How to achieve high availability in ADFS across Azure and On Prem Data centre

Brunsky 1 Reputation point
2019-12-05T10:36:07.02+00:00

I am currently looking for a solution to achieve high availability for ADFS between a disaster recovery site in Azure and our core data centre on premise.

The ADFS is currently configured with split brain DNS so the internal users do not go through the WAP servers and go direct to the ADFS servers. I need to maintain this separation but in the event of a failure to my core site, i need the users to be redirected to Azure.

I am looking at Azure traffic manager to carry out the task, however, as the internal ADFS servers are not publicly accessible my understanding is that the probes will not work.

Has anybody got an experience with this scenario. Assistance would be greatly appreciated

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,101 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Lukas Beran 176 Reputation points
    2019-12-05T19:19:06.327+00:00

    I am not sure about your network design/architecture, but we do it with our customers like this. They have one/multiple onprem ADFS and WAP servers. And they have site-to-site (ExpressRoute) connectivity to Azure VNET, so the Azure VNET appears as their internal network. So they also have one/multiple ADFS and WAP servers in Azure. And in front of their ADFS and WAP servers they have Azure Traffic Managers (one in front of ADFS servers, one in front of WAP servers) that are used to monitor the health of the endpoints and provide automatic failover when an endpoint goes down.

    Hope it helps.

    1 person found this answer helpful.
    0 comments No comments

  2. KAREDD-MSFT 406 Reputation points Microsoft Employee
    2019-12-05T12:29:23.123+00:00

    @Brunsky You are correct. Azure traffic manager will not work in this scenario.

    AFAIK, this has to be done manually. None of the Azure services available currently support this requirement. You can use the default ADFS probe to check the status continuously and trigger a script that updates the DNS towards your Azure site.

    0 comments No comments