Deploy ADFS Infrastructure In Azure


One of the most common scenarios that customers ask to learn about is the deployment of an ADFS infrastructure in Azure. There are a number of benefits to deploying this infrastructure in Azure, including the ability to offload incoming traffic to an Azure endpoint, providing a highly available solution that is protected from DDoS attacks, and being able to quickly scale up workloads if necessary, while keeping the solution load balanced and highly available.

There are a number of ways to implement an Azure ADFS solution, including deploying a hybrid environment where you maintain some infrastructure on premises and some in the cloud, or moving the entire infrastructure to Azure to take advantage of the Azure platform security and protection from DDoS attacks.

In the following series of videos, we take you through the entire deployment of an all-in-Azure solution for ADFS. This includes the deployment of storage, networking, virtual machines, load balancers, and network security groups. It is important to note that you will want to evaluate the best options for your organization in terms of sizing, storage type, and security, but this demo provides significant insight into all of these topics. Also note that we don't go through the actual configuration of ADFS itself, but rather assume that customers want to know how to apply their existing knowledge of ADFS and its supporting infrastructure to an Azure solution.

If you want to learn about these concepts without exposing any surface to the Internet, you can simply skip the external load balancer and its Internet-facing public IP; everything else in the deployment stays reachable only from inside the virtual network.

Let's get started with an introduction video that highlights the entire infrastructure that will be deployed. At the end of this post, you'll find the scripts and tools used to deploy this solution.

PowerShell Script Used For DC Deployments:

# Log in to Azure and select the subscription in which the objects will be created
Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "Provide Your Subscription ID Here"

$Cred = Get-Credential   # Must be complex: contains uppercase, lowercase, numeric AND special characters
$VMName = "EDUDC01"
$RGName = "ADFSDeployment"
$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $RGName -Name "adfsedu01"
$OSDiskName = $VMName + "_OSDisk"   # Name of the 'to be' created VHD
$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $OSDiskName + ".vhd"   # Full name and path of the new VHD
$AVSet = Get-AzureRmAvailabilitySet -ResourceGroupName $RGName -Name "AVSet-DC"
$Location = "West US 2"

# If using an Azure Marketplace image
Get-AzureRmVMImage -Location "West US 2" -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus "2012-R2-Datacenter"   # Use to list current versions
$Publisher = "MicrosoftWindowsServer"
$Offer = "WindowsServer"
$Sku = "2012-R2-Datacenter"
$Version = "4.0.20160812"   # Update with the current version

# If using the Hybrid Use Benefit and bringing your own image
$URIOfUploadedImage = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "images/2012R2.vhd"   # Location of the template VHD

# Networking setup
$Vnet = Get-AzureRmVirtualNetwork -Name "EDUNets" -ResourceGroupName $RGName
$SubnetProduction = Get-AzureRmVirtualNetworkSubnetConfig -Name "Production" -VirtualNetwork $Vnet
$NIC = New-AzureRmNetworkInterface -ResourceGroupName $RGName -Name "vNIC-$VMName-Prod" -Subnet $SubnetProduction -Location $Location -PrivateIpAddress 172.16.1.5

# Define VM configuration
# To bring your own image, add '-SourceImageUri $URIOfUploadedImage' to Set-AzureRmVMOSDisk
$VMConfig = New-AzureRmVMConfig -VMName $VMName -VMSize "Standard_DS2_V2" -AvailabilitySetId $AVSet.Id |
    Set-AzureRmVMOperatingSystem -Windows -ComputerName $VMName -Credential $Cred -ProvisionVMAgent -EnableAutoUpdate |
    Set-AzureRmVMSourceImage -PublisherName $Publisher -Offer $Offer -Skus $Sku -Version $Version |
    Set-AzureRmVMOSDisk -Name "$VMName-OSDISK" -VhdUri $OSDiskUri -CreateOption FromImage -Caching ReadOnly |
    Add-AzureRmVMNetworkInterface -Id $NIC.Id -Primary |
    Set-AzureRmVMBootDiagnostics -Enable -ResourceGroupName $RGName -StorageAccountName "edudiagnostics"

# Create VM
New-AzureRmVM -ResourceGroupName $RGName -Location $Location -VM $VMConfig
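The post mentions network security groups as part of the deployment but does not show them. The following is an added example (not code from the original post) that locks down the DMZ subnet where the WAP servers live: only HTTPS from the Internet may reach the DMZ, and from the DMZ only HTTPS to the Production subnet and DNS to the domain controller are allowed. The subnet prefixes (172.16.2.0/24 for DMZ, 172.16.1.0/24 for Production) and the NSG name "NSG-DMZ" are assumptions; the DC address 172.16.1.5 and the network names come from the script above.

```powershell
# Added example: restrict traffic into and out of the DMZ subnet with an NSG.
# Assumed values (not stated in the post): DMZ = 172.16.2.0/24, Production = 172.16.1.0/24, NSG name "NSG-DMZ".
$RGName     = "ADFSDeployment"
$Location   = "West US 2"
$DmzPrefix  = "172.16.2.0/24"   # assumed
$ProdPrefix = "172.16.1.0/24"   # assumed (contains the DC at 172.16.1.5)
$DcAddress  = "172.16.1.5"

$rules = @(
    # Inbound from the Internet: HTTPS to the WAP servers only (RDP and everything else stays closed)
    New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTPS-In" -Description "HTTPS from Internet to WAP" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix Internet -SourcePortRange "*" `
        -DestinationAddressPrefix $DmzPrefix -DestinationPortRange 443

    # Outbound: WAP proxies to the ADFS farm over HTTPS only
    New-AzureRmNetworkSecurityRuleConfig -Name "Allow-ADFS-Out" -Description "WAP to ADFS on 443" `
        -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
        -SourceAddressPrefix $DmzPrefix -SourcePortRange "*" `
        -DestinationAddressPrefix $ProdPrefix -DestinationPortRange 443

    # Outbound: WAP must resolve the federation service name, so allow DNS to the DC (TCP and UDP)
    New-AzureRmNetworkSecurityRuleConfig -Name "Allow-DNS-Out" -Description "WAP to DC DNS" `
        -Access Allow -Protocol "*" -Direction Outbound -Priority 110 `
        -SourceAddressPrefix $DmzPrefix -SourcePortRange "*" `
        -DestinationAddressPrefix $DcAddress -DestinationPortRange 53

    # Outbound: block any other DMZ -> Production traffic (overrides the default AllowVnetOutBound rule at 65000).
    # WAP is not domain-joined, so no SMB/LDAP/Kerberos from the DMZ is needed.
    New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Prod-Out" -Description "Block other DMZ to Production traffic" `
        -Access Deny -Protocol "*" -Direction Outbound -Priority 200 `
        -SourceAddressPrefix $DmzPrefix -SourcePortRange "*" `
        -DestinationAddressPrefix $ProdPrefix -DestinationPortRange "*"
)

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Location $Location -Name "NSG-DMZ" -SecurityRules $rules

# Attach the NSG to the DMZ subnet of the existing virtual network and save the change
$Vnet = Get-AzureRmVirtualNetwork -Name "EDUNets" -ResourceGroupName $RGName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $Vnet -Name "DMZ" -AddressPrefix $DmzPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $Vnet | Out-Null

# Review what was applied; the lowest priority number wins within each direction
Get-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Name "NSG-DMZ" |
    Get-AzureRmNetworkSecurityRuleConfig |
    Format-Table Name, Direction, Priority, Access, Protocol, DestinationAddressPrefix, DestinationPortRange
```

The inbound side relies on the default DenyAllInBound rule (priority 65500) for everything not explicitly allowed; the outbound deny at priority 200 is needed because the default AllowVnetOutBound rule would otherwise let the DMZ reach every port in the Production subnet. If the external load balancer from the post is used, the default AllowAzureLoadBalancerInBound rule already permits its health probes.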


PowerShell Script & JSON Template Used For WAP Server Deployments:

# Log in to Azure and select the subscription for the deployment
Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionId "Your Subscription Here"

$RGName = "ADFSDeployment"

# Deploy the WAP server from the JSON template below (host the file on a reachable URI first)
New-AzureRmResourceGroupDeployment -Name "ADFSWAPServer" -ResourceGroupName $RGName -TemplateUri 'Location of JSON File Below'

---- Begin JSON ----

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "metadata": { "description": "Name for the VM" }
    },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_DS2_V2"
    },
    "adminUsername": {
      "type": "string",
      "metadata": { "description": "User name for the VM" }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": { "description": "Password for the VM" }
    },
    "windowsOSVersion": {
      "type": "string",
      "defaultValue": "2012-R2-Datacenter",
      "allowedValues": [
        "2008-R2-SP1",
        "2012-Datacenter",
        "2012-R2-Datacenter"
      ]
    },
    "storageAccountName": {
      "type": "string",
      "defaultValue": "adfsedu01"
    },
    "diagStorageAccountName": {
      "type": "string",
      "defaultValue": "edudiagnostics"
    },
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "EDUNets"
    },
    "subnetName": {
      "type": "string",
      "defaultValue": "DMZ"
    },
    "avSetName": {
      "type": "string",
      "defaultValue": "AVSet-WAP"
    }
  },
  "variables": {
    "apiVersion": "2015-06-15",
    "location": "[resourceGroup().location]",
    "imagePublisher": "MicrosoftWindowsServer",
    "imageOffer": "WindowsServer",
    "OSDiskName": "[concat(parameters('vmName'),'-OSDisk')]",
    "nicName": "[concat('vNic-',parameters('vmName'),'-',parameters('subnetName'))]",
    "storageAccountType": "Standard_LRS",
    "vmStorageAccountContainerName": "vhds",
    "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',parameters('virtualNetworkName'))]",
    "subnetRef": "[concat(variables('vnetID'),'/subnets/',parameters('subnetName'))]"
  },
  "resources": [
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[variables('nicName')]",
      "location": "[variables('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "[variables('subnetRef')]"
              }
            }
          }
        ]
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Compute/virtualMachines",
      "name": "[parameters('vmName')]",
      "location": "[variables('location')]",
      "dependsOn": [ "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]" ],
      "properties": {
        "availabilitySet": {
          "id": "[resourceId('Microsoft.Compute/availabilitySets', parameters('avSetName'))]"
        },
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "[variables('imagePublisher')]",
            "offer": "[variables('imageOffer')]",
            "sku": "[parameters('windowsOSVersion')]",
            "version": "latest"
          },
          "osDisk": {
            "name": "osdisk",
            "vhd": {
              "uri": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'),'/',variables('OSDiskName'),'.vhd')]"
            },
            "caching": "ReadWrite",
            "createOption": "FromImage"
          }
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[concat('https://',parameters('diagStorageAccountName'),'.blob.core.windows.net')]"
          }
        }
      }
    }
  ]
}

---- End JSON ----
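The template declares adminPassword as a securestring, so the deployment command should never carry the password as plain text. The following is an added example (not part of the original post) that validates the template before deploying it and passes the parameters, including the credential from Get-Credential, as an object. The local template path C:\Templates\wap.json and the VM name EDUWAP01 are assumptions; the resource group, subnet and availability set names come from the template above.

```powershell
# Added example: validate, then deploy the WAP template with a SecureString password.
# Assumed values: template saved locally as C:\Templates\wap.json, VM name EDUWAP01.
$RGName       = "ADFSDeployment"
$TemplateFile = "C:\Templates\wap.json"   # assumed path

# Prompt once; $Cred.Password is already a SecureString, which matches the "securestring" parameter type
$Cred = Get-Credential -Message "Local administrator account for the WAP server"

$params = @{
    vmName        = "EDUWAP01"        # assumed name
    adminUsername = $Cred.UserName
    adminPassword = $Cred.Password    # never a plain-text string
    subnetName    = "DMZ"
    avSetName     = "AVSet-WAP"
}

# Validation returns one error object per problem and deploys nothing; an empty result means the template is acceptable
$validation = Test-AzureRmResourceGroupDeployment -ResourceGroupName $RGName `
    -TemplateFile $TemplateFile -TemplateParameterObject $params
if ($validation) {
    $validation | ForEach-Object { Write-Warning ("Template validation: {0} - {1}" -f $_.Code, $_.Message) }
    return
}

# Incremental mode adds the NIC and VM without touching the other resources already in the group
$deployment = New-AzureRmResourceGroupDeployment -Name "ADFSWAPServer" -ResourceGroupName $RGName `
    -TemplateFile $TemplateFile -TemplateParameterObject $params -Mode Incremental

# Confirm the outcome and record the private address the DMZ NIC received
$deployment.ProvisioningState
Get-AzureRmNetworkInterface -ResourceGroupName $RGName -Name "vNic-EDUWAP01-DMZ" |
    Select-Object -ExpandProperty IpConfigurations |
    Select-Object Name, PrivateIpAddress
```

The NIC name follows the template's own nicName variable (vNic-<vmName>-<subnetName>). Because the password reaches Azure only inside the deployment's securestring parameter, it is not echoed in the PowerShell history or in the deployment's recorded parameters.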
