Extending on-premises ADFS to Azure

  • Question

  • I am looking at extending our ADFS deployment to the cloud for redundancy. I hope someone with that experience can answer the following.

    Is 6 VMs the minimum requirement for the cloud deployment?

    Would the cloud deployment share the same ADFS farm as the on-prem one?

    What is the specific DNS setup so that clients in the cloud can resolve to the Azure ADFS server if the on-prem one is not available?

    Thanks



    • Edited by hkg04 Friday, April 26, 2019 8:04 PM
    Friday, April 26, 2019 2:27 PM

Answers

  • All steps are described here: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adfs

    For the balancing, one option is to use Traffic Manager; it was discussed here: https://social.technet.microsoft.com/Forums/en-US/212b5ef7-9b29-4152-91eb-02734e209e79/is-adfs-and-azure-traffic-manager-a-supported-scenario-dns-cname


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by hkg04 Friday, May 3, 2019 3:32 PM
    Tuesday, April 30, 2019 6:57 PM

All replies

  • I've configured ADFS/WAP with several clients using both Azure Traffic Manager and AWS Route 53 for redundancy/load balancing. You don't need an NLB component, as Traffic Manager and Route 53 both work well and are quite simple to configure and maintain. However, you need to "tweak" the configuration a little bit to get real fault tolerance. The probe port on the WAP server only reports WAP health, not ADFS backend health! Use this trick to ensure you have a failover in case the ADFS backend crashes but WAP is still alive: https://www.easy365manager.com/high-availability-adfs-using-azure-traffic-manager-for-real-aws-route-53/

    As for needing 6 servers, you mean dedicated DCs for each ADFS/WAP string? It's not a requirement. Depending on your AD/network design you may have enough to ensure the planned ADFS nodes can communicate quickly and redundantly with one of your existing DCs.

    The cloud ADFS will be installed in the existing ADFS farm (one farm per AD).

    DNS setup is as follows: the ADFS name is published as a CNAME, e.g. adfs.yourdomain.com, and mapped to a DNS record in Traffic Manager or Route 53 (depending on your preferred cloud). Traffic Manager/Route 53 both do the same: they check the health of the ADFS/WAP instances and map to the hostname of a healthy WAP (or randomly to either WAP if both instances are reporting as healthy or unhealthy). You find a more detailed explanation/visualization in the above link.

    Good luck.


    • Edited by kodekaj Saturday, May 4, 2019 11:39 AM
    Saturday, May 4, 2019 11:38 AM
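The reply above makes two points worth seeing in code: the WAP probe port only tells the DNS balancer that the WAP is alive, not that the ADFS backend behind it is, and the published ADFS name is a CNAME that the balancer resolves to whichever WAP passes its health check. The script below is an added example written for this page; it is not code from the thread or from the linked easy365manager article. It probes one WAP by fetching the federation metadata document through it and only reports healthy when the backend ADFS answered with the metadata of the expected federation service. The hostname adfs.example.com is an assumed placeholder; the metadata path is the default one an ADFS farm publishes, and the expected entityID follows the default ADFS Federation Service identifier format for that name.

```python
"""
Backend-aware health check for ADFS published through WAP behind a DNS
balancer (Azure Traffic Manager or Route 53).

Added example; not code from this thread or from the linked article.
It fetches the federation metadata document through a WAP instance and only
reports healthy when the backend ADFS answered with the metadata of the
expected federation service, so a WAP that is alive while its ADFS backend
is down is reported unhealthy and the balancer stops resolving to it.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Default ADFS federation metadata path.
METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"
SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumed placeholder name for this example; replace with your own.
FED_SERVICE_NAME = "adfs.example.com"
# Default ADFS Federation Service identifier for that name.
EXPECTED_ENTITY_ID = f"http://{FED_SERVICE_NAME}/adfs/services/trust"


def classify_metadata_response(status, body, expected_entity_id):
    """Classify one probe response as (healthy, reason).

    Healthy only when the WAP relayed HTTP 200 from the backend and the body
    is a SAML EntityDescriptor whose entityID is the expected federation
    service. A WAP error page (backend unreachable), a redirect, or metadata
    from some other service all count as unhealthy.
    """
    if status != 200:
        return False, f"HTTP {status}"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"body is not XML: {exc}"
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        return False, f"unexpected root element {root.tag}"
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        return False, f"entityID {entity_id!r} is not {expected_entity_id!r}"
    return True, "backend ADFS answered with expected metadata"


def probe_wap(base_url, expected_entity_id, timeout=5.0):
    """Fetch the metadata through one WAP and classify the result.

    base_url is the published ADFS URL, e.g. https://adfs.example.com, with
    DNS (or a hosts-file entry) pointing at the specific WAP instance being
    probed. A connection, DNS or TLS failure is unhealthy as well.
    """
    req = urllib.request.Request(base_url.rstrip("/") + METADATA_PATH,
                                 headers={"User-Agent": "adfs-backend-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_metadata_response(resp.status, resp.read(),
                                              expected_entity_id)
    except urllib.error.HTTPError as exc:          # 4xx/5xx from WAP or ADFS
        return classify_metadata_response(exc.code, exc.read(), expected_entity_id)
    except (urllib.error.URLError, OSError) as exc:  # DNS, TCP, TLS failures
        return False, f"request failed: {exc}"


# Constructed sample responses for offline demonstration (not captured data).
SAMPLE_GOOD = (f'<EntityDescriptor xmlns="{SAML_MD_NS}" '
               f'entityID="{EXPECTED_ENTITY_ID}"><IDPSSODescriptor/>'
               '</EntityDescriptor>').encode()
SAMPLE_OTHER_SERVICE = (f'<EntityDescriptor xmlns="{SAML_MD_NS}" '
                        'entityID="http://sts.other.example/adfs/services/trust"/>'
                        ).encode()
SAMPLE_WAP_ERROR_PAGE = b"<html><body>Service Unavailable</body></html>"


def demo():
    """Run the classifier over the constructed samples; returns the results."""
    cases = {
        "backend healthy": (200, SAMPLE_GOOD),
        "wap up, backend down (503)": (503, SAMPLE_WAP_ERROR_PAGE),
        "wap returns html with 200": (200, SAMPLE_WAP_ERROR_PAGE),
        "metadata of another service": (200, SAMPLE_OTHER_SERVICE),
    }
    return {name: classify_metadata_response(st, body, EXPECTED_ENTITY_ID)
            for name, (st, body) in cases.items()}


if __name__ == "__main__":
    if len(sys.argv) == 2:   # live probe: python probe.py https://adfs.example.com
        healthy, reason = probe_wap(sys.argv[1], EXPECTED_ENTITY_ID)
        print(("HEALTHY" if healthy else "UNHEALTHY"), reason)
        sys.exit(0 if healthy else 2)
    for name, (healthy, reason) in demo().items():
        print(f"{name:30} -> {'healthy' if healthy else 'UNHEALTHY':10} ({reason})")
```

Run it without arguments to see the four constructed cases classified; run it with the published ADFS URL (resolved to one WAP) to probe that instance and get exit code 0 or 2, which is the shape a balancer-side or monitoring health check needs. The point of checking the entityID, rather than just for a 200, is that a WAP, a redirect, or a captive page can all return 200 without the federation service being usable.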