Database Availability Groups and Windows Azure
Published Aug 07 2013 08:16 AM 16.1K Views

Update 8/13/15: Since publication of this blog post, there have been change in our Azure support statement related to Exchange Server. Please see KB 2721672 and Using an Azure VM as a DAG Witness Server for more information.

At TechEd North America 2013, we announced that we had begun testing and validation of a new configuration for a database availability group (DAG) that would enable automatic site resilience when two datacenters were used in concert with a witness server that was deployed in a Windows Azure IaaS environment.

During the validation phase of our testing, it became clear that the Windows Azure infrastructure did not support the necessary underlying network components to allow us to configure a supported solution. As a result, we are not yet able to support the use of Azure for a DAG’s witness server.

Background Information

The goal was to derive a supported configuration for Azure subscribers that already had at least two datacenters of their own.  Two of the on-premises datacenters would house the Exchange DAG members, and the witness server would be deployed as an Azure file server VM, which would be located in a third datacenter (the Azure cloud).

In order to configure a DAG and its witness across three datacenters, you must meet the following requirements:

  • You need two well-connected datacenters, in which Exchange is deployed
  • You need a third location that is connected via the network to the other two datacenters
  • The third location needs to be isolated from network failures that affect the other two datacenters

Unfortunately, Azure does not provide the necessary infrastructure to provide us with a third location with the appropriate network connectivity.

Azure Networks

Today, Azure provides support for two types of networks:

  1. A single site-to-site VPN – a network that connects two locations
  2. One or more point-to-site VPNs – a network that connects a single VPN client to a location

To have a server deployed in Azure act as a witness server for the DAG, you would require two site-to-site VPN connections (one connecting each Exchange datacenter to the Azure infrastructure). This is not possible today, as Azure supports only a single site-to-site VPN connection per Azure network. Without a second site-to-site VPN connection for the other datacenter, only one datacenter can have persistent network connectivity with the Azure servers.

A point-to-site VPN cannot be used in the second datacenter for a variety of reasons:

  • A point-to-site connection is designed to be a client VPN connection that connects a single host to the Azure cloud service
  • Point-to-site VPN connections have timeouts and will automatically disconnect after a certain period of time
  • Point-to-site VPN connections do not automatically reconnect and require administrative intervention

Witness Server Placement Considerations

The placement of a DAG’s witness server will depend on your business requirements and the options available to your organization. Exchange 2013 includes support for new DAG configuration options that are not recommended or not possible in previous versions of Exchange. These options include using a third location, such as a third datacenter or a branch office.

The following table lists general witness server placement recommendations for different deployment scenarios.

Deployment Scenario Recommendation
Single DAG deployed in a single datacenter Locate witness server in the same datacenter as DAG members
Single DAG deployed across two datacenters; no additional locations available Locate witness server in primary datacenter
Multiple DAGs deployed in a single datacenter Locate witness server in the same datacenter as DAG members. Additional options include:
  • Using the same witness server for multiple DAGs
  • Using a DAG member to act as a witness server for a different DAG
Multiple DAGs deployed across two datacenters Locate witness server in the same datacenter as DAG members. Additional options include:
  • Using the same witness server for multiple DAGs
  • Using a DAG member to act as a witness server for a different DAG
Single or Multiple DAGs deployed across more than two datacenters In this configuration, the witness server should be located in the datacenter where you want the majority of quorum votes to exist.

When a DAG has been deployed across two datacenters, a new configuration option in Exchange 2013 is to use a third location for hosting the witness server. If your organization has a third location with a network infrastructure that is isolated from network failures that affect the two datacenters in which your DAG is deployed, then you can deploy the DAG’s witness server in that third location, thereby configuring your DAG with the ability automatically failover databases to the other datacenter in response to a datacenter-level failure event.

For more information on the witness server and witness server placement, see Managing Database Availability Groups.

Moving Forward From Here

Unfortunately, without the required networking infrastructure in the Azure service, a DAG cannot be deployed on-premises using a witness server in the Azure cloud.  The Exchange Product Group has made a formal feature request from the Azure team for multiple site-to-site VPN support. If that feature is introduced by the Azure team, then testing and validation of the Azure witness will reconvene with the hope of producing a supportable solution. In the meantime, Azure is not supported for use as a DAG witness.


Scott Schnoll

Version history
Last update:
‎Jul 01 2019 04:14 PM
Updated by: