ערוך

Complete the prerequisite tasks for deploying a private mobile network

  • מאמר

In this how-to guide, you'll carry out each of the tasks you need to complete before you can deploy a private mobile network using Azure Private 5G Core.

Tip

Private mobile network design requirements contains the full network design requirements for a customized network.

Tools and access

To deploy your private mobile network using Azure Private 5G Core, you need:

Get access to Azure Private 5G Core for your Azure subscription

Contact your trials engineer and ask them to register your Azure subscription for access to Azure Private 5G Core. If you don't already have a trials engineer and are interested in trialing Azure Private 5G Core, contact your Microsoft account team, or express your interest through the partner registration form.

Choose the core technology type (5G, 4G, or combined 4G and 5G)

Choose whether each site in the private mobile network should provide coverage for 5G, 4G, or combined 4G and 5G user equipment (UEs). If you're deploying multiple sites, they can each support different core technology types.

Allocate subnets and IP addresses

Azure Private 5G Core requires a management network, access network, and up to ten data networks. These networks can all be part of the same, larger network, or they can be separate. The approach you use depends on your traffic separation requirements.

For each of these networks, allocate a subnet and then identify the listed IP addresses. If you're deploying multiple sites, you need to collect this information for each site.

Depending on your networking requirements (for example, if a limited set of subnets is available), you might choose to allocate a single subnet for all of the Azure Stack Edge interfaces, marked with an asterisk (*) in the following list.

Management network

  • Network address in Classless Inter-Domain Routing (CIDR) notation.
  • Default gateway.
  • One IP address for the management port (port 2) on the Azure Stack Edge Pro 2 device.
  • Six sequential IP addresses for the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster nodes.
  • One service IP address for accessing local monitoring tools for the packet core instance.
  • Network address in Classless Inter-Domain Routing (CIDR) notation.
  • Default gateway.
  • One IP address for the management port
  • Six sequential IP addresses for the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster nodes.
  • One service IP address for accessing local monitoring tools for the packet core instance.

Access network

  • Network address in CIDR notation.
  • Default gateway.
  • One IP address for the control plane interface.
    • For 5G, this is the N2 interface
    • For 4G, this is the S1-MME interface.
    • For combined 4G and 5G, this is the N2/S1-MME interface.
  • One IP address for the user plane interface.
    • For 5G, this is the N3 interface
    • For 4G, this is the S1-U interface.
    • For combined 4G and 5G, this is the N3/S1-U interface.
  • One IP address for port 3 on the Azure Stack Edge Pro 2 device.
  • Network address in CIDR notation.
  • Default gateway.
  • One IP address for the control plane interface.
    • For 5G, this is the N2 interface
    • For 4G, this is the S1-MME interface.
    • For combined 4G and 5G, this is the N2/S1-MME interface.
  • One IP address for the user plane interface.
    • For 5G, this is the N3 interface
    • For 4G, this is the S1-U interface.
    • For combined 4G and 5G, this is the N3/S1-U interface.
  • One IP address for port 5 on the Azure Stack Edge Pro GPU device.

Data networks

Allocate the following IP addresses for each data network in the site:

  • Network address in CIDR notation.
  • Default gateway.
  • One IP address for the user plane interface.
    • For 5G, this is the N6 interface
    • For 4G, this is the SGi interface.
    • For combined 4G and 5G, this is the N6/SGi interface.

The following IP addresses must be used by all the data networks in the site:

  • One IP address for all data networks on port 3 on the Azure Stack Edge Pro 2 device.
  • One IP address for all data networks on port 4 on the Azure Stack Edge Pro 2 device.
  • One IP address for all data networks on port 5 on the Azure Stack Edge Pro GPU device.
  • One IP address for all data networks on port 6 on the Azure Stack Edge Pro GPU device.

VLANs

You can optionally configure your Azure Stack Edge Pro device with virtual local area network (VLAN) tags. You can use this configuration to enable layer 2 traffic separation on the N2, N3 and N6 interfaces, or their 4G equivalents. For example, you might want to separate N2 and N3 traffic (which share a port on the ASE device) or separate traffic for each connected data network.

Allocate VLAN IDs for each network as required.

Allocate user equipment (UE) IP address pools

Azure Private 5G Core supports the following IP address allocation methods for UEs.

  • Dynamic. Dynamic IP address allocation automatically assigns a new IP address to a UE each time it connects to the private mobile network.

  • Static. Static IP address allocation ensures that a UE receives the same IP address every time it connects to the private mobile network. Static IP addresses are useful when you want Internet of Things (IoT) applications to be able to consistently connect to the same device. For example, you can configure a video analysis application with the IP addresses of the cameras providing video streams. If these cameras have static IP addresses, you won't need to reconfigure the video analysis application with new IP addresses each time the cameras restart. You'll allocate static IP addresses to a UE as part of provisioning its SIM.

You can choose to support one or both of these methods for each data network in your site.

For each data network you're deploying, do the following:

  • Decide which IP address allocation methods you want to support.

  • For each method you want to support, identify an IP address pool from which IP addresses can be allocated to UEs. You must provide each IP address pool in CIDR notation.

    If you decide to support both methods for a particular data network, ensure that the IP address pools are of the same size and don't overlap.

  • Decide whether you want to enable Network Address and Port Translation (NAPT) for the data network. NAPT allows you to translate a large pool of private IP addresses for UEs to a small number of public IP addresses. The translation is performed at the point where traffic enters the data network, maximizing the utility of a limited supply of public IP addresses.

Configure Domain Name System (DNS) servers

Important

If you don't configure DNS servers for a data network, all UEs using that network will be unable to resolve domain names.

DNS allows the translation between human-readable domain names and their associated machine-readable IP addresses. Depending on your requirements, you have the following options for configuring a DNS server for your data network:

  • If you need the UEs connected to this data network to resolve domain names, you must configure one or more DNS servers. You must use a private DNS server if you need DNS resolution of internal hostnames. If you're only providing internet access to public DNS names, you can use a public or private DNS server.
  • If you don't need the UEs to perform DNS resolution, or if all UEs in the network will use their own locally configured DNS servers (instead of the DNS servers signaled to them by the packet core), you can omit this configuration.

Prepare your networks

For each site you're deploying, do the following.

  • Ensure you have at least one network switch with at least three ports available. You'll connect each Azure Stack Edge Pro device to the switch(es) in the same site as part of the instructions in Order and set up your Azure Stack Edge Pro device(s).
  • For every network where you decided not to enable NAPT (as described in Allocate user equipment (UE) IP address pools), configure the data network to route traffic destined for the UE IP address pools via the IP address you allocated to the packet core instance's user plane interface on the data network.

Configure ports for local access

The following tables contain the ports you need to open for Azure Private 5G Core local access. This includes local management access and control plane signaling.

You must set these up in addition to the ports required for Azure Stack Edge (ASE).

Azure Private 5G Core

Port ASE interface Description
TCP 443 Inbound Management (LAN) Access to local monitoring tools (packet core dashboards and distributed tracing).
5671 In/Outbound Management (LAN) Communication to Azure Event Hubs, AMQP Protocol
5672 In/Outbound Management (LAN) Communication to Azure Event Hubs, AMQP Protocol
SCTP 38412 Inbound Port 3 (Access network) Control plane access signaling (N2 interface).
Only required for 5G deployments.
SCTP 36412 Inbound Port 3 (Access network) Control plane access signaling (S1-MME interface).
Only required for 4G deployments.
UDP 2152 In/Outbound Port 3 (Access network) Access network user plane data (N3 interface for 5G, S1-U for 4G, or N3/S1-U for combined 4G and 5G).
All IP traffic Ports 3 and 4 (Data networks) Data network user plane data (N6 interface for 5G, SGi for 4G, or N6/SGi for combined 4G and 5G).
Only required on port 3 if data networks are configured on that port.

The following tables contains the ports you need to open for Azure Private 5G Core local access. This includes local management access and control plane signaling.

You must set these up in addition to the ports required for Azure Stack Edge (ASE).

Azure Private 5G Core

Port ASE interface Description
TCP 443 Inbound Management (LAN) Access to local monitoring tools (packet core dashboards and distributed tracing).
5671 In/Outbound Management (LAN) Communication to Azure Event Hubs, AMQP Protocol
5672 In/Outbound Management (LAN) Communication to Azure Event Hubs, AMQP Protocol
SCTP 38412 Inbound Port 5 (Access network) Control plane access signaling (N2 interface).
Only required for 5G deployments.
SCTP 36412 Inbound Port 5 (Access network) Control plane access signaling (S1-MME interface).
Only required for 4G deployments.
UDP 2152 In/Outbound Port 5 (Access network) Access network user plane data (N3 interface for 5G, S1-U for 4G, or N3/S1-U for combined 4G and 5G).
All IP traffic Ports 5 and 6 (Data networks) Data network user plane data (N6 interface for 5G, SGi for 4G, or N6/SGi for combined 4G and 5G)).
Only required on port 5 if data networks are configured on that port.

Port requirements for Azure Stack Edge

Port No. In/Out Port Scope Required Notes
UDP 123 (NTP) Out WAN In some cases This port is only required if you are using a local NTP server or internet-based server for ASE.
UDP 53 (DNS) Out WAN In some cases See Configure Domain Name System (DNS) servers.
TCP 5985 (WinRM) Out/In LAN Yes Required for WinRM to connect ASE via PowerShell during AP5GC deployment.
See Commission an AKS cluster.
TCP 5986 (WinRM) Out/In LAN Yes Required for WinRM to connect ASE via PowerShell during AP5GC deployment.
See Commission an AKS cluster.
UDP 67 (DHCP) Out LAN Yes
TCP 445 (SMB) In LAN No ASE for AP5GC does not require a local file server.
TCP 2049 (NFS) In LAN No ASE for AP5GC does not require a local file server.

Port requirements for IoT Edge

Port No. In/Out Port Scope Required Notes
TCP 443 (HTTPS) Out WAN No This configuration is only required when using manual scripts or Azure IoT Device Provisioning Service (DPS).

Port requirements for Kubernetes on Azure Stack Edge

Port No. In/Out Port Scope Required Notes
TCP 31000 (HTTPS) In LAN Yes Required for Kubernetes dashboard to monitor your device.
TCP 6443 (HTTPS) In LAN Yes Required for kubectl access

Outbound firewall ports required

Review and apply the firewall recommendations for the following services:

The following table contains the URL patterns for Azure Private 5G Core's outbound traffic.

URL pattern Description
https://*.azurecr.io Required to pull container images for Azure Private 5G Core workloads.
https://*.microsoftmetrics.com
https://*.hot.ingestion.msftcloudes.com		 Required for monitoring and telemetry for the Azure Private 5G Core service.

Register resource providers

To use Azure Private 5G Core, you need to register some additional resource providers with your Azure subscription.

Tip

If you do not have the Azure CLI installed, see installation instructions at How to install the Azure CLI. Alternatively, you can use the Azure Cloud Shell on the portal.

  1. Sign into the Azure CLI with a user account that is associated with the Azure tenant that you are deploying Azure Private 5G Core into:

    az login

    Tip

    See Sign in interactively for full instructions.

  2. If your account has multiple subscriptions, make sure you are in the correct one:

    az account set --subscription <subscription_id>

  3. Check the Azure CLI version:

    az version

    If the CLI version is below 2.37.0, you must upgrade your Azure CLI to a newer version. See How to update the Azure CLI.

  4. Register the following resource providers:

    az provider register --namespace Microsoft.MobileNetwork
az provider register --namespace Microsoft.HybridNetwork
az provider register --namespace Microsoft.ExtendedLocation
az provider register --namespace Microsoft.Kubernetes
az provider register --namespace Microsoft.KubernetesConfiguration

Retrieve the Object ID (OID)

You need to obtain the object ID (OID) of the custom location resource provider in your Azure tenant. You must provide this OID when you create the Kubernetes service. You can obtain the OID using the Azure CLI or the Azure Cloud Shell on the portal. You must be an owner of your Azure subscription.

  1. Sign in to the Azure CLI or Azure Cloud Shell.

  2. Retrieve the OID:

    az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv

This command queries the custom location and will output an OID string. Save this string for use later when you're commissioning the Azure Stack Edge device.

Order and set up your Azure Stack Edge Pro device(s)

Do the following for each site you want to add to your private mobile network. Detailed instructions for how to carry out each step are included in the Detailed instructions column where applicable.

Step No. Description Detailed instructions
1. Complete the Azure Stack Edge Pro 2 deployment checklist. Deployment checklist for your Azure Stack Edge Pro 2 device
2. Order and prepare your Azure Stack Edge Pro 2 device. Tutorial: Prepare to deploy Azure Stack Edge Pro 2
3. Rack and cable your Azure Stack Edge Pro 2 device.

When carrying out this procedure, you must ensure that the device has its ports connected as follows:

- Port 2 - management
- Port 3 - access network (and optionally, data networks)
- Port 4 - data networks		 Tutorial: Install Azure Stack Edge Pro 2
4. Connect to your Azure Stack Edge Pro 2 device using the local web UI. Tutorial: Connect to Azure Stack Edge Pro 2
5. Configure the network for your Azure Stack Edge Pro 2 device.

Note: When an ASE is used in an Azure Private 5G Core service, Port 2 is used for management rather than data. The tutorial linked assumes a generic ASE that uses Port 2 for data.

If the RAN and Packet Core are on the same subnet, you do not need to configure a gateway for Port 3 or Port 4.

In addition, you can optionally configure your Azure Stack Edge Pro device to run behind a web proxy.

Verify the outbound connections from Azure Stack Edge Pro device to the Azure Arc endpoints are opened.

Do not configure virtual switches, virtual networks or compute IPs.		 Tutorial: Configure network for Azure Stack Edge Pro 2

(Optionally) Configure web proxy for Azure Stack Edge Pro

Azure Arc Network Requirements

Azure Arc Agent Network Requirements
6. Configure a name, DNS name, and (optionally) time settings.

Do not configure an update.		 Tutorial: Configure the device settings for Azure Stack Edge Pro 2
7. Configure certificates and configure encryption-at-rest for your Azure Stack Edge Pro 2 device. After changing the certificates, you might have to reopen the local UI in a new browser window to prevent the old cached certificates from causing problems. Tutorial: Configure certificates for your Azure Stack Edge Pro 2
8. Activate your Azure Stack Edge Pro 2 device.

Do not follow the section to Deploy Workloads.		 Tutorial: Activate Azure Stack Edge Pro 2
9. Enable VM management from the Azure portal.

Enabling this immediately after activating the Azure Stack Edge Pro 2 device occasionally causes an error. Wait one minute and retry.		 Navigate to the ASE resource in the Azure portal, go to Edge services, select Virtual machines and select Enable.
10. Run the diagnostics tests for the Azure Stack Edge Pro 2 device in the local web UI, and verify they all pass.

You might see a warning about a disconnected, unused port. You should fix the issue if the warning relates to any of these ports:

- Port 2 - management
- Port 3 - access network (and optionally, data networks)
- Port 4 - data networks

For all other ports, you can ignore the warning.

If there are any errors, resolve them before continuing with the remaining steps. This includes any errors related to invalid gateways on unused ports. In this case, either delete the gateway IP address or set it to a valid gateway for the subnet.		 Run diagnostics, collect logs to troubleshoot Azure Stack Edge device issues

Important

You must ensure your Azure Stack Edge Pro 2 device is compatible with the Azure Private 5G Core version you plan to install. See Packet core and Azure Stack Edge (ASE) compatibility. If you need to upgrade your Azure Stack Edge Pro 2 device, see Update your Azure Stack Edge Pro 2.

Step No. Description Detailed instructions
1. Complete the Azure Stack Edge Pro GPU deployment checklist. Deployment checklist for your Azure Stack Edge Pro GPU device
2. Order and prepare your Azure Stack Edge Pro GPU device. Tutorial: Prepare to deploy Azure Stack Edge Pro with GPU
3. Rack and cable your Azure Stack Edge Pro GPU device.

When carrying out this procedure, you must ensure that the device has its ports connected as follows:

- Port 5 - access network (and optionally, data networks)
- Port 6 - data networks

Additionally, you must have a port connected to your management network. You can choose any port from 2 to 4.		 Tutorial: Install Azure Stack Edge Pro with GPU
4. Connect to your Azure Stack Edge Pro GPU device using the local web UI. Tutorial: Connect to Azure Stack Edge Pro with GPU
5. Configure the network for your Azure Stack Edge Pro GPU device.

Note: When an ASE is used in an Azure Private 5G Core service, Port 2 is used for management rather than data. The tutorial linked assumes a generic ASE that uses Port 2 for data.

If the RAN and Packet Core are on the same subnet, you do not need to configure a gateway for Port 5 or Port 6.

In addition, you can optionally configure your Azure Stack Edge Pro GPU device to run behind a web proxy.

Verify the outbound connections from Azure Stack Edge Pro GPU device to the Azure Arc endpoints are opened.

Do not configure virtual switches, virtual networks or compute IPs.		 Tutorial: Configure network for Azure Stack Edge Pro with GPU

(Optionally) Configure web proxy for Azure Stack Edge Pro

Azure Arc Network Requirements

Azure Arc Agent Network Requirements
6. Configure a name, DNS name, and (optionally) time settings.

Do not configure an update.		 Tutorial: Configure the device settings for Azure Stack Edge Pro with GPU
7. Configure certificates for your Azure Stack Edge Pro GPU device. After changing the certificates, you might have to reopen the local UI in a new browser window to prevent the old cached certificates from causing problems. Tutorial: Configure certificates for your Azure Stack Edge Pro with GPU
8. Activate your Azure Stack Edge Pro GPU device.

Do not follow the section to Deploy Workloads.		 Tutorial: Activate Azure Stack Edge Pro with GPU
9. Enable VM management from the Azure portal.

Enabling this immediately after activating the Azure Stack Edge Pro device occasionally causes an error. Wait one minute and retry.		 Navigate to the ASE resource in the Azure portal, go to Edge services, select Virtual machines and select Enable.
10. Run the diagnostics tests for the Azure Stack Edge Pro GPU device in the local web UI, and verify they all pass.

You might see a warning about a disconnected, unused port. You should fix the issue if the warning relates to any of these ports:

- Port 5.
- Port 6.
- The port you chose to connect to the management network in Step 3.

For all other ports, you can ignore the warning.

If there are any errors, resolve them before continuing with the remaining steps. This includes any errors related to invalid gateways on unused ports. In this case, either delete the gateway IP address or set it to a valid gateway for the subnet.		 Run diagnostics, collect logs to troubleshoot Azure Stack Edge device issues

Important

You must ensure your Azure Stack Edge Pro GPU device is compatible with the Azure Private 5G Core version you plan to install. See Packet core and Azure Stack Edge (ASE) compatibility. If you need to upgrade your Azure Stack Edge Pro GPU device, see Update your Azure Stack Edge Pro GPU.

Next steps

You can now commission the Azure Kubernetes Service (AKS) cluster on your Azure Stack Edge Pro 2 or Azure Stack Edge Pro GPU device to get it ready to deploy Azure Private 5G Core.