ADFS on Azure Virtual Machines (part 2)

Now that we have our VPN between Azure and our on-premises environment up and running (see part 1), we can move forward with creating the needed virtual machines to support our solution. (Links to other articles in the series are in the conclusion.)

Azure Virtual Machines, Affinity Groups, and Availability Sets

Affinity Groups and Virtual Networks

Azure allows us to use Affinity Groups to ensure that our services reside within the same data center cluster. This improves performance by eliminating the latency of inter-cluster communication and can also reduce cost, since calls to cache and local storage stay within the cluster. Since all of our Virtual Machines will be on one Virtual Network, and since a given Virtual Network can be associated with only one Affinity Group, all of our Virtual Machines will be in the same Affinity Group.

Availability Sets

Availability Sets help to protect nodes (Virtual Machines in our case) from single points of failure. Availability Sets use both Fault Domains and Update Domains to accomplish this. When we add two Virtual Machines to an Availability Set, they will be placed into two different Fault Domains. That placement ensures that the machines will run on separate racks of physical server hosts and that they will use separate network switches. Sharing an Availability Set will also place the Virtual Machines into separate Update Domains. This placement ensures that maintenance/updates to the underlying host clusters will be performed at different times. Thus, by adding our nodes to an Availability Set, they should not go down at the same time, whether for hardware failure or for scheduled maintenance. Running multiple nodes protected by an Availability Set in a service is required to qualify for Azure's SLA.

Creating the Virtual Machines and Availability Sets

For this solution, we will be creating 4 Virtual Machines. Two of the Virtual Machines will run ADFS Proxy, and two of the Virtual Machines will run ADFS and ADDS. (Note that the recommendation for production deployment is not to run ADDS and ADFS on the same machine, because ADFS requires IIS, which is not recommended on ADDS servers. We are choosing to do that here because we will be locking down access to ADFS pretty tightly and because we are attempting to keep costs low. If our load were higher, or if we were overly concerned about ADDS and ADFS coexistence (I am not, but YMMV), we could simply deploy 6 virtual machines instead of 3.)

ADFS01 (First ADFS/ADDS Server)

  1. In the Azure Management Portal, click New > Compute > Virtual Machine > From Gallery
  2. Choose Windows Server 2012 Datacenter, then click the next arrow
  3. Choose the latest version release date available (should be default); enter a virtual machine name (can be the same as your intended machine name but does not have to be--we will use ADFS01 for the guide); choose Extra Small for the size; and enter your desired credentials, then click the next arrow
  4. Virtual Machine Mode
    • The wording for Virtual Machine Mode is a little confusing. Although we don't want this Virtual Machine to be a stand-alone machine, we have to choose that option for the first virtual machine since there is no existing Virtual Machine to which we can connect yet.
    • The DNS Name requested in this step will be the cloud service that will be created for the Availability Set. This name has to be unique within the namespace, so something like ContosoADFS will likely suffice.
    • For our first Virtual Machine, we have no option for Storage Account other than "Use an automatically generated storage account."
    • Choose the Virtual Network we created in Step 1 and the appropriate subnet, then click the next arrow.
  5. Choose to create an availability set and name it appropriately (e.g. ADFS). Be sure to check "Enable PowerShell Remoting", then click the finish checkmark.

ADFS02 (Second ADFS/ADDS Server)

Note: You may have to wait a few minutes for ADFS01 to be provisioned before you can start with ADFS02. Otherwise, you won't be able to select the existing virtual machine in step 4. You may want to skip this section and move on to creating ADFSP01 while you wait.

  1. Follow ADFS01 step 1
  2. Follow ADFS01 step 2
  3. Follow ADFS01 step 3
  4. Choose "Connect to an existing Virtual Machine" and choose the cloud service we created in ADFS01 step 4; choose the storage account that was automatically created for ADFS01; then click the next arrow.
  5. Choose the Availability Set we created for ADFS01, check "Enable PowerShell Remoting", then click the finish checkmark

ADFSP01 (First ADFS Proxy)

  1. Follow ADFS01 step 1
  2. Follow ADFS01 step 2
  3. Follow ADFS01 step 3
  4. Follow ADFS01 step 4, but choose a proxy-specific cloud service name (like ContosoADFSProxy), and choose the storage account that was automatically created for ADFS01
  5. Follow ADFS01 step 5, but choose a proxy-specific Availability Set name (like ADFSProxy)

ADFSP02 (Second ADFS Proxy)

Follow instructions for ADFS02, but replace references to ADFS01 with ADFSP01.
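The same four-machine build, scripted with the classic (Azure Service Management) PowerShell cmdlets that correspond to the portal of that era. This is an added example, not a script from the article; the Affinity Group, Virtual Network, subnet and storage account names are assumptions to replace with the values from part 1, and the password is prompted for rather than stored in the script.

```powershell
# Added example: the guide's four VMs built with the classic Azure PowerShell module.
Import-Module Azure
$affinityGroup  = 'ContosoAG'       # assumed: Affinity Group the VNet lives in (part 1)
$vnetName       = 'ContosoVNet'     # assumed: Virtual Network from part 1
$subnet         = 'ADFS-Subnet'     # assumed: subnet chosen in step 4
$storageAccount = 'contosoadfsstore' # assumed: storage account in the same Affinity Group
$adminUser      = 'adfsadmin'
$adminPass      = Read-Host -Prompt 'Local administrator password'

# OS disks are created in the subscription's current storage account.
Set-AzureSubscription -SubscriptionName (Get-AzureSubscription -Current).SubscriptionName `
                      -CurrentStorageAccountName $storageAccount

# Step 3: latest Windows Server 2012 Datacenter image by publish date.
$image = Get-AzureVMImage |
         Where-Object { $_.ImageFamily -eq 'Windows Server 2012 Datacenter' } |
         Sort-Object PublishedDate -Descending | Select-Object -First 1 -ExpandProperty ImageName

function New-AdfsLabVm {
    param(
        [string]$Name, [string]$ServiceName, [string]$AvailabilitySet,
        [switch]$FirstInService   # first VM of a service = portal's "stand-alone" mode
    )
    # Steps 3 and 5: Extra Small size, Availability Set membership, subnet placement.
    # Add-AzureProvisioningConfig -Windows enables WinRM over HTTPS by default, which is
    # the "Enable PowerShell Remoting" checkbox; leave it on HTTPS (no -EnableWinRMHttp).
    $vm = New-AzureVMConfig -Name $Name -InstanceSize ExtraSmall -ImageName $image `
                            -AvailabilitySetName $AvailabilitySet |
          Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPass |
          Set-AzureSubnet -SubnetNames $subnet
    if ($FirstInService) {
        # Step 4 (first VM): create the cloud service inside the Affinity Group and VNet.
        New-AzureVM -ServiceName $ServiceName -AffinityGroup $affinityGroup -VNetName $vnetName -VMs $vm
    } else {
        # Step 4 (later VMs): "Connect to an existing Virtual Machine" = reuse that service.
        New-AzureVM -ServiceName $ServiceName -VMs $vm
    }
}

New-AdfsLabVm -Name 'ADFS01'  -ServiceName 'ContosoADFS'      -AvailabilitySet 'ADFS'      -FirstInService
New-AdfsLabVm -Name 'ADFS02'  -ServiceName 'ContosoADFS'      -AvailabilitySet 'ADFS'
New-AdfsLabVm -Name 'ADFSP01' -ServiceName 'ContosoADFSProxy' -AvailabilitySet 'ADFSProxy' -FirstInService
New-AdfsLabVm -Name 'ADFSP02' -ServiceName 'ContosoADFSProxy' -AvailabilitySet 'ADFSProxy'

# Check: each pair shares one Availability Set, so the SLA requirement is met.
'ContosoADFS', 'ContosoADFSProxy' | ForEach-Object {
    Get-AzureVM -ServiceName $_ | Select-Object ServiceName, Name, AvailabilitySetName
}
```

Because New-AzureVM returns only after the service exists, the provisioning wait described in the ADFS02 note does not apply when the machines are created this way.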


Once you understand the purposes of Affinity Groups, Virtual Networks, and Availability Sets, creating highly available Virtual Machines on Azure is fairly straightforward. Next, we'll begin configuring the Virtual Machines we've just created to perform the workloads for which we created them. Here's a quick review of where we've been and where we're going.
