JRallis asked:

Cisco Meraki to Azure AAD DS

I am new(ish) to Azure networking and could use some input / direction.

Goal: I have a small network of VMs in a datacenter that I would like to join to my Azure Active Directory Domain Services.

Current Setup:

datacenter: Meraki MX84 acting as firewall, VM setup as DNS server for local network

Azure:

resource group:
vnet1
address space: 172.16.0.0/16
subnet: default - 172.16.0.0/24
subnet: gateway - 172.16.1.0/24
Gateway
Site-to-site VPN to datacenter meraki (actively connected successfully)

AAD DS with IPs 172.16.0.4 & 172.16.0.5 attached to subnet default, with an NSG with the default rules from Azure.

S2S VPN is setup and connected between Meraki MX84 and above Azure gateway.

I can't get any of the datacenter VMs to talk to the AAD DS.

When I created the VPN on the Meraki side, the Meraki auto-created a route in its route table for 172.16.1.0/24 through the VPN.

Any help would be much appreciated.

azure-active-directory

JRallis answered:

Thanks again for your responses. I got the VPN tunnel working correctly by adding a route table in Azure to the Gateway and AAD DS subnets.

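The failure in this thread is a routing gap, not a tunnel fault: the Meraki only learned the GatewaySubnet (172.16.1.0/24), so traffic for the AAD DS subnet (172.16.0.0/24) never entered the VPN. The script below is an added example, not code from the thread or from Microsoft, that performs the longest-prefix-match check a practitioner would do by hand, in both directions (on-prem toward Azure, and the Azure subnet's return path toward on-prem). The on-prem range 10.10.0.0/16, the next-hop labels and the Azure-side effective routes are constructed assumptions.

```python
import ipaddress

# Constructed sample data. The on-prem table mirrors the question: the Meraki
# only learned 172.16.1.0/24 (the GatewaySubnet) when the tunnel came up.
# The on-prem range 10.10.0.0/16 and the Azure-side routes are assumed.
ONPREM_ROUTES = {
    "172.16.1.0/24": "s2s-vpn",      # auto-created by the Meraki
    "10.10.0.0/16": "lan",
}
AZURE_AADDS_SUBNET_ROUTES = {
    "172.16.0.0/16": "vnet",         # default system route for the VNet
    "10.10.0.0/16": "vnet-gateway",  # return path toward on-prem via the VPN
}
ONPREM_HOST = "10.10.5.20"
AADDS_IPS = ["172.16.0.4", "172.16.0.5"]


def best_route(ip, routes):
    """Longest-prefix match over a {prefix: next_hop} table; None if no route."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), hop


def vpn_path_report(src, dsts, src_routes, dst_routes):
    """For each destination, the forward route from on-prem must leave via the
    VPN and the return route on the Azure subnet must point at the gateway."""
    report = {}
    for dst in dsts:
        fwd = best_route(dst, src_routes)
        ret = best_route(src, dst_routes)
        report[dst] = {
            "forward": fwd, "return": ret,
            "ok": bool(fwd and fwd[1] == "s2s-vpn"
                       and ret and ret[1] == "vnet-gateway"),
        }
    return report


def with_route(routes, prefix, hop):
    """Copy of the table with one route added (e.g. the whole VNet space)."""
    return {**routes, prefix: hop}


if __name__ == "__main__":
    for dst, r in vpn_path_report(ONPREM_HOST, AADDS_IPS, ONPREM_ROUTES,
                                  AZURE_AADDS_SUBNET_ROUTES).items():
        print(dst, r)
```

Before the fix the forward lookup for 172.16.0.4 returns no route; adding 172.16.0.0/16 via the VPN on the on-prem side (and confirming the Azure return route) turns every entry green.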

@JRallis ,

Thanks for the confirmation.

Happy that you were able to overcome the above issue. Once again, thank you for leveraging the Microsoft community forum.

sikumars-msft answered:

Hello @JRallis ,

Thanks for reaching out.

You can use Azure ADDS to manage your on-premise workstations provided you have a Site-to-Site VPN connection between on-prem and Azure.

Since there are many components involved in this scenario, just to isolate the issue, I would recommend that you create a new test VM in the same VNet where Azure ADDS is provisioned and see whether the Azure VM can talk to the AAD DS without any issue. If that doesn't work, then we need to fix that first.

As you design the virtual network for Azure AD DS, the following considerations apply:

  • Azure AD DS must be deployed into the same Azure region as your virtual network. Make sure that you create or select a virtual network in a region that supports Azure AD DS.

  • Use a VPN gateway to create a secure tunnel using IPsec/IKE. This connection model lets you deploy the managed domain into an Azure virtual network and then connect on-premises locations or other clouds.

For more information, read Azure virtual network design and Using virtual private networking, and Configure a Site-to-Site (IPsec) connection by using the Azure portal.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi sikumars, thanks for the response.

I created a VM in the same vnet as the AAD DS.

AAD DS 172.16.0.4 & .5
Test VM: 172.16.0.6

Test VM can ping and connect to AAD DS no issue.

I am still unable to reach the AAD DS or the test VM from the on prem network through the Gateway VPN.

I have also created a P2S VPN in the same gateway, and I am also unable to connect to the test VM or AAD DS from the P2S VPN.

I have the Gateway in its own vnet now, with vnet peering and gateway transit enabled. Gateway subnet is 172.15.0.0/16

Side note: I have multiple vnets in Azure with vnet peering to the AAD DS vnet and all of those VMs are successfully connecting to AAD DS just fine.

Any other thoughts or suggestions of how to test or where to look?


Hello @JRallis ,

You have mentioned "Site-to-site VPN to datacenter meraki (actively connected successfully)" but you also mentioned that you are unable to reach the AAD DS or the test VM from the on prem network through the Gateway VPN. So I have the below questions:

  1. Are you able to connect to any VM in your Azure Vnet from on-premises via the site to site VPN?

  2. What is the address range of your on-premises network that you have added in the local network gateway?

  3. Could you check if there is any NSG or UDR on the GatewaySubnet?

  4. Also, please make sure that the site to site VPN between Azure & Meraki device is setup correctly. You can refer to : https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site_to_Site_VPN_tunnels_to_Azure_VPN_Gateway

  5. Lastly, confirm that the Meraki device's external interface is directly on the Internet. There should be no network address translation (NAT) or firewall between the Internet and the device.

Thanks,
Gita
