SOLVED

Which ports are needed to join a domain in Azure AD Domain Services?


Hello

     I am trying to create Azure AD Domain Services in a separate subnet and assign an NSG to that subnet. I want to deny all and open only the ports needed for Azure AD Domain Services, such as domain join, LDAP, PowerShell ...

     The picture below shows the default, where all subnets in the VNet can reach all ports. Please guide me on how to deny all and open only the ports that are needed.

     [Image: Capture.PNG, screenshot of the default NSG rules on the subnet]

Best Regards,

Thanks

6 Replies
Hi Tien Ngo Thanh

Good morning.

It is not necessary to create any other rule to deny all inbound connections other than the ones you have created, because if you look at the NSG you already have rule 65500 DenyAllInBound, which will do this for you.

The lower priority number takes precedence.

There is a good article about it at the link below:

https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices...


Please let me know if it helped you.

Have a nice day!
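The question above asks which ports to open, and the reply relies on the default DenyAllInBound rule. Two things about the default rules matter here: a lower priority number wins, and the default AllowVnetInBound rule (65000) sits in front of DenyAllInBound (65500), so any VNet subnet, including a DMZ, is allowed unless an explicit deny with a lower number is added. The following is an added example in Az PowerShell, not code from this thread or from Microsoft: it builds an NSG for the Azure AD DS subnet that allows only the ports a domain member needs, from the backend subnet only, keeps the management and health-probe traffic the managed domain depends on, and explicitly denies the DMZ. All resource names and address prefixes are assumptions, and the two management rules reflect the AAD DS documentation at the time of this thread; check the current list before applying it.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Assumed (hypothetical) names and prefixes: resource group rg-identity, VNet vnet-hub,
# AAD DS subnet snet-aadds 10.0.0.0/24, backend 10.0.1.0/24, DMZ 10.0.2.0/24.
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).

$rg          = 'rg-identity'
$location    = 'westeurope'
$vnetName    = 'vnet-hub'
$aaddsSubnet = 'snet-aadds'
$aaddsPrefix = '10.0.0.0/24'
$backend     = '10.0.1.0/24'
$dmz         = '10.0.2.0/24'

# Ports a Windows member needs to reach a domain controller: DNS, Kerberos (incl. kpasswd),
# RPC endpoint mapper plus the dynamic RPC range, LDAP/LDAPS, SMB (SYSVOL/netlogon),
# Global Catalog and NTP.
$adTcpPorts = @('53', '88', '135', '389', '445', '464', '636', '3268', '3269', '49152-65535')
$adUdpPorts = @('53', '88', '123', '389', '464')

function New-InboundRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Priority,
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Deny')] [string] $Access,
        [Parameter(Mandatory)] [string] $Protocol,   # Tcp, Udp or *
        [Parameter(Mandatory)] [string] $Source,     # CIDR prefix or service tag
        [string[]] $DestinationPorts = @('*')
    )
    New-AzNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Direction Inbound `
        -Access $Access -Protocol $Protocol `
        -SourceAddressPrefix $Source -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $DestinationPorts
}

$rules = @(
    # Management traffic the managed domain itself needs. At the time of this thread the
    # AAD DS docs required TCP 443 (sync) and TCP 5986 (PowerShell remoting) from the
    # AzureActiveDirectoryDomainServices service tag; blocking them makes the managed
    # domain unhealthy. Verify the current list in the AAD DS networking documentation.
    New-InboundRule -Name 'AllowAADDSSync'       -Priority 100 -Access Allow -Protocol Tcp -Source 'AzureActiveDirectoryDomainServices' -DestinationPorts '443'
    New-InboundRule -Name 'AllowAADDSPSRemoting' -Priority 110 -Access Allow -Protocol Tcp -Source 'AzureActiveDirectoryDomainServices' -DestinationPorts '5986'
    # Load balancer health probes come from 168.63.129.16, which the VirtualNetwork tag
    # includes, so they must be allowed before the VirtualNetwork deny below.
    New-InboundRule -Name 'AllowAzureLB'         -Priority 120 -Access Allow -Protocol '*' -Source 'AzureLoadBalancer'
    # The two managed DCs replicate with each other inside this subnet, and NSGs filter
    # intra-subnet traffic too, so allow the subnet's own prefix.
    New-InboundRule -Name 'AllowAADDSInternal'   -Priority 130 -Access Allow -Protocol '*' -Source $aaddsPrefix
    # Backend subnet: AD ports only, nothing else.
    New-InboundRule -Name 'AllowBackendADTcp'    -Priority 200 -Access Allow -Protocol Tcp -Source $backend -DestinationPorts $adTcpPorts
    New-InboundRule -Name 'AllowBackendADUdp'    -Priority 210 -Access Allow -Protocol Udp -Source $backend -DestinationPorts $adUdpPorts
    # DMZ: explicit deny. It must have a lower number than 65000, because the default
    # AllowVnetInBound rule (65000) would otherwise match every VNet source before
    # DenyAllInBound (65500) is ever reached.
    New-InboundRule -Name 'DenyDMZ'              -Priority 300  -Access Deny -Protocol '*' -Source $dmz
    # Any other VNet source (future subnets, peered VNets, on-premises via gateway): deny.
    New-InboundRule -Name 'DenyOtherVnet'        -Priority 4000 -Access Deny -Protocol '*' -Source 'VirtualNetwork'
)

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-aadds' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules

# Attach the NSG to the AAD DS subnet, keeping the subnet's existing address prefix.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $aaddsSubnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $aaddsSubnet `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the rule set in evaluation order: the first matching rule wins.
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Priority, Name, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

To confirm the result, run `Test-NetConnection <dc-ip> -Port 389` from a VM in the backend subnet (expect success) and from a VM in the DMZ subnet (expect failure), then check the managed domain's health blade in the portal, which flags missing management rules.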

Hello

     Because by default all subnets can see Azure AD DS.

     For example, the backend subnet can see and join the Azure AD DS domain, but for the DMZ subnet I think I need to deny access to Azure AD DS, as the DMZ is also exposed to the public internet.

     And I see that on-premises, all subnets deny all by default and open IP to IP, not whole subnets. Should I think of Azure in the same way? I am a newbie in Azure.

   Please recommend best practices for controlling traffic between all subnets in a VNet.

Best Regards,

Thanks

Best Response confirmed by Tien Ngo Thanh (Regular Contributor)
Solution
Hi good evening!
Now I understood, what you want.
In this case you will need to configure your own routes by using "User Defined Routes" in an Azure route table; there you can use a virtual appliance to route the traffic.

It's not so complex. I will leave two links below, one about best practices in Azure networking and one about User Defined Routes; I recommend you read the best practices first.


Best practices= https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices


User Defined Routes=
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal


Hope it helps you!
Don't forget to let me know if it was helpful.

See you Soon!

@RodNet: I still don't fully understand.

As I understand it, all subnets in Azure see all ports by default, so to control ports between these subnets I need to route traffic by UDR to an NVA (VM + firewall)? And to do that I need to follow the steps below?

  • Create a route table
  • Create a route
  • Create a virtual network with multiple subnets
  • Associate a route table to a subnet
  • Create an NVA that routes traffic
  • Deploy virtual machines (VM) into different subnets
  • Route traffic from one subnet to another through an NVA
No. Only subnets inside the same VNet have communication with each other by default, so in this case you will need to use a user defined route.

I'd suggest you create the VNet and subnets first, but all the other steps are OK.

=D
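The seven steps listed above (route table, route, subnet association, an NVA with IP forwarding, and verification) as an added example in Az PowerShell; this is not code from the thread or from Microsoft's tutorial. It assumes an existing VNet with backend, DMZ and AAD DS subnets and an already deployed firewall VM, and every resource name and address is a hypothetical placeholder. A UDR only changes where traffic leaving the associated subnet is sent; the allow/deny policy itself then lives on the NVA's firewall, so the NSG on the AAD DS subnet stays in place as the second layer.

```powershell
# Added example, not code from the original thread or Microsoft's tutorial.
# Assumed (hypothetical): resource group rg-identity, VNet vnet-hub with subnets
# snet-aadds 10.0.0.0/24, snet-backend 10.0.1.0/24, snet-dmz 10.0.2.0/24, and a firewall
# VM already deployed in snet-nva whose NIC nic-nva has private IP 10.0.3.4.
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).

$rg          = 'rg-identity'
$location    = 'westeurope'
$vnet        = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$aaddsPrefix = '10.0.0.0/24'
$nvaIp       = '10.0.3.4'

# 1. The NVA's NIC must accept packets not addressed to itself, or the Azure fabric
#    drops them. The guest OS must forward as well (Windows: Set-NetIPInterface
#    -Forwarding Enabled; Linux: net.ipv4.ip_forward=1), and its firewall rules are
#    what actually allow backend -> AD ports and deny DMZ -> AAD DS.
$nic = Get-AzNetworkInterface -Name 'nic-nva' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 2. One route: anything destined for the AAD DS prefix goes to the NVA instead of
#    following the VNet's built-in system route.
$toAadds = New-AzRouteConfig -Name 'to-aadds-via-nva' -AddressPrefix $aaddsPrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
$rt = New-AzRouteTable -Name 'rt-to-aadds' -ResourceGroupName $rg `
    -Location $location -Route $toAadds

# 3. Associate the table with every subnet whose traffic to the domain must be
#    inspected. Never associate it with the NVA's own subnet: the NVA would then
#    forward the packet back to itself in a loop.
foreach ($name in 'snet-backend', 'snet-dmz') {
    $s = Get-AzVirtualNetworkSubnetConfig -Name $name -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $s.AddressPrefix -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify on a running backend VM's NIC (assumed name nic-backend-vm) that the user
#    route for the AAD DS prefix is active and overrides the VNet system route.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'nic-backend-vm' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains $aaddsPrefix } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

Two caveats before relying on this: the replies from the domain controllers still follow the VNet system route straight back to the backend subnet, so a stateful firewall that does not SNAT will see only one direction and drop the flow; either SNAT on the NVA or route the return path through it as well. Whether a route table may be attached to the managed domain's own subnet is something to confirm in the AAD DS networking documentation before doing so, since the managed service expects to reach its domain controllers directly.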


Thanks for all the support.