Hello everyone,
We are in the process of redesigning our VA architecture. I would like to make sure that the design meets the recommended architecture and requirements. Of course, every organization has its own VA architecture and will change accordingly.
Here is a brief overview of our connectors:
Two Active Directory domain sources. One of the domains is on our local/internal server.
Two Azure Active Directory sources.
Nine cloud-hosted sources.
We are planning to integrate two additional Active Directory sources. However, they are not on the local/internal server.
I am considering the following architecture:
First VA cluster: contains one VA that manages the on-prem/local-server Active Directory.
Second VA cluster: contains two VAs (load balanced) that manage the rest of the Active Directory sources and the nine cloud-hosted sources.
Does this approach seem good? I have also observed that the VA and the IQService server must talk to each other, and it ends up being one VA cluster per Active Directory domain. I want to make sure the architecture is also scalable.
Greetings. If I may suggest, do consider at least two VAs in the first cluster as well. Even though it would not be used much, the second one would help as a failover in case the first VA is not available due to a failure or an upgrade pushed from SailPoint.
What would be the footprint of your org, or the average number of accounts in the sources?
I was wondering if there are any criteria on where VAs should be hosted. Can you please provide any reference documentation for this? Since we plan on integrating more Active Directory domains, does the VA need to be hosted on the same domain as the DNS server? Or can it be hosted in any domain in an Azure environment?
For an Active Directory source, I believe both options are possible. The VA can be hosted in Azure or placed closer to DNS. I would let your connectivity tests and your network team's guidance determine the best option.
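The reply above leaves the hosting decision to connectivity tests. As an added example (not code from this thread or from SailPoint), here is a small Python reachability check a practitioner could run from a candidate VA host against the endpoints each AD source needs: DNS resolution, plus TCP reachability of the domain controllers on LDAP 389 and LDAPS 636 and of the IQService host on its configured port. The hostnames and the lab data in the `__main__` block are constructed, and the IQService port default of 5050 is an assumption (5050 plain / 5051 TLS are the commonly used IQService defaults; confirm against your own IQService configuration). The resolver and prober are injectable so the logic can be exercised offline with simulated results.

```python
"""Reachability check for a planned VA cluster against its AD sources.

Added example for this thread, not SailPoint code. It assumes:
  - LDAP on 389 and LDAPS on 636 on each domain controller (standard ports);
  - IQService on 5050 by default (5050 plain / 5051 TLS are the commonly used
    defaults; this is an assumption, confirm against your IQService config);
  - the VA needs DNS resolution and a TCP path to each of those endpoints.
"""
import socket
from dataclasses import dataclass, field

LDAP_PORTS = (389, 636)


@dataclass
class AdSource:
    name: str
    domain_controllers: list      # DC hostnames the VA will bind to
    iqservice_hosts: list         # IQService hosts for this domain
    iqservice_port: int = 5050    # assumed default; set to 5051 if using TLS


@dataclass
class SourceReport:
    name: str
    unresolved: list = field(default_factory=list)   # hostnames DNS could not resolve
    unreachable: list = field(default_factory=list)  # (host, port) with no TCP path

    @property
    def ok(self):
        return not self.unresolved and not self.unreachable


def resolve(host):
    """Return True if the local resolver can turn host into an address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_source(source, resolver=resolve, prober=tcp_open):
    """Check every DC and IQService endpoint a VA must reach for one AD source.

    resolver(host) -> bool and prober(host, port) -> bool are injectable so the
    check can be run offline against simulated results.
    """
    report = SourceReport(source.name)
    endpoints = [(h, p) for h in source.domain_controllers for p in LDAP_PORTS]
    endpoints += [(h, source.iqservice_port) for h in source.iqservice_hosts]
    for host in sorted({h for h, _ in endpoints}):
        if not resolver(host):
            report.unresolved.append(host)
    for host, port in endpoints:
        if host in report.unresolved:
            continue  # no point probing a name we cannot resolve
        if not prober(host, port):
            report.unreachable.append((host, port))
    return report


def check_cluster(sources, resolver=resolve, prober=tcp_open):
    """Run check_source for every source a cluster is planned to manage."""
    return {s.name: check_source(s, resolver, prober) for s in sources}


if __name__ == "__main__":
    # Constructed lab data: the on-prem domain answers fully, but the other
    # domain's LDAPS port is blocked, as a firewall rule between zones might do.
    lab_open = {
        ("dc1.corp.example", 389), ("dc1.corp.example", 636),
        ("iq1.corp.example", 5050),
        ("dc1.cloud.example", 389),
        ("iq1.cloud.example", 5050),
    }

    def lab_resolver(host):
        return host.endswith(".example")

    def lab_prober(host, port):
        return (host, port) in lab_open

    sources = [
        AdSource("corp.example", ["dc1.corp.example"], ["iq1.corp.example"]),
        AdSource("cloud.example", ["dc1.cloud.example"], ["iq1.cloud.example"]),
    ]
    for name, rep in check_cluster(sources, lab_resolver, lab_prober).items():
        status = "OK" if rep.ok else "FAIL"
        print(f"{name}: {status} unresolved={rep.unresolved} unreachable={rep.unreachable}")
```

Run it with the real `resolve` and `tcp_open` from each host you are considering for a cluster. A cluster whose hosts cannot resolve or reach a source's domain controllers and IQService cannot be the cluster that manages that source, which is the constraint behind the one-cluster-per-domain observation in the question.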