Hi there,
I'm sure you'll get some good advice from the rest of the team, but I'll just add one more suggestion: consider using a site-to-site VPN to isolate your new domain controller from any public access.
Also consider the operational cost of running your new DC in Azure. Since AD and AAD are not compatible, what you're doing totally makes sense, especially if you're planning a near-term migration away from AD.
This walkthrough looks like it has many steps related to what you're considering (of course I can't guarantee it's a perfect process, and it's 1 year back):
You're likely aware there are some free credits for people migrating to Azure:
Good luck!