At TechEd North America 2013, we announced that we had begun testing and validation of a new configuration for a database availability group (DAG) that would enable automatic site resilience when two datacenters were used in concert with a witness server that was deployed in a Windows Azure IaaS environment.
During the validation phase of our testing, it became clear that the Windows Azure infrastructure did not support the necessary underlying network components to allow us to configure a supported solution. As a result, we are not yet able to support the use of Azure for a DAG’s witness server.
The goal was to derive a supported configuration for Azure subscribers that already had at least two datacenters of their own. Two of the on-premises datacenters would house the Exchange DAG members, and the witness server would be deployed as an Azure file server VM, which would be located in a third datacenter (the Azure cloud).
In order to configure a DAG and its witness across three datacenters, you must meet the following requirements:
Unfortunately, Azure does not provide the necessary infrastructure to provide us with a third location with the appropriate network connectivity.
Today, Azure provides support for two types of networks:
To have a server deployed in Azure act as a witness server for the DAG, you would require two site-to-site VPN connections (one connecting each Exchange datacenter to the Azure infrastructure). This is not possible today, as Azure supports only a single site-to-site VPN connection per Azure network. Without a second site-to-site VPN connection for the other datacenter, only one datacenter can have persistent network connectivity with the Azure servers.
A point-to-site VPN cannot be used in the second datacenter for a variety of reasons:
The placement of a DAG’s witness server will depend on your business requirements and the options available to your organization. Exchange 2013 includes support for new DAG configuration options that are not recommended or not possible in previous versions of Exchange. These options include using a third location, such as a third datacenter or a branch office.
The following table lists general witness server placement recommendations for different deployment scenarios.
When a DAG has been deployed across two datacenters, a new configuration option in Exchange 2013 is to use a third location for hosting the witness server. If your organization has a third location with a network infrastructure that is isolated from network failures that affect the two datacenters in which your DAG is deployed, then you can deploy the DAG’s witness server in that third location, thereby configuring your DAG with the ability automatically failover databases to the other datacenter in response to a datacenter-level failure event.
For more information on the witness server and witness server placement, see Managing Database Availability Groups.
Unfortunately, without the required networking infrastructure in the Azure service, a DAG cannot be deployed on-premises using a witness server in the Azure cloud. The Exchange Product Group has made a formal feature request from the Azure team for multiple site-to-site VPN support. If that feature is introduced by the Azure team, then testing and validation of the Azure witness will reconvene with the hope of producing a supportable solution. In the meantime, Azure is not supported for use as a DAG witness.