Azure AD Domain Services with 0.0.0.0/0 -> Virtual network gateway

Nic Buihner 1 Reputation point
2020-06-16T20:57:07.567+00:00

I have a subnet that is connected to our on-prem network via an IPSec tunnel. I have the default route for that subnet configured to route through that IPSec tunnel, through our firewall, and then out to the internet. I have performed all the configuration, including the PowerShell steps, to get this to work. Traffic coming from VMs in the subnet has the external IP of our on-prem firewall. So far so good.

My question is, will Azure AD Domain Services deployed to this subnet be able to sync with Azure AD in this configuration? From what I have read, Azure AD Domain Services requires a subnet directly connected to the internet and cannot sync across a Virtual network gateway as described above? User routes and service endpoints, even to Azure AD, appear to break its ability to sync with Azure AD?

Another possibility appears to be setting up Azure AD Domain Services in a subnet with a direct connection to the internet, and then peering?

Thanks in advance!


1 answer

  1. msrini-MSFT 9,271 Reputation points Microsoft Employee
    2020-06-20T21:41:49.45+00:00

    Hi,

    You can deploy ADDS in a separate subnet. Add a UDR to this subnet with an option "Disable Route Propagation" or add a rule stating 0.0.0.0/0 next hop Internet.

    By doing that your ADDS subnet will directly speak to the Internet rather than forwarding traffic to On-Prem.

    Regards,
    Msrini

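The answer above describes the fix in words; the following Az PowerShell script is an added example, not code from the thread or from Microsoft, showing what "a separate subnet with a UDR that disables route propagation or sends 0.0.0.0/0 to Internet" looks like in practice. The resource group, region, VNet, subnet name and address prefix are placeholders chosen for illustration; it assumes the Az.Network module is installed and that `Connect-AzAccount` has already been run.

```powershell
# Added example (not from the original thread): build a dedicated route table for
# the Azure AD Domain Services subnet so its default route goes straight to the
# Internet instead of being forced through the on-premises IPSec tunnel.
# All resource names and the address prefix below are placeholders.
$rg       = 'rg-identity'     # placeholder resource group
$location = 'eastus'          # placeholder region
$vnetName = 'vnet-hub'        # placeholder virtual network
$subnet   = 'snet-aadds'      # placeholder subnet reserved for AAD DS only
$prefix   = '10.0.10.0/24'    # placeholder address space of that subnet

# 1. Route table with BGP route propagation disabled, so routes learned over the
#    virtual network gateway (including the on-prem default route) are not
#    applied to this subnet.
$rt = New-AzRouteTable -Name 'rt-aadds' -ResourceGroupName $rg -Location $location `
        -DisableBgpRoutePropagation

# 2. Explicit 0.0.0.0/0 -> Internet route. This is the second option from the
#    answer; combining both makes the intent visible in the portal and in audits.
$rt | Add-AzRouteConfig -Name 'default-to-internet' -AddressPrefix '0.0.0.0/0' `
        -NextHopType Internet | Set-AzRouteTable | Out-Null

# 3. Associate the route table with the AAD DS subnet only. Every other subnet
#    keeps its forced-tunnel default route through the firewall untouched.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
        -AddressPrefix $prefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify: the subnet should reference rt-aadds, and the table should carry a
#    single 0.0.0.0/0 route with NextHopType 'Internet'.
(Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg |
    Get-AzVirtualNetworkSubnetConfig -Name $subnet).RouteTable.Id

Get-AzRouteTable -Name 'rt-aadds' -ResourceGroupName $rg |
    Select-Object -ExpandProperty Routes |
    Format-Table Name, AddressPrefix, NextHopType
```

The important design point is scope: the route table is attached to the AAD DS subnet and nothing else, so the forced tunneling described in the question still applies to the workload subnets, and only the managed domain's outbound path bypasses the on-prem firewall. If the subnet already carries a route table, check its existing routes with `Get-AzRouteTable` before replacing it, and re-run step 4 after any later change to the gateway or to user-defined routes to confirm the default route has not been pulled back toward on-prem.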