SOLVED

Best way to join VM from one VNet to Azure AD DS custom domain in a different VNet

%3CLINGO-SUB%20id%3D%22lingo-sub-2902659%22%20slang%3D%22en-US%22%3EBest%20way%20to%20join%20VM%20from%20one%20VNet%20to%20Azure%20AD%20DS%20custom%20domain%20in%20a%20different%20VNet%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2902659%22%20slang%3D%22en-US%22%3E%3CP%3EGreetings.%20%26nbsp%3BI%20have%20a%20functioning%20Azure%20AD%20DS%20custom%20domain%20that%20is%20deployed%20to%20a%20subnet%20in%20let's%20say%20VNet1.%20%26nbsp%3BI%20have%20a%20VM%20that%20resides%20in%20a%20subnet%20of%2C%20call%20it%20VNet2%2C%20that%20I%20would%20like%20to%20join%20to%20the%20custom%20domain.%20%26nbsp%3BWhat's%20the%20simplest%2C%20most%20effective%20way%20to%20achieve%20this%3F%20%26nbsp%3BIn%20looking%20thru%20the%20documentation%2C%20I've%20seen%20suggestions%20for%20Peering%20the%20two%20networks%20together.%20%26nbsp%3BThis%20may%20be%20fine%2C%20but%20I%20may%20prefer%20to%20keep%20the%20networks%20separate%20for%20security%20reasons.%20%26nbsp%3BI%20have%20Azure%20VPN%20Gateways%20installed%20in%20both%20VNets%20so%20perhaps%20a%20site-to-site%20tunnel%20could%20be%20the%20best%20option%3F%20%26nbsp%3BAlthough%2C%20if%20I'm%20going%20to%20do%20that%2C%20then%20perhaps%20the%20Peering%20option%20would%20be%20the%20better%20way%20to%20go.%20%26nbsp%3BWould%20it%20be%20possible%20to%20just%20add%20a%20route%20table%20in%20the%20appropriate%20subnet%20of%20VNet2%20and%20just%20let%20routing%20do%20the%20trick%3F%20%26nbsp%3BIf%20so%2C%20how%20do%20I%20find%20out%20the%20next%20hop%20address%20to%20add%20to%20the%20route%3F%20%26nbsp%3BAnd%20would%20I%20associate%20it%20with%20the%20gateway%20subnet%20or%20the%20default%20subnet%20of%20VNet2%3F%20%26nbsp%3BThanks%20in%20advance%20for%20any%20help.%20%26nbsp%3BI%20really%20want%20to%20understand%20what%20is%20regarded%20as%20a%20%22best%20practice%22%20in%20this%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again%20and%20cheers%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBrian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2903105%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20way%20to%20join%20VM%20from%20one%20VNet%20to%20Azure%20AD%20DS%20custom%20domain%20in%20a%20different%20VNet%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2903105%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F589723%22%20target%3D%22_blank%22%3E%40AzureBrian%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou've%20hit%20the%20nail%20on%20the%20head%20with%20the%20two%20options%3B%20vNET%20Peering%20or%20a%20vNET-to-vNET%20Gateway%20connection.%20This%20blog%20post%20gives%20you%20a%20good%20run%20down%20on%20the%20differences%20between%20the%20two%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-gb%2Fblog%2Fvnet-peering-and-vpn-gateways%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazure.microsoft.com%2Fen-gb%2Fblog%2Fvnet-peering-and-vpn-gateways%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20peering%20occurs%20over%20the%20private%20network%20within%20Azure%20only%20(there%20is%20no%20public%20traffic%20over%20a%20peered%20connection)%20I%20would%20implement%20Peering%20due%20to%20its%20lower%20latency%20and%20general%20easier%20administration.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20if%20having%20the%20traffic%20between%20the%20vNETs%20encrypted%20is%20a%20key%20requirement%20then%20Gateways%20would%20be%20the%20only%20appropriate%20course%20of%20action.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere's%20no%20way%20to%20use%20routing%20tables%20on%20their%20own%20to%20achieve%20what%20you're%20looking%20for%20as%20by%20design%20vNETs%20are%20isolated%20from%20each%20other.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnthony%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2923207%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20way%20to%20join%20VM%20from%20one%20VNet%20to%20Azure%20AD%20DS%20custom%20domain%20in%20a%20different%20VNet%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2923207%22%20slang%3D%22en-US%22%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1199544%22%20target%3D%22_blank%22%3E%40Anthony_Norwood%3C%2FA%3E%20for%20the%20quick%20response!%20I%20do%20indeed%20believe%20the%20peering%20will%20likely%20be%20the%20way%20I%20will%20go.%20I've%20used%20that%20technique%20before%20but%20I%20didn't%20know%20if%20it%20was%20one%20of%20the%20preferred%20methods%20in%20this%20scenario.%20Thanks%20again!%3C%2FLINGO-BODY%3E
Occasional Contributor

Greetings.  I have a functioning Azure AD DS custom domain that is deployed to a subnet in let's say VNet1.  I have a VM that resides in a subnet of, call it VNet2, that I would like to join to the custom domain.  What's the simplest, most effective way to achieve this?  In looking thru the documentation, I've seen suggestions for Peering the two networks together.  This may be fine, but I may prefer to keep the networks separate for security reasons.  I have Azure VPN Gateways installed in both VNets so perhaps a site-to-site tunnel could be the best option?  Although, if I'm going to do that, then perhaps the Peering option would be the better way to go.  Would it be possible to just add a route table in the appropriate subnet of VNet2 and just let routing do the trick?  If so, how do I find out the next hop address to add to the route?  And would I associate it with the gateway subnet or the default subnet of VNet2?  Thanks in advance for any help.  I really want to understand what is regarded as a "best practice" in this scenario.

 

Thanks again and cheers,

 

Brian

2 Replies
best response confirmed by AzureBrian (Occasional Contributor)
Solution

Hi @AzureBrian 

 

You've hit the nail on the head with the two options; vNET Peering or a vNET-to-vNET Gateway connection. This blog post gives you a good run down on the differences between the two:

https://azure.microsoft.com/en-gb/blog/vnet-peering-and-vpn-gateways/

As peering occurs over the private network within Azure only (there is no public traffic over a peered connection) I would implement Peering due to its lower latency and general easier administration.

 

However, if having the traffic between the vNETs encrypted is a key requirement then Gateways would be the only appropriate course of action.

 

There's no way to use routing tables on their own to achieve what you're looking for as by design vNETs are isolated from each other.

 

Hope this helps,

 

Anthony

Thanks @Anthony_Norwood for the quick response! I do indeed believe the peering will likely be the way I will go. I've used that technique before but I didn't know if it was one of the preferred methods in this scenario. Thanks again!