Even though you can't use Microsoft Azure virtual machines to host Exchange servers, you could use Azure VMs to extend and improve a hybrid Exchange deployment. Doing so will likely increase the availability of the services you run in Azure. The reasoning behind this is simple: It's difficult to match the level of service Microsoft offers with its data centers.
A hybrid setup involves much more than Exchange. For instance, there's the mandatory DirSync server. It doesn't need to be highly available, and you could cohost it on virtually any other server (including a domain controller), but it's a critical component.
There's typically also Active Directory Federation Services (AD FS). This isn't a mandatory component, because you can also run a hybrid Exchange environment with Password Sync. But most organizations choose to deploy AD FS. Choosing AD FS will make it a critical part of your environment, so if your AD FS servers become unavailable, your end users won't be able to sign in and access Office 365-based services.
Full Windows Azure deployment
Using Azure VMs to host DirSync or AD FS workloads opens up two new scenarios, in addition to a traditional full on-premises deployment:
- All services in Azure;
- Some services on-premises, others in Azure (a hybrid deployment).
In a full Azure deployment, you would run both DirSync and AD FS in Azure. The VPN between Azure and your on-premises environment ensures that servers can communicate with necessary support services such as Active Directory. In light of the availability requirements, you might also want to install a domain controller in Azure. This removes the criticality from the VPN connection and allows the Azure-based services to continue working -- even if the VPN is down briefly.
The load-balanced Virtual IP Address feature in Azure allows you to create a pool of AD FS servers or AD FS server proxies, just like you would on-premises (Figure 1).
'Hybrid' Azure VM deployments
In a so-called "hybrid" deployment, you divide the workload cross-premises. This can be useful if you want to spread the load or if you just want to use Azure as a disaster recovery (DR) scenario in case things "go south" on-premises. Theoretically, you could load-balance the workloads across Azure and your on-premises environment, but that introduces some other challenges. If you really want to do that, you could have your internal end users point to your on-premises AD FS servers and all external (public) traffic to your Azure AD FS servers.
You can choose to run all services in Azure without necessarily deploying part of the on-premises infrastructure. This means you'll just have to use a VPN tunnel (preferably a redundant one) to ensure connectivity between Azure and your on-premises network.
Steps to deploy Azure VMs
Deploying Azure VMs is pretty simple. Configuring AD FS or DirSync is no different from how you would configure them on-premises. After all, Azure would be nothing more than an extension of your on-premises deployment -- an additional site, if you will.
Here are some recommendations for deploying Azure VMs:
- Deploy your AD FS farm using the Windows Internal Database.
- Avoid splitting workloads across Azure and an on-premises environment. If you want to install a hybrid topology, go for an active/passive or DR scenario.
- Always deploy a domain controller in Azure; this limits the traffic that goes over the WAN link and removes the single point of failure from the VPN connection.
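As an added worked example (not from the original article) of two of the points above, the load-balanced VIP for the AD FS pool and an AD FS farm on the Windows Internal Database, the following PowerShell assumes the classic (Service Management) Azure module, Windows Server 2012 R2 AD FS, and made-up names: cloud service contoso-adfs, VMs ADFS01/ADFS02, federation service sts.contoso.com and service account CONTOSO\svc_adfs.

```powershell
# Assumed (not from the article): cloud service 'contoso-adfs', VMs ADFS01/ADFS02,
# federation service name sts.contoso.com, service account CONTOSO\svc_adfs,
# classic Azure PowerShell module and Windows Server 2012 R2 AD FS.

# --- 1. Azure: put both AD FS VMs behind one load-balanced endpoint ------------
# Endpoints that share an LBSetName get one public VIP; Azure only forwards to
# nodes whose TCP probe on 443 answers, so a failed node drops out of the pool.
foreach ($vm in 'ADFS01', 'ADFS02') {
    Get-AzureVM -ServiceName 'contoso-adfs' -Name $vm |
        Add-AzureEndpoint -Name 'HTTPS' -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName 'ADFS-LB' -ProbeProtocol tcp -ProbePort 443 |
        Update-AzureVM
}

# --- 2. First node (run on ADFS01): create the farm on the Windows Internal DB --
# Leaving out -SQLConnectionString makes Install-AdfsFarm use WID, as the
# article recommends. The SSL certificate must already be in the machine store.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$cred  = Get-Credential -UserName 'CONTOSO\svc_adfs' -Message 'AD FS service account'
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like '*sts.contoso.com*' } |
          Select-Object -First 1).Thumbprint
Install-AdfsFarm -CertificateThumbprint $thumb `
                 -FederationServiceName 'sts.contoso.com' `
                 -ServiceAccountCredential $cred

# --- 3. Second node (run on ADFS02, after repeating the $cred/$thumb lines) ----
# Joining the farm pulls the configuration from the primary over WID replication;
# no shared SQL Server is needed, which keeps the Azure footprint small.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -CertificateThumbprint $thumb `
                 -PrimaryComputerName 'ADFS01' `
                 -ServiceAccountCredential $cred

# --- 4. Check on ADFS02: Role should be SecondaryComputer, LastSyncStatus 0 ----
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus
```

The TCP probe only proves the port answers; if you later front the farm with proxies, give the load balancer an HTTP probe against a page the federation service actually serves.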
Azure VMs are getting better as Microsoft continues to improve the service. The company recently added the ability to create multiple site-to-site VPNs, effectively removing the single point of failure that once existed there.
About the author:
Michael Van Horenbeeck is a technology consultant, Microsoft Certified Trainer and Exchange MVP from Belgium, mainly working with Exchange Server, Office 365, Active Directory and a bit of Lync. He has been active in the industry for 12 years and is a frequent blogger, a member of the Belgian Unified Communications User Group Pro-Exchange and a regular contributor to The UC Architects podcast.