Article discussing the merits of deploying Active Directory in the cloud for Single Sign-On (SSO) scenarios for your infrastructure
Content / Solution:
When deploying an application, generally speaking, the more complex it is, the more infrastructure components it needs to support the services it offers. For end users managing a handful of servers, LDAP-based login sources generally don't come into the picture. Once you regularly manage more than that, say hundreds of servers, LDAP services become much more relevant to the conversation. One such technology in use today is Microsoft's implementation, Active Directory. Among other things, it allows granular access levels to be granted to users, based on their role, for a server or group of servers.
If this is the case, then why isn't it used as a standard best practice? Well, it is usually more complex than you think to make it all work. For simplicity's sake, deployments generally fall into one of two categories:
- A net new build where there is no existing infrastructure to account for
- Existing infrastructure that has to be either extended into the cloud, or kept as a separate directory source that is still somehow tied into both the cloud and made "externally accessible"
For the first option, a standard Microsoft build can be done, and there is plenty of documentation out there to help you plan and implement it. With the second option, however, there are many more items to consider. A few of these concerns are highlighted below:
- Where is the infrastructure located that's outside of the cloud?
- How will traffic be sent over to ensure both locations are in sync?
- How fast are updates sent over? Where do they originate from?
- Who has access to add, modify or delete objects in Active Directory?
- What about security on the objects? Do they need to be locked down or deployed in a separate zone that isn't accessible to the Internet?
This is just a small list, but overall it underscores the need to think through how Active Directory gets implemented and what actually needs to access it, whether that is an end user, an application or something else. For those who do think it through, extending Active Directory to the cloud, or vice versa to some site outside it, is just like spinning up a new office or data center location.
Don't think it can be done? Try it out in the cloud. Each cloud location is joined by a VPN tunnel and, via the appropriate firewall ACLs, can talk back and forth with the others for synchronization, redundancy, or disaster recovery scenarios. Give it a try!
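Several of the questions on that list (how often updates travel between sites, whether the cloud site is actually in sync, and who can add, modify or delete objects) can be answered from the directory itself rather than by guessing. The read-only audit script below is an added example written for this article, not code from the original page; it assumes the ActiveDirectory PowerShell module is installed and that the site name in `$CloudSiteName` and the OU distinguished name in `$ServerOU` are placeholders you replace with your own values.

```powershell
# Added example: read-only audit of a forest that spans an on-premises site and a
# cloud site. Assumptions: the ActiveDirectory module is installed and the
# account running this can read the directory. The two values below are
# placeholders (assumptions), not values from the article.
Import-Module ActiveDirectory

$CloudSiteName = 'CloudSite'                       # placeholder: AD site your cloud DCs live in
$ServerOU      = 'OU=Servers,DC=example,DC=local'  # placeholder: OU whose delegation you want to review

# 1. Where do updates travel, and how fast? Site links show which sites
#    replicate with each other, the link cost, and the scheduled inter-site
#    replication interval in minutes.
Write-Host "== Site links and replication interval =="
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize

# 2. Is the cloud site actually in sync? For every DC in the cloud site, list
#    its inbound replication partners per partition and flag any partner whose
#    last attempt failed or that has a run of consecutive failures.
Write-Host "== Inbound replication status for DCs in site '$CloudSiteName' =="
Get-ADDomainController -Filter * |
    Where-Object { $_.Site -eq $CloudSiteName } |
    ForEach-Object {
        $dc = $_
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
            ForEach-Object {
                [pscustomobject]@{
                    Server              = $dc.HostName
                    Partner             = $_.Partner          # DN of the partner's NTDS Settings object
                    Partition           = $_.Partition
                    LastSuccess         = $_.LastReplicationSuccess
                    LastResult          = $_.LastReplicationResult   # 0 means the last attempt succeeded
                    ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                    Healthy             = ($_.LastReplicationResult -eq 0 -and
                                           $_.ConsecutiveReplicationFailures -eq 0)
                }
            }
    } |
    Format-Table -AutoSize

# 3. Who can add, modify or delete objects under the server OU? Read the OU's
#    DACL and keep only Allow entries that grant create/delete/write-class
#    rights, excluding the principals you expect to hold them. Anything left
#    over is a delegation you should be able to explain.
Write-Host "== Non-default identities with create/delete/write rights on $ServerOU =="
$interestingRights = 'CreateChild', 'DeleteChild', 'DeleteTree', 'WriteProperty',
                     'WriteDacl', 'WriteOwner', 'GenericWrite', 'GenericAll'
$expectedPrincipals = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                      '*\Domain Admins', '*\Enterprise Admins'

(Get-Acl -Path "AD:\$ServerOU").Access |
    Where-Object {
        $entry    = $_
        $rights   = $entry.ActiveDirectoryRights.ToString()
        $identity = $entry.IdentityReference.Value
        $hasRight = ($interestingRights | Where-Object { $rights -match $_ }).Count -gt 0
        $expected = ($expectedPrincipals | Where-Object { $identity -like $_ }).Count -gt 0
        $entry.AccessControlType -eq 'Allow' -and $hasRight -and -not $expected
    } |
    Select-Object @{ n = 'Identity'; e = { $_.IdentityReference } },
                  ActiveDirectoryRights, InheritanceType, IsInherited |
    Sort-Object Identity |
    Format-Table -AutoSize
```

Run it from a management host in either site with an account that can read the configuration partition; it changes nothing. A partner row with `Healthy` set to `False` means the VPN or firewall path between the sites deserves a look before you trust the cloud DCs for logon, and every identity in the third table is a delegation decision someone should be able to justify in writing.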