Deploy ADFS Infrastructure In Azure

One of the most common scenarios that customers ask to learn about is the deployment of an ADFS infrastructure in Azure. There are a number of benefits to deploying this infrastructure in Azure, including the ability to offload incoming traffic to an Azure endpoint, a highly available solution that is protected from DDoS attacks, and the ability to quickly scale up workloads if necessary, while providing a load-balanced and highly available solution.

There are a number of ways to implement an Azure ADFS solution, including a hybrid environment where you keep some infrastructure on-premises and some in the cloud, or moving the entire infrastructure to Azure to take advantage of the Azure platform's security and protection from DDoS attacks.

In the following series of videos, we take you through the entire deployment of an all-in-Azure solution for ADFS. This includes the deployment of storage, networking, virtual machines, load balancers, and network security groups. It is important to note that you will want to evaluate the best options for your organization in terms of sizing, storage type, and security, but this demo provides significant insight into all of these topics. Also note that we don't go through the actual configuration of ADFS; rather, we assume that customers want to know how to apply their existing knowledge of ADFS and its supporting infrastructure to an Azure solution.

If you want to learn about these concepts without exposing any surface to the Internet, you can simply skip the external load balancer and its external-facing IP configuration.

Let's get started with an introduction video that highlights the entire infrastructure that will be deployed.  At the end of this post, you'll find the scripts and tools used to deploy this solution.

https://www.youtube.com/playlist?list=PLA-g-NaN7Xajuj5vJit5rUy-Gj0aI6o8h

https://www.youtube.com/watch?v=49ltqYPS46Y

https://www.youtube.com/watch?v=5OIBVexJnMw

https://www.youtube.com/watch?v=KIbhJVTs5Ig

https://www.youtube.com/watch?v=W0n1Ccm0px8

https://www.youtube.com/watch?v=mG-Na3zJAMk

https://www.youtube.com/watch?v=NY4duPaP6S8
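The DC and WAP scripts further down this post look up a resource group, two storage accounts, two availability sets and a virtual network with "Production" and "DMZ" subnets that are assumed to exist already. The following script is an added example (it is not one of the post's own scripts) that creates those prerequisites with the same names the post uses and binds a network security group to each subnet, so that only HTTPS reaches the WAP servers from the Internet and only HTTPS crosses from the DMZ into the internal tier. The address plan (172.16.0.0/16 with 172.16.1.0/24 and 172.16.2.0/24), the NSG and rule names, and the use of the AzureRm module's parameter names are assumptions chosen to fit the DC's 172.16.1.5 address in the post.

```powershell
# Added example, not from the original post: prerequisites for the DC/WAP scripts plus
# least-privilege NSGs. Names marked "assumed" are not in the post; the others match it.

$RGName   = "ADFSDeployment"
$Location = "West US 2"

New-AzureRmResourceGroup -Name $RGName -Location $Location

# VHD storage and a separate boot-diagnostics account (both names from the post)
New-AzureRmStorageAccount -ResourceGroupName $RGName -Name "adfsedu01"      -Location $Location -SkuName Standard_LRS -Kind Storage
New-AzureRmStorageAccount -ResourceGroupName $RGName -Name "edudiagnostics" -Location $Location -SkuName Standard_LRS -Kind Storage

# One availability set per tier so a single fault or update domain never holds both nodes of a tier
New-AzureRmAvailabilitySet -ResourceGroupName $RGName -Name "AVSet-DC"  -Location $Location
New-AzureRmAvailabilitySet -ResourceGroupName $RGName -Name "AVSet-WAP" -Location $Location

# Assumed address plan: VNet 172.16.0.0/16, Production 172.16.1.0/24 (holds the DC at 172.16.1.5), DMZ 172.16.2.0/24
$ProdPrefix = "172.16.1.0/24"
$DmzPrefix  = "172.16.2.0/24"

# DMZ NSG (name assumed): only HTTPS may come in from the Internet to the WAP servers.
# Everything else from the Internet falls through to the built-in DenyAllInBound rule.
$DmzAllowHttps = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTPS-From-Internet" -Description "Published ADFS endpoint via WAP" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix $DmzPrefix -DestinationPortRange 443
$DmzNsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Location $Location -Name "NSG-DMZ" -SecurityRules $DmzAllowHttps

# Production NSG (name assumed): the built-in AllowVnetInBound rule would let the DMZ reach every
# port on the internal tier, so allow only 443 from the DMZ (WAP -> ADFS) and deny the rest.
# If the VNet's DNS servers are pointed at the DC, add a matching rule for TCP/UDP 53 to 172.16.1.5.
$ProdAllowWap = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTPS-From-DMZ" -Description "WAP to ADFS" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $DmzPrefix -SourcePortRange * -DestinationAddressPrefix $ProdPrefix -DestinationPortRange 443
$ProdDenyDmz = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Other-From-DMZ" -Description "Block everything else from the DMZ" `
    -Access Deny -Protocol * -Direction Inbound -Priority 200 `
    -SourceAddressPrefix $DmzPrefix -SourcePortRange * -DestinationAddressPrefix $ProdPrefix -DestinationPortRange *
$ProdNsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Location $Location -Name "NSG-Production" -SecurityRules $ProdAllowWap, $ProdDenyDmz

# Virtual network with the two subnets the post's scripts reference, each bound to its NSG
$ProdSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name "Production" -AddressPrefix $ProdPrefix -NetworkSecurityGroup $ProdNsg
$DmzSubnet  = New-AzureRmVirtualNetworkSubnetConfig -Name "DMZ"        -AddressPrefix $DmzPrefix  -NetworkSecurityGroup $DmzNsg
New-AzureRmVirtualNetwork -Name "EDUNets" -ResourceGroupName $RGName -Location $Location -AddressPrefix "172.16.0.0/16" -Subnet $ProdSubnet, $DmzSubnet

# Review the rule set before any VM lands in the subnets
Get-AzureRmNetworkSecurityGroup -Name "NSG-Production" -ResourceGroupName $RGName |
    Select-Object -ExpandProperty SecurityRules |
    Format-Table Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

Run this once, before the DC and WAP scripts, in the same subscription. The deny rule on the Production subnet is what turns the DMZ into a real boundary: without it, a compromised WAP server would have the same reach into the internal tier as any other VM in the virtual network.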

PowerShell Script Used For DC Deployments:

#Login to Azure and select the subscription in which the objects will be created
Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "Provide Your Subscription ID Here"

$Cred = Get-Credential #Must be complex - contains uppercase, lowercase, numeric, AND special characters

$VMName = "EDUDC01"
$RGName = "ADFSDeployment"
$Location = "West US 2"
$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $RGName -Name "adfsedu01"
$OSDiskName = $VMName + "_OSDisk" #Name of the VHD to be created
$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $OSDiskName + ".vhd" #Full path of the VHD to be created
$AVSet = Get-AzureRmAvailabilitySet -ResourceGroupName $RGName -Name "AVSet-DC"

#If using an Azure image
Get-AzureRmVMImage -Location $Location -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" #Use to list current versions
$Publisher = "MicrosoftWindowsServer"
$Offer = "WindowsServer"
$Sku = "2012-R2-Datacenter"
$Version = "4.0.20160812" #Update with the current version from the listing above

#If using the Hybrid Use Benefit and bringing your own image
$URIOfUploadedImage = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "images/2012R2.vhd" #Location of the template VHD

#Networking setup
$Vnet = Get-AzureRmVirtualNetwork -Name "EDUNets" -ResourceGroupName $RGName
$SubnetProduction = Get-AzureRmVirtualNetworkSubnetConfig -Name "Production" -VirtualNetwork $Vnet
$NIC = New-AzureRmNetworkInterface -ResourceGroupName $RGName -Name "vNIC-$VMName-Prod" -Subnet $SubnetProduction -Location $Location -PrivateIpAddress 172.16.1.5

#Define VM configuration (the trailing pipes continue the pipeline on the next line)
$VMConfig = New-AzureRmVMConfig -VMName $VMName -VMSize "Standard_DS2_V2" -AvailabilitySetId $AVSet.Id |
    Set-AzureRmVMOperatingSystem -Windows -ComputerName $VMName -Credential $Cred -ProvisionVMAgent -EnableAutoUpdate |
    Set-AzureRmVMSourceImage -PublisherName $Publisher -Offer $Offer -Skus $Sku -Version $Version |
    Set-AzureRmVMOSDisk -Name $OSDiskName -VhdUri $OSDiskUri -CreateOption FromImage -Caching ReadOnly | #To bring your own image, add '-SourceImageUri $URIOfUploadedImage -Windows' here and omit Set-AzureRmVMSourceImage
    Add-AzureRmVMNetworkInterface -Id $NIC.Id -Primary |
    Set-AzureRmVMBootDiagnostics -Enable -ResourceGroupName $RGName -StorageAccountName "edudiagnostics"

#Create VM
New-AzureRmVM -ResourceGroupName $RGName -Location $Location -VM $VMConfig


PowerShell Script & JSON Template Used For WAP Server Deployments:

Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "Your Subscription Here"

$RGName = "ADFSDeployment"

New-AzureRmResourceGroupDeployment -Name ADFSWAPServer -ResourceGroupName $RGName -TemplateUri 'Location of JSON File Below'

 ------Begin JSON----

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "metadata": { "description": "Name for the VM" }
    },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_DS2_V2"
    },
    "adminUsername": {
      "type": "string",
      "metadata": { "description": "User name for the VM" }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": { "description": "Password for the VM" }
    },
    "windowsOSVersion": {
      "type": "string",
      "defaultValue": "2012-R2-Datacenter",
      "allowedValues": [
        "2008-R2-SP1",
        "2012-Datacenter",
        "2012-R2-Datacenter"
      ]
    },
    "storageAccountName": {
      "type": "string",
      "defaultValue": "adfsedu01"
    },
    "diagStorageAccountName": {
      "type": "string",
      "defaultValue": "edudiagnostics"
    },
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "EDUNets"
    },
    "subnetName": {
      "type": "string",
      "defaultValue": "DMZ"
    },
    "avSetName": {
      "type": "string",
      "defaultValue": "AVSet-WAP"
    }
  },
  "variables": {
    "apiVersion": "2015-06-15",
    "location": "[resourceGroup().location]",
    "imagePublisher": "MicrosoftWindowsServer",
    "imageOffer": "WindowsServer",
    "OSDiskName": "[concat(parameters('vmName'),'-OSDisk')]",
    "nicName": "[concat('vNic-',parameters('vmName'),'-',parameters('subnetName'))]",
    "storageAccountType": "Standard_LRS",
    "vmStorageAccountContainerName": "vhds",
    "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',parameters('virtualNetworkName'))]",
    "subnetRef": "[concat(variables('vnetID'),'/subnets/',parameters('subnetName'))]"
  },
  "resources": [
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[variables('nicName')]",
      "location": "[variables('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "[variables('subnetRef')]"
              }
            }
          }
        ]
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Compute/virtualMachines",
      "name": "[parameters('vmName')]",
      "location": "[variables('location')]",
      "dependsOn": [ "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]" ],
      "properties": {
        "availabilitySet": {
          "id": "[resourceId('Microsoft.Compute/availabilitySets', parameters('avSetName'))]"
        },
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "[variables('imagePublisher')]",
            "offer": "[variables('imageOffer')]",
            "sku": "[parameters('windowsOSVersion')]",
            "version": "latest"
          },
          "osDisk": {
            "name": "osdisk",
            "vhd": {
              "uri": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'),'/',variables('OSDiskName'),'.vhd')]"
            },
            "caching": "ReadWrite",
            "createOption": "FromImage"
          }
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[concat('https://',parameters('diagStorageAccountName'),'.blob.core.windows.net')]"
          }
        }
      }
    }
  ]
}
------End JSON----
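The template above builds one WAP server per deployment and has three parameters without defaults (vmName, adminUsername, adminPassword), so the bare New-AzureRmResourceGroupDeployment call in the WAP script will prompt for them interactively. The following added example (not part of the original post) deploys two WAP servers from the same template, passes the parameters explicitly with the password as a SecureString, validates each deployment before creating anything, and then checks that the resulting NICs sit in the DMZ subnet without a public IP of their own. The local template path .\wap.json and the VM names EDUWAP01/EDUWAP02 are assumptions.

```powershell
# Added example, not from the original post. Assumes the JSON template above is saved as
# .\wap.json and the subscription has already been selected with Select-AzureRmSubscription.

$RGName       = "ADFSDeployment"
$TemplateFile = ".\wap.json"   # assumed local path of the template

# Local administrator for the WAP servers. The password stays a SecureString end to end, so it
# is not written to the shell history or echoed in the deployment's parameter listing.
$WapAdmin = Get-Credential -Message "Local administrator for the WAP servers (must be complex)"

foreach ($WapName in "EDUWAP01", "EDUWAP02") {   # assumed VM names
    $Params = @{
        vmName        = $WapName
        adminUsername = $WapAdmin.UserName
        adminPassword = $WapAdmin.Password      # SecureString, matching the template's securestring type
        # vmSize, windowsOSVersion, storage accounts, virtualNetworkName, subnetName (DMZ) and
        # avSetName (AVSet-WAP) are left at the template defaults
    }

    # Validate first: a wrong avSetName/subnetName or an unsupported windowsOSVersion is reported
    # here instead of half-way through a deployment. No output means validation passed.
    $Problems = Test-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $TemplateFile -TemplateParameterObject $Params
    if ($Problems) {
        $Problems | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Code, $_.Message) }
        throw "Template validation failed for $WapName"
    }

    New-AzureRmResourceGroupDeployment -Name "ADFSWAPServer-$WapName" -ResourceGroupName $RGName `
        -TemplateFile $TemplateFile -TemplateParameterObject $Params -Mode Incremental -Verbose
}

# The template names each NIC vNic-<vmName>-<subnetName>. Confirm both landed in the DMZ and
# carry no public IP: inbound traffic should only arrive via the external load balancer's front end.
Get-AzureRmNetworkInterface -ResourceGroupName $RGName |
    Where-Object { $_.Name -like "vNic-EDUWAP*" } |
    ForEach-Object {
        $cfg = $_.IpConfigurations[0]
        [pscustomobject]@{
            Nic      = $_.Name
            Subnet   = ($cfg.Subnet.Id -split "/")[-1]
            PublicIp = if ($cfg.PublicIpAddress) { "YES - review" } else { "none" }
        }
    }
```

Using -Mode Incremental keeps the DC, storage and network resources already in the resource group untouched; a Complete-mode deployment of this single-VM template would remove them. Re-running the loop with the same names is safe, since the template only ever references the NIC and VM by name.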