NicBuihner-4614 asked msrini-MSFT answered

Azure AD Domain Services with 0.0.0.0/0 -> Virtual network gateway

I have a subnet that is connected to our on-prem network via an IPSec tunnel. I have the default route for that subnet configured to route through that IPSec tunnel, through our firewall, and then out to the internet. I have performed all the configuration, including the PowerShell steps, to get this to work. Traffic coming from VMs in the subnet has the external IP of our on-prem firewall. So far so good.

My question is, will Azure AD Domain Services deployed to this subnet be able to sync with Azure AD in this configuration? From what I have read, Azure AD Domain Services requires a subnet directly connected to the internet and cannot sync across a virtual network gateway as described above? User routes and service endpoints, even to Azure AD, appear to break its ability to sync with Azure AD?

Another possibility appears to be setting up Azure AD Domain Services in a subnet with a direct connection to the internet, and then peering?

Thanks in advance!

azure-virtual-network

1 Answer

msrini-MSFT answered

Hi,

You can deploy ADDS in a separate subnet. Add a UDR to this subnet with an option "Disable Route Propagation" or add a rule stating 0.0.0.0/0 next hop Internet.

By doing that your ADDS subnet will directly speak to the Internet rather than forwarding traffic to On-Prem.

Regards,
Msrini
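The configuration described in the answer above, as an added Az PowerShell example that is not part of the original thread: a dedicated route table for the Azure AD DS subnet that both disables gateway route propagation and pins 0.0.0.0/0 to the Internet next hop. Resource group, location, VNet, subnet and route table names are assumed placeholders.

```powershell
# Added example, not from the original post. Requires the Az.Network module and an
# authenticated session (Connect-AzAccount). All names below are placeholders.
$rg        = 'rg-aadds'
$location  = 'eastus'
$vnetName  = 'vnet-hub'
$subnetName = 'snet-aadds'   # separate subnet reserved for Azure AD Domain Services

# Option 1 from the answer: create the route table with BGP route propagation disabled,
# so a 0.0.0.0/0 route learned over the VPN / virtual network gateway never reaches
# this subnet.
$rt = New-AzRouteTable -Name 'rt-aadds' `
                       -ResourceGroupName $rg `
                       -Location $location `
                       -DisableBgpRoutePropagation

# Option 2 from the answer (combined here): an explicit default route whose next hop is
# the Internet. A UDR with the longest-matching prefix wins over system and gateway
# routes, so this overrides any 0.0.0.0/0 that points at the gateway or the firewall NVA.
$rt = $rt | Add-AzRouteConfig -Name 'default-to-internet' `
                             -AddressPrefix '0.0.0.0/0' `
                             -NextHopType Internet |
      Set-AzRouteTable

# Associate the route table with the AADDS subnet only; the subnet that should keep
# egressing through on-prem is left untouched.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet `
                                 -Name $subnetName `
                                 -AddressPrefix $subnet.AddressPrefix `
                                 -RouteTable $rt |
    Set-AzVirtualNetwork | Out-Null

# Review the resulting routes before deploying the managed domain.
(Get-AzRouteTable -Name 'rt-aadds' -ResourceGroupName $rg).Routes |
    Select-Object Name, AddressPrefix, NextHopType
```

Because this subnet now egresses directly to the Internet, its NSG is the only ingress control in front of the managed domain controllers, so keep it restricted to the rules the service itself requires.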
