Domain Controller in Azure also need FW rules to allow on-premises authentications

Dave Bryan 96 Reputation points
2020-01-02T16:26:35.21+00:00

We are extending our domain into Azure. I am setting up an AD site for Azure and deploying a domain controller there. I have always thought the best design of AD is to allow any client to authenticate to any DC. That way if a DC goes down or there is a site discovery issue, etc. things do not break. Obviously you still want your on-premises clients to authenticate to your on-premises DCs and your Azure clients to authenticate to your Azure DCs. In order to accomplish this, we obviously have to setup a lot more NSG/Firewall rules, etc. What do you guys think? Obviously you need the DCs to replicate to each other, but should you allow on-premises clients to authenticate to an Azure DC? or is that not really needed if you have multiple on-premises DCs?

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,090 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Lukas Beran 176 Reputation points
    2020-01-02T17:42:05.923+00:00

    Hi.

    If Azure is going to be your second datacenter, you should allow authentication to Azure DCs also from onprem infrastructure. So if Azure is going to extend your onpremises datacenter, then you should interconnect those networks, so use either Azure ExpressRoute or site-to-site VPN. Then the infrastructure deployed in Azure will be part of your internal network.

    You should never expose DCs directly to the Internet, DCs should be accessible only from internal network.

    0 comments No comments

  2. Chaitanya Sreeramsetty 1 Reputation point
    2020-01-03T12:42:28.63+00:00

    I hope you have extended your DC to Azure from On-premises via a secure channel like express route or site-to-site VPN.

    Where the Azure Gateway provides a connection between on-premises VPN device and virtual network. All requests between the DC servers in the cloud and on-premises pass through the gateway. User-defined routes (UDRs) handle routing for on-premises traffic that passes to Azure.

    0 comments No comments

  3. Dave Bryan 96 Reputation points
    2020-01-03T15:37:55.533+00:00

    Yes - We have an express route connection, but there are still FW rules and NSGs that have to be setup properly, so the main concern is should you add those ports in so that on-premises computers can authenticate to the DCs in Azure if needed. It sounds like everyone is saying that all on-premises workstations that normally only communicate with the on-premises DCs, should also have 389, 445, 53, etc open to the DC in Azure.

    0 comments No comments

  4. Lukas Beran 176 Reputation points
    2020-01-03T18:07:56.033+00:00

    In that case yes, you should open the ports as Azure is your "external" datacenter and in case of some outage in your primary datacenter, Azure will handle the requests.

    0 comments No comments