That’s mostly for general redundancy and speed. Speed is both for load balancing and
querying local servers first.
Say you don’t talk to IPA often and your cross-continental latency isn’t an issue, then
running 1 server in Iceland would fit.
For us, the redundancy part is relatively important because our sites and DCs have to be
able to run independently. We don’t want an issue in one DC or AWS account to affect
another.
This way, we could have 9 out of 10 systems fail and still have a fast and reliable
system. So far we had some cross connects fail, some undersea fibers broken and a few key
expiration issues cause inter-DC connectivity issues, but it never caused any service
interruption. Total cost of running multiple instances is negligible as long as you have a
reasonable amount of automation in place, or as we could say: cattle, not pets.
John
On 23 May 2019, at 09:11, Angus Clarke via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hello
Best practices say to deploy 2 - 3 IPA servers per site (Deployment Recommendations)
however I've never really understood why. We run 2 IPA servers in each of our primary
DCs and then connect our smaller remote sites to those IPA servers over IPSEC VPNs. For
example, IPA clients in a small site in Italy connect to an IPA server in London and an
IPA server in Paris (I haven't yet looked at service discovery.)
Regards
Angus
> On 22 May 2019 at 22:46 Alex Corcoles via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
> Well, in that scenario site-to-site VPNs should not be too terrible (AWS
> provides one, for instance).
>
> I think that certainly having a default install which is "safe" to
> expose to the Internet would be a very nice feature. However, I realize
> that has its cost and maybe its drawbacks, so of course I'm not sure if
> it's the best use of development time for the project.
>
> I can say that it would be one of the top items in my features wishlist
> for FreeIPA*, but then again I'm neither a typical, nor paying, nor
> particularly smart customer, so I'm just talking here and I don't think
> I should be listened to much. I think VPNs also have a cost, so not having
> to set them up and maintain them is a huge plus in my book.
>
> Cheers,
>
> Álex
>
> * the other two would be very low effort monitoring (e.g. a built-in
> health check URL or command line tool included in the default install)
> and low effort full backup/restore + recovery.
>
> On 5/22/19 6:42 PM, Stepan Vardanyan via FreeIPA-users wrote:
>> See this image to have basic understanding of our infrastructure -
>> https://imgur.com/a/R5c8BWW
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...