Azure Local Disconnected Mode Operations
Table of Contents
- What is Disconnected Mode?
- When Disconnected Mode is Necessary
- Feature Limitations vs. Connected Mode
- Periodic Synchronization Strategy
- Management Without Continuous Cloud Connection
- Security in Disconnected Scenarios
- Challenges and Mitigation Strategies
- Customer Use Cases - Disconnected Mode
- Best Practices
- Comparison: When to Choose Disconnected Mode
- Next Steps
What is Disconnected Mode?
Disconnected Mode enables Azure Local clusters to operate completely independently without continuous connectivity to Microsoft Azure or the internet. This mode is designed for air-gapped environments, classified networks, and scenarios where data must remain completely isolated.
graph TB
subgraph AirGap[π Air-Gapped Environment - No External Connectivity]
subgraph Local[On-Premises Infrastructure]
Cluster[Azure Local Cluster<br/>Fully Autonomous]
WAC[Windows Admin Center<br/>Local Management]
VMs[Virtual Machines]
Storage[Storage Spaces Direct]
Backup[Local Backup]
end
Admin[Administrator] --> WAC
WAC --> Cluster
Cluster --> VMs
Cluster --> Storage
VMs --> Backup
style Local fill:#FFF4E6,stroke:#FF8C00,stroke-width:3px,color:#000
end
Azure[Azure Cloud<br/>β No Connection]
Internet[Internet<br/>β No Access]
style AirGap fill:#F8F8F8,stroke:#D13438,stroke-width:3px,stroke-dasharray: 5 5,color:#000
style Azure fill:#E8F4FD,stroke:#999,stroke-width:1px,stroke-dasharray: 3 3,color:#999
style Internet fill:#F3E8FF,stroke:#999,stroke-width:1px,stroke-dasharray: 3 3,color:#999
style Storage fill:#D4E9D7,stroke:#107C10,stroke-width:2px,color:#000
Key Characteristics
Connectivity:
- No continuous Azure connectivity required
- Optional periodic connectivity for updates
- Can be completely air-gapped indefinitely
- All management functions available locally
Management:
- Windows Admin Center for local management
- PowerShell for automation and scripting
- No Azure portal access
- All operations are on-premises
Operations:
- Fully autonomous cluster operation
- No dependency on cloud services
- Local backup and DR solutions
- Manual update deployment
- Complete operational sovereignty
β Back to Azure Local Overview
When Disconnected Mode is Necessary
Air-Gapped Requirements
Definition: An air-gapped environment has no physical or logical connection to external networks, including the internet.
Common Scenarios:
- Classified Government Networks: Defense, intelligence, national security
- Secure Research Facilities: Sensitive R&D, weapons research, national labs
- Critical Infrastructure: Power plants, water treatment, nuclear facilities
- Financial Trading Floors: High-frequency trading systems
- Healthcare Isolated Networks: Psychiatric facilities, research hospitals
Compliance Drivers:
- ITAR (International Traffic in Arms Regulations)
- National security requirements
- Top Secret/SCI classifications
- SCIF (Sensitive Compartmented Information Facility)
- Critical infrastructure protection regulations
Restricted Network Scenarios
Disconnected Mode is also appropriate for:
Highly Regulated Industries:
- Banking core systems (SOX, PCI-DSS)
- Healthcare clinical systems (HIPAA)
- Government citizen data (privacy laws)
- Legal case management (attorney-client privilege)
Operational Requirements:
- Zero tolerance for internet dependency
- Complete control over all data flows
- No external communication allowed
- Isolation from corporate networks
Threat Models:
- Protection against advanced persistent threats (APT)
- Prevention of data exfiltration
- Protection against supply chain attacks
- Insider threat mitigation
Geographic and Infrastructure Challenges
Remote Locations:
- Oil rigs and offshore platforms
- Remote military bases
- Polar research stations
- Ships and submarines
- Mining operations
Unreliable Connectivity:
- Locations with frequent outages
- High-latency satellite connections
- Bandwidth-constrained environments
- Networks with unpredictable availability
Cost and Licensing Considerations
Some organizations choose Disconnected Mode to:
- Avoid cloud service costs
- Reduce WAN bandwidth requirements
- Simplify licensing compliance
- Minimize external dependencies
Feature Limitations vs. Connected Mode
Not Available in Disconnected Mode
Azure Integration:
- β Azure portal management
- β Azure Arc registration
- β Azure Monitor integration
- β Azure Backup to cloud
- β Azure Site Recovery
- β Azure Security Center
- β Azure Policy enforcement
- β Azure Update Manager
Hybrid Services:
- β Azure Virtual Desktop (cloud-managed)
- β Azure IoT Hub integration
- β Azure Machine Learning cloud training
- β Azure AD authentication (cloud-only)
- β Automatic updates from Microsoft
Observability:
- β Centralized monitoring across clusters
- β Cloud-based log analytics
- β Cross-cluster dashboards
- β Azure-based alerting
Available in Disconnected Mode
Core Capabilities:
- β All VM workloads
- β Storage Spaces Direct
- β Software-defined networking
- β Hyper-V and AKS
- β High availability and failover
- β Local backup solutions
- β GPU acceleration
- β Edge AI/ML workloads
Management:
- β Windows Admin Center (local)
- β PowerShell automation
- β Local Active Directory
- β Group Policy
- β Local RBAC
- β Event log monitoring
- β Performance monitoring
Security:
- β BitLocker encryption
- β Secure Boot and TPM
- β Network isolation
- β Local firewall
- β Windows Defender
- β Local security policies
Comparison Table:
| Feature | Connected Mode | Disconnected Mode |
|---|---|---|
| VM Workloads | β Full | β Full |
| Storage Performance | β Full | β Full |
| Networking | β Full | β Full |
| High Availability | β Yes | β Yes |
| Azure Portal | β Yes | β No |
| Azure Monitor | β Yes | β No (local only) |
| Cloud Backup | β Yes | β No |
| Auto Updates | β Yes | β Manual only |
| Cost | π‘ Higher | π’ Lower |
| Complexity | π’ Lower | π‘ Higher |
| Air-gap Support | β No | β Yes |
Periodic Synchronization Strategy
Even in Disconnected Mode, periodic synchronization can be beneficial when security policies permit.
Sync Options
Option 1: Periodic Network Connection
- Connect to internet/Azure on schedule (e.g., monthly)
- Download updates and telemetry
- Sync configuration changes
- Disconnect after sync complete
Frequency:
- Monthly (most common)
- Quarterly (for very restrictive environments)
- On-demand (when specific updates needed)
Option 2: Air-Gapped Transfer
- Download updates to external media
- Physical transfer to disconnected environment
- Apply updates locally
- No network connection required
Process:
- Use connected system to download updates
- Copy to USB drive or portable hard drive
- Security scan media before import
- Transfer to disconnected environment
- Import and apply updates
- Document transfer in audit log
Option 3: One-Way Data Diode
- Hardware-enforced unidirectional data flow
- Allows updates in, prevents data out
- Used in high-security environments
- Expensive but provides maximum assurance
What to Synchronize
Updates:
- Windows Server cumulative updates
- Azure Local platform updates
- Security patches
- Driver and firmware updates
Telemetry (Optional):
- Health and diagnostic data
- Performance metrics
- Fault reports
- For vendor support purposes
Configuration:
- Policy updates
- Certificate renewals
- License activations
Data Consistency Approaches
Between Sync Periods:
Baseline Configuration:
- Establish approved configuration baseline
- Document any deviations
- Review during next sync
- Restore compliance if needed
Change Control:
- Strict change management process
- Document all changes
- Review and approve before implementation
- Audit regularly
Drift Detection:
- Regular configuration audits
- Compare against baseline
- Identify unauthorized changes
- Remediate before next sync
Management Without Continuous Cloud Connection
Windows Admin Center
Primary Management Interface:
Capabilities:
- Full cluster management
- VM lifecycle operations
- Storage configuration
- Network management
- Performance monitoring
- Update deployment
- Certificate management
Access Methods:
- Installed on management workstation
- Installed on cluster nodes (gateway mode)
- Remote access via RDP/VPN
- High availability deployment
Advantages:
- Rich graphical interface
- No cloud dependency
- Real-time operations
- Comprehensive feature set
Reference: Windows Admin Center
PowerShell Management
Comprehensive Automation:
Common Tasks:
# Cluster management
Get-ClusterNode
Get-ClusterResource
Get-ClusterSharedVolume
# VM operations
Get-VM
New-VM -Name "AppServer01" -MemoryStartupBytes 8GB -VHDPath "C:\VMs\App01.vhdx"
Start-VM -Name "AppServer01"
# Storage management
Get-StoragePool
Get-Volume
New-Volume -FriendlyName "Data01" -Size 1TB -ResiliencySettingName "Mirror"
# Network management
Get-VMSwitch
New-VMSwitch -Name "ExternalSwitch" -NetAdapterName "Ethernet"
# Health monitoring
Get-HealthFault
Get-StorageJob
Automation Scripts:
- Scheduled health checks
- Backup automation
- Report generation
- Configuration validation
Local Monitoring and Alerting
Event-Based Monitoring:
Windows Event Logs:
- System logs for cluster events
- Application logs for workloads
- Security logs for auditing
- Forwarding to SIEM (if available)
Performance Monitor:
- Real-time performance metrics
- Historical data collection
- Custom counters and alerts
- Performance baselines
Health Service:
- Built-in Azure Local health monitoring
- Predictive failure detection
- Storage capacity alerts
- Performance degradation detection
Custom Monitoring Solutions:
- SCOM (System Center Operations Manager)
- Nagios, Zabbix, Prometheus
- Custom PowerShell scripts
- Email/SMS alerting
Update Management
Manual Update Process:
Monthly Update Cycle:
- Preparation (Week 1):
- Review Microsoft security bulletin
- Download updates to test environment
- Test in non-production cluster
- Document results
- Change Control (Week 2):
- Submit change request
- Get approval from stakeholders
- Schedule maintenance window
- Communicate to users
- Deployment (Week 3):
- Backup cluster configuration
- Run Cluster-Aware Updating (CAU)
- Monitor deployment progress
- Validate after each node
- Validation (Week 4):
- Full cluster health check
- Application testing
- Performance validation
- Document completion
Emergency Patching:
- Expedited process for critical security patches
- Out-of-band deployment
- Shortened testing cycle
- Enhanced monitoring post-deployment
Security in Disconnected Scenarios
Enhanced Security Posture
Disconnected Mode provides inherent security advantages:
Attack Surface Reduction:
- No internet-facing services
- No inbound connections from external networks
- Eliminates entire classes of attacks
- Reduced vulnerability to zero-day exploits
Data Exfiltration Prevention:
- Physical air-gap prevents data leakage
- No path for malware to βphone homeβ
- Insider threats limited to physical access
- Command and control (C2) channels blocked
Supply Chain Protection:
- Controlled update process
- Verification of all imported code
- Malicious update prevention
- Reduced risk of compromised dependencies
Security Hardening
Baseline Security:
Operating System:
- CIS Benchmark Level 2
- STIG (Security Technical Implementation Guide)
- Minimal installation
- Disabled unnecessary services
- Regular vulnerability scanning
Network Security:
- Host-based firewall enabled
- Network segmentation (VLANs)
- Strict access control lists
- Intrusion detection systems (IDS)
- No wireless networks
Access Controls:
- Multi-factor authentication (MFA)
- Privileged access management (PAM)
- Just-in-time admin access
- Regular access reviews
- Separation of duties
Physical Security
Critical for disconnected environments:
Hardware Security:
- Locked racks and enclosures
- Tamper-evident seals
- Serial number tracking
- Secure disposal procedures
- No unauthorized devices
Facility Security:
- Badge access control
- Video surveillance
- Security guards
- Visitor logs and escorts
- Mantraps and dual authentication
Media Security:
- Secure storage for update media
- Chain of custody for transfers
- Media sanitization procedures
- Encrypted storage
- Regular media inventory
Compliance and Auditing
Audit Logging:
- Comprehensive event logging
- Log forwarding to SIEM
- Tamper-proof log storage
- Regular log review
- Long-term retention (7+ years)
Compliance Frameworks:
- NIST 800-53 (government)
- ITAR (defense industry)
- HIPAA (healthcare)
- PCI-DSS (payment cards)
- ISO 27001 (information security)
Regular Audits:
- Quarterly security assessments
- Annual penetration testing
- Configuration audits
- Access reviews
- Vulnerability scanning
Documentation:
- System security plan (SSP)
- Security controls documentation
- Risk assessment
- Incident response plan
- Business continuity plan
Challenges and Mitigation Strategies
Challenge 1: Manual Update Management
Problem:
- Time-consuming process
- Risk of human error
- Delayed patch deployment
- Testing overhead
Mitigation Strategies:
- Establish documented procedures
- Automate with PowerShell where possible
- Maintain test environment
- Use CAU for orchestration
- Schedule regular update cycles
- Prioritize critical security patches
Challenge 2: Limited Observability
Problem:
- No centralized monitoring across clusters
- Manual log collection
- Difficult to correlate events
- Reactive rather than proactive
Mitigation Strategies:
- Deploy local SIEM solution
- Implement automated health checks
- Use PowerShell for regular reporting
- Establish performance baselines
- Create custom dashboards in Windows Admin Center
- Document normal operational patterns
Challenge 3: Backup Complexity
Problem:
- No cloud-based backup
- Local infrastructure required
- Offsite protection challenges
- Recovery time objectives
Mitigation Strategies:
- Deploy secondary Azure Local cluster for local DR
- Use traditional backup solutions (Veeam, Commvault)
- Replicate to secure offsite facility
- Regular restore testing
- Automate backup monitoring
- Implement backup verification
Challenge 4: Troubleshooting Without Cloud Support
Problem:
- No Azure support diagnostics
- Limited remote support options
- Extended resolution times
Mitigation Strategies:
- Build strong internal expertise
- Maintain comprehensive documentation
- Establish peer support networks
- Use Microsoft Premier Support effectively
- Collect diagnostic data for offline analysis
- Create detailed runbooks
Challenge 5: Certificate Management
Problem:
- Certificates expire without internet access
- Renewal process is manual
- Risk of expired certificates causing outages
Mitigation Strategies:
- Implement internal Certificate Authority (CA)
- Automate certificate monitoring
- Alert 90 days before expiration
- Document renewal procedures
- Test certificate renewal process
- Use longer validity periods (where allowed)
Challenge 6: Software Licensing
Problem:
- Activation and licensing verification
- Volume licensing management
- Offline activation requirements
Mitigation Strategies:
- Use Volume Licensing (VL) with KMS
- Implement local Key Management Service
- Document activation procedures
- Plan for periodic re-activation
- Maintain license documentation
- Work with Microsoft licensing team
Customer Use Cases - Disconnected Mode
Use Case 1: Defense Agency Classified Network
Scenario:
- Top Secret/SCI classified network
- Complete air-gap required (no internet)
- 500+ VMs across 8-node cluster
- Mission-critical intelligence applications
- Zero tolerance for data spillage
Disconnected Mode Implementation:
- No Azure connectivity ever
- Windows Admin Center for management
- Manual quarterly updates via secure media
- Local backup to secondary cluster
- Physical security controls
- Comprehensive audit logging
Results:
- β 100% compliance with security requirements
- β Complete operational sovereignty
- β No risk of data exfiltration
- β 99.9% uptime for 3 years
- β Passed all security audits
- β Zero security incidents
Key Learnings:
- Quarterly updates sufficient for security
- Local expertise critical for operations
- Documentation and runbooks essential
- Regular testing of DR procedures mandatory
Use Case 2: Nuclear Power Plant Control Systems
Scenario:
- Nuclear power generation facility
- Critical infrastructure protection requirements
- Real-time SCADA and control systems
- Air-gapped from corporate and internet
- NRC (Nuclear Regulatory Commission) compliance
Disconnected Mode Implementation:
- Completely isolated network
- 4-node cluster for redundancy
- Local management only
- Monthly updates via secure process
- Dedicated operations team
- Offline backup and DR
Results:
- β NRC compliance maintained
- β Zero unplanned downtime
- β Protection against cyber threats
- β Rapid response to operational needs
- β Complete audit trail
- β Successful disaster recovery tests
Key Learnings:
- Physical security as important as cyber
- Change control critical for safety
- Regular training for operations staff
- Simulate failure scenarios regularly
Use Case 3: Financial High-Frequency Trading
Scenario:
- Trading floor with HFT algorithms
- Sub-millisecond latency requirement
- Isolated from corporate network
- Proprietary algorithms (IP protection)
- SEC regulatory requirements
Disconnected Mode Implementation:
- Isolated VLAN segment
- No internet or corporate connectivity during market hours
- 2-node cluster with GPU acceleration
- After-hours sync for updates
- Real-time risk monitoring (local)
- Comprehensive audit logging
Results:
- β Sub-500 microsecond latency
- β Zero IP leakage incidents
- β SEC compliance maintained
- β 99.99% uptime during market hours
- β Protected proprietary algorithms
- β Successful regulatory audits
Key Learnings:
- Network isolation critical for latency
- After-hours maintenance window sufficient
- Local monitoring essential for trading
- Disaster recovery must be seconds, not minutes
Use Case 4: Pharmaceutical Research Laboratory
Scenario:
- Drug discovery research
- Sensitive compound data (IP protection)
- FDA compliance requirements
- Collaboration with external partners (limited)
- High-performance computing for simulations
Disconnected Mode Implementation:
- Air-gapped research network
- 8-node cluster with GPU nodes
- Data import via secure transfer process
- Local AI/ML model training
- Monthly external sync for approved data
- Comprehensive data classification
Results:
- β Complete IP protection (zero breaches)
- β FDA 21 CFR Part 11 compliance
- β 50% faster drug discovery cycle
- β Successful collaboration with partners
- β Data sovereignty maintained
- β Audit-ready documentation
Key Learnings:
- Data classification essential
- Secure data transfer process critical
- GPU acceleration enables faster research
- Periodic sync sufficient for collaboration
Use Case 5: Remote Mining Operation
Scenario:
- Remote mining site in Australia outback
- No reliable internet connectivity
- Operations cannot stop for connectivity
- Safety-critical monitoring systems
- 200+ VMs for various systems
Disconnected Mode Implementation:
- Complete offline operation
- Satellite link for emergency only
- 4-node cluster
- Local management team
- Quarterly updates via physical media
- Diesel generators for power
Results:
- β Zero downtime due to connectivity
- β Continuous mining operations
- β Safety systems always available
- β Cost savings (no WAN costs)
- β Autonomous operations
- β Improved operational efficiency
Key Learnings:
- Disconnected mode enables remote operations
- Local expertise required for maintenance
- Power and cooling more challenging than connectivity
- Regular maintenance schedule critical
Best Practices
Planning and Design
1. Comprehensive Baseline:
- Document approved configuration
- Create detailed architecture diagrams
- Establish security baselines
- Define operational procedures
- Document all dependencies
2. Test Environment:
- Mirror production configuration
- Test all updates before deployment
- Practice DR scenarios
- Validate backup/restore
- Document test results
3. Change Management:
- Formal change control process
- Risk assessment for all changes
- Approval workflow
- Rollback procedures
- Post-implementation review
Operational Practices
1. Regular Health Checks:
- Daily automated health reports
- Weekly performance review
- Monthly capacity planning
- Quarterly security scans
- Annual full audit
2. Documentation:
- Keep all documentation current
- Maintain runbooks for common tasks
- Document all configuration changes
- Create troubleshooting guides
- Regular documentation review
3. Training:
- Train multiple staff members
- Cross-train for redundancy
- Regular knowledge refresh
- Simulate failure scenarios
- Document lessons learned
4. Backup and DR:
- Daily backups (automated)
- Weekly full backups
- Offsite backup copies
- Monthly DR tests
- Documented recovery procedures
Security Practices
1. Defense in Depth:
- Multiple security layers
- Network segmentation
- Least privilege access
- Regular security assessments
- Continuous monitoring
2. Access Control:
- Strong authentication (MFA)
- Regular access reviews
- Privileged access management
- Session recording
- Audit all access
3. Physical Security:
- Locked data center
- Video surveillance
- Badge access
- Visitor escorts
- Equipment inventory
4. Incident Response:
- Documented IR plan
- Regular IR drills
- Contact information current
- Escalation procedures
- Post-incident review
Comparison: When to Choose Disconnected Mode
Choose Disconnected Mode If:
β Strong Yes:
- Air-gap requirement (regulatory or policy)
- Classified or top-secret data
- Critical infrastructure protection
- Zero tolerance for internet dependency
- Complete operational sovereignty required
- Protection against advanced persistent threats
β οΈ Consider Carefully:
- Staff expertise to manage without cloud support
- Budget for local infrastructure (backup, monitoring)
- Change management discipline
- Physical security capabilities
- Compliance requirements justify the complexity
Choose Connected Mode If:
β Better Choice:
- No air-gap requirement
- Centralized management desired
- Cloud backup and DR beneficial
- Limited local IT staff
- Multiple clusters to manage
- Cost optimization via cloud services
Hybrid Approach:
β Best of Both:
- Start in Connected Mode for deployment and validation
- Switch to Disconnected Mode for production
- Periodic sync (monthly/quarterly)
- Emergency reconnect capability
- Balance sovereignty with manageability
Next Steps
Continue Learning:
Back to:
External Resources:
Last Updated: October 2025