Hello I was wondering if someone could provide their experience or knowledge in load balancing an ADFS farm with one ADFS server on-premise and two ADFS servers in Azure as members. We would be load balancing across two different subnets. Can this be done? For ADFS servers in Azure, would it be best to use the Azure load balancer VIP as a member or add each ADFS server individually to form the F5 VIP? We were thinking of using the F5 iApp template for MS ADFS. And most importantly our plan is to have the onprem ADFS server handle traffic requests, and if down forward the traffic to the Azure ADFS servers. Any issues doing so? Anything else to watch out for?
Pool members don't need to be in the same subnet, so that is not a problem.
So, yes can be done.
There is no need to use Azure load balancer, as F5 will handle that.
You can use priority groups, your single on-premise server will be the high priority group, if down, the system will activate the second group that has both Azure servers.
You just need to make sure F5 knows how to talk with the Azure servers, probably a VPN between you DC to Azure, and the traffic returns via the F5.
For traffic to return, you can use SNAT.
The speed of accessing the DC server will be faster than accessing the Azure servers, but I guess you know that.
In relation to the iApp, you can use without problems, as it will not care about where is the IP located.
However, not sure if the iApp will give you the option to use priority groups, so you can change that after (disable strict updates in the iApp) or setup without iApp.
Some useful links for your case:
Thanks Leonardo. Your response is exactly what I was looking for. I also checked and the iApp (https://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf) has the ability to use priority groups via advanced. Thanks again. I greatly appreciate it. I'll reach out if anything else. -josh