Forum Discussion

db_Vanir's avatar
db_Vanir
Copper Contributor
Sep 26, 2022

Using Azure as a failover solution for ADFS server on prem

We want to set up ADFS on Azure as a failover solution. We want to keep our on-premise ADFS server in place, and rely on the Azure ADFS only as a backup if we were to have a failure with our on-prem server. We are trying to come up with an architecture where if our on-premise ADFS server goes down, the Azure environment (also running ADFS) would automatically kick in.

 

How can we set this up so that it would automatically fail over from the on-premise environment to the Azure environment? Is it possible to have two instances of ADFS running at the same time? One on premise and the other one on Azure?

 

We were looking at the diagram in the link below, and wanted to know if it'd possible to tell the Traffic Manager to route all the traffic to our internal ADFS, and if our on premise ADFS were to go down then tell it to redirect traffic to the load balancers hosted on the Azure environment.

 

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/active-directory-adfs-in-azure-with-azure-traffic-manager

 

In short, what I want is to be able to "flip a switch" and point traffic to the Azure environment if our on-premise ADFS server were to become unavailable. What is the best solution to accomplish this? 

  • KurtBMayer's avatar
    KurtBMayer
    Steel Contributor

    db_Vanir 

     

    In this scenario, the ADFS farm would span both on-prem and in-cloud. Nodes would be added to the farm as secondary. You'd also need to ensure SQL has high availability to keep the farm resilient.

     

    While Traffic Manager can send to the cloud or to a private datacenter, it uses DNS to perform resolution. So, you'd need to use CNAMEs with priority set to favor the datacenter versus the cloud. Traffic Manager does Round Robin by default.

     

    Reference: Azure Traffic Manager - How to use on-premises endpoints 

     

    Using a public IP behind a Load Balancer which performs probes against the back-end servers both on-prem and in-cloud may be preferable, so it responds to network conditions without intervention.

     

    The other way to go about this would be to just have the public IP set to point on-premises, and if the IT team determines there's an outage, someone must manually go in and update the CNAME to point to Azure instead. That wouldn't provide real-time failover, but if it's documented as the procedure it'd also work to "flip the switch".

     

    While you could have two ADFS instances if you wanted to, the problem would be keeping them in 100% sync. You'd need a firm change control process to ensure that anytime Farm A is edited, the same change is made on Farm B. Hence, this approach wouldn't be ideal and likely isn't viable from a maintenance perspective.

     

    Please like or mark this thread as answered if it's helpful, thanks!

Resources