XACML 3.0 multiple PEP and PDP instances

Question

I am using XACML 3.0 I just want to know which is the best practices for separating the PEP and PDP instances. I have three scenarios here which one is best as per the cloud way of implementation.

1. I have one instance of PEP which will communicate to multiple PDP instances.
2. I have multiple PEP and multiple PDP instances which will communicate to each other.
3. I have multiple PEP instances which will communicate to one PDP instance.

Answer 1

The typical deployment I see is one or more enforcement points (PEP) talking to a load balancer that sits in front of multiple PDPs that are all equally configured.

That's true of any version of XACML.

PDPs rarely communicate together though you could imagine you'd have a PDP talking to another via a PIP connector.

--- EDIT --- Here's an architecture diagram