Forum Discussion

Tien Ngo Thanh
Iron Contributor
May 02, 2019

Which ports are needed to join a domain with Azure AD Domain Services?

Hello,

I am trying to create Azure AD Domain Services in a separate subnet and assign an NSG to that subnet. I want to deny all traffic and open only the ports needed for Azure AD Domain Services, such as domain join, LDAP, PowerShell, ...

The picture below shows the default, where all subnets in the VNet can see all ports. Please guide me on how to deny all and only open the ports that are needed.

Best Regards,

Thanks

  • RodNet
    Brass Contributor
    Hi Tien Ngo Thanh,

    Good morning.

    It is not necessary to create any other rule to deny all inbound connections other than the rules that you have created, because if you look at the NSG you already have the rule 65500 DenyAllInBound, which will do this for you.

    The lower priority takes precedence.

    There is a good article talking about it on the link below:

    https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/


    Please let me know if this helps you.

    Have a nice day!
    • Tien Ngo Thanh
      Iron Contributor

      Hello,

      Because by default all subnets can see Azure AD DS.

      For example, the backend subnet can see and join the Azure AD DS domain, but for the DMZ subnet I think we need to deny it from seeing Azure AD DS, and also the DMZ is on the public internet.

      And I see that on-premises, all subnets deny all by default and open IP to IP, not whole subnets. Should I think of Azure the same way? I am a newbie to Azure.

      Please recommend best practices to help me control traffic between all subnets in a VNet.

      Best Regards,

      Thanks
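To make the rule-priority behaviour from RodNet's answer and the "all subnets can see AD DS by default" concern from the follow-up concrete, here is an added Python simulation of NSG inbound evaluation; it is not code from the thread or from Microsoft. The address plan, the custom rule names and the port used in the run are constructed assumptions; the three built-in rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) are Azure's real defaults.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption, not from the thread). The destination is
# always taken to be the AD DS subnet, so only the source side is matched below.
VNET = ip_network("10.0.0.0/16")   # the "VirtualNetwork" service tag resolves to this
BACKEND_SUBNET = "10.0.2.0/24"
DMZ_SUBNET = "10.0.3.0/24"

@dataclass(frozen=True)
class Rule:
    priority: int   # custom rules use 100..4096; the lowest number is evaluated first
    name: str
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, or one of the tags "Any" / "VirtualNetwork" / "AzureLoadBalancer"
    dest_port: str  # "Any" or a single port number

# Azure's built-in inbound rules: they cannot be deleted, only outranked by a lower number.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "Any"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "AzureLoadBalancer", "Any"),
    Rule(65500, "DenyAllInBound", "Deny", "Any", "Any"),
]

def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "Any":
        return True
    if rule_source == "VirtualNetwork":
        return ip_address(src_ip) in VNET
    if rule_source == "AzureLoadBalancer":
        return False  # load balancer probes are not modelled here
    return ip_address(src_ip) in ip_network(rule_source)

def evaluate_inbound(custom_rules, src_ip: str, dest_port: int):
    """First matching rule in ascending priority order decides: (access, rule name)."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        port_ok = rule.dest_port == "Any" or int(rule.dest_port) == dest_port
        if port_ok and _source_matches(rule.source, src_ip):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every packet")

# Constructed custom rules for the AD DS subnet: allow the backend, block the DMZ explicitly.
RESTRICTED = [
    Rule(100, "AllowBackendToAdds", "Allow", BACKEND_SUBNET, "Any"),
    Rule(200, "DenyDmzToAdds", "Deny", DMZ_SUBNET, "Any"),
]

if __name__ == "__main__":
    for src in ("10.0.2.10", "10.0.3.10", "203.0.113.5"):
        print(src, evaluate_inbound([], src, 389), evaluate_inbound(RESTRICTED, src, 389))
```

With only the defaults, a DMZ host is admitted by 65000 AllowVnetInBound while an internet source falls through to 65500 DenyAllInBound; a Deny rule with a lower number than 65000 is what actually cuts the DMZ off, and it also outranks any later Allow placed behind it.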
