Summary: How to setup vCenter 6.5 in Azure.
Date: Around 2017
Refactor: 29 April 2025: Checked links and formatting.

After installing a Active Directory Domain Controller in Azure and setting up a Setup a Point To Site VPN to Azure it's time for something else. On the Windows 10 client I installed a couple of ESXi 6.5 hosts so of course I want to manage them with vCenter. But since I lack the serious resource requirements of vCenter on my Windows 10 laptop I decided to run the vCenter in Azure. Why? Because I can… Or at least, because I want to.

Note: Even though you could use parts of this manual as a howto on various subjects do not consider this a manual for a production environment. While trying to set this up I encountered many difficulties and in the end I did not fully complete on my original goal. It was however fun to do and I learned I lot while doing this so if that is your goal please continue and have fun.

• Log on to the https://portal.azure.com with your credentials
• Click on +New:
  

• Search for Windows Server 2016 Datacenter and select it from the search results
• On the deployment blade, make sure Resource Manager is selected, and click Create
• Configure the basic settings and click OK:
  

• Now because vCenter is quite a demanding application (see requirements below) I selected the D2_V2 standard. This one is equipped with 2 cores, 7 GB RAM and 100 GB local SSD.
  • UPDATE: I need at least 8 GB of RAM so later on I changed the size of the VM to A4_V2, which has 4 cores, 8 GB RAM but no SSD.
• Configure your optional features. I decided to reuse my virtual network and storage account which I already created here, and click OK:
  

• Check your summary and click OK if you're satisfied.
• Wait for your deployment to finish

Note that this will make your RDP connection get lost if you connect directly through Azure. You can also start a remote desktop connection from another server (like this)
Note2: From the next day forward I could connect to the server directly again. Maybe I was just a little impatient.

First we need to set the Domain Controller configured here as the DNS server for the vCenter server and set the correct DNS settings:

• Log on to the freshly deployed server
• Start Server Manager → Local Server
• Click on the IPv4 settings:
  

• Right-click the configured network connection and select properties
• Select the “Internet Protocol Version 4 (TCP/IPv4)” item and click properties:
  

• Enter the DNS server addresses. As I only have one domain controller I choose to use the current DNS server that was assigned to my server (cmd.exe & ipconfig /all) as the alternate DNS server:
  

• Click on OK and then Close to save the settings

It is a requirement for vCenter that the correct DNS records are set for the vCenter server. The name of the server and the DNS record need to match exactly:

• Log on to the Domain Controller / DNS server
• Start Server Manager → Tools → DNS
• Create a new A record in the shift.local forward zone and don't forget to check the “Create associated pointer (PTR) record” checkbox:
  

• Click Add Host, OK on the popup and Done to close the windows.

A freshly deployed server is always a standalone, so we need to make this server a member of the domain:

• Log on to the freshly deployed server
• Start Server Manager → Local Server
• Click on WORKGROUP:
  

• Click on Change to change the domain:
  

• Fill in the domain name and click OK:
  

• On the Windows Security popup enter Domain Credentials to add the server to the domain:
  

• Click OK on the Welcome to the shift.local domain popup window
• Close all windows and restart the server

READ THIS CAREFULLY: Now if you follow this tutorial for your home lab continue, but if you are looking to deploy a production deployment please read this carefully. I will install a single vCenter server, meaning that I will host both the Platform Controller and vCenter service onto one server. That is supported (although I don't think it's supported to run it in Azure) but only for small deployments. If you have a bigger environment than a couple of hosts and a few dozen VMs check here for the supported topologies for vCenter 6.5. I actually did a different deployment (two locations, much bigger) a little time ago with vSphere 6/vCenter 6/SRM6: vSphere 6 and SRM 6 Installation and Configuration.

Installation software: VMware-VIM-all-6.5.0-4602587.iso

It's always a good idea to run a specific service under a designated service account. On the domain controller create a account considering these requirements:

• Username: sa-azurevc01-vcenter
• User cannot change password
• Password never expires
• Description: AzureVC01 - vCenter Service Account
• Member Of:
  • Domain Users
  • Local Administrators group (Server Manager → Tools → Computer management → Local Users and Groups → Groups) of vCenter server (AzureVC01)
• “Log on as a service” permission (Server Manager → Tools → Local Security Policy → Local Policies → User Rights Assignment ) on the vCenter server (AzureVC01)

• Log onto the vCenter server as the service account
• Navigate to the installation software. Now this is a ISO but nowadays you can right-click the ISO and select mount. This will mount the ISO on F:
• As autorun is disabled by default, navigate to F: and doubleclick autorun.exe
• On the VMware vCenter Installer select vCenter Server for Windows and click Install:
  

• Click Next on the “Welcome to the VMware vCenter Server 6.5.0 Installer” window
• Accept the license agreement and click Next
• Select the Embedded Deployment to install vCenter Server and the Platform Services Controller on one server:
  

• Use the FQDN name as the System Name:
  

• Ignore the warning (if applicable) about IPv6. I intend to use IPv4
• Also ignore the warning about DHCP IP addresses. I did not set a static IP address through Azure but if you want to it's possible
• Setup the vCenter Single Sign-On Configuration:
  

• Setup the vCenter Server Service Account:
  

• Use an embedded database (VMware Postgres):
  

• Keep all the ports default:
  

• Keep the default Destination Directories, although for production deployments you might consider to move these to a different location:
  

• Set your preferences regarding the Customer Experience Improvement Program
• Review the installation settings and click Install to start the installation
• Wait for the installation to finish (get coffee, this might take a while) and review the post-installation steps:
  

• Either click Finish or Launch vSphere Web Client to finish the installation.

When the installation is done we need to check if the services are indeed running under the installation account:

• Log on to the vCenter server (not using the service account credentials)
• Start Server Manager → Tools → Services

hmmm… There seems to be a bug with the installation, none of the services is running under the service account:

Now I want that administrators from Active Directory can log on to the environment and admin it, to do so we have to configure an Identity Source. We do that through the vSphere Web Client but as that needs Flash and we don't want to run Flash on a server we'll do that from a Windows 10 client which has Flash Player integrated (test it on https://get.adobe.com/flashplayer ). In Setup a Point To Site VPN to Azure we already connected a Windows 10 client to the Azure tenant, so on the client, connect to the Azure Tenant through VPN and navigate to the vSphere Web Client on https://azurevc01.shift.local/vsphere-client/

Note that you might get an error that the host cannot be found, which is probably caused if you do not have set up DNS correctly on your client. Note that is not part of your domain (see Setup a Point To Site VPN to Azure for the setup). The easiest way to solve it right now is to follow these steps:

• Start notepad as an administrator
• Navigate to and open c:\windows\system32\drivers\etc\hosts
• Add this line to the file: 10.0.0.5 azurevc01.shift.local azurevc01

Now you should be able to access the vSphere Web Client, so follow these steps to setup Active Directory as an Identity Source:

• Log in using the credentials supplied during the installation:
  

• Go to Administration → Single Sign-On → Configuration → Identity Sources:
  

• Click the Green + symbol to add an Identity Source:
  

• As the Identity Source Type select Active Directory (Integrated Windows Authentication):
  

• Enter the domain name and keep the default to use the machine account:
  

• Click finish on the completion page
• Select the Identity Source you've just created and click the “Set as Default Domain” button:
  

• Now that Active Directory is set as the default Identity Source go to Administration → Global Permissions:
  

• Go to the Manage tab and click the green + to add new permissions:
  

• In the new Add Permission window, click Add:
  

• In the Select Users/Groups window, set the domain to shift.local, select the user, and click Add. Click OK when you're done:
  

• Click OK to close the Add Permission window
• If done correct you can now see the new permission: \\2

You can test this now by logging off and try to log in to the vSphere Web Client as the user you added.

Note: Because you made the AD Identity Source the default you don't need to add the domain to your login name (SHIFT\adminsjoerd)

To avoid the browser messages regarding an invalid/untrusted certificate follow these steps to import the CA root certificate in the rusted Root Certification Authorities store:

• On the vCenter server navigate to %ALLUSERSPROFILE%\VMware\vCenterServer\data\vmca (For example: C:\ProgramData\VMware\vCenterServer\data\vmca)
• Locate the root.cer file and make it available on the Windows 10 client
• On the Windows 10 client, right-click the certificate
• Select Install Certificate
• Select Local Machine as the store location
• Select to place all certificates in the “Trusted Root Certification Authorities” store:
  

• Finish the Certificate Import Wizard

Now restart the browser and check that the message is gone.

Note that this is how far I came. I have a verified working vCenter, but how hard I tried, I could not get a host added to the inventory. But I did get all requirements in place, so read on if you want to know about managing firewalls, Azure Network Security Groups etc.

I have a standard setup for installing ESXi hosts, which I followed here.

Now the main trouble here was deciding on how to configure the network. You have basically two choices, NAT and bridged. Because of the downsides of NAT I first opted for bridging. However, it turned out that bridging had a even bigger disadvantage. If you followed this manual and you check the network adapter that was added for the VPN you'll notice it is a PPP adapter. This is basically a modem, and are only capable of running 1 IP address. And therefore, you can't bridge it. No way. Tried, Googled, tried again. No luck. So I had no choice but to go for NAT, even though it has these disadvantages:

• First host:
  • Make a NAT port mapping for every required vCenter port
• Second host:
  • Make sure all the required services/ports run on different ports
  • Make a NAT port mapping for each of them

Now that is a lot of work, so I concentrated on just getting it to work on the first host.

This step was done for the bridging option and should be adjusted for the NAT option. Which actually means you can't add the hosts in DNS. Because of the NAT, all hosts will be known under the same IP address. So you could add that one, but if you do add it with the IP address of the VPN Client (for example 192.168.1.7)

First we'll add the DNS records on the DNS server:

• Log on to the DNS server and go to Server Manager → Tools → DNS
• Right-click the Reverse Lookup Zones
• Select New-Zone
• Click Next on the welcome screen
• Select a primary zone
• Select your replication scope, I decided to replicate to all DNS servers running on domain controllers in the forest
• Select a IPv4 Reverse Lookup Zone
• Fill in the network ID for the zone (192.168.1):
  

• Allow only secure dynamic updates
• Finish the wizard

Now to add the correct DNS records, still in DNS manager, right-click the Forward Lookup Zones and expand it:

• Right-click the shift.local zone and select New Host (A or AAAA)
• Fill in the record data:
  

• Click on Add Host and repeat these steps for the second host
• When done click Done and check in both the forward as the reverse lookup zone if the records have been created correctly

Skip this step and the next one. Keep the host on NAT.

First we will modify the network settings of the ESXI host in VMware Workstation:

• Open VMware workstation and select the tab for the host you want to edit
• Click directly on the Network Adapter settings to open the Virtual Machine Settings:
  

• Change the network connection to Bridged:
  

• Click OK and click the Power On link to start the VM:
  

When the host is started follow these steps to set the static IP and DNS settings

• Press F2 and enter the root credentials
• Select Configure Management Network, then press Enter.
• Select IPv4 Configuration, then press Enter.
• Select “Set static IP addresses and network configuration”, then press the Space bar.
• Press the Down Arrow key to select the IP Address field, then enter the correct information, followed by ENTER
• Select DNS Configuration, then press Enter.
  • Enter 10.0.0.4 (the Azure DNS server) as the Primary DNS server
  • Set the hostname
  • Press ENTER to save the setting
• Select Custom DNS Suffixes, then press ENTER
  • Set the suffix to shift.local and press ENTER
• Press ESC to save to exit
• When you are prompted to restart the management network for the changes to take effect, press Y.
• Press ESC again to go back to the main screen.

To configure NAT for vCenter and ESXi communication on VMware workstation follow these steps:

• In VMware Workstation go to Edit → Virtual Network Editor
• Select the VMnat adapter that is configured for NAT and click NAT Settings:
  

• On the NAT settings window, click Add to add a new Port Forwarding Rule
• On the Map Incoming port, configure a port forward, example for SSH (port 22):
  • Host port: 22
  • Type: TCP
  • Virtual machine IP address: The IP address of the ESXi host: 192.168.75.201
  • Virtual machine port: 22
  • Description: SSH:
    

• Click OK

Now repeat these steps port the following ports:

• SSH: 22 (TCP)
• DNS: 53 (TCP/UDP)
• HTTP: 80 (TCP)
• HTTPS: 443 (TCP)
• vCenter/ESXi: 902 (TCP/UDP)

We'll start with port 22 to test communication between vCenter server and the ESXi hosts

Follow these steps to open port 22 in the Azure Network Security Group:

• In the portal, open the Network Security Groups and select the security group that was created for your server (AzureVC01-ndg)
• Click on Outbound security rules
• Click on +Add:
  

• In the Add Outbound security rule, give the rule a name and select the (SSH) service:
  

• Click on OK and wait for the rule to be created
• It will now show in the Outbound Security Rules:
  

During the installation of vCenter, the correct firewall rules were already created. But doublechecking is always a good idea:

• Click start and type firewall to open the “Windows Firewall with Advanced Security”
• In the inbound rules you see several services that are recently added and look a lot like required vCenter ports:
  

• Outbound rules are not effectively blocked. Check in the overview of “Windows Firewall with Advanced Security”:
  

So just check if the ports are blocked by a rule…

Follow these steps to open port 22 for the client:

• Click start and type firewall to open the “Windows Firewall with Advanced Security”
• Select Inbound Rules
• Click New Rule on the Inbound Rules Actions panel:
  

• In the New Inbound Rule Wizard select a custom rule and click next
• Select All Programs and click next
• Set the protocol type to TCP and the local port to 22 and click next:
  

• Set any/any for the scope and click next
• Allow the connection as Action and click next
• Set the rule for all profiles (Domain/Private/Public) and click next
• Name it and give a description and click next

The new rule is automatically enabled and now you should be able to make a SSH connection from the vCenter server in Azure to the ESXi host on your local workstation. Please note that you need to use the IP address assigned to the Azure VPN client to connect to:

Repeat each of these steps for each of these ports:

• SSH: 22 (TCP)
• DNS: 53 (TCP/UDP)
• HTTP: 80 (TCP)
• HTTPS: 443 (TCP)
• vCenter/ESXi: 902 (TCP/UDP)

Don't forget there are 4 places for port configuration: - NAT translation - Network security group in azure - Outbound firewall rule op vCenter Server - Inbound firewall rule op Windows 10 Azure Client

Now as you could see above in the screenshot I had a connection between the vCenter Server and the ESXi host on both port 22 and 902. However, after adding a datacenter to the vCenter environment I tried to add a host. It did found the host, I even got a warning on the host's certificate but I could not add it. I kept getting this error:

Cannot complete login due to an incorrect user name or password

Of course the credentials are correct and I suspect the problem is still somewhere in the opening of ports, in the installation or just simply using a Point to Site VPN between vCenter and ESXi. I also did try a lot of different things in the process to fix it so I might have even broke it even further while trying to break it. Logfiles did not supply a simple solution and the vSphere Client (the old one) is no longer working with vSphere 6.6. So I did not solve the issue, so if someone has an idea just drop me a message and I'm sure I'll try it.