How to secure On-Premises Windows server by joining them to Azure AD

Pouya Panahy 1 Reputation point
2021-11-17T15:33:41.71+00:00

We have a set of Windows servers on an on-prem network (172.0.0.0/24).
They use Azure VPN, like our laptops do, to connect to the Azure resources we have. Our Azure VPN gateway provides an IP in the range 192.168.0.0/24 and it has only a P2S connection.
This Azure gateway is connected to our Azure VNet using a subnet: 10.0.2.0/24.
The servers on the on-prem network are not connected to any domain.

We want to secure the connection to those servers by joining them to our Azure AD. This brought us to the idea of using Azure AD Domain Services. This AAD DS connects to our only VNet using a subnet, 10.0.15.0/24, and has 2 IP addresses, .4 and .5.

Having done all this, it looks like our applications can access the on-prem servers, but the other way around, the servers cannot access internal resources like AAD DS to connect to! It seems like 10.0.15.4 and 10.0.15.5 are not reachable from the on-prem network.

Is the direction I am going in even possible? Or should I have a better solution?
Why are my Azure AD DS IPs not reachable?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Alan Kinane 16,951 Reputation points MVP Volunteer Moderator
    2021-11-17T15:53:26.913+00:00

    Hi, firstly let's not confuse Azure AD Domain Services (AAD DS) with Azure AD. These are two different services. AAD DS is a managed domain service which provides some features of traditional Active Directory but without the requirement to manage and maintain underlying virtual machines. Azure AD is a completely separate service to this.

    You say the IP addresses are not reachable; how are you trying to connect? You will not be able to RDP to those IP addresses, but you should be able to contact them to do a domain join or ping, for example.

    Did you say you are connecting via a P2S connection only? If so, you would need to make sure that all of the VNet routes are published in the VPN configuration file, so if you have recently added the AAD DS environment, make sure to download the Azure VPN configuration from the portal again to get all of the available routes included in the configuration.
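The answer above boils down to two checks an on-prem server can run itself: does it have a route for the AAD DS subnet over the VPN tunnel, and can it reach the managed domain's IPs on the ports a domain join uses. The following PowerShell is an added diagnostic and not code from the thread; it uses the subnet and addresses from the question, and the managed domain name is a placeholder to replace.

```powershell
# Added diagnostic (not from this thread). Run on an on-prem server while the
# Azure VPN (P2S) tunnel is connected. Subnet and IPs are taken from the question.
$AaddsSubnet   = '10.0.15.0/24'
$AaddsIPs      = @('10.0.15.4', '10.0.15.5')
$ManagedDomain = 'aadds.example.com'   # PLACEHOLDER: your AAD DS managed domain DNS name
# TCP ports a domain join must reach on a DC: DNS, Kerberos, RPC, LDAP, SMB, kpasswd, GC
$JoinPorts     = @(53, 88, 135, 389, 445, 464, 3268)

# 1. Is the AAD DS subnet in the local routing table? A P2S profile downloaded
#    before AAD DS was deployed does not carry this route, so packets for
#    10.0.15.x leave via the LAN default gateway instead of the tunnel.
$route = Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -eq $AaddsSubnet
if (-not $route) {
    Write-Warning "No route for $AaddsSubnet. Re-download the VPN client profile from the portal and reinstall it."
} else {
    $route | Select-Object DestinationPrefix, NextHop, InterfaceAlias | Format-Table -AutoSize
}

# 2. Can each managed-domain DC be reached on the ports a domain join uses?
#    (RDP to these addresses is not expected to work, as the answer notes.)
foreach ($ip in $AaddsIPs) {
    foreach ($port in $JoinPorts) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1,-5} {2}' -f $ip, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Do the AAD DS DNS servers answer the DC locator query for the managed domain?
#    The servers must use these IPs as their DNS servers for the join to find a DC.
foreach ($ip in $AaddsIPs) {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -Server $ip -ErrorAction SilentlyContinue |
        Select-Object Name, NameTarget, Port
}
```

A missing route in step 1 with BLOCKED results in step 2 points at the stale VPN profile; an existing route with BLOCKED ports points at an NSG or the VPN gateway's route publication instead.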

