ArcGIS Enterprise Active Directory Federated Services to Azure

GIS412 · ‎03-22-2024

Hello. I come to you great people with a question(s) about migrating from AD FS to Azure. This is not my area of expertise and I'll do my best to try and explain our current setup.

We are currently on ArcGIS Enterprise 11.2, this is running on a single server.

We also have an ArcGIS Online portal.

We have 2 hosting servers that house our published layers (both running web adapter and enterprise 11.2).

We have 2 databases that house our gis data. These are on 2 different servers. (Not quite sure if we want to migrate these to Azure).

I also found out that Azure allows:

For AD groups to be migrated to Azure

AD groups permissions can be migrated to Azure.

What are some architecture setup(s) can you recommend based on my needs?

Thanks in Advance!

TimoT · ‎03-24-2024

This area is not my strong suit either, but the following Esri document has architectural diagrams that can give you ideas and a good starting point:

Highly available ArcGIS Enterprise deployment scenarios—Portal for ArcGIS | Documentation for ArcGIS...

It's targeted at high-availability deployment scenarios, but can still be used to look at non-HA deployment scenarios.

GIS412 · ‎03-25-2024

Thank you!

HenryLindemann · ‎03-24-2024

Hi @GIS412,
If you have domain integration, you will not be able to use this in Azure unless if you spin up an AD server in a VM, what I would recommend is that you use SAML for your authentication, here is a link for that, Tutorial: Microsoft Entra SSO integration with ArcGIS Enterprise - Microsoft Entra ID | Microsoft Le...

Then you mentioned that you will perhaps keep your databases on premise, this has a few pros and cons,

The Latency between Azure and on prem can be quite hi so you will have performance knock on any referenced services that you have in ArcGIS Enterprise.
If you do move your databases to Azure then you have the same problem in reverse because your ArcGIS Desktop users will direct connect to your databases and the latency will be hi a database connection can have up to 200 request per action.
The Recommended approach is to have everything in Azure and for your ArcGIS for Desktop users you will need to spin up a VDI in azure it is an Azure Virtual Desktop, it can be costly if not planned correctly, because it is a pooled service. But the benefit of this approach is that everything is close together so your latency will be low so your performance will be good.

Depending on what you can afford it is usually a good approach to apply something called workload separation, this is where you deploy a server for each workload this will give your servers breathing room because congestion on ArcGIS Server will not impact portal for ArcGIS.

Web Layer

Webserver

ArcGIS Webadaptor

portal For ArcGIS

Applications Layer

ArcGIS Server

Database Layer

ArcGIS Datastore

SQL Servers

I would also suggest that you have a proper plan in place for backups azure only provides hardware redundancy so if you application fails you would need application-level backups like webgisdr for ArcGIS Enterprise or vm snapshots.

Hope it helps.
regards

Henry

GIS412 · ‎03-25-2024

Thank you! This is very helpful.

For our enterprise portal, we currently use SAML for logins and we also have arcgis login enabled (for users outside our org that need read only access).

Our ArcGIS Online does not use SAML and the users create their own passwords.

AD FS groups and permissions can be migrated to Entra ID as well?