Commit 3588858

Secondary endpoint
1 parent d621e85 commit 3588858

2 files changed

+78
-37
lines changed

articles/azure-arc/data/deploy-active-directory-sql-managed-instance-cli.md

Lines changed: 25 additions & 9 deletions
@@ -56,8 +56,10 @@ az sql mi-arc create
5656
--ad-connector-name < your AD connector name >
5757
--keytab-secret < SQL MI keytab secret name >
5858
--ad-account-name < SQL MI AD user account >
59-
--primary-dns-name < SQL MI DNS endpoint >
60-
--primary-port-number < SQL MI port number >
59+
--primary-dns-name < SQL MI primary endpoint DNS name >
60+
--primary-port-number < SQL MI primary endpoint port number >
61+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
62+
--secondary-port-number < SQL MI secondary endpoint port number >
6163
--use-k8s
6264
```
6365

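Review bot: the new `--secondary-dns-name` and `--secondary-port-number` lines in this template read as required, but the deployment page changed in the same commit calls the secondary endpoint optional ("and optionally, secondary"). Suggest marking the two placeholders as optional, e.g. `--secondary-dns-name < SQL MI secondary endpoint DNS name (optional) >`, or adding a sentence before the block saying to omit both parameters when no readable secondary endpoint is exposed.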
@@ -72,6 +74,8 @@ az sql mi-arc create
7274
--ad-account-name arcuser
7375
--primary-dns-name arcsqlmi.contoso.local
7476
--primary-port-number 31433
77+
--secondary-dns-name arcsqlmi-2.contoso.local
78+
--secondary-port-number 31434
7579
--use-k8s
7680
```
7781

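Review bot: the example secondary name `arcsqlmi-2.contoso.local` does not match the `sqlmi-secondary.contoso.local` used for the `setspn` and keytab examples in the deployment page changed in this same commit (the primary already differs too: `arcsqlmi.contoso.local` here vs `sqlmi-primary.contoso.local` there). A reader who registers SPNs from one page and runs this `az sql mi-arc create` command from the other ends up with SPNs for a name that is never deployed, and AD authentication on that endpoint cannot succeed. Suggest using one set of example values across both pages.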
@@ -82,9 +86,11 @@ az sql mi-arc create
8286
--name < SQL MI name >
8387
--ad-connector-name < your AD connector name >
8488
--keytab-secret < SQL MI keytab secret name >
85-
--ad-account-name < SQL MI AD user account >
86-
--primary-dns-name < SQL MI DNS endpoint >
87-
--primary-port-number < SQL MI port number >
89+
--ad-account-name < SQL MI AD user account >
90+
--primary-dns-name < SQL MI primary endpoint DNS name >
91+
--primary-port-number < SQL MI primary endpoint port number >
92+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
93+
--secondary-port-number < SQL MI secondary endpoint port number >
8894
--custom-location < your custom location >
8995
--resource-group < resource-group >
9096
```
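Review bot: the `--ad-account-name < SQL MI AD user account >` line is removed and re-added with no visible difference (85- / 89+), which points to a trailing-whitespace or line-ending edit; worth confirming it is intentional, since it adds noise to blame. The optional-parameter remark made on the first template applies to this one as well.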
@@ -99,6 +105,8 @@ az sql mi-arc create
99105
--ad-account-name arcuser
100106
--primary-dns-name arcsqlmi.contoso.local
101107
--primary-port-number 31433
108+
--secondary-dns-name arcsqlmi-2.contoso.local
109+
--secondary-port-number 31434
102110
--custom-location private-location
103111
--resource-group arc-rg
104112
```
@@ -170,8 +178,10 @@ az sql mi-arc create
170178
--k8s-namespace < namespace >
171179
--ad-connector-name < your AD connector name >
172180
--ad-account-name < SQL MI AD user account >
173-
--primary-dns-name < SQL MI DNS endpoint >
174-
--primary-port-number < SQL MI port number >
181+
--primary-dns-name < SQL MI primary endpoint DNS name >
182+
--primary-port-number < SQL MI primary endpoint port number >
183+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
184+
--secondary-port-number < SQL MI secondary endpoint port number >
175185
--use-k8s
176186
```
177187

@@ -185,6 +195,8 @@ az sql mi-arc create
185195
--ad-account-name arcuser
186196
--primary-dns-name arcsqlmi.contoso.local
187197
--primary-port-number 31433
198+
--secondary-dns-name arcsqlmi-2.contoso.local
199+
--secondary-port-number 31434
188200
--use-k8s
189201
```
190202

@@ -195,8 +207,10 @@ az sql mi-arc create
195207
--name < SQL MI name >
196208
--ad-connector-name < your AD connector name >
197209
--ad-account-name < SQL MI AD user account >
198-
--primary-dns-name < SQL MI DNS endpoint >
199-
--primary-port-number < SQL MI port number >
210+
--primary-dns-name < SQL MI primary endpoint DNS name >
211+
--primary-port-number < SQL MI primary endpoint port number >
212+
--secondary-dns-name < SQL MI secondary endpoint DNS name >
213+
--secondary-port-number < SQL MI secondary endpoint port number >
200214
--custom-location < your custom location >
201215
--resource-group <resource-group>
202216
```
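Review bot: `--resource-group <resource-group>` on the trailing context line has no spaces inside the angle brackets, while every other placeholder in this file (including `< resource-group >` in the customer-managed template above) is written `< ... >`; suggest aligning it while this block is being edited.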
@@ -210,6 +224,8 @@ az sql mi-arc create
210224
--ad-account-name arcuser
211225
--primary-dns-name arcsqlmi.contoso.local
212226
--primary-port-number 31433
227+
--secondary-dns-name arcsqlmi-2.contoso.local
228+
--secondary-port-number 31434
213229
--custom-location private-location
214230
--resource-group arc-rg
215231
```

articles/azure-arc/data/deploy-active-directory-sql-managed-instance.md

Lines changed: 53 additions & 28 deletions
@@ -35,34 +35,34 @@ The following instructions expect that the users can bring in the Active Directo
3535

3636
* An Active Directory user account for SQL
3737
* Service Principal Names (SPNs) under the user account
38-
* DNS record for the endpoint DNS name for SQL
38+
* DNS A (forward) record for the primary (and optionally, secondary) endpoint of SQL
3939

4040
#### [System-managed keytab mode](#tab/system-managed-keytab-mode)
4141

4242
The following instructions expect that the users can bring in the Active Directory domain and provide to the AD system-managed keytab deployment.
4343

4444
* A unique name of an Active Directory user account for SQL
45-
* DNS record for the endpoint DNS name for SQL
45+
* DNS A (forward) record for the primary (and optionally, secondary) endpoint of SQL
4646

4747
---
4848

4949
## Before you deploy SQL Managed Instance
5050

51-
1. Identify a DNS name for the SQL endpoint.
51+
1. Identify a DNS name for the SQL endpoints.
5252

53-
Choose a unique DNS name for the SQL endpoint that clients will connect to from outside the Kubernetes cluster.
53+
Choose unique DNS names for the SQL endpoints that clients will connect to from outside the Kubernetes cluster.
5454

55-
This DNS name should be in the Active Directory domain or its descendant domains.
55+
These DNS names should be in the Active Directory domain or its descendant domains.
5656

57-
The examples in these instructions use `sqlmi.contoso.local` for the DNS name.
57+
The examples in these instructions use `sqlmi-primary.contoso.local` for the primary DNS name and `sqlmi-secondary.contoso.local` for the secondary DNS name.
5858

59-
2. Identify the port number for the SQL endpoint.
59+
2. Identify the port numbers for the SQL endpoints.
6060

61-
You provide a port number for the SQL endpoint.
61+
You provide a port number for each of the SQL endpoints.
6262

63-
This port number must be in the acceptable range of port numbers for Kubernetes cluster.
63+
These port numbers must be in the acceptable range of port numbers for Kubernetes cluster.
6464

65-
The examples in these instructions use `31433` for the port number.
65+
The examples in these instructions use `31433` for the primary port number and `31434` for the secondary port number.
6666

6767
### [Customer-managed keytab mode](#tab/customer-managed-keytab-mode)
6868

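Review bot: step 2 still reads "the acceptable range of port numbers for Kubernetes cluster"; suggest "for the Kubernetes cluster". Steps 1 and 2 now speak of "DNS names" and "port numbers" unconditionally, whereas the prerequisites a few lines up describe the secondary endpoint as optional; a clause such as "and, if you will expose a readable secondary endpoint, a second name and port" in each step would keep them consistent with the prerequisites and with the `(optional)` labels on the keytab parameters later in this file.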
@@ -88,17 +88,17 @@ The following instructions expect that the users can bring in the Active Directo
8888

8989
---
9090

91-
4. Create a DNS record for the SQL endpoint in the Active Directory DNS servers.
91+
4. Create DNS records for the SQL endpoints in the Active Directory DNS servers.
9292

93-
In one of the Active Directory DNS servers, create an A record (forward lookup record) for the DNS name chosen in step 1. This DNS record should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
93+
In one of the Active Directory DNS servers, create A records (forward lookup records) for the DNS names chosen in step 1. These DNS records should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
9494

95-
You do not need to create a PTR record (reverse lookup record) in association with the A record.
95+
You do not need to create PTR records (reverse lookup records) in association with the A records.
9696

9797
### [Customer-managed keytab mode](#tab/customer-managed-keytab-mode)
9898

9999
5. Create Service Principal Names (SPNs)
100100

101-
In order for SQL to be able to accept AD authentication against the SQL endpoint DNS name, we need to register two SPNs under the account generated in the previous step. These two SPNs should be of the following format:
101+
In order for SQL to be able to accept AD authentication against the SQL endpoints, we need to register two SPNs under the account generated in the previous step. SPNs must be registered for the primary endpoint and optionally for the secondary endpoint if AD authentication is desired on the secondary endpoint. The SPNs should be of the following format:
102102

103103
```output
104104
MSSQLSvc/<DNS name>
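Review bot: step 4 now says the A records "should point to the IP address that the SQL endpoint will listen on" (singular), but the spec changes later in this file give `readableSecondaries` its own `type: LoadBalancer` service, so the primary and secondary endpoints can receive different external IP addresses; suggest "each DNS record should point to the IP address that its endpoint will listen on". In step 5, "we need to register two SPNs" followed by "SPNs must be registered for the primary endpoint and optionally for the secondary endpoint" leaves the count ambiguous; "two SPNs per endpoint" would be clearer.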
@@ -112,11 +112,18 @@ The following instructions expect that the users can bring in the Active Directo
112112
setspn -S MSSQLSvc/<DNS name>:<port> <account>
113113
```
114114

115-
With the chosen example DNS name, port number and the account name in this document, the commands should look like the following:
115+
With the chosen example primary endpoint DNS name, port number and the account name in this document, the commands should look like the following:
116116

117117
```console
118-
setspn -S MSSQLSvc/sqlmi.contoso.local sqlmi-account
119-
setspn -S MSSQLSvc/sqlmi.contoso.local:31433 sqlmi-account
118+
setspn -S MSSQLSvc/sqlmi-primary.contoso.local sqlmi-account
119+
setspn -S MSSQLSvc/sqlmi-primary.contoso.local:31433 sqlmi-account
120+
```
121+
122+
Additionally, if AD authentication is needed on the secondary endpoint, the following commands will add SPNs for the secondary endpoint using the chosen example DNS name and port number:
123+
124+
```console
125+
setspn -S MSSQLSvc/sqlmi-secondary.contoso.local sqlmi-account
126+
setspn -S MSSQLSvc/sqlmi-secondary.contoso.local:31434 sqlmi-account
120127
```
121128

122129
6. Generate a keytab file containing entries for the account and SPNs
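Review bot: the new paragraph for the secondary SPNs should state that these SPNs also have to be included in the keytab generated in step 6 (the `--secondary-dns-name` and `--secondary-port` parameters added later in this change). As written, a reader can register the secondary SPNs and still generate a keytab that covers only the primary endpoint, and a keytab without entries for the secondary SPNs cannot be used to accept Kerberos tickets issued for `sqlmi-secondary.contoso.local`.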
@@ -148,12 +155,14 @@ The following instructions expect that the users can bring in the Active Directo
148155

149156
The input parameters are expecting the following values:
150157
* `--realm` expects the uppercase of the AD domain, such as CONTOSO.LOCAL
151-
* `--account` expects the AD account under where the SPNs are registered, such sqlmi-account
152-
* `--port` expects the SQL endpoint port number 31433
153-
* `--dns-name` expects the DNS name for the SQL endpoint
158+
* `--account` expects the AD account under where the SPNs are registered, such as sqlmi-account
159+
* `--port` expects the primary SQL endpoint port number, such as 31433
160+
* `--dns-name` expects the DNS name for the primary SQL endpoint
154161
* `--keytab-file` expects the path to the keytab file
155162
* `--secret-name` expects the name of the keytab secret to generate a specification for
156163
* `--secret-namespace` expects the Kubernetes namespace containing the keytab secret
164+
* `--secondary-port` expects the secondary SQL endpoint port number, such as 31434 (optional)
165+
* `--secondary-dns-name` expects the DNS name for the secondary SQL endpoint (optional)
157166

158167
Choose a name for the Kubernetes secret hosting the keytab. The namespace should be the same as what SQL will be deployed in.
159168

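Review bot: the `--account` bullet still reads "the AD account under where the SPNs are registered"; suggest "under which". The two new optional parameters are appended after `--secret-namespace` while their required counterparts sit at the top of the list; placing `--secondary-dns-name` directly after `--dns-name` and `--secondary-port` after `--port` makes the pairing obvious. "(optional)" would also benefit from its condition: required when a secondary endpoint was chosen in steps 1 and 2 and AD authentication is wanted on it.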
@@ -211,14 +220,18 @@ To support Active Directory authentication on SQL, the deployment specification
211220
Name of the Active Directory account for this managed instance.
212221
- `spec.security.activeDirectory.keytabSecret`
213222
Name of the Kubernetes secret hosting the pre-created keytab file by users. This secret must be in the same namespace as the managed instance. This parameter is only required for the AD deployment in customer-managed keytab mode.
214-
- `spec.services.primary.dnsName`
223+
- `spec.services.primary.dnsName`
215224
You provide a DNS name for the primary SQL endpoint.
216-
- `spec.services.primary.port`
225+
- `spec.services.primary.port`
217226
You provide a port number for the primary SQL endpoint.
218227

219228
- **Optional**
220229
- `spec.security.activeDirectory.connector.namespace`
221230
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
231+
- `spec.services.readableSecondaries.dnsName`
232+
You provide a DNS name for the secondary SQL endpoint.
233+
- `spec.services.readableSecondaries.port`
234+
You provide a port number for the secondary SQL endpoint.
222235

223236
### [System-managed keytab mode](#tab/system-managed-keytab-mode)
224237

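Review bot: the `spec.services.primary.dnsName` and `spec.services.primary.port` bullets are removed and re-added unchanged (214-/223+, 216-/225+), apparently an indentation or whitespace edit; fine if intended, but worth a check. The new `readableSecondaries` bullets under Optional should say that the fields are needed only when a readable secondary endpoint is exposed and that AD authentication on it additionally requires the secondary SPNs to be present in the keytab referenced by `keytabSecret`, which this tab describes as pre-created by the user.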
@@ -235,8 +248,12 @@ To support Active Directory authentication on SQL, the deployment specification
235248
- **Optional**
236249
- `spec.security.activeDirectory.connector.namespace`
237250
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
238-
- `spec.security.activeDirectory.encryptionTypes`
239-
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
251+
- `spec.security.activeDirectory.encryptionTypes`
252+
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
253+
- `spec.services.readableSecondaries.dnsName`
254+
You provide a DNS name for the secondary SQL endpoint.
255+
- `spec.services.readableSecondaries.port`
256+
You provide a port number for the secondary SQL endpoint.
240257

241258
---
242259

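Review bot: `spec.security.activeDirectory.encryptionTypes` is removed and re-added without visible change (238-/251+), like the whitespace-only edits elsewhere in this commit. Since the bullet is being touched anyway: it states that the default allows all three types, RC4 included, and that RC4 can be disabled by listing only AES128 and AES256; a one-line recommendation to set `AES128, AES256` for new deployments would fit here, as RC4 is the weakest of the accepted options. The `readableSecondaries` bullets in this tab would also benefit from the same "only when a secondary endpoint is exposed" qualifier as in the customer-managed tab.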
@@ -283,8 +300,12 @@ spec:
283300
services:
284301
primary:
285302
type: LoadBalancer
286-
dnsName: <Endpoint DNS name>
287-
port: <Endpoint port number>
303+
dnsName: <Primary Endpoint DNS name>
304+
port: <Primary Endpoint port number>
305+
readableSecondaries:
306+
type: LoadBalancer
307+
dnsName: <Secondary Endpoint DNS name>
308+
port: <Secondary Endpoint port number>
288309
storage:
289310
data:
290311
volumes:
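Review bot: the YAML template now always carries a `readableSecondaries` service with `type: LoadBalancer`, although the field descriptions above list it as optional; suggest a YAML comment such as `# optional: omit when no readable secondary endpoint is exposed` above the block, or a sentence before the fence. Placeholder style also differs from the CLI page in this commit (`<Primary Endpoint DNS name>` here vs `< SQL MI primary endpoint DNS name >` there). The same applies to the identical block in the system-managed keytab tab that follows.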
@@ -333,8 +354,12 @@ spec:
333354
services:
334355
primary:
335356
type: LoadBalancer
336-
dnsName: <Endpoint DNS name>
337-
port: <Endpoint port number>
357+
dnsName: <Primary Endpoint DNS name>
358+
port: <Primary Endpoint port number>
359+
readableSecondaries:
360+
type: LoadBalancer
361+
dnsName: <Secondary Endpoint DNS name>
362+
port: <Secondary Endpoint port number>
338363
storage:
339364
data:
340365
volumes:
