I’m working with a great company named Opsgility to produce some training around using SQL Server and Azure Database. Some of the demos I’ve been producing are around using hybrid scenarios without Active Directory and/or a VPN connection to Azure. Some people may unfortunately encounter these scenrios and have to use them. I’m sorry!
I know this is a SQL Server focused blog and most of my readers aren’t AD or networking experts (heaven knows, I’m not). But let me state this—if you are building a hybrid environment follow the following two steps:
GET A $%^&ing VPN CONFIGURED BETWEEN YOUR ON-PREM SITE AND AZURE
This will make everything way easier—no firewalls (Except for the pesky windows one) to worry about, no opening SQL Server to the public internet, or any of that nonsense. You’ll be able to ping and connect to your servers just like they are in your data center. It costs $30/month roughly to have a network gateway, and my rate is way higher than that, and it took me most of the day to get log shipping working in this scenario yesterday.
USE ACTIVE DIRECTORY AND HAVE A SECOND DC IN AZURE
Not having AD makes everything really painful. In order to make log shipping work, I had to set both of my SQL Service accounts to the same user id and password—I don’t think that configuration is inherently insecure, but it just feels dirty. It also makes mirroring setup a lot more painful than it needs to be. If you are using Availability Groups of course, you’ll have AD, as it’s requirement of clustering, but some of these other scenarios (replication, log shipping, mirroring) don’t require it. Set it up anyway.
When you have AD and a VPN Azure feels like an extension of your data center. When you don’t have these things, everything feels like a painful kludge. Don’t build a Rube Goldberg machine.