Forum Discussion
Which ports are needed to join a domain with Azure AD Domain Services?
Hello,
I am trying to create Azure AD Domain Services in a separate subnet and assign an NSG to the subnet. I want to deny all and open only the ports needed for Azure AD Domain Services, such as domain join, LDAP, PowerShell, ...
The picture below is the default, and with it all subnets in the VNet can see all ports. Please guide me on how to deny all and open only the ports that are needed.
Best Regards,
Thanks
- RodNet, Brass Contributor
Hi Tien Ngo Thanh,
Good morning.
It is not necessary to create any other rule to deny all inbound connections other than the rules you have already created, because if you look at the NSG you already have rule 65500 DenyAllInBound, which will do this for you.
The lower priority takes precedence.
There is a good article about it at the link below:
https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/
Please let me know if this helped you.
Have a nice day!
- Tien Ngo Thanh, Iron Contributor
Hello,
Because by default all subnets can see Azure AD DS.
For example, the backend subnet can see and join the Azure AD DS domain, but I think the DMZ subnet needs to be denied from seeing Azure AD DS, and the DMZ is also public internet facing,
and I see that on-premises all subnets deny all by default and open IP to IP, not whole subnets. Should I think the same way in Azure? I am an Azure newbie.
Please recommend the best practice for controlling traffic between all subnets in a VNet.
Best Regards,
Thanks
- RodNet, Brass Contributor
Hi, good evening!
Now I understand what you want.
In this case you will need to configure your own routes by using "User Defined Routes" in the Azure Route Table; there you can use a virtual appliance to route the traffic.
It's not so complex. I will leave two links below, one about best practices on Azure networking and one on User Defined Routes; I recommend you read the best practices first.
Best practices: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices
User Defined Routes: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
Hope it helps you!
Don't forget to let me know if it was helpful.
See you soon!
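As an added illustration of the NSG evaluation order discussed in this thread (it is not code from any of the posts), the following Python script models how Azure applies inbound NSG rules in ascending priority number, first match wins, including the default 65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound and 65500 DenyAllInBound rules. The subnet addresses and the backend/DMZ rules are constructed for the example; the 443/5986 rule from the AzureActiveDirectoryDomainServices service tag reflects the management rule Microsoft documents for the managed domain's subnet and should be checked against the current documentation. It shows why the default rules alone let the DMZ subnet reach the Azure AD DS subnet, and why a deny rule with a priority number below 65000 is needed to change that.

```python
import ipaddress

# Constructed address plan for the example: one VNet with three subnets.
VNET = ipaddress.ip_network("10.0.0.0/16")
BACKEND = ipaddress.ip_network("10.0.1.0/24")
DMZ = ipaddress.ip_network("10.0.2.0/24")

# Rules Azure places in every NSG. They cannot be deleted, only overridden by a
# custom rule with a lower priority number. (priority, access, source, dest ports)
DEFAULT_INBOUND = [
    (65000, "Allow", "VirtualNetwork", {"*"}),
    (65001, "Allow", "AzureLoadBalancer", {"*"}),
    (65500, "Deny", "*", {"*"}),
]

# Custom rules for the Azure AD DS subnet. The 443/5986 rule from the
# AzureActiveDirectoryDomainServices tag is the management rule Microsoft
# documents; the backend allow list and the DMZ deny are this example's choice.
CUSTOM_INBOUND = [
    (100, "Allow", "AzureActiveDirectoryDomainServices", {443, 5986}),
    (200, "Allow", str(BACKEND), {53, 88, 135, 389, 445, 464, 636, 3268, 3269}),
    (300, "Deny", str(DMZ), {"*"}),  # must sit below 65000 to beat AllowVnetInBound
]

def source_matches(rule_src, src_ip, src_tag):
    """Match a rule source (service tag, CIDR or '*') against a packet.
    Simplification: 'VirtualNetwork' is treated as the VNet prefix only; in
    Azure it also covers peered VNets and on-premises ranges behind gateways."""
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return ipaddress.ip_address(src_ip) in VNET
    if rule_src in ("AzureLoadBalancer", "AzureActiveDirectoryDomainServices"):
        return src_tag == rule_src  # platform traffic is identified by its tag
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)

def evaluate(rules, src_ip, dst_port, src_tag=None):
    """Return (priority, access) of the first matching rule, lowest number first."""
    for priority, access, rule_src, ports in sorted(rules, key=lambda r: r[0]):
        if source_matches(rule_src, src_ip, src_tag) and ("*" in ports or dst_port in ports):
            return priority, access
    raise RuntimeError("unreachable: 65500 DenyAllInBound matches everything")

if __name__ == "__main__":
    rules = DEFAULT_INBOUND + CUSTOM_INBOUND
    print("backend -> LDAP 389:", evaluate(rules, "10.0.1.10", 389))          # (200, 'Allow')
    print("DMZ -> LDAP 389:", evaluate(rules, "10.0.2.10", 389))              # (300, 'Deny')
    print("DMZ, defaults only:", evaluate(DEFAULT_INBOUND, "10.0.2.10", 389))  # (65000, 'Allow')
    print("internet -> LDAP 389:", evaluate(rules, "203.0.113.5", 389))       # (65500, 'Deny')
```

Drop the priority-300 rule and re-run to see the DMZ case fall through to 65000 AllowVnetInBound, which is the behaviour the original question describes.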