将Active Directory联合身份验证服务（AD FS）扩展到Azure [英] Extend Active Directory Federation Services (AD FS) to Azure

问题描述

嗨！

我正在阅读 在文档中将Active Directory联合身份验证服务（AD FS）扩展到Azure

Im reading Extend Active Directory Federation Services (AD FS) to Azure at docs

我们是关于扩展ADDS / ADFS。

We're about to extend ADDS/ADFS.

我知道当我使用3个子网关于segmentation / nsg时，我获得了更多的机会，但我也获得了更多的管理。 

I know i get more opportunities when i use 3 subnets regarding segmentation/nsg, but i also get more administration. 

如果我使用一个子网用于WAP，一个子网用于ADFS / ADDS 而不是3个子网，如infraservices网络onprem。 

if i use one subnet for WAP and one subnet for ADFS / ADDS  instead of 3 subnets, like a infraservices network onprem. 

我错过了什么？ 

Am i missing something ? 

最好的问候

推荐答案

Hello  Kjell
权力， 

是的，您可以使用两个子网。想法是将WAP保持在不同的子网中，将ADFS和ADDS保持在不同的子网中，在我们内部部署的DMZ网络结构中隔离WAP。但是，在Azure中，我们建议始终配置NSG /
NSG规则以保护您的网络。你对增加管理和管理是对的。因此，如果您不需要具有多个服务器的大型环境来处理具有数千个用户的请求，则基于服务器角色的这种分段
网络可能不是最佳选择。所以你肯定可以使用2个子网，它应该是绝对正常的。只需确保您有适当的NSG规则和与天蓝网络/子网相关联的NSG。 

Yes you can use two subnets . The Idea is to keep WAP in a different subnet and ADFS and ADDS in different subnet segregating WAP within a DMZ like network structure that we have on-premise. However while in Azure we would recommend to always configure NSG/ NSG rules in order to protect your network. And you are right about increased management and administration . hence if you do not have need for large environment with multiple servers servicing requests with several thousand users , this kind of segmentation of network based on server roles may not be the best idea. So you can surely go with 2 subnets and it should be absolutely alright . Just make sure you have proper NSG rules and the NSG associated with the azure networks/subnets. 

希望此信息有所帮助。 

Hope this information helps. 

这篇关于将Active Directory联合身份验证服务（AD FS）扩展到Azure的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！