It is always good practice to test the desired implementation and see for yourself the effort involved, whether it works in your environment, and how it all comes together. https://docs.microsoft.com/en-us/office365/enterprise/federated-identity-for-your-office-365-dev-test-environment has the steps to create the required test environment, along with the configuration for the participating servers and the O365 portal settings. Once testing completes successfully, deployment options can be considered based on how the O365 services are used. In organizations that rely heavily on productivity and communication applications, high availability for the authentication path is a given. https://docs.microsoft.com/en-us/office365/enterprise/deploy-high-availability-federated-authentication-for-office-365-in-azure has the steps to deploy highly available federated authentication for Office 365 in Azure.
The deployment places the virtual machines in a single cross-premises Azure virtual network (VNet), so highly available cross-premises and VNet-to-VNet connectivity must also be established. One might expect a single VPN gateway to provide that on its own, but note the following: “Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections. The switch over will cause a brief interruption” (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable).
For dual redundancy, that is, active-active VPN gateways on both the Azure and the on-premises side, you create and set up the Azure VPN gateway in an active-active configuration, and create (at least) two local network gateways and two connections for your (at least) two on-premises VPN devices. The result is full mesh connectivity of (at least) four IPsec tunnels between your Azure virtual network and your on-premises network, so the loss of any single gateway instance or on-premises VPN device leaves the remaining tunnels up. The same active-active configuration can also be applied to Azure VNet-to-VNet connections by creating active-active VPN gateways for both virtual networks and connecting them together to form the same full mesh of (at least) four tunnels between the two VNets.
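As an added worked example (not from the post, and not Drootoo's own code), here is the Azure PowerShell sequence for the dual-redundancy topology just described: one active-active gateway, two local network gateways and two connections, followed by a check that the gateway really reports active-active. The resource names, region, address prefix, the two on-premises VPN IPs and the Key Vault secret are assumed placeholders.

```powershell
# Added example (not from the post or Drootoo): Azure PowerShell (Az module)
# sketch of the dual-redundancy topology described above, using cmdlets from
# the referenced vpn-gateway-highlyavailable doc. Names, prefixes, region and
# the on-premises IPs are assumed placeholders; the PSK is read from a vault.
$rg  = 'rg-o365-fed'           # assumed resource group
$loc = 'eastus'                # assumed region
$vnetName = 'vnet-adfs'        # assumed VNet that already has a GatewaySubnet
$onPremPrefix = '10.1.0.0/16'  # assumed on-premises address space
$onPremVpnIps = @('203.0.113.10', '203.0.113.11')  # assumed public IPs of the two on-prem VPN devices
$psk = Get-AzKeyVaultSecret -VaultName 'kv-net' -Name 'vpn-psk' -AsPlainText  # assumed vault/secret

# An active-active gateway needs two public IPs and two IP configurations.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = 1..2 | ForEach-Object {
  $pip = New-AzPublicIpAddress -Name "pip-vpngw-$_" -ResourceGroupName $rg -Location $loc `
           -AllocationMethod Static -Sku Standard
  New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf$_" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
}
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-aa' -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased `
        -GatewaySku VpnGw1 -EnableActiveActiveFeature

# Pin a strong IKEv2/IPsec policy rather than accepting whatever gets negotiated.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
            -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
            -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# One local network gateway and one connection per on-premises VPN device;
# against the active-active gateway this gives the full mesh of four tunnels.
$i = 0
foreach ($devIp in $onPremVpnIps) {
  $i++
  $lng = New-AzLocalNetworkGateway -Name "lng-onprem-$i" -ResourceGroupName $rg -Location $loc `
           -GatewayIpAddress $devIp -AddressPrefix $onPremPrefix
  New-AzVirtualNetworkGatewayConnection -Name "cn-onprem-$i" -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $policy | Out-Null
}

# Check: the gateway must report ActiveActive, and each connection should show
# Connected once the on-premises devices are configured with the same policy and PSK.
function Test-FederationVpn {
  $g = Get-AzVirtualNetworkGateway -Name 'vpngw-aa' -ResourceGroupName $rg
  if (-not $g.ActiveActive) { Write-Warning 'Gateway is not active-active; only one instance with failover.' }
  Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
}
Test-FederationVpn
```

The on-premises devices must be configured with matching address spaces, the same PSK and the same IPsec policy before the connections move from Unknown or NotConnected to Connected.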
How Drootoo makes this a snap
In Drootoo core services, Provision Cloud Resources is a single, simplified section from which the cloud resources needed on Azure for integrating on-premises identity with O365 user authentication can be created. Compute options create the desired VM instances in any of the regions exposed by the cloud provider. Our Network options create the virtual network, gateway and VPN connections required to complete the task.
One might also ask whether this collection of configured options can be captured in a cloud resource template, much like an AWS CloudFormation template. Our new innovation, Drootoo Blueprint, is a provider-agnostic way to provision a collection of resources on the cloud. In this case, a single Drootoo Blueprint can be created with the required resources by the Active Directory and network experts in an organization, and reviewed by the technology management chain of command. Once the desired configuration is approved, the Drootoo Blueprint can be launched to provision the collection of resources on a single cloud service provider, on several providers, or on a mix of them. The Drootoo Blueprint remains available for reuse, with options for version control.
Our future vision is to enable solution providers, system integrators and other organizations to create, share and reuse Drootoo Blueprints, thereby enabling organizations with limited technical resources to simply select and deploy the required cloud resource solutions for their businesses.