I have a subnet that is connected to our on-prem network via an IPSec tunnel. I have the default route for that subnet configured to route through that IPSec tunnel, through our firewall, and then out to the internet. I have performed all the configuration, including the PowerShell steps, to get this to work. Traffic coming from VMs in the subnet has the external IP of our on-prem firewall. So far so good.
My question is, will Azure AD Domain Services deployed to this subnet be able to sync with Azure AD in this configuration? From what I have read, Azure AD Domain Services requires a subnet directly connected to the internet and cannot sync across a virtual network gateway as described above? User routes and service endpoints, even to Azure AD, appear to break its ability to sync with Azure AD?
Another possibility appears to be setting up Azure AD Domain Services in a subnet with a direct connection to the internet, and then peering?
Thanks in advance!
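An added check (not part of the post above, and not Microsoft's own tooling) that inventories the two conditions the question raises on the subnet intended for the managed domain: a 0.0.0.0/0 user-defined route whose next hop is the virtual network gateway (the forced-tunnelling setup described) and any service endpoints on the subnet. It assumes the Az PowerShell module and an existing Connect-AzAccount session; the resource group, VNet and subnet names are placeholders.

```powershell
# Added example: report forced-tunnelling routes and service endpoints on the subnet
# where Azure AD Domain Services is to be deployed. Placeholder names below.
param(
    [string]$ResourceGroupName = 'rg-placeholder',
    [string]$VNetName          = 'vnet-placeholder',
    [string]$SubnetName        = 'snet-aadds-placeholder'
)

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
if (-not $subnet) { throw "Subnet '$SubnetName' not found in VNet '$VNetName'." }

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Service endpoints configured directly on the subnet.
foreach ($ep in $subnet.ServiceEndpoints) {
    $findings.Add("Service endpoint on subnet: $($ep.Service)")
}

# 2. Routes in the route table associated with the subnet. A 0.0.0.0/0 route with next hop
#    VirtualNetworkGateway is the default-route-through-the-tunnel configuration in the question.
if ($subnet.RouteTable) {
    # Resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/routeTables/<name>
    $idParts = $subnet.RouteTable.Id.Split('/')
    $rt = Get-AzRouteTable -ResourceGroupName $idParts[4] -Name $idParts[-1]
    foreach ($route in $rt.Routes) {
        $line = "UDR $($route.Name): $($route.AddressPrefix) -> $($route.NextHopType)"
        if ($route.NextHopIpAddress) { $line += " ($($route.NextHopIpAddress))" }
        if ($route.AddressPrefix -eq '0.0.0.0/0' -and $route.NextHopType -eq 'VirtualNetworkGateway') {
            $line += '  <-- default route forced through the VPN gateway'
        }
        $findings.Add($line)
    }
} else {
    $findings.Add('No route table associated with the subnet (system routes only).')
}

$findings
```

Run it before creating the managed domain so the subnet's routing and endpoint state is recorded alongside the deployment decision.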