Hi!
For a customer's account we have set up ADFS on Azure VMs. The setup is pretty similar to an on-prem solution, but we have a few questions.
Let me start by describing our current situation:
2 ADFS Proxies, with a load-balanced endpoint on port 443.
2 ADFS servers, in the same cloud service (if this is the correct term; they have the same VIP anyway)
2 Domain Controllers, different VIPs
1 DirSync server, using its own VIP.
VPN connection to the on-prem environment.
All of these are placed on the same internal network since, from what we have found out, we can't create a DMZ network without being dependent on the VPN.
We have no ADFS servers on-prem.
To the questions:
How do we load balance the internal ADFS servers and maintain the fault tolerance without exposing them to the internet? At the moment these servers have no endpoint and thus we are forced to use the internal IP address of one of the servers to have the federation working. In a normal on-prem environment this would be achieved with an NLB cluster, but that is not supported in Azure. Is there a best practice document somewhere for running the ADFS service on Azure VMs?
How should we secure the servers since they are on the same network? I was thinking we would use the firewall on the individual machines (controlled via GPO) to set firewall rules to only allow HTTPS traffic between the proxies and the other VMs. We will also remove all RDP and PowerShell endpoints from all VMs to minimize the exposure to the Internet. Do we need to do anything else?
Any other advice for running an entire ADFS farm in Windows Azure VMs?
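One way to express the host-firewall plan from the second question, as an added example that is not part of the original post or of any vendor guidance: the proxy addresses, the management subnet and the GPO name are placeholders, and the commands assume Windows Server 2012 or later (the NetSecurity module). It also adds an audit function that flags any inbound allow rule on the sensitive ports whose remote scope is still "Any", which is the check a practitioner would want after the GPO has applied.

```powershell
# Added example (not from the original post). Placeholders: proxy VMs 10.0.1.10/.11,
# management subnet 10.0.9.0/24 reached over the VPN. Run locally on one ADFS server first;
# add -PolicyStore 'contoso.local\ADFS Firewall' (placeholder GPO) to each New-NetFirewallRule
# call to write the same rules into the GPO instead of the local policy.
$ProxyAddresses = @('10.0.1.10', '10.0.1.11')   # the two ADFS proxy VMs (assumed)
$ManagementNet  = '10.0.9.0/24'                  # admin subnet behind the VPN (assumed)

# 1. Management access first, so the session used to apply this is not cut off by step 3.
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $ManagementNet -Action Allow
New-NetFirewallRule -DisplayName 'WinRM from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 5985,5986 -RemoteAddress $ManagementNet -Action Allow

# 2. Federation traffic: HTTPS inbound only from the proxies, on every profile.
New-NetFirewallRule -DisplayName 'ADFS HTTPS from proxies only' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -RemoteAddress $ProxyAddresses -Action Allow -Profile Any

# 3. Default-deny inbound on all profiles; outbound stays open so the ADFS servers can
#    still reach the domain controllers (inbound rules on the DCs themselves are not shown).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 4. Audit: enabled inbound Allow rules on the sensitive ports that are still open to Any.
function Find-OverlyBroadRule {
    $sensitivePorts = @('443', '3389', '5985', '5986')
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule       = $_
        $localPorts = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $remote     = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $hits       = $localPorts | Where-Object { $sensitivePorts -contains $_ }
        if ($hits -and ($remote -contains 'Any')) {
            [pscustomobject]@{
                Name          = $rule.DisplayName
                LocalPorts    = ($localPorts -join ',')
                RemoteAddress = ($remote -join ',')
            }
        }
    }
}

# Anything listed here is a rule the GPO should tighten or disable.
Find-OverlyBroadRule | Format-Table -AutoSize
```

The audit only inspects rules that match on explicit port numbers; a rule written with `-LocalPort Any` or with a program/service scope is reported by neither branch and has to be reviewed by hand.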