Update V-net connectivity explanation for AD FS #8090
Clarified the V-net to V-net connectivity requirements for AD FS deployment, specifying the communication method between federation servers and WAP servers - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#communication-between-federation-servers
@tom-maher : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Learn Build status updates of commit ddbc11e: ✅ Validation status: passed
For more details, please refer to the build report.
Pull Request Overview
This PR updates the documentation for AD FS deployment in Azure to clarify V-net to V-net connectivity requirements. The change replaces the previous statement that no connectivity between virtual networks is needed with specific communication requirements for federation servers and WAP servers.
- Clarified communication requirements between federation servers and WAP servers
- Specified HTTP port 80 usage for configuration synchronization
- Updated guidance on V-net connectivity for AD FS deployments
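The overview above reduces the change to one operational fact: farm members and WAP servers synchronize configuration over HTTP port 80. The PowerShell script below is an added example, not part of this PR or the Microsoft documentation it edits; run on each WAP server and federation server, it probes TCP 80 to every other federation server in the farm so that a missing cross-region path shows up before the farm is put into service. The hostnames are constructed placeholders, and the farm list is typed in by hand rather than read from AD FS.

```powershell
# Added example (not part of this PR or the documentation it edits).
# Run on each WAP server and on each federation server. It probes TCP 80, the
# port the updated bullet names for configuration synchronization, to every
# other federation server in the farm. Hostnames are constructed placeholders.
$federationServers = @(
    'adfs01.eastus.contoso.example',   # farm node in region 1
    'adfs02.westeu.contoso.example'    # farm node in region 2
)
$syncPort = 80

function Test-AdfsSyncReachability {
    param(
        [Parameter(Mandatory)][string[]]$FarmNodes,
        [int]$Port = 80
    )
    $localHost = [System.Net.Dns]::GetHostName()
    foreach ($node in $FarmNodes) {
        # Skip the node we are running on; a loopback probe says nothing about V-net paths.
        if ($node -eq $localHost -or $node -like "$localHost.*") { continue }

        # Test-NetConnection (NetTCPIP module) attempts a TCP handshake on -Port and
        # reports the outcome in TcpTestSucceeded. -WarningAction suppresses its
        # "TCP connect failed" noise; the try/catch covers a name that does not resolve.
        try {
            $probe = Test-NetConnection -ComputerName $node -Port $Port -WarningAction SilentlyContinue
        } catch {
            $probe = $null
        }

        [pscustomobject]@{
            Source           = $localHost
            Target           = $node
            Port             = $Port
            RemoteAddress    = if ($probe) { $probe.RemoteAddress } else { $null }
            TcpTestSucceeded = [bool]($probe -and $probe.TcpTestSucceeded)
        }
    }
}

$results = Test-AdfsSyncReachability -FarmNodes $federationServers -Port $syncPort
$results | Format-Table -AutoSize

# Any failed probe is a farm member that cannot reach a peer for configuration
# synchronization; when name resolution works, the usual causes are a missing
# V-net to V-net path or a rule that blocks TCP 80 between the two networks.
$unreachable = @($results | Where-Object { -not $_.TcpTestSucceeded })
if ($unreachable.Count -gt 0) {
    Write-Warning ("{0} federation server(s) unreachable on TCP {1}: {2}" -f `
        $unreachable.Count, $syncPort, ($unreachable.Target -join ', '))
}
```

A successful probe proves only that the TCP path exists; it does not show that the farm is actually synchronizing. Running the script from a WAP server in one region against a federation server in the other is the direct test of whether the cross-region connectivity this PR discusses is in place.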
* **DNS Labels for public IP addresses:** Azure Traffic Manager can refer to endpoints ONLY via DNS labels. Therefore, you are required to create DNS labels for the External Load Balancers' public IP addresses. | ||
* **Azure Traffic Manager:** Microsoft Azure Traffic Manager allows you to control the distribution of user traffic to your service endpoints running in different datacenters around the world. Azure Traffic Manager works at the DNS level. It uses DNS responses to direct end-user traffic to globally-distributed endpoints. Clients then connect to those endpoints directly. With different routing options of Performance, Weighted and Priority, you can easily choose the routing option best suited for your organization's needs. | ||
* **V-net to V-net connectivity between two regions:** You do not need to have connectivity between the virtual networks itself. Since each virtual network has access to domain controllers and has AD FS and WAP server in itself, they can work without any connectivity between the virtual networks in different regions. | ||
* **V-net to V-net connectivity between two regions:** Federation servers on an AD FS farm communicate with other servers in the farm and the Web Application Proxy (WAP) servers via HTTP port 80 for configuration synchronization. |
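Review bot: the added bullet drops the answer to the question its own heading poses. The removed line stated that no V-net to V-net connectivity is required because each region holds its own domain controllers, federation servers and WAP server; the replacement only says that farm members talk to each other and to WAP over HTTP port 80, so a reader cannot tell whether that traffic has to cross the boundary between the two virtual networks or stays inside each region. State the requirement explicitly, for example: "Federation servers and WAP servers synchronize configuration over HTTP port 80. If a farm member in one region must reach a federation server in the other, allow TCP 80 between the two virtual networks; a region that hosts a complete farm of its own does not need that path." The heading, which still reads "V-net to V-net connectivity between two regions", should then match the answer the bullet gives.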
Copilot (AI), Oct 10, 2025:
The updated explanation is incomplete and potentially misleading. It only mentions HTTP port 80 but doesn't address whether V-net to V-net connectivity is actually required or not, which was the key point of the original text. Consider clarifying whether connectivity between virtual networks is needed and under what circumstances.
* **V-net to V-net connectivity between two regions:** Federation servers on an AD FS farm communicate with other servers in the farm and the Web Application Proxy (WAP) servers via HTTP port 80 for configuration synchronization. | |
* **V-net to V-net connectivity between two regions:** V-net to V-net connectivity may be required if your AD FS farm spans multiple regions and federation servers or Web Application Proxy (WAP) servers in different regions need to communicate for configuration synchronization (typically via HTTP port 80). If each region is deployed as a fully self-contained environment with its own domain controllers and AD FS farm, V-net to V-net connectivity may not be necessary. Carefully assess your deployment topology to determine whether cross-region connectivity is needed for your scenario. |
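Review bot: the suggested replacement hedges in both directions ("may be required", "may not be necessary") and ends by telling the reader to assess their own topology, which is no more actionable than the line it replaces. It also weakens the one concrete fact in the original, turning "via HTTP port 80" into "typically via HTTP port 80" although no other port appears anywhere in the change. Collapse it into a single rule: connectivity between the virtual networks is required exactly when a federation server or WAP server in one region must reach a federation server in the other for configuration synchronization, and that traffic is HTTP port 80; when each region runs a self-contained farm with its own domain controllers, as the removed line described, it is not.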
@robinharwood, @Xelu86 #label:"aq-pr-triaged"