. Edge is smaller, with hardware-accelerated AI, while Hub is a full cloud region.
Specific Exam Values
Minimum nodes: 8 for production, 4 for dev/test.
Identity: AD FS for disconnected, Azure AD for connected.
Billing: Capacity-based for disconnected, pay-as-you-go for connected.
Registration: Required even for disconnected.
Updates: Manual download and apply in disconnected mode.
Edge Cases
Multiple stamps: Can you connect multiple disconnected stamps? Not directly; each is standalone.
Time sync: Must use local NTP; no internet time.
Certificates: Must be valid and trusted; self-signed certificates will cause browser warnings.
Marketplace items: Some items require accepting license terms; terms must be accepted during download in connected environment.
How to Eliminate Wrong Answers
If the scenario mentions "no internet" and the answer uses Azure AD, eliminate it.
If the answer says "no registration needed," eliminate it.
If the answer suggests using Azure Stack Edge for a full data center, it's wrong (Edge is for edge, not full cloud).
If the answer says "marketplace items are automatically available," eliminate it.
Azure Stack Hub can operate fully disconnected using AD FS for identity.
Minimum 8 nodes for production, 4 for development/test.
Registration with Azure is required even for disconnected deployments.
Marketplace items must be manually downloaded and imported in disconnected mode.
Updates must be downloaded manually and applied via admin portal or PowerShell.
Azure Stack Hub is different from Azure Stack Edge; Edge is for smaller edge scenarios.
In disconnected mode, billing is capacity-based, not pay-as-you-go.
Certificates must be trusted; use internal CA or public CA.
These come up on the exam all the time. Here's how to tell them apart.
Azure Stack Hub
Full Azure region on-premises (compute, storage, networking)
Requires multiple servers (4-16 nodes) in a rack
Supports disconnected mode with AD FS
Capacity-based billing
Ideal for large-scale edge or data center
Azure Stack Edge
Single appliance with compute and storage
Hardware-accelerated AI (GPU)
Requires periodic connectivity (optional disconnected mode with limited functionality)
Pay-as-you-go or capacity billing
Ideal for remote edge with AI workloads
Mistake
Azure Stack Hub cannot function without an internet connection.
Correct
Azure Stack Hub is designed to operate fully disconnected. It runs its own identity service (AD FS), local storage, and compute. Internet is only needed for initial registration, downloading updates, and marketplace items—all of which can be done manually.
Mistake
You can use Azure Active Directory in disconnected mode.
Correct
No. Azure AD requires connectivity to Microsoft's cloud. In disconnected mode, you must use Active Directory Federation Services (AD FS) or an on-premises Active Directory. This is a key exam point.
Mistake
Azure Stack Hub automatically syncs marketplace items from Azure.
Correct
No. You must manually download marketplace items from a connected Azure Stack Hub or the Azure portal, then transfer and import them into the disconnected system. This is done via the marketplace syndication tool.
Mistake
Azure Stack Hub is the same as Azure Stack Edge.
Correct
They are different products. Azure Stack Hub provides a full Azure region on-premises with multiple nodes. Azure Stack Edge is a single appliance for edge compute with AI acceleration. The exam tests when to choose each.
Mistake
Disconnected mode does not require registration with Azure.
Correct
Registration is mandatory even for disconnected deployments. It enables licensing and telemetry (which can be disabled). Without registration, the stamp will shut down after a grace period.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, Azure Stack Hub can operate fully disconnected. However, it requires a one-time registration with Azure (which can be done via a registration token or temporary connection). After that, it runs independently. Updates and marketplace items must be manually imported.
For disconnected mode, you must use Active Directory Federation Services (AD FS) or an on-premises Active Directory. Azure AD is not supported because it requires connectivity. This is a common exam trap.
You must download marketplace items from a connected Azure Stack Hub or from the Azure portal using the Azure Stack Hub Marketplace Syndication tool. Then transfer the files to the disconnected system and import them via the admin portal or PowerShell.
Azure Stack Hub provides a full Azure region on-premises with multiple nodes, ideal for larger deployments. Azure Stack Edge is a single appliance with GPU for AI workloads, designed for smaller edge locations. Azure Stack Hub supports disconnected mode fully; Azure Stack Edge has limited disconnected capabilities.
Download the update package from the Microsoft Update Catalog or Azure Stack Hub update feed. Transfer it to the disconnected system and apply it using the admin portal (Updates blade) or PowerShell: `Install-AzureStackUpdate -Action Update -PackagePath <path>`.
No. In disconnected mode, billing is capacity-based (you pay for the hardware capacity upfront or via subscription). Pay-as-you-go requires connectivity to Azure for metering. This is a key exam distinction.
Registration is mandatory. Without registration, the stamp enters a grace period (typically 30 days) and then shuts down. You must register within that period to continue operation.
You've just covered Azure Stack Hub for Disconnected Environments — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?