I’ve recently started doing lots of presentations on Azure thanks to the release of Azure via Open licensing. People wonder what the scenarios are where an SME would deploy machines in Azure and on premises. Here’s one I came up with this morning (an evolution of one I’d looked at before).
I was chatting with one of my colleagues about a scenario where a customer was looking at deploying ADFS to provide Office 365 authentication for a medium-sized multinational company. I wondered why they didn’t look at using Azure. Here’s what I came up with.
Note: I know SFA about ADFS. My searches make me believe that deploying a stretch ADFS cluster with a mirrored SQL backend is supported.
The company has two on-premises networks, one in Ireland and one in the USA. We’ll assume that there is some WAN connection between the two networks with a single AD domain. They have users in Ireland, the USA, and roaming. They want ADFS for single sign-on and they need it to be HA.
This is where companies normally think about deploying ADFS on-premises. Two issues here:
- You need local infrastructure: Not so bad if you have spare license and hardware capacity on your hosts, but that’s not a given in an SME.
- Your ISP becomes a risk: You will place ADFS on premises. Your office has a single Internet connection. A stray digger or ISP issue can put the entire business (not just that office) out of action because ADFS won’t be there for roaming/remote users to authenticate with O365.
So my original design was to stretch the network into Azure. Create a virtual network in an Azure region that is local to your Office 365 account (for example, an Irish O365 customer would deploy a virtual network in Azure Europe North). Create a site-to-site VPN network to connect the on-premises network to the Azure VNet. Then deploy an additional DC, in the same domain as on-premises, in the Azure VNet. And now you can create an ADFS cluster in that site. All good … but what about the above multi-national scenario? I want HA and DR.
Deploy an Azure VNet for the Ireland office (Azure Europe North) and one for the USA office (Azure USA East), and place virtual DCs in both. Connect both VNets using a VPN. And connect both on-premises networks to both VNets via site-to-site VPNs. Then create an ADFS stretch cluster (mirrored SQL cluster) that resides in both VNets. Now the company’s users (local, roaming and remote) have the ability to authenticate against O365 using ADFS if:
- Any or both local on-premises networks go offline
- Either Azure region goes offline
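To make the two failure claims concrete, here is an added example (not part of the original post) that models the topology just described as a graph of sites and links and enumerates which user populations can still reach a surviving ADFS site under each failure. Site names, link names and the ISP-outage scenario are constructed to mirror the design; the code touches no real network and models connectivity only, not the health of the DCs or the mirrored SQL backend.

```python
"""Reachability check for the two-region ADFS design described above.

Added example, not part of the original post. Site and link names are
constructed to mirror the design; nothing here talks to a real network.
"""
from itertools import combinations

# Sites: two offices, two Azure VNets (each hosting a DC and ADFS nodes),
# and the public Internet that roaming/remote users come from.
SITES = {"ie-office", "us-office", "azure-ne", "azure-ue", "internet"}
ADFS_SITES = {"azure-ne", "azure-ue"}

# Undirected links in the design.
WAN = frozenset({"ie-office", "us-office"})
LINKS = {
    WAN,                                      # corporate WAN between offices
    frozenset({"ie-office", "azure-ne"}),     # site-to-site VPNs, each office to each VNet
    frozenset({"ie-office", "azure-ue"}),
    frozenset({"us-office", "azure-ne"}),
    frozenset({"us-office", "azure-ue"}),
    frozenset({"azure-ne", "azure-ue"}),      # VNet-to-VNet VPN
    frozenset({"azure-ne", "internet"}),      # public ADFS endpoint per region
    frozenset({"azure-ue", "internet"}),
}

# An ISP outage at the Irish office (the "stray digger" case): every link
# that leaves the office over its Internet connection drops, the WAN stays.
IE_ISP_OUTAGE = {link for link in LINKS if "ie-office" in link and link != WAN}


def reachable(start, failed_sites=(), failed_links=()):
    """Sites reachable from `start` once the given sites and links are down."""
    failed_sites = set(failed_sites)
    if start in failed_sites:
        return set()
    live = [l for l in LINKS if l not in set(failed_links) and not (l & failed_sites)]
    seen, todo = {start}, [start]
    while todo:
        here = todo.pop()
        for link in live:
            if here in link:
                (other,) = link - {here}
                if other not in seen:
                    seen.add(other)
                    todo.append(other)
    return seen


def adfs_available(start, failed_sites=(), failed_links=()):
    """True if users at `start` can reach at least one surviving ADFS site."""
    survivors = ADFS_SITES - set(failed_sites)
    return bool(reachable(start, failed_sites, failed_links) & survivors)


def survivable_failures(max_failed=2):
    """For every combination of up to `max_failed` failed sites, list the
    user populations left without ADFS (the failed sites themselves excluded)."""
    report = {}
    candidates = sorted(SITES - {"internet"})
    for n in range(1, max_failed + 1):
        for failed in combinations(candidates, n):
            stranded = [s for s in sorted(SITES - set(failed))
                        if not adfs_available(s, failed)]
            report[failed] = stranded
    return report


if __name__ == "__main__":
    for failed, stranded in survivable_failures().items():
        print(f"{' + '.join(failed):<22} -> stranded: {stranded or 'none'}")
    ok = adfs_available("ie-office", failed_links=IE_ISP_OUTAGE)
    print("IE office during ISP outage:", "ADFS reachable via WAN" if ok else "ADFS unreachable")
```

Running it shows the two bullets hold (losing either or both offices, or either Azure region, strands nobody who is still online), shows the one double failure that does break authentication (both Azure regions at once), and shows that an office ISP outage is survivable because the office still reaches a VNet over the WAN and the other office's VPN.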
As I said, I am not an ADFS person, so I’ll be interested in hearing what those who know ADFS think of this potential solution.
3 thoughts on “ADFS Authentication Via Azure”
To create HA for ADFS hosted in Azure, you could leverage an Azure based load balancer like KEMP’s Virtual Load Master for Azure (VLM-Azure) in Azure as an IaaS VM. To minimize the impact of an Azure region failure, you could install another copy in a different region. VLM-Azure has built in Global Server Load Balancing (GSLB) functionality to help distribute the traffic across. Check out this VLM-Azure HA Guide for detailed set-up instructions http://j.mp/VLM-AzureHAGuide
What was your train of thought around load balancing the ADFS servers… Azure Traffic Manager?
Another point I’d make to anyone implementing this is to double check your VPN device is supported by Azure for Dynamic Routing, otherwise you are limited to a single S2S VPN from your VNet (http://msdn.microsoft.com/library/azure/jj156075.aspx).
Thanks folks. I’ve also heard from a consultant that has deployed this solution using A records with a very small TTL. It requires some manual effort to modify the A record, and there is a brief outage … but it’s brief … and cheap.
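The reply above describes repointing a short-TTL A record by hand. As an added example (not from the post, the consultant mentioned, or any of the commenters), the script below turns that into a repeatable decision: each pass probes every ADFS entry point over HTTPS, and the record is moved only after the current target has failed several probes in a row and another node is passing right now, so a single blip does not flap the record. The federation service name, node hostnames, addresses (TEST-NET ranges) and the probe results used in `main` are constructed; the metadata path is the one AD FS publishes, and the `nsupdate` output is standard dynamic-update syntax.

```python
"""Probe-driven choice of the short-TTL ADFS A record target.

Added example, not from the post or its comments. Hostnames, addresses and
the probe results used in main() are constructed; the metadata path is the
one AD FS publishes.
"""
import urllib.request

METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"
FEDERATION_FQDN = "sts.example.com"       # constructed federation service name
TTL_SECONDS = 60                          # the "very small TTL"
FAIL_THRESHOLD = 3                        # consecutive failed probes before moving

# Constructed: one ADFS entry point per Azure region, probed by its own name.
NODES = {
    "azure-ne": {"host": "adfs-ne.example.com", "ip": "203.0.113.10"},
    "azure-ue": {"host": "adfs-ue.example.com", "ip": "198.51.100.10"},
}
PREFERENCE = ("azure-ne", "azure-ue")     # region nearest the O365 tenant first


def probe_https(host, timeout=5):
    """Live probe: True if the node serves federation metadata over HTTPS.
    Any DNS, TLS or HTTP error counts as a failure."""
    url = f"https://{host}{METADATA_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and b"EntityDescriptor" in resp.read(65536)
    except Exception:
        return False


def update_failure_counts(counts, health):
    """Consecutive-failure counters: reset on a pass, increment on a fail."""
    return {site: 0 if ok else counts.get(site, 0) + 1 for site, ok in health.items()}


def choose_target(current, counts, threshold=FAIL_THRESHOLD, preference=PREFERENCE):
    """Site the A record should point at. Stay on `current` unless it has
    failed `threshold` probes in a row and another site is passing now; if
    nothing is passing, stay put rather than chase another failing node."""
    if counts.get(current, 0) < threshold:
        return current
    for site in preference:
        if site != current and counts.get(site, 0) == 0:
            return site
    return current


def render_nsupdate(site, fqdn=FEDERATION_FQDN, ttl=TTL_SECONDS):
    """nsupdate script that repoints the A record at `site`'s address."""
    ip = NODES[site]["ip"]
    return "\n".join([f"update delete {fqdn} A",
                      f"update add {fqdn} {ttl} A {ip}",
                      "send"])


def run_cycle(current, counts, probe=probe_https):
    """One monitoring pass: probe every node, update counters, pick the target.
    Returns (new_target, new_counts, nsupdate_script_or_None)."""
    health = {site: probe(node["host"]) for site, node in NODES.items()}
    counts = update_failure_counts(counts, health)
    target = choose_target(current, counts)
    script = render_nsupdate(target) if target != current else None
    return target, counts, script


if __name__ == "__main__":
    # Constructed probe results standing in for the live check: the north
    # Europe node is down for the whole run, east US stays healthy.
    fake_probe = lambda host: host == NODES["azure-ue"]["host"]
    current, counts = "azure-ne", {}
    for cycle in range(1, 5):
        current, counts, script = run_cycle(current, counts, probe=fake_probe)
        print(f"cycle {cycle}: counts={counts} target={current}")
        if script:
            print(script)
```

The outage window is bounded by the TTL plus the probe interval times the failure threshold, which is the trade-off to tune: a lower threshold fails over faster but is more likely to move the record on a transient error. Feeding the rendered script to `nsupdate` (with a TSIG key) is the one step left outside the block, since it depends on who hosts the zone.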