Jump to content

PS in HA in Azure (multi region)


Guest Matt

Recommended Posts

Hi

We are going to pull the trigger on PS and plan on running it as IaaS in Azure. We are purchasing the HA option as we plan to have an active/active setup.

 

Some questions.

 

Region 1: Web server and SQL server.

Region 2: Web server and SQL server

 

Plan to use availability groups and front them through an Azure load balancer. Preference is to use synchronous replication for data integrity.

 

Questions

    Is this possible? How do I connect the two SQL instances, is it just using network security groups and specifying the appropriate ports?

    Can I use synchronous replication with SQL in Azure IaaS. Should I consider Azure SQL, does PS even support it?

 

I'd rather not use an active/passive setup as PS documentation states that uses SQL transactional replication, and I have better experience with AoG and would prefer to use it.

Thanks in advance

Also posted in r/sysadmin

Link to comment
Share on other sites

Hi Matt,

 

Thanks for your post, and I'll try and provide some guidance - we do not have much in the way of experience with Azure, but hopefully between your knowledge of Azure, and ours of Passwordstate, we can get your questions answered.


Passwordstate can connect to any version of SQL Server (2012 an above), and it really doesn't care what database replication technology is used. With On-Premise solutions, you can use Transnational Replication, High Availability Groups, Clustering etc. Within the web.config file, you will see the "database connection string" - it is this configuration which governs which SQL Server it can connect to.

 

We've done limited testing with Azure SQL, and it seems to work fine - we can have Passwordstate pointed to one Azure SQL DB, and it seems to failover without any issues. So I do not believe this would be an issue for you.


When you install the second node of Passwordstate, we recommend setting the PassiveNode key in the web.config file to "active", and then both Nodes of Passwordstate can have write access to the DB's - changing this key simply means the second Node will not duplicate processing with the Passwordstate Windows Service i.e. sending emails, synchronising AD Security Groups, performing Password Resets, etc.

 

I hope this helps, and please let me know if you have any further questions about this.

Regards

Click Studios 
 

 

Link to comment
Share on other sites

  • 4 weeks later...

Hi

 

As a follow up, I now have a design idea to work to from help here

 

The plan is to have two web servers in one region with an Azure SQL instance, with a third web server connected to a second Azure SQL instance in another region.  SQL will use geo-location (AlwaysOn) and asynchronous replication to keep them consistent.  Region 1 will have a load balancer and then both regions will be managed by Traffic Manager for failover.  Couple of questions

 

1) What licence is appropriate for this setup, Enterprise with an HA licence or do I need a Global licence because I have 3 IaaS servers running + HA?

2) How do I configure the web config files to support this setup?

3) Is there any specific load balancer configuration that needs to be done so the web servers will accept the traffic?

 

Thanks

 

Matt

Link to comment
Share on other sites

Hi Matt,

 

Thanks very the further detail, and I will provide some feedback below for each bullet point:

  • If you want Unlimited users, then the Global option would be the best option in terms of cost. If you only require 20 users, as an example, then you would require the High Availability module, plus 2 copies of 20 CALs
  • You would need to modify the database connection string to point to the correct instance of SQL Azure, as well as to ensure the GUID, Secret1 and Secret2 values are the same. We can't really tell you at this stage what database connection string settings you would require, but Microsoft should provide guidance for this when you setup Azure SQL
  • Sorry, but we do not have any experience with Azure Load Balancers - again, Microsoft should have some documentation to help you with this. We know that with other load balancers like F5 BigIP, you have to have a common DNS entry which points to the load balancers, and the load balancers offload traffic to different URLs as appropriate. The BigIP Load Balancers also need to be configured for SSL Offloading as well, so there are no conflicts with SSL certificates

We hope this helps a little.

Regards

Click Studios

Link to comment
Share on other sites

Hi Matt,

 

Maybe the following two articles will help:

 

https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover

https://www.sqlhammer.com/how-to-configure-sql-server-2012-alwayson-part-7-of-7/

 

If you are not using a SQL Account for connectivity in the web.config file, then there is additional work required in configuring Passwordstate. In our installation guide, you can look at the section 14 "MSA Account" for further instructions - https://www.clickstudios.com.au/downloads/version8/Installation_Instructions.pdf

 

Regards

Click Studios

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...