If you deploy Active Roles in an AWS or Azure virtual environment via its marketplace image, One Identity recommends using the following virtual environments to host your Active Roles installation.
TIP: Before choosing the Azure virtual machine (VM) or Amazon Elastic Compute Cloud (EC2) instance to use, see the following resources:
NOTE: One Identity offers limited support for the virtual environments recommended in this section, as the actual performance on the listed environments (and the optimal environment to choose) might depend on the number of dynamic groups, Managed Units (MU), policies, scripts, workflows and other resources managed in your organization.
One Identity reserves the right to withhold support until you adapt your virtual environment for optimal performance to manage your resources with Active Roles.
Recommended AWS EC2 instance types
The Active Roles marketplace image was tested to work with the following Amazon Elastic Compute Cloud (EC2) instances:
-
m5a.2xlarge: 8 vCPU, 32 GB RAM, up to 10 Gbps network bandwidth, up to 2880 Mbps EBS bandwidth.
-
m5a.xlarge: 4 vCPU, 16 GB RAM, up to 10 Gbps network bandwidth, up to 2880 Mbps EBS bandwidth.
-
m5.2xlarge: 8 vCPU, 32 GB RAM, up to 10 Gbps network bandwidth, up to 4750 Mbps EBS bandwidth.
-
m5.xlarge: 4 vCPU, 16 GB RAM, up to 10 Gbps network bandwidth, up to 4750 Mbps EBS bandwidth.
-
m4.2xlarge: 8 vCPU, 32 GB RAM, EBS-only storage, high network performance.
-
m4.xlarge: 4 vCPU, 16 GB RAM, EBS-only storage, high network performance.
-
m3.2xlarge (previous generation): 2 vCPU, 30 GB RAM, non-EBS optimized SSD, high network performance.
-
m3.xlarge (previous generation): 4 vCPU, 15 GB RAM, non-EBS optimized SSD, high network performance.
Recommended Azure VMs
One Identity recommends using the following Azure VMs with the Active Roles marketplace image:
-
Standard D8s v3: 8 vCPU, 32 or 64 GB RAM, 12800 max IOPS, 64 GiB local storage.
-
Standard D4s v3: 4 vCPU, 16 GB RAM, 6400 max IOPS, 32 GiB local storage.
-
Standard D3 v2: 4 vCPU, 14 GB RAM, 0 max IOPS, 200 GiB local storage.
-
Standard DS3 v2: 4 vCPU, 14 GB RAM, 12800 max IOPS, 28 GiB local storage.
-
Standard D2 v4: 2 vCPU, 8 GB RAM, 3200 max IOPS, 16 GiB local storage.
-
Standard D2s v3: 2 vCPU, 16 GB RAM, 3200 max IOPS, 16 GiB local storage.
-
Standard D2 v2: 2 vCPU, 7 GB RAM, 0 max IOPS, 100 GiB local storage.
Active Roles supports the following virtual environment types:
NOTE: One Identity provides no support or assistance in the configuration of these environments, or troubleshooting connectivity and performance issues related to the Azure and AWS services.
In a hybrid on-premises setup, some Active Roles components are deployed in the cloud while others in your on-premises environment.
NOTE: Consider the following if you plan to deploy Active Roles and its resources in a hybrid on-premises environment:
-
Active Roles supports hybrid on-premises environments using the Azure or AWS cloud platforms.
-
For optimal performance, One Identity recommends hosting Active Roles and the SQL Server containing the Active Roles databases in the same region.
One Identity recommends configuring a site-to-site VPN connection between your cloud environment (Azure or AWS) and your on-premises environment. This connection will be used to connect your on-premises network to your cloud virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. The connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
Prerequisites
Before you start configuring the site-to-site VPN connection between your on-premises and cloud environments (Azure or AWS), make sure that the following conditions are met:
-
Your organization has a compatible VPN device that you can configure.
-
The VPN device has an externally-facing public IPv4 address.
-
You are familiar with the IP address ranges located in the on-premises network configuration.
-
All cloud (Azure or AWS) resources are located in the same region or location.
To configure a site-to-site VPN between Azure and your on-premises environment
-
In the Azure portal, create a new resource group in your desired region. For more information, see Create resource groups in the Microsoft Azure documentation.
-
Create a virtual network with required address space. For more information, see Quickstart: Use the Azure portal to create a virtual network in the Microsoft Azure documentation.
-
Create a gateway subnet in virtual network you configured. For more information, see Create a gateway subnet in the Microsoft Azure documentation.
-
Specify a public IP address.
-
Create the VPN gateway using the public IP address you specified. For more information, see Create a VPN gateway in the Microsoft Azure documentation.
-
Create the local network gateway using the public IP address of the on-premises gateway and the address space of the on-premises network. For more information, see Local network gateway configuration in the Microsoft Azure documentation.
-
Configure your VPN device.
-
Create the VPN connection in the local network gateway configured earlier.
-
Make sure that the shared key provided in the Connection settings of Azure matches with that of the on-premises environment.
-
In Azure, check that the Azure Connection and Connection Status fields are updated and the status appears as Connected.
-
After the site-to-site VPN connection has been set, configure Active Roles with the on-premises domain controller (DC).
For more information about configuring site-to-site VPN connections with Azure, see Tutorial: Create a site-to-site VPN connection in the Azure portal in the Microsoft Azure documentation.
To configure a site-to-site VPN between AWS and your on-premises environment
-
Create a customer gateway using the public IP address of your on-premises network. For more information, see Your customer gateway device in the AWS Site-to-Site VPN User Guide.
-
Create a virtual private gateway, and attach it to your VPC. For more information, see Creating a virtual private gateway in the AWS Direct Connect User Guide.
-
In the route table, select Route Propagation. For more information, see Configure route tables in the Amazon Virtual Private Cloud User Guide.
-
Update your security groups. For more information, see Work with security groups in the Amazon Virtual Private Cloud User Guide.
-
Create a site-to-site VPN connection between the customer gateway and the virtual private gateway configured earlier. For more information, see the AWS Site-to-Site VPN User Guide.
-
Once the configuration is ready, to save it in TXT format with the network details, click Download Configuration, then set the following options:
-
Configure your on-premises gateway and/or VPN device.
-
In the AWS Console, check that the Tunnel status of the site-to-site VPN connection appears as UP.
-
After the site-to-site VPN connection has been set, configure Active Roles with the on-premises domain controller (DC).
For more information about configuring site-to-site VPN connections with AWS, see Getting started with AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.
To deploy Active Roles in the AWS or Azure cloud with a marketplace image, you must:
-
Open all required communication ports. For more information, see Opening communication ports for the Active Roles virtual machine.
-
Create the Active Roles virtual machine (VM) and deploy Active Roles on it with its marketplace image. For more information, see Configuring the Azure or AWS virtual machine.
Prerequisites
Before you begin, make sure that the following prerequisites are met:
-
Configure the domain controller (DC) before deploying the Active Roles VM in the cloud.
-
Configure the SQL Server that will host the Active Roles databases before deploying the Active Roles VM in the cloud.
NOTE: When configuring your SQL Server, make sure that the Active Roles Administration Service has the necessary access permissions.
-
Make sure that the DC and your SQL Server are accessible from the Active Roles VM.
-
If you use a hybrid on-premises environment type, add a DC to your environment and connect Active Roles to it. Also, make sure that your network is configured so that both the DC and your SQL Server are accessible to the Active Roles VM.
-
If you use a hybrid on-premises environment type, make sure that your network is configured so that both the DC and your SQL Server are accessible to the Active Roles VM.