Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into dns-sec-pol-toc

asudbring · asudbring · commit 3a5abcca302d · 2025-12-02T13:34:22.000-06:00
diff --git a/articles/virtual-network/how-to-dhcp-azure.md b/articles/virtual-network/how-to-dhcp-azure.md
@@ -15,7 +15,7 @@ ms.date: 02/28/2024
 
 # Deploy a DHCP server in Azure on a virtual machine
 
-Learn how to deploy a highly available DHCP server in Azure on a virtual machine. This server is used as a target for an on-premises DHCP relay agent to provide dynamic IP address allocation to on-premises clients. Broadcast packets directly from clients to a DHCP Server don't work in an Azure Virtual Network by design.
+Learn how to deploy a highly available DHCP server in Azure on a virtual machine. This server is used as a target for an on-premises DHCP relay agent to provide dynamic IP address allocation to on-premises clients. The DHCP relay agent forwards unicast DHCP requests from on-premises clients to the DHCP servers running in Azure. Direct broadcast packets from clients to a DHCP server don't work in an Azure Virtual Network by design.
 
 > [!NOTE]
 > The on-premises client to DHCP Server (source port UDP/68, destination port UDP/67) is still not supported in Azure, since this traffic is intercepted and handled differently. This will result in timeout messages at the time of DHCP RENEW at T1 when the client directly attempts to reach the DHCP Server in Azure. The DHCP RENEW will succeed when the DHCP RENEW attempt is made at T2 via DHCP Relay Agent. For more details on the T1 and T2 DHCP RENEW timers, see [RFC 2131](https://www.ietf.org/rfc/rfc2131.txt).
@@ -26,125 +26,61 @@ Learn how to deploy a highly available DHCP server in Azure on a virtual machine
 
 [!INCLUDE [virtual-network-create-with-bastion.md](~/reusable-content/ce-skilling/azure/includes/virtual-network-create-with-bastion.md)]
 
-## Create internal load balancer
-
-In this section, you create an internal load balancer that load balances virtual machines. An internal load balancer is used to load balance traffic inside a virtual network with a private IP address.
-
-During the creation of the load balancer, you configure:
-
-* Frontend IP address
-* Backend pool
-* Inbound load-balancing rules
-
-1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.
-
-1. In the **Load balancer** page, select **Create**.
-
-1. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information: 
-
-    | Setting                 | Value                                              |
-    | ---                     | ---                                                |
-    | **Project details** |   |
-    | Subscription               | Select your subscription.    |    
-    | Resource group         | Select **test-rg**. |
-    | **Instance details** |   |
-    | Name                   | Enter **load-balancer**                                   |
-    | Region         | Select **(US) East US 2**.                                        |
-    | SKU           | Leave the default **Standard**. |
-    | Type          | Select **Internal**.                                        |
-    | Tier          | Leave the default **Regional**. |
-
-1. Select **Next: Frontend IP configuration** at the bottom of the page.
-
-1. In **Frontend IP configuration**, select **+ Add a frontend IP configuration**.
-
-1. Enter **frontend-1** in **Name**.
-
-1. Select **subnet-1 (10.0.0.0/24)** in **Subnet**.
-
-1. In **Assignment**, select **Static**.
-
-1. In **IP address**, enter **10.0.0.100**.
-
-1. Select **Add**.
-
-1. Select **Next: Backend pools** at the bottom of the page.
-
-1. In the **Backend pools** tab, select **+ Add a backend pool**.
-
-1. Enter **backend-pool** for **Name** in **Add backend pool**.
-
-1. Select **NIC** or **IP Address** for **Backend Pool Configuration**.
-
-1. Select **Save**.
-
-1. Select the blue **Review + create** button at the bottom of the page.
-
-1. Select **Create**.
-
-## Configure second load balancer frontend
-
-A second frontend is required for the load balancer to provide high availability for the DHCP server. Use the following steps to add a second frontend to the load balancer.
-
-1. In the Azure portal, search for and select **Load balancers**.
-
-1. Select **load-balancer**.
-
-1. In **Settings**, select **Frontend IP configuration**.
-
-1. Select **+ Add**.
-
-1. Enter or select the following information in **Add frontend IP configuration**:
-
-    | Setting                 | Value                                              |
-    | ---                     | ---                                                |
-    | **Name** | Enter **frontend-2**. |
-    | **Subnet** | Select **subnet-1 (10.0.0.0/24)**. |
-    | **Assignment** | Select **Static**. |
-    | **IP address** | Enter **10.0.0.200**. |
-    | **Availability zone** | Select **Zone-redundant**. |
-
-1. Select **Add**.
-
-1. Verify that in **Frontend IP configuration**, you have **frontend-1** and **frontend-2**.
-
-## Create load balancer rules
-
-The load balancer rules are used to distribute traffic to the virtual machines. Use the following steps to create the load balancer rules.
-
-1. In the Azure portal, search for and select **Load balancers**.
-
-1. Select **load-balancer**.
-
-1. In **Settings**, select **Load balancing rules**.
-
-1. Select **+ Add**.
-
-1. Enter or select the following information in **Add load balancing rule**:
-
-    | Setting                 | Value                                              |
-    | ---                     | ---                                                |
-    | **Name** | Enter **lb-rule-1**. |
-    | **IP version** | Select **IPv4**. |
-    | **Frontend IP address** | Select **frontend-1**. |
-    | **Backend pool** | Select **backend-pool**. |
-    | **Protocol** | Select **UDP**. |
-    | **Port** | Enter **67**. |
-    | **Backend port** | Enter **67**. |
-    | **Health probe** | Select **Create new**. </br> Enter **dhcp-health-probe** for **Name**. </br> Select **TCP** for **Protocol**. </br> Enter **3389** for **Port**. </br> Enter **67** for **Interval**. </br> Enter **5** for **Unhealthy threshold**. </br> Select **Save**. |
-    | **Enable Floating IP** | Select the box. |
-
-1. Select **Save**.
-
-1. Repeat the previous steps to create the second load balancing rule. Replace the following values with the values for the second frontend:
-
-    | Setting                 | Value                                              |
-    | ---                     | ---                                                |
-    | **Name** | Enter **lb-rule-2**. |
-    | **Frontend IP address** | Select **frontend-2**. |
-    | **Health probe** | Select **dhcp-health-probe**. |
-
-[!INCLUDE [create-two-virtual-machines-windows-load-balancer.md](../../includes/create-two-virtual-machines-windows-load-balancer.md)]
+## Create virtual machines
+
+In this section, you create two VMs (**vm-1** and **vm-2**) in two different availability zones (**Zone 1** and **Zone 2**) to provide high availability for your DHCP service.
+
+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.
+
+1. Select **+ Create** then **Azure virtual machine**.
+   
+1. In **Create a virtual machine**, type or select the values in the **Basics** tab:
+
+    | Setting | Value |
+    |---|---|
+    | **Project details** |  |
+    | Subscription | Select your subscription. |
+    | Resource group | Select **test-rg**. |
+    | **Instance details** |  |
+    | Virtual machine name | Enter **vm-1**. |
+    | Region | Select **East US 2**. |
+    | Availability options | Select **Availability zone**. |
+    | Availability zone | Select **Zone 1**. |
+    | Security type | Select **Standard**. |
+    | Image | Select **Windows Server 2022 Datacenter - x64 Gen2**. |
+    | VM architecture | Leave the default of **x64**. |
+    | Size | Select a size. |
+    | **Administrator account** |  |
+    | Authentication type | Select **Password**. |
+    | Username | Enter **azureuser**. |
+    | Password | Enter a password. |
+    | Confirm password | Reenter the password. |
+    | **Inbound port rules** |  |
+    | Public inbound ports | Select **None**. |
+
+1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.
+  
+1. In the Networking tab, enter or select the following information:
+
+    | Setting | Value |
+    |-|-|
+    | **Network interface** |  |
+    | Virtual network | Select **vnet-1**. |
+    | Subnet | Select **subnet-1 (10.0.0.0/24)**. |
+    | Public IP | Select **None**. |
+    | NIC network security group | Select **Basic**. |
+    | Public inbound ports | Leave the default of **None**. |
+   
+1. Select **Review + create**. 
+  
+1. Review the settings, and then select **Create**.
+
+1. Follow the previous steps to create a second VM with the following values and all the other settings the same as **vm-1**:
+
+    | Setting | VM 2 |
+    | ------- | ----- |
+    | Name |  **vm-2** |
+    | Availability zone | **Zone 2** |
 
 ## Configure DHCP server network adapters
 
@@ -219,6 +155,34 @@ Use the following steps to set a static IP address for the Microsoft Loopback Ad
 
 1. Select **Close**.
 
+### Add loopback IP address as secondary IP configuration in Azure
+
+After configuring the loopback adapter IP address on the virtual machine, you must add the same IP address as a secondary IP configuration on the Azure VM's network interface. This critical step ensures that Azure can route unicast DHCP requests to the DHCP server.
+
+1. In the Azure portal, search for and select **Virtual machines**.
+
+1. Select **vm-1**.
+
+1. In the **vm-1** page, select **Networking** then **Network settings**.
+
+1. Select the network interface name next to **Network interface**. The network interface name is similar to **vm-1123**.
+
+1. In the network interface page, select **IP configurations** in **Settings**.
+
+1. Select **+ Add**.
+
+1. Enter or select the following information in **Add IP configuration**:
+
+    | Setting                 | Value                                              |
+    | ---                     | ---                                                |
+    | **Name** | Enter **ipconfig2**. |
+    | **Allocation** | Select **Static**. |
+    | **IP address** | Enter **10.0.0.100**. |
+
+1. Select **OK**.
+
+1. Verify that in **IP configurations**, you have **ipconfig1** and **ipconfig2** listed.
+
 ### Enable routing between the loopback interface and the network adapter
 
 Use the following steps to enable routing between the loopback interface and the network adapter:
@@ -262,8 +226,45 @@ Use the following steps to enable routing between the loopback interface and the
 
 1. Close the bastion connection to **vm-1**.
 
-1. Repeat the previous steps to configure **vm-2**. Replace the IP address of **10.0.0.100** with **10.0.0.200** in the static IP address configuration of the loopback adapter.
+1. Repeat the previous steps to configure **vm-2**. Replace the IP address of **10.0.0.100** with **10.0.0.200** in both the static IP address configuration of the loopback adapter and the secondary IP configuration in the Azure portal.
+
+### Verify DHCP server binding
+
+After completing the configuration, verify that the DHCP server is correctly bound to the loopback adapter IP address.
+
+1. Connect to **vm-1** via Azure Bastion.
+
+1. Open **PowerShell** as an administrator.
+
+1. Run the following command to verify the DHCP server is listening on the loopback IP address:
+
+    ```powershell
+    netstat -an | Select-String "67"
+    ```
+
+    You should see output showing UDP port 67 bound to **10.0.0.100**:
+
+    ```output
+    UDP    10.0.0.100:67          *:*
+    ```
+
+1. Alternatively, open the **DHCP** management console and verify that the loopback adapter is listed and bound to the IP address **10.0.0.100** in the DHCP console.
+
+1. Close the bastion connection to **vm-1**.
+
+## Configure DHCP relay agent
+
+Configure your on-premises DHCP relay agent to forward DHCP requests to the loopback IP addresses of the DHCP servers in Azure. For high availability, configure the relay agent with both server addresses:
+
+- **10.0.0.100** (vm-1)
+- **10.0.0.200** (vm-2)
+
+DHCP relay agents natively support specifying multiple DHCP servers in their configuration, providing failover and redundancy without requiring additional load-balancing components.
+
+Consult your DHCP relay agent manufacturer's documentation for specific configuration steps.
 
 ## Next step
 
-In this article, you learned how to deploy a highly available DHCP server in Azure on a virtual machine. You also learned how to configure the network adapters and installed the DHCP role on the virtual machines. Further configuration of the DHCP server is required to provide DHCP services to on-premises clients from the Azure Virtual Machines. The DHCP relay agent on the on-premises network must be configured to forward DHCP requests to the DHCP servers in Azure. Consult the manufacturer's documentation for the DHCP relay agent for configuration steps.
+In this article, you learned how to deploy a highly available DHCP server in Azure on a virtual machine. You configured the network adapters with loopback adapters and added the loopback IP addresses as secondary IP configurations in Azure to ensure proper routing. You also installed the DHCP role on the virtual machines. 
+
+Further configuration of the DHCP server is required to provide DHCP services to on-premises clients from the Azure Virtual Machines. The DHCP relay agent on the on-premises network must be configured to forward DHCP requests to the loopback IP addresses (10.0.0.100 and 10.0.0.200) of the DHCP servers in Azure. Consult the manufacturer's documentation for the DHCP relay agent for configuration steps.
