
App Service Sizing

Basics

SCEPman depends mainly on CPU resources. Memory and disk are much less important.

One SCEPman instance (version 2.5 and newer) in one Azure P0V3 App Service Plan (195 ACUs) can serve around 2000 requests per minute under usual conditions. Requests are

  • SCEP issuing requests and

  • OCSP requests.

This means that SCEPman can serve about 10 requests per minute per ACU.

Since a certificate is enrolled once but its validity is checked many times, there will be many more OCSP requests than SCEP requests in total. Hence, you should size your SCEPman instance based on your OCSP requests.

Dependencies

The load on your SCEPman service depends on several factors and varies between environments. Important dependencies are:

  1. Distribution of requests

  2. Frequency of logins to network resources

  3. Frequency of certificate requests/renewals

The distribution of requests is especially important. If all clients send requests at the same time, your SCEPman instances come under heavy load. You should strive to let SCEPman answer SCEP requests in less than a minute in all cases.

Please do not assign SCEP profiles to a large number of users/devices at once, since this may result in a request peak at your SCEPman instances.
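The following added example (not part of the SCEPman documentation) sizes from the busiest minute of a request log using the ~10 requests per minute per ACU rule above, and shows how the same daily volume needs very different capacity depending on its distribution. The function names, the 4000-client workload and the 3 checks per client are constructed assumptions; the per-instance ACU values for S1 and P0V3 are the ones quoted on this page.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

REQ_PER_MIN_PER_ACU = 10               # rule of thumb stated on this page
PLAN_ACUS = {"S1": 100, "P0V3": 195}   # per-instance ACUs as quoted on this page

def peak_requests_per_minute(timestamps):
    """Bucket request timestamps by minute and return the busiest minute's count."""
    buckets = Counter(ts.replace(second=0, microsecond=0) for ts in timestamps)
    return max(buckets.values(), default=0)

def required_acus(peak_rpm):
    """ACUs needed to serve the peak minute at ~10 requests/minute/ACU."""
    return math.ceil(peak_rpm / REQ_PER_MIN_PER_ACU)

def instances_needed(acus, plan):
    """Instances of one plan size covering the ACU demand (at least one)."""
    return max(1, math.ceil(acus / PLAN_ACUS[plan]))

def constructed_day(clients, checks_per_client, start_hour, window_minutes):
    """Constructed sample load: all requests spread evenly inside one window."""
    start = datetime(2024, 1, 8, start_hour, 0)
    total = clients * checks_per_client
    step_us = window_minutes * 60 * 1_000_000 // total  # integer spacing, no float drift
    return [start + timedelta(microseconds=i * step_us) for i in range(total)]

def size_report(label, timestamps):
    """One-line sizing summary for a list of request timestamps."""
    peak = peak_requests_per_minute(timestamps)
    acus = required_acus(peak)
    return (f"{label}: peak {peak} req/min -> {acus} ACUs -> "
            f"{instances_needed(acus, 'S1')} x S1 or "
            f"{instances_needed(acus, 'P0V3')} x P0V3")

if __name__ == "__main__":
    # Assumption: 4000 clients, 3 OCSP checks each per day (constructed numbers).
    print(size_report("spread over 8 h", constructed_day(4000, 3, 8, 480)))
    print(size_report("burst in 5 min ", constructed_day(4000, 3, 8, 5)))
```

To size a real deployment, feed `peak_requests_per_minute` the request timestamps from your own logs instead of the constructed day.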

Recommendation

We recommend the following sizing in Azure Compute Units (ACU) for the Azure App Service Plans as a starting point:

| Amount of users/clients | Singular design | Geo-Redundant design |
| --- | --- | --- |
| < 2000 clients | ~100 ACUs (e.g. 1 x S1) | 2 x ~100 ACUs (e.g. 2 x S1) |
| < 5000 clients | ~200 ACUs (e.g. 1 x P0V3) | 2 x ~200 ACUs (e.g. 2 x P0V3) |
| < 10.000 clients | ~400 ACUs (e.g. 2 x P0V3) | 2 x ~400 ACUs (e.g. 4 x P0V3) |
| < 25.000 clients | ~800 ACUs (e.g. 4 x P0V3) | 2 x ~800 ACUs (e.g. 8 x P0V3) |
| < 50.000 clients | ~1600 ACUs (e.g. 4 x P1V3) | 2 x ~1600 ACUs (e.g. 8 x P1V3) |
| < 100.000 clients | ~3200 ACUs (e.g. 4 x P2V3) | 2 x ~3200 ACUs (e.g. 2 x 4 x P2V3) |

Azure Cost Prognosis

The additional Azure resources (Key Vault, Storage Account, Log Analytics, network resources for private endpoints) play a minor role in the cost. Depending on the use cases in your environment, you should expect an additional 5% to 25% on top of the App Service Plan cost for these additional Azure resources.

This cost projection is just a rule of thumb to help you estimate the cost of Azure. It can vary significantly in different environments.

Fine Tuning

Every environment has its own load distribution over the day. In many environments, the morning (start of work) generates a load peak at your SCEPman instances.

Manual Scale

You can adapt the computing power for your App Service to your individual daily load distribution with the Azure App Service Scale Out features. For example, you could define 2 x S1 in the morning from 08:00-10:00 to cover the morning peak, and reduce to 1 x S1 for the rest of the day.

Auto Scale

Manual vs. Auto Scale

If you are able to predict your load well (e.g. derived from load history), we recommend Manual Scale over Auto Scale, since Auto Scale has to react lazily (hysteresis) to prevent flapping between scales.


Based on the sizing recommendations, you can monitor your traffic and see whether you can scale down as described in the Fine Tuning section.

The main Azure costs will be for the Azure App Service Plan(s). You can derive your cost from the requirements in the Recommendation table and your Azure pricelist or the generic undiscounted App Service Pricing overview.

Alternatively, you can use the Azure App Autoscaling feature to adapt to needed resources. Learn more about that in Autoscaling.