DaveBryan-5712 asked:

Domain Controller in Azure also need FW rules to allow on-premises authentications

We are extending our domain into Azure. I am setting up an AD site for Azure and deploying a domain controller there. I have always thought the best design of AD is to allow any client to authenticate to any DC. That way, if a DC goes down or there is a site discovery issue, etc., things do not break. Obviously you still want your on-premises clients to authenticate to your on-premises DCs and your Azure clients to authenticate to your Azure DCs. In order to accomplish this, we obviously have to set up a lot more NSG/firewall rules, etc. What do you guys think? Obviously you need the DCs to replicate to each other, but should you allow on-premises clients to authenticate to an Azure DC? Or is that not really needed if you have multiple on-premises DCs?

Tags: azure-active-directory, azure-ad-domain-services

LukasBeran answered:

Hi.

If Azure is going to be your second datacenter, you should allow authentication to Azure DCs also from the on-prem infrastructure. So if Azure is going to extend your on-premises datacenter, then you should interconnect those networks, using either Azure ExpressRoute or a site-to-site VPN. Then the infrastructure deployed in Azure will be part of your internal network.

You should never expose DCs directly to the Internet; DCs should be accessible only from the internal network.


ChaitanyaSreeramsetty-3905 answered:

I hope you have extended your DC to Azure from on-premises via a secure channel like ExpressRoute or a site-to-site VPN.

The Azure gateway provides a connection between the on-premises VPN device and the virtual network. All requests between the DC servers in the cloud and on-premises pass through the gateway. User-defined routes (UDRs) handle routing for on-premises traffic that passes to Azure.


DaveBryan-5712 answered:

Yes, we have an ExpressRoute connection, but there are still FW rules and NSGs that have to be set up properly, so the main concern is whether you should add those ports so that on-premises computers can authenticate to the DCs in Azure if needed. It sounds like everyone is saying that all on-premises workstations, which normally only communicate with the on-premises DCs, should also have 389, 445, 53, etc. open to the DC in Azure.


LukasBeran answered:

In that case, yes, you should open the ports, as Azure is your "external" datacenter, and in case of an outage in your primary datacenter, Azure will handle the requests.

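As an added example (not from any poster in this thread), here is a small Python audit of the kind of NSG rule set the thread settles on: the DC ports allowed inbound from the on-premises range that arrives over ExpressRoute or the site-to-site VPN, and nothing from the Internet. The rule names, the on-premises prefix and the port list are constructed assumptions, and the evaluator only models inbound priority ordering, not protocol or direction.

```python
import ipaddress
from dataclasses import dataclass

# Ports the thread names (389, 445, 53) plus other common DC ports; constructed list, not exhaustive
AD_PORTS = frozenset({53, 88, 135, 389, 445, 464, 636, 3268, 3269})
ONPREM = "10.0.0.0/8"  # constructed on-premises range reached over ExpressRoute / S2S VPN


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number is evaluated first, as in an Azure NSG
    access: str             # "Allow" or "Deny"
    source: str             # CIDR, a service tag such as "Internet"/"VirtualNetwork", or "*"
    dest_ports: frozenset   # ints, or {"*"} for any port (inbound only; protocol ignored here)


def _source_matches(rule_source: str, client: str) -> bool:
    """client is either an IP address or a service tag; tags match by exact name only."""
    if rule_source in ("*", client):
        return True
    try:
        return ipaddress.ip_address(client) in ipaddress.ip_network(rule_source, strict=False)
    except ValueError:  # one side is a service tag, not a CIDR
        return False


def effective_access(rules, client: str, port: int) -> str:
    """First matching rule in priority order wins; fall through to Azure's DenyAllInBound default."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if _source_matches(r.source, client) and ("*" in r.dest_ports or port in r.dest_ports):
            return r.access
    return "Deny"


def exposed_ad_ports(rules) -> list:
    """AD ports an Internet-sourced client could reach; should be empty for a DC subnet."""
    return sorted(p for p in AD_PORTS if effective_access(rules, "Internet", p) == "Allow")


# Constructed rule sets: the weak one opens LDAP/SMB/DNS to any source, the hardened one
# allows the DC ports only from on-premises and the VNet and denies the Internet explicitly.
WEAK = [Rule("allow-ad-any", 100, "Allow", "*", frozenset({389, 445, 53}))]
HARDENED = [
    Rule("allow-ad-from-onprem", 100, "Allow", ONPREM, AD_PORTS),
    Rule("allow-ad-from-vnet", 110, "Allow", "VirtualNetwork", AD_PORTS),
    Rule("deny-internet-inbound", 4000, "Deny", "Internet", frozenset({"*"})),
]

if __name__ == "__main__":
    print("weak set exposes:", exposed_ad_ports(WEAK))          # [53, 389, 445]
    print("hardened set exposes:", exposed_ad_ports(HARDENED))  # []
```

Point the same check at a real exported NSG by mapping each rule's priority, access, sourceAddressPrefix and destinationPortRange onto `Rule`; the on-premises range would then be the prefix actually advertised over your ExpressRoute circuit.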