I can't find clear documentation on connecting local devices to Azure AD Domain Services (AADDS).
I have already successfully set up Azure WAN + Azure Hub + a user point-to-site VPN connection.
But I don't have clear documentation on how to set up NSG rules to connect to the AADDS domain controller.
Any documentation / tips on next troubleshooting steps would be helpful.
Got it working now.
The key was to set up NSG rules on the Azure Active Directory Domain Services subnet and to have VNET peering enabled between the AADDS service and the Gateway service.
Default NSG rules then allow traffic to flow between VNETs.
The key is assigning security rules that allow traffic from the service tag "AzureActiveDirectoryDomainServices".
Below is the Terraform code used to deploy the Gateway:
# ...
# Reads the identity Terraform is running as; only tenant_id is consumed below
# (for the AAD tenant / issuer URLs in the gateway's vpn_client_configuration).
data "azurerm_client_config" "default" {}
# ...
# VNET
resource "azurerm_virtual_network" "external" {
  # VNET that hosts the VPN gateway ("external" side of the peering).
  name                = "external-vnet"
  resource_group_name = azurerm_resource_group.external.name
  location            = azurerm_resource_group.external.location
  address_space       = ["10.2.0.0/16"]

  # Custom DNS so peered/VPN clients can resolve the domain; presumably these
  # are the AADDS domain controller addresses — verify against the AADDS resource.
  dns_servers = ["10.0.0.4", "10.0.0.5"]

  tags = var.azure_tags
}
# Subnet
resource "azurerm_subnet" "external" {
  # Azure requires the subnet that hosts a virtual network gateway to be named
  # exactly "GatewaySubnet"; NSG rules for AADDS go on the AADDS subnet instead.
  name                 = "GatewaySubnet"
  address_prefixes     = ["10.2.0.0/24"]
  virtual_network_name = azurerm_virtual_network.external.name
  resource_group_name  = azurerm_resource_group.external.name
}
# Public Ip for Gateway
resource "azurerm_public_ip" "external" {
  # Static Standard-SKU address for the VPN gateway; the AZ gateway SKU below
  # needs a Standard public IP.
  name                = "external-vnet-gateway-public-ip"
  resource_group_name = azurerm_resource_group.external.name
  location            = azurerm_resource_group.external.location

  allocation_method = "Static"
  sku               = "Standard"
  sku_tier          = "Regional"

  tags = var.azure_tags
}
# Virtual Network Gateway
resource "azurerm_virtual_network_gateway" "external" {
  # Route-based, single-instance VPN gateway used for point-to-site clients.
  name                = "external-vnet-gateway"
  resource_group_name = azurerm_resource_group.external.name
  location            = azurerm_resource_group.external.location
  tags                = var.azure_tags

  type          = "Vpn"
  vpn_type      = "RouteBased"
  sku           = "VpnGw1AZ"
  active_active = false
  enable_bgp    = false

  # Gives the gateway a private address in GatewaySubnet as well as the public one.
  private_ip_address_enabled = true

  ip_configuration {
    name                          = "vnetGatewayConfig"
    subnet_id                     = azurerm_subnet.external.id
    public_ip_address_id          = azurerm_public_ip.external.id
    private_ip_address_allocation = "Dynamic"
  }

  # Point-to-site clients: OpenVPN with Azure AD authentication. Client
  # addresses come from 10.3.0.0/24, so NSG rules on the AADDS subnet must
  # admit that range (or the relevant service tag) for clients to reach the DCs.
  vpn_client_configuration {
    address_space        = ["10.3.0.0/24"]
    vpn_client_protocols = ["OpenVPN"]

    # Azure AD Authentication Settings — tenant and issuer are derived from the
    # current tenant; the audience is the VPN client application ID (redacted here).
    aad_tenant   = "https://login.microsoftonline.com/${data.azurerm_client_config.default.tenant_id}/"
    aad_audience = "...<REDACTED_FOR_PRIVACY>..."
    aad_issuer   = "https://sts.windows.net/${data.azurerm_client_config.default.tenant_id}/"
  }
}
# ###########################################################
# This is important!
# enable peering between the two virtual networks (both directions are required)
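resource "azurerm_virtual_network_peering" "aadds_external" {
  # AADDS VNET -> gateway VNET. This side consumes the gateway VNET's VPN
  # gateway so point-to-site clients can reach the domain controllers.
  name                      = "peering-${data.azurerm_virtual_network.aadds.name}-to-${azurerm_virtual_network.external.name}"
  resource_group_name       = data.azurerm_resource_group.aadds.name
  virtual_network_name      = data.azurerm_virtual_network.aadds.name
  remote_virtual_network_id = azurerm_virtual_network.external.id

  allow_virtual_network_access = true
  # NOTE(review): forwarded traffic is only needed when a network virtual
  # appliance in the remote VNET forwards packets; if none exists, false is the
  # tighter setting. Left as-is to preserve the working configuration.
  allow_forwarded_traffic = true
  allow_gateway_transit   = false
  use_remote_gateways     = true

  # Azure validates use_remote_gateways against the reverse peering's
  # allow_gateway_transit, so the gateway-side peering must exist first;
  # without this ordering a fresh apply can fail or need a second run.
  depends_on = [azurerm_virtual_network_peering.external_aadds]
}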
resource "azurerm_virtual_network_peering" "external_aadds" {
  # Gateway VNET -> AADDS VNET. This side offers its VPN gateway to the AADDS
  # VNET (gateway transit) and does not use any remote gateway itself.
  name                 = "peering-${azurerm_virtual_network.external.name}-to-${data.azurerm_virtual_network.aadds.name}"
  virtual_network_name = azurerm_virtual_network.external.name
  resource_group_name  = azurerm_resource_group.external.name

  remote_virtual_network_id = data.azurerm_virtual_network.aadds.id

  allow_gateway_transit        = true
  use_remote_gateways          = false
  allow_virtual_network_access = true
  # NOTE(review): only required if a network virtual appliance forwards traffic
  # across the peering; otherwise false is the least-privilege choice.
  allow_forwarded_traffic = true
}