question

Hi.

If Azure is going to be your second datacenter, you should allow authentication to Azure DCs also from onprem infrastructure. So if Azure is going to extend your onpremises datacenter, then you should interconnect those networks, so use either Azure ExpressRoute or site-to-site VPN. Then the infrastructure deployed in Azure will be part of your internal network.

You should never expose DCs directly to the Internet, DCs should be accessible only from internal network.

I hope you have extended your DC to Azure from On-premises via a secure channel like express route or site-to-site VPN.

Where the Azure Gateway provides a connection between on-premises VPN device and virtual network. All requests between the DC servers in the cloud and on-premises pass through the gateway. User-defined routes (UDRs) handle routing for on-premises traffic that passes to Azure.

Yes - We have an express route connection, but there are still FW rules and NSGs that have to be setup properly, so the main concern is should you add those ports in so that on-premises computers can authenticate to the DCs in Azure if needed. It sounds like everyone is saying that all on-premises workstations that normally only communicate with the on-premises DCs, should also have 389, 445, 53, etc open to the DC in Azure.

In that case yes, you should open the ports as Azure is your "external" datacenter and in case of some outage in your primary datacenter, Azure will handle the requests.