Hello @Yu-Jeong Seo,
Thank you for posting your query on Microsoft Q&A.
Both options have their pros and cons, and the most suitable choice depends on your specific requirements and management.
Here’s a comparison to help you decide:
Microsoft Entra Domain Services
Pros:
- Provides a managed domain service that supports LDAP authentication
- Reduces the need for on-premises infrastructure and management
- Since you're already in a hybrid setup, Entra can synchronize users, groups, and credentials from your On-Prem AD via Azure AD Connect.
- No need to configure and manage VPN connections or worry about network outages affecting authentication.
Cons:
- If your VMs are frequently interacting with the On-Prem AD (for example, during password authentication), this could add some latency
- May have limitations in terms of customization and control
Site-to-Site VPN Gateway
Pros:
- Establishes a secure connection between Azure and on-premises environments
- Provides more control and customization options
- More control over the network setup and configurations.
- Potentially lower cost if you already have a VPN infrastructure in place.
Cons:
- Requires more infrastructure and management on-premises
- Requires more setup and ongoing management, including maintaining the VPN connection.
- Dependent on the stability of the VPN connection; network issues can disrupt authentication
Additionally, please find the common use-case scenarios here:
https://learn.microsoft.com/en-us/entra/identity/domain-services/network-considerations
If you prefer a managed, low-maintenance solution and are okay with the associated costs, Microsoft Entra Domain Services is likely the better option. It simplifies management and provides high availability without the need for a VPN.
However, if you need greater control over your network and can manage the complexity, a Site-to-Site VPN Gateway might be more suitable, especially if cost is a significant factor.
I hope this information is helpful. Please feel free to reach out if you have any further questions.