"So I need to use Entra Connect to synchronize the on-premises AD and Entra ID in a locked hybrid network which is connected by ExpressRoute between the local office and Azure, which means there should be no public traffic into or out of the on-premises network. Is it possible?"
Simply put, no. You will need allowances for specific URLs and ports for functionality.
Entra Connect needs access to specific ports and URLs. It is a prerequisite: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-prerequisites. I am listing the networking prerequisites from the above doc below:
- The Microsoft Entra Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both to your on-premises Active Directory and the Microsoft Entra endpoints.
- Microsoft Entra Connect requires network connectivity to all configured domains.
- Microsoft Entra Connect requires network connectivity to the root domain of all configured forests.
- If you have firewalls on your intranet and you need to open ports between the Microsoft Entra Connect servers and your domain controllers, see Microsoft Entra Connect ports for more information.
- If your proxy or firewall limits which URLs can be accessed, the URLs documented in Office 365 URLs and IP address ranges must be opened. Also see Safelist the Microsoft Entra admin center URLs on your firewall or proxy server.
- If you're using the Microsoft cloud in Germany or the Microsoft Azure Government cloud, see Microsoft Entra Connect Sync service instances considerations for URLs.
The URL you mentioned is "*.msappproxy.net", which is used for Azure AD Application Proxy. It needs internet access and cannot be routed through ExpressRoute.
If you have a locked environment, I would recommend:
- Review the full list of URLs and IP address ranges required by Entra Connect.
- Work with your network team to ensure that only the necessary traffic is allowed through your firewall.
- Consider using Azure Firewall or a similar solution to manage outbound traffic from your Azure environment.
You can mark it 'Accept Answer' and 'Upvote' if this helped you.
Regards,
Abiola
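A pre-flight check of the networking prerequisites listed in the answer above, as an added example that is not part of the original thread or of Microsoft's tooling. It assumes a placeholder forest root domain (`corp.contoso.local`), uses `login.microsoftonline.com` as one assumed Entra endpoint (extend the list from the Office 365 URLs document linked above), and tests LDAP 389 as one representative domain-controller port rather than the full set from the Entra Connect ports document.

```powershell
# Added example, not from the original answer. Checks the Entra Connect network prerequisites:
# DNS for both on-premises AD and Entra endpoints, domain-controller reachability, and
# outbound HTTPS to the cloud endpoints. Names below are placeholders/assumptions; take the
# authoritative URL and port lists from the Microsoft docs referenced in the answer.
param(
    [string]$OnPremDomain     = 'corp.contoso.local',             # placeholder forest root domain
    [string[]]$CloudEndpoints = @('login.microsoftonline.com'),   # assumed Entra endpoint; extend from the published list
    [int]$DcPort              = 389                               # LDAP; one representative DC port, not the full set
)

$results = @()

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. Intranet DNS: the server must locate DCs through the LDAP SRV record of the forest root.
$srv = Resolve-DnsName -Name "_ldap._tcp.$OnPremDomain" -Type SRV -ErrorAction SilentlyContinue
Add-Result 'Intranet DNS (SRV)' ($null -ne $srv) "_ldap._tcp.$OnPremDomain"

# 2. Domain-controller reachability on the chosen port (intranet firewall rules between
#    the Entra Connect server and the DCs).
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    $tcp = Test-NetConnection -ComputerName $dc -Port $DcPort -WarningAction SilentlyContinue
    Add-Result 'DC port' $tcp.TcpTestSucceeded "$dc`:$DcPort"
}

# 3. Internet DNS and outbound HTTPS for each Entra endpoint. In a network that only has
#    ExpressRoute private connectivity and no internet egress, these are the checks that fail.
foreach ($ep in $CloudEndpoints) {
    $dns = Resolve-DnsName -Name $ep -Type A -ErrorAction SilentlyContinue
    Add-Result 'Internet DNS' ($null -ne $dns) $ep
    if ($dns) {
        $tcp = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
        Add-Result 'Outbound HTTPS' $tcp.TcpTestSucceeded "$ep`:443"
    }
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'One or more Entra Connect network prerequisites are not met; see the table above.'
    exit 1
}
```

Test-NetConnection opens a direct TCP socket, so if outbound traffic must go through an explicit proxy the HTTPS check fails even when the proxy allows the URL; in that case validate the proxy's allow-list separately.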