Goal

Build an automated E2E pipeline to deploy and configure an Azure cloud environment capable of Cross-Cluster Live Migration (CCLM) for virtualization testing.

This story consolidates all Azure CCLM work. _ACM-27703 (Azure BM) is closed – Azure BM is not feasible per RFE-4142.

Requirements

CCLM enables live migration of a running VM from one OpenShift cluster to another. On Azure, this requires:

1. Azure portal permissions and service principals

The Azure subscription and user account must have sufficient permissions to configure networking and storage resources via portal.azure.com. A service principal is also needed for subctl cloud prepare azure. See ACM-30201 for details on the current permission gap (identified Dec 2025).

2. Non-overlapping network CIDRs

Each managed cluster needs unique Pod, Service, and Machine CIDRs for Submariner routing (set at install time, cannot be changed).

3. Azure networking for Submariner

Submariner gateway nodes need public reachability for IPsec tunnels. Azure IPI clusters don't expose this by default.

Automated (preferred): subctl cloud prepare azure creates a gateway VM with a static public IP and a dedicated NSG (ports 4500/UDP, 4490/UDP, ESP, AH). Requires the installer metadata.json and an Azure SP auth file.

subctl cloud prepare azure --ocp-metadata cluster-a/metadata.json --auth-file my.auth

Manual (fallback): Assign a public IP to a node's NIC, add NSG inbound rules, and create LB inbound NAT rules. See the CCLM Network Guide for manual steps.

4. Submariner deployment

Deploy via subctl to establish encrypted tunnels and service discovery. Gateway connections must show "All connections established."

5. RWX storage

Live migration requires ReadWriteMany. Azure managed-csi is RWO only – an Azure Files NFS StorageClass must be created on both managed clusters.

6. CCLM feature enablement

CNV decentralizedLiveMigration gate, MTV live migration flag, CCLM UI toggle, and virt-synchronization-controller Service. The setup_virt-cclm_env.sh script (_ACM-27325) handles this.

7. Worker instance type

Standard_D8s_v3 or larger (8+ CPU, 32GB+ RAM) for nested virtualization.

Current State

An existing Azure env (hub + 2 spokes) was investigated in Feb 2026. CCLM does not work because:

• Both spokes have identical CIDRs – Submariner cannot route between them
• Spoke workers are Standard_D2s_v3 (2 CPU, 8GB) – too small for VMs
• No Azure networking configured for Submariner
• No RWX storage
• Azure portal subscription has limited permissions (see ACM-30201)

The existing env proved Azure VM deployment and CNV/MTV installation work. The gap is CCLM infrastructure: permissions, CIDRs, Submariner networking, and RWX storage.

Deliverables

1. Azure portal permissions and service principals configured (ACM-30201)
2. Hub + 2 managed clusters with correct CIDRs and D8s_v3 workers (ACM-30198)
3. Submariner networking and deployment (ACM-30199)
4. RWX storage, CCLM features enabled, e2e migration verified (ACM-30200)
5. Jenkins pipeline automating the full flow

References

• CCLM Network Setup Guide
• Submariner Azure Quickstart
• submariner-io/cloud-prepare – Azure implementation
• submariner-io/subctl – Azure prepare orchestration
• RFE-4142 – Azure BM not supported
• _ACM-27703 – Closed, consolidated here