Active Directory VM in Azure and NSG Rules

CarmeloLoPresti-2973 61 Reputation points
2022-11-30T21:49:31.723+00:00

Hello,
We have a few AD VMs on prem, and would like to extend AD to Azure with VMs.
We have a site to site VPN between on prem and Azure.

I've set up the VMs in Azure that will eventually be hosting AD on Server 2022. My question is regarding NSG Rules.

There is decent documentation about Inbound ports required to be open for AD replication and authentication, and I have configured those inbound NSG rules so clients and on prem ADDS servers can communicate with the servers hosted in Azure.

What I'm not too clear on is whether I need to create Outbound NSG rules so my AD server in Azure can communicate back to on premises ADDS servers. For example:

Would I need to create an outbound rule for "Azure AD VM subnet x.x.x.x" to destination port 389 (LDAP) on "On Prem AD VM subnet y.y.y.y"?
This is just an example, but I wanted to know if I would need to do this for each port outbound, or if outbound is unrestricted by default.

Thank you.


Accepted answer
Alan Kinane 16,951 Reputation points MVP Volunteer Moderator
2022-11-30T22:07:29.44+00:00

You actually don't need to add any NSG rules at all.

The default AllowVnetInBound and AllowVnetOutBound rules will permit inbound and outbound traffic to all connected networks as specified by the VirtualNetwork service tag.

https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags


1 additional answer

CarmeloLoPresti-2973 61 Reputation points
2022-12-01T00:27:48.56+00:00

Thanks for that information.
So with that said, we will have a deny all inbound rule before the default rules, so we're only allowing inbound from specific IP ranges.

If I wanted to follow the same logic for Outbound (denying outbound except for specific IPs), would the same question apply? Would I need outbound rules for the AD VM in Azure to talk to our on prem AD VM for replication and authentication?
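Both the accepted answer (the default AllowVnetOutBound rule already covers connected on-prem ranges through the VirtualNetwork service tag) and the follow-up question (a custom deny-all outbound with explicit allows) come down to how an NSG evaluates a flow: rules are processed in ascending priority order and the first match wins. As an added example that is not part of this thread and not Microsoft code, the Python model below encodes the six default rules and runs the flow the question describes (Azure DC subnet to on-prem DC subnet, TCP 389) through three rule sets: defaults only, defaults plus a custom deny-all outbound, and defaults plus the deny-all with explicit AD allows in front of it. The subnet and host addresses and the AD port list are constructed assumptions standing in for the x.x.x.x / y.y.y.y in the question; the default-rule names, priorities and the VirtualNetwork tag semantics follow the Azure documentation linked in the answer.

```python
"""Priority-ordered, first-match model of Azure NSG evaluation.

Added example for this thread, not code from the thread or from Microsoft.
Default rules, priorities and service-tag semantics follow the Azure docs;
IP ranges and the AD port list are constructed illustrations.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (placeholders for x.x.x.x / y.y.y.y in the question).
AZURE_AD_SUBNET = "10.1.0.0/24"       # Azure subnet hosting the new Server 2022 DCs
ONPREM_AD_SUBNET = "192.168.10.0/24"  # on-prem DC subnet reached over the S2S VPN

# Service tags expanded to address lists. Per the service-tag documentation the
# answer links, VirtualNetwork covers the VNet address space *and* connected
# on-prem address spaces (VPN / ExpressRoute), which is why defaults suffice.
SERVICE_TAGS = {
    "VirtualNetwork": [AZURE_AD_SUBNET, ONPREM_AD_SUBNET],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],  # simplified here to "any address"
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number = evaluated first (100..4096 for custom rules)
    direction: str   # "Inbound" | "Outbound"
    access: str      # "Allow" | "Deny"
    protocol: str    # "Tcp" | "Udp" | "*"
    source: str      # CIDR, service tag or "*"
    destination: str
    dest_ports: str  # "*", "389", "3268-3269" or a comma-separated list of those


def _prefix_matches(prefix: str, addr: str) -> bool:
    if prefix == "*":
        return True
    return any(ip_address(addr) in ip_network(net)
               for net in SERVICE_TAGS.get(prefix, [prefix]))


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name) for the first rule matching the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if not (_prefix_matches(rule.source, src) and _prefix_matches(rule.destination, dst)):
            continue
        if _port_matches(rule.dest_ports, dst_port):
            return rule.access, rule.name
    return "Deny", "(no match)"  # unreachable while the default rules are present


# The six rules Azure places in every NSG (names and priorities as documented).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Custom outbound set of the kind the follow-up describes: explicit allows to the
# on-prem DC subnet, then a deny-all placed *before* the default AllowVnetOutBound.
# Port lists are a constructed illustration of common AD DS ports, not from the thread.
AD_TCP_PORTS = "53,88,135,389,445,464,636,3268-3269,49152-65535"
AD_UDP_PORTS = "53,88,123,389,464"
LOCKED_DOWN_OUTBOUND = [
    Rule("AllowADtoOnPremTcp", 100, "Outbound", "Allow", "Tcp", AZURE_AD_SUBNET, ONPREM_AD_SUBNET, AD_TCP_PORTS),
    Rule("AllowADtoOnPremUdp", 110, "Outbound", "Allow", "Udp", AZURE_AD_SUBNET, ONPREM_AD_SUBNET, AD_UDP_PORTS),
    Rule("DenyAllOutboundCustom", 4000, "Outbound", "Deny", "*", "*", "*", "*"),
]


def scenarios():
    """The LDAP flow from the question under each rule set (hosts are constructed)."""
    dc_azure, dc_onprem, some_internet_host = "10.1.0.4", "192.168.10.10", "203.0.113.5"
    deny_only = DEFAULT_RULES + [LOCKED_DOWN_OUTBOUND[2]]
    full = DEFAULT_RULES + LOCKED_DOWN_OUTBOUND
    return {
        "default_ldap_outbound": evaluate(DEFAULT_RULES, "Outbound", "Tcp", dc_azure, dc_onprem, 389),
        "denyall_without_allows": evaluate(deny_only, "Outbound", "Tcp", dc_azure, dc_onprem, 389),
        "denyall_with_allows": evaluate(full, "Outbound", "Tcp", dc_azure, dc_onprem, 389),
        "denyall_with_allows_to_internet": evaluate(full, "Outbound", "Tcp", dc_azure, some_internet_host, 443),
    }


if __name__ == "__main__":
    for name, (access, rule) in scenarios().items():
        print(f"{name:32} -> {access:5} by {rule}")
```

The three outbound results make the answer to the follow-up concrete: with only the default rules the flow is allowed by AllowVnetOutBound, because the on-prem range sits inside the VirtualNetwork tag; a custom deny-all outbound at priority 4000 is evaluated before 65000 and blocks replication; and once explicit allow rules carrying the AD port set (TCP and UDP, including the RPC dynamic range) sit at a lower priority number than that deny, the replication flow passes while other outbound destinations still hit the deny. The same ordering logic applies to the inbound deny-all the poster already plans.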

