STONITH Fence Agent Demo

High availability and disaster recovery are key to ensuring reliable business continuity. While SAP workloads are mainly confined to Azure's infrastructure layer, it is still possible to utilize many Azure functions and features to enhance system reliability with relatively little effort. This course looks at when, where, and how to use Azure's built-in infrastructure redundancy to improve system resiliency and how various database high availability options are supported.

Learning Objectives

  • Understand the key aspects of high availability and disaster recovery
  • Learn about availability sets and availability zones
  • Learn about Azure Site Recovery and how to implement it through the Azure portal
  • Learn how to set up an internal load balancer in the context of SAP workloads
  • Understand the Azure support options for Pacemaker and STONITH
  • Learn how to implement Data Guard mirroring via the Azure CLI
  • Set up Windows Failover Cluster and SQL Server Always On through the Azure portal

Intended Audience

This course is intended for anyone who wants to use Azure's built-in infrastructure redundancy to enhance the reliability and resiliency of their SAP workloads.


To get the most out of this course, you should be familiar with Azure, Azure CLI, SAP, SQL Server, and STONITH.


The first thing we need to do is create a service principal by way of a new app registration in Azure Active Directory. Before you start, save the tenant ID; you will need it later when registering the fence agent, and you can copy it from either the Overview or the Properties page. Next, go into App Registrations and create a new registration. For the record, there is no app: the app registration is just a scaffold, or home, for the service principal. Give the app a descriptive name (this demo uses "Fence Agent Principal") and select "Accounts in this organizational directory only" as the supported account type. The redirect URI type is Web, and the URI can be any syntactically valid URI. Remember, this isn't a real app and the URI will never be accessed; it just has to be in the correct format. Click Register. Next, we need to give the service principal a means of authentication, and we do that under Certificates & secrets by creating a client secret. Click New client secret, give the secret a description and select an expiry. Previously you had the option of "never expires", but now 24 months is the longest lifetime, even if you try to use a custom range. Copy the secret's Value column straight away, not the Secret ID (which is only a reference): the value is shown once and will be the service principal's password. The Application (client) ID will be the service principal's login name. Record the expiry date wherever you track credentials, because once the secret expires the fence agent can no longer authenticate and the cluster loses the ability to fence nodes; rotate the secret, and update the STONITH resource, before that happens.

The next step is to create a custom role with only the permissions that let the service principal read, stop and start virtual machines, and assign that role to the service principal. To carry out this step you need to be an Owner or User Access Administrator on the subscription. Use the New-AzRoleDefinition PowerShell command with a JSON definition template to create the custom role. Under assignableScopes, the scope is the subscription, written as /subscriptions/<subscription id>; note that this is the subscription ID, not the tenant ID. The actions under permissions define the role's abilities: the role can monitor virtual machines through read permissions on everything under Microsoft.Compute (Microsoft.Compute/*/read), and it can power off and start VMs (Microsoft.Compute/virtualMachines/powerOff/action and Microsoft.Compute/virtualMachines/start/action). Nothing else is granted; the fence agent has no need to create, delete or reconfigure anything. Once created, assign the role to the service principal through your subscription's Access control (IAM) blade with Add role assignment. Alternatively, you can create the custom role through the portal by going into your subscription and selecting Access control (IAM). On the bottom right, click Add under Create a custom role. I'm going to use Start from JSON and the template file I already have. The custom role takes a few minutes to register and become available. Then assign the role to the service principal by going into Add role assignment, selecting the new role and clicking Next. Click Select members, find the Fence Agent Principal and select it to add it to the role, then click Next, and Review and assign. Finally, check the principal's existing assignments: if at any stage it has been given the Owner role (or any other broader role), remove that assignment, so that a leaked fence-agent secret can at most stop and start the VMs in scope rather than take over the subscription.

On each cluster node you then register the Azure fence agent (fence_azure_arm) as a STONITH resource, using the subscription ID and resource group of the VMs, the tenant ID, the application (client) ID as the login, and the client secret value as the password. The pcmk_host_map option is required when a virtual machine's Azure name is not the same as its cluster hostname: it maps each Pacemaker node name to the VM name the agent has to look up, and without it the agent cannot find the VM it is being asked to power off. Because the password is stored in the cluster configuration, treat the CIB as sensitive and restrict who can read it.
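As an added worked example (not part of the course, and not Microsoft's published script), the following shell script ties the steps above together with the Azure CLI instead of the portal and PowerShell: it writes the least-privilege role definition, creates the app registration, service principal and a 24-month client secret, assigns the role, strips Owner if the principal somehow holds it, and then renders the pcs stonith create command for the cluster nodes. The names (Fence Agent Principal, Linux Fence Agent Role, rsc_st_azure, the node and VM names, the resource group) are placeholders. provision_fence_principal needs a logged-in az session with Owner or User Access Administrator rights and is not exercised offline; the validation and rendering helpers are plain shell and run anywhere. The timeout values on the pcs command are assumed starting points, not values from the course, and should be checked against your distribution's Pacemaker documentation.

```shell
#!/bin/sh
# Added example (not from the course): provision the fence-agent service principal
# and least-privilege role with the Azure CLI, then render the Pacemaker command that
# registers fence_azure_arm. Assumes az CLI 2.37+ logged in with Owner or User Access
# Administrator rights on the subscription; all names are placeholders.
set -eu

ROLE_NAME="Linux Fence Agent Role"      # assumed name; any unique name works

# Tenant, subscription and application IDs are all GUIDs; catch copy/paste errors early.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Role definition from the course: read everything under Microsoft.Compute, plus
# powerOff and start. AssignableScopes takes the SUBSCRIPTION id, not the tenant id.
fence_role_json() {                      # usage: fence_role_json <subscription-id>
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Lets the Pacemaker fence agent monitor, power off and start VMs",
  "AssignableScopes": [ "/subscriptions/$1" ],
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/start/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": []
}
EOF
}

# Azure side (needs a logged-in az session; not run offline). Prints APP_ID and the
# one-time SECRET; store them in a secret manager, not in shell history or a ticket.
provision_fence_principal() {            # usage: provision_fence_principal <subscription-id> <app-name>
  sub_id="$1"; app_name="$2"
  is_guid "$sub_id" || { echo "bad subscription id: $sub_id" >&2; return 1; }
  app_id=$(az ad app create --display-name "$app_name" --sign-in-audience AzureADMyOrg \
             --web-redirect-uris "https://localhost" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  secret=$(az ad app credential reset --id "$app_id" --years 2 --query password -o tsv)
  fence_role_json "$sub_id" > fence-role.json
  az role definition create --role-definition @fence-role.json >/dev/null
  # A new custom role can take a few minutes to become assignable, so retry.
  for attempt in 1 2 3 4 5 6 7 8 9 10 11 12; do
    az role assignment create --assignee "$app_id" --role "$ROLE_NAME" \
       --scope "/subscriptions/$sub_id" >/dev/null 2>&1 && break || sleep 15
  done
  # Least privilege: the principal must never hold Owner; remove it if it does.
  if [ -n "$(az role assignment list --assignee "$app_id" --role Owner \
               --scope "/subscriptions/$sub_id" -o tsv)" ]; then
    az role assignment delete --assignee "$app_id" --role Owner --scope "/subscriptions/$sub_id"
  fi
  printf 'APP_ID=%s\nSECRET=%s\n' "$app_id" "$secret"
}

# Cluster side. pcmk_host_map is "<pacemaker node name>:<azure vm name>;..." and is
# needed whenever a node's hostname differs from its VM name.
build_host_map() {                       # usage: build_host_map host1:vm1 host2:vm2 ...
  map=""
  for pair in "$@"; do
    case "$pair" in
      *:?*) ;;
      *) echo "expected hostname:vm-name, got '$pair'" >&2; return 1 ;;
    esac
    map="${map:+$map;}$pair"
  done
  printf '%s' "$map"
}

# Render the pcs command run once on any node (RHEL-style pcs; SUSE's crm takes the
# same parameters). Timeouts are assumed starting values; check your distribution's docs.
pcs_stonith_cmd() {   # usage: pcs_stonith_cmd <sub-id> <tenant-id> <rg> <app-id> <secret> <host-map>
  is_guid "$1" && is_guid "$2" && is_guid "$4" || return 1
  printf 'pcs stonith create rsc_st_azure fence_azure_arm subscriptionId="%s" resourceGroup="%s" tenantId="%s" login="%s" passwd="%s" pcmk_host_map="%s" power_timeout=240 pcmk_reboot_timeout=900 pcmk_monitor_timeout=120 pcmk_monitor_retries=4 pcmk_action_limit=3 pcmk_delay_max=15 op monitor interval=3600' \
    "$1" "$3" "$2" "$4" "$5" "$6"
}

# Placeholder usage: provisioning is a one-off on an admin workstation,
#   provision_fence_principal "$SUB_ID" "Fence Agent Principal"
# then build_host_map node1:node1-vm node2:node2-vm feeds pcs_stonith_cmd, whose
# output is run on one cluster node; the secret ends up in the CIB, so guard it.
```

Two design points worth noting: the GUID checks exist because the most common failure when the STONITH resource is created is a tenant or subscription ID pasted into the wrong field, which only surfaces later as a monitor failure on the fence resource; and the Owner check is deliberately placed after the assignment rather than before, so the script always ends with the principal holding exactly the fence role and nothing broader.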

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality, reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.