Commit 241c6f6

Merge pull request #211967 from mikhailalmeida/mikhail-doc-updates
Secondary Endpoint Doc Update
2 parents 703aafe + 536bc00 commit 241c6f6

2 files changed

+78
-41
lines changed

articles/azure-arc/data/deploy-active-directory-sql-managed-instance-cli.md

Lines changed: 25 additions & 13 deletions
@@ -54,8 +54,10 @@ az sql mi-arc create
5454
--ad-connector-name < your AD connector name >
5555
--keytab-secret < SQL MI keytab secret name >
5656
--ad-account-name < SQL MI AD user account >
57-
--primary-dns-name < SQL MI DNS endpoint >
58-
--primary-port-number < SQL MI port number >
57+
--primary-dns-name < SQL MI primary endpoint DNS name >
58+
--primary-port-number < SQL MI primary endpoint port number >
59+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
60+
--secondary-port-number < SQL MI secondary endpoint port number >
5961
--use-k8s
6062
```
6163

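Review bot: the new `--secondary-dns-name` / `--secondary-port-number` lines appear in this template exactly like the required flags, with nothing marking them optional, although the companion page in this same PR describes the secondary endpoint as optional. Suggest either a sentence under the block ("omit the two `--secondary-*` flags if you do not expose a readable secondary") or placeholder text such as `< optional: SQL MI secondary endpoint DNS name >`, so readers do not conclude that a second externally reachable listener is mandatory.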
@@ -70,6 +72,8 @@ az sql mi-arc create
7072
--ad-account-name arcuser
7173
--primary-dns-name arcsqlmi.contoso.local
7274
--primary-port-number 31433
75+
--secondary-dns-name arcsqlmi-2.contoso.local
76+
--secondary-port-number 31434
7377
--use-k8s
7478
```
7579

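Review bot: the example names here (`arcsqlmi.contoso.local` / `arcsqlmi-2.contoso.local`) differ from the ones introduced in the companion page of this PR (`sqlmi-primary.contoso.local` / `sqlmi-secondary.contoso.local`), whose `setspn` examples readers are expected to mirror exactly; one naming scheme across both pages would let the SPN values and the `--primary-dns-name` / `--secondary-dns-name` values line up when the two pages are followed together.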
@@ -80,10 +84,11 @@ az sql mi-arc create
8084
--name < SQL MI name >
8185
--ad-connector-name < your AD connector name >
8286
--keytab-secret < SQL MI keytab secret name >
83-
--ad-account-name < SQL MI AD user account >
84-
--primary-dns-name < SQL MI DNS endpoint >
85-
--primary-port-number < SQL MI port number >
86-
--location < your cloud region >
87+
--ad-account-name < SQL MI AD user account >
88+
--primary-dns-name < SQL MI primary endpoint DNS name >
89+
--primary-port-number < SQL MI primary endpoint port number >
90+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
91+
--secondary-port-number < SQL MI secondary endpoint port number >
8792
--custom-location < your custom location >
8893
--resource-group < resource-group >
8994
```
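Review bot: `--location < your cloud region >` is deleted from this directly connected template (and `--location westeurope` from the example in the next hunk) even though the PR title only mentions the secondary endpoint; if the flag is no longer accepted by `az sql mi-arc create` in this mode, the removal should be called out in the PR description, and if it is still required the line should be restored. As in the first hunk, the two `--secondary-*` placeholders also read as required rather than optional.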
@@ -98,7 +103,8 @@ az sql mi-arc create
98103
--ad-account-name arcuser
99104
--primary-dns-name arcsqlmi.contoso.local
100105
--primary-port-number 31433
101-
--location westeurope
106+
--secondary-dns-name arcsqlmi-2.contoso.local
107+
--secondary-port-number 31434
102108
--custom-location private-location
103109
--resource-group arc-rg
104110
```
@@ -170,8 +176,10 @@ az sql mi-arc create
170176
--k8s-namespace < namespace >
171177
--ad-connector-name < your AD connector name >
172178
--ad-account-name < SQL MI AD user account >
173-
--primary-dns-name < SQL MI DNS endpoint >
174-
--primary-port-number < SQL MI port number >
179+
--primary-dns-name < SQL MI primary endpoint DNS name >
180+
--primary-port-number < SQL MI primary endpoint port number >
181+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
182+
--secondary-port-number < SQL MI secondary endpoint port number >
175183
--use-k8s
176184
```
177185

@@ -185,6 +193,8 @@ az sql mi-arc create
185193
--ad-account-name arcuser
186194
--primary-dns-name arcsqlmi.contoso.local
187195
--primary-port-number 31433
196+
--secondary-dns-name arcsqlmi-2.contoso.local
197+
--secondary-port-number 31434
188198
--use-k8s
189199
```
190200

@@ -195,9 +205,10 @@ az sql mi-arc create
195205
--name < SQL MI name >
196206
--ad-connector-name < your AD connector name >
197207
--ad-account-name < SQL MI AD user account >
198-
--primary-dns-name < SQL MI DNS endpoint >
199-
--primary-port-number < SQL MI port number >
200-
--location < your cloud region >
208+
--primary-dns-name < SQL MI primary endpoint DNS name >
209+
--primary-port-number < SQL MI primary endpoint port number >
210+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
211+
--secondary-port-number < SQL MI secondary endpoint port number >
201212
--custom-location < your custom location >
202213
--resource-group <resource-group>
203214
```
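Review bot: the same unexplained `--location` deletion as in the customer-managed template above appears here and in the example hunk that follows; whichever decision is taken there (document the removal or restore the flag) should be applied consistently to this system-managed section.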
@@ -211,7 +222,8 @@ az sql mi-arc create
211222
--ad-account-name arcuser
212223
--primary-dns-name arcsqlmi.contoso.local
213224
--primary-port-number 31433
214-
--location westeurope
225+
--secondary-dns-name arcsqlmi-2.contoso.local
226+
--secondary-port-number 31434
215227
--custom-location private-location
216228
--resource-group arc-rg
217229
```

articles/azure-arc/data/deploy-active-directory-sql-managed-instance.md

Lines changed: 53 additions & 28 deletions
@@ -33,34 +33,34 @@ The following instructions expect that the users can bring in the Active Directo
3333

3434
* An Active Directory user account for SQL
3535
* Service Principal Names (SPNs) under the user account
36-
* DNS record for the endpoint DNS name for SQL
36+
* DNS A (forward) record for the primary (and optionally, secondary) endpoint of SQL
3737

3838
#### [System-managed keytab mode](#tab/system-managed-keytab-mode)
3939

4040
The following instructions expect that the users can bring in the Active Directory domain and provide to the AD system-managed keytab deployment.
4141

4242
* A unique name of an Active Directory user account for SQL
43-
* DNS record for the endpoint DNS name for SQL
43+
* DNS A (forward) record for the primary (and optionally, secondary) endpoint of SQL
4444

4545
---
4646

4747
## Before you deploy SQL Managed Instance
4848

49-
1. Identify a DNS name for the SQL endpoint.
49+
1. Identify a DNS name for the SQL endpoints.
5050

51-
Choose a unique DNS name for the SQL endpoint that clients will connect to from outside the Kubernetes cluster.
51+
Choose unique DNS names for the SQL endpoints that clients will connect to from outside the Kubernetes cluster.
5252

53-
This DNS name should be in the Active Directory domain or its descendant domains.
53+
These DNS names should be in the Active Directory domain or its descendant domains.
5454

55-
The examples in these instructions use `sqlmi.contoso.local` for the DNS name.
55+
The examples in these instructions use `sqlmi-primary.contoso.local` for the primary DNS name and `sqlmi-secondary.contoso.local` for the secondary DNS name.
5656

57-
2. Identify the port number for the SQL endpoint.
57+
2. Identify the port numbers for the SQL endpoints.
5858

59-
You provide a port number for the SQL endpoint.
59+
You provide a port number for each of the SQL endpoints.
6060

61-
This port number must be in the acceptable range of port numbers for Kubernetes cluster.
61+
These port numbers must be in the acceptable range of port numbers for Kubernetes cluster.
6262

63-
The examples in these instructions use `31433` for the port number.
63+
The examples in these instructions use `31433` for the primary port number and `31434` for the secondary port number.
6464

6565
### [Customer-managed keytab mode](#tab/customer-managed-keytab-mode)
6666

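Review bot: step 1's heading now reads "Identify a DNS name for the SQL endpoints", a singular name for plural endpoints, while its body says "Choose unique DNS names"; make it "Identify DNS names for the SQL endpoints". The prerequisite bullet correctly says "primary (and optionally, secondary) endpoint", but steps 1 and 2 drop the "optionally" and present the secondary name and port as if always required; carrying the optional wording into the steps keeps prerequisites and procedure consistent.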
@@ -86,17 +86,17 @@ The following instructions expect that the users can bring in the Active Directo
8686

8787
---
8888

89-
4. Create a DNS record for the SQL endpoint in the Active Directory DNS servers.
89+
4. Create DNS records for the SQL endpoints in the Active Directory DNS servers.
9090

91-
In one of the Active Directory DNS servers, create an A record (forward lookup record) for the DNS name chosen in step 1. This DNS record should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
91+
In one of the Active Directory DNS servers, create A records (forward lookup records) for the DNS names chosen in step 1. These DNS records should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
9292

93-
You do not need to create a PTR record (reverse lookup record) in association with the A record.
93+
You do not need to create PTR records (reverse lookup records) in association with the A records.
9494

9595
### [Customer-managed keytab mode](#tab/customer-managed-keytab-mode)
9696

9797
5. Create Service Principal Names (SPNs)
9898

99-
In order for SQL to be able to accept AD authentication against the SQL endpoint DNS name, we need to register two SPNs under the account generated in the previous step. These two SPNs should be of the following format:
99+
In order for SQL to be able to accept AD authentication against the SQL endpoints, we need to register two SPNs under the account generated in the previous step. SPNs must be registered for the primary endpoint and optionally for the secondary endpoint if AD authentication is desired on the secondary endpoint. The SPNs should be of the following format:
100100

101101
```output
102102
MSSQLSvc/<DNS name>
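Review bot: "These DNS records should point to the IP address that the SQL endpoint will listen on" still describes a single IP for what are now two records; since `spec.services.primary` and `spec.services.readableSecondaries` are separate `LoadBalancer` services in the spec later in this file, each A record should point to the address of its own service. Suggest: "Each DNS record should point to the IP address that the corresponding SQL endpoint (primary or secondary) will listen on". In step 5, "we need to register two SPNs" is now ambiguous because the next sentence allows two more for the secondary; "two SPNs per endpoint" would be clearer.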
@@ -110,11 +110,18 @@ The following instructions expect that the users can bring in the Active Directo
110110
setspn -S MSSQLSvc/<DNS name>:<port> <account>
111111
```
112112

113-
With the chosen example DNS name, port number and the account name in this document, the commands should look like the following:
113+
With the chosen example primary endpoint DNS name, port number and the account name in this document, the commands should look like the following:
114114

115115
```console
116-
setspn -S MSSQLSvc/sqlmi.contoso.local sqlmi-account
117-
setspn -S MSSQLSvc/sqlmi.contoso.local:31433 sqlmi-account
116+
setspn -S MSSQLSvc/sqlmi-primary.contoso.local sqlmi-account
117+
setspn -S MSSQLSvc/sqlmi-primary.contoso.local:31433 sqlmi-account
118+
```
119+
120+
Additionally, if AD authentication is needed on the secondary endpoint, the following commands will add SPNs for the secondary endpoint using the chosen example DNS name and port number:
121+
122+
```console
123+
setspn -S MSSQLSvc/sqlmi-secondary.contoso.local sqlmi-account
124+
setspn -S MSSQLSvc/sqlmi-secondary.contoso.local:31434 sqlmi-account
118125
```
119126

120127
6. Generate a keytab file containing entries for the account and SPNs
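Review bot: the new paragraph for the secondary SPNs should point out that the keytab built in step 6 must also contain entries for these secondary SPNs (the `--secondary-dns-name` / `--secondary-port` options added to the script later in this PR); registering the SPNs alone gives the secondary endpoint no key to decrypt Kerberos tickets, and a one-line pointer here saves readers a failed-authentication round trip.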
@@ -146,12 +153,14 @@ The following instructions expect that the users can bring in the Active Directo
146153

147154
The input parameters are expecting the following values:
148155
* `--realm` expects the uppercase of the AD domain, such as CONTOSO.LOCAL
149-
* `--account` expects the AD account under where the SPNs are registered, such sqlmi-account
150-
* `--port` expects the SQL endpoint port number 31433
151-
* `--dns-name` expects the DNS name for the SQL endpoint
156+
* `--account` expects the AD account under where the SPNs are registered, such as sqlmi-account
157+
* `--port` expects the primary SQL endpoint port number, such as 31433
158+
* `--dns-name` expects the DNS name for the primary SQL endpoint
152159
* `--keytab-file` expects the path to the keytab file
153160
* `--secret-name` expects the name of the keytab secret to generate a specification for
154161
* `--secret-namespace` expects the Kubernetes namespace containing the keytab secret
162+
* `--secondary-port` expects the secondary SQL endpoint port number, such as 31434 (optional)
163+
* `--secondary-dns-name` expects the DNS name for the secondary SQL endpoint (optional)
155164

156165
Choose a name for the Kubernetes secret hosting the keytab. The namespace should be the same as what SQL will be deployed in.
157166

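Review bot: the two new `--secondary-port` / `--secondary-dns-name` bullets are appended after the secret parameters instead of next to the `--port` and `--dns-name` bullets they mirror; move them up so the primary/secondary pairs sit together. Also, the context line "expects the AD account under where the SPNs are registered" should read "under which the SPNs are registered".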
@@ -209,14 +218,18 @@ To support Active Directory authentication on SQL, the deployment specification
209218
Name of the Active Directory account for this managed instance.
210219
- `spec.security.activeDirectory.keytabSecret`
211220
Name of the Kubernetes secret hosting the pre-created keytab file by users. This secret must be in the same namespace as the managed instance. This parameter is only required for the AD deployment in customer-managed keytab mode.
212-
- `spec.services.primary.dnsName`
221+
- `spec.services.primary.dnsName`
213222
You provide a DNS name for the primary SQL endpoint.
214-
- `spec.services.primary.port`
223+
- `spec.services.primary.port`
215224
You provide a port number for the primary SQL endpoint.
216225

217226
- **Optional**
218227
- `spec.security.activeDirectory.connector.namespace`
219228
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
229+
- `spec.services.readableSecondaries.dnsName`
230+
You provide a DNS name for the secondary SQL endpoint.
231+
- `spec.services.readableSecondaries.port`
232+
You provide a port number for the secondary SQL endpoint.
220233

221234
### [System-managed keytab mode](#tab/system-managed-keytab-mode)
222235

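Review bot: lines 212 and 214 are replaced by visually identical `- spec.services.primary.dnsName` / `- spec.services.primary.port` lines, so this is a whitespace-only change (most likely indentation) that the rendered view cannot confirm; please verify the nesting of these bullets in the list did not change. For the new `spec.services.readableSecondaries.*` entries, it would help to state that in customer-managed keytab mode the secondary DNS name needs the matching SPNs and keytab entries from steps 5 and 6, otherwise AD authentication on that endpoint fails.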
@@ -233,8 +246,12 @@ To support Active Directory authentication on SQL, the deployment specification
233246
- **Optional**
234247
- `spec.security.activeDirectory.connector.namespace`
235248
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
236-
- `spec.security.activeDirectory.encryptionTypes`
237-
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
249+
- `spec.security.activeDirectory.encryptionTypes`
250+
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
251+
- `spec.services.readableSecondaries.dnsName`
252+
You provide a DNS name for the secondary SQL endpoint.
253+
- `spec.services.readableSecondaries.port`
254+
You provide a port number for the secondary SQL endpoint.
238255

239256
---
240257

@@ -281,8 +298,12 @@ spec:
281298
services:
282299
primary:
283300
type: LoadBalancer
284-
dnsName: <Endpoint DNS name>
285-
port: <Endpoint port number>
301+
dnsName: <Primary Endpoint DNS name>
302+
port: <Primary Endpoint port number>
303+
readableSecondaries:
304+
type: LoadBalancer
305+
dnsName: <Secondary Endpoint DNS name>
306+
port: <Secondary Endpoint port number>
286307
storage:
287308
data:
288309
volumes:
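Review bot: the `readableSecondaries` block is added to the template unconditionally with `type: LoadBalancer`, so anyone copying the spec as-is provisions a second externally reachable service, while the field descriptions above list `spec.services.readableSecondaries.*` as optional. Suggest a YAML comment such as `# optional: remove this block if no readable secondary endpoint is exposed` on the `readableSecondaries:` line, and confirm that its indentation makes it a sibling of `primary:` under `services:`, which the rendered diff cannot show.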
@@ -331,8 +352,12 @@ spec:
331352
services:
332353
primary:
333354
type: LoadBalancer
334-
dnsName: <Endpoint DNS name>
335-
port: <Endpoint port number>
355+
dnsName: <Primary Endpoint DNS name>
356+
port: <Primary Endpoint port number>
357+
readableSecondaries:
358+
type: LoadBalancer
359+
dnsName: <Secondary Endpoint DNS name>
360+
port: <Secondary Endpoint port number>
336361
storage:
337362
data:
338363
volumes:
