How to achieve high availability in ADFS across Azure and On Prem Data centre

Question

I am currently looking for a solution to achieve high availability for ADFS between a disaster recovery site in Azure and our core data centre on premise.

The ADFS is currently configured with split brain DNS so the internal users do not go through the WAP servers and go direct to the ADFS servers. I need to maintain this separation but in the event of a failure to my core site, i need the users to be redirected to Azure.

I am looking at Azure traffic manager to carry out the task, however, as the internal ADFS servers are not publicly accessible my understanding is that the probes will not work.

Has anybody got an experience with this scenario. Assistance would be greatly appreciated

Answer 1

I am not sure about your network design/architecture, but we do it with our customers like this. They have one/multiple onprem ADFS and WAP servers. And they have site-to-site (ExpressRoute) connectivity to Azure VNET, so the Azure VNET appears as their internal network. So they also have one/multiple ADFS and WAP servers in Azure. And in front of their ADFS and WAP servers they have Azure Traffic Managers (one in front of ADFS servers, one in front of WAP servers) that are used to monitor the health of the endpoints and provide automatic failover when an endpoint goes down.

Hope it helps.

Answer 2

@Brunsky You are correct. Azure traffic manager will not work in this scenario.

AFAIK, this has to be done manually. None of the Azure services available currently support this requirement. You can use the default ADFS probe to check the status continuously and trigger a script that updates the DNS towards your Azure site.