I have a question in regards to sites and services and more on the Azure resources and how to limit activity to these domain controllers. In a nutshell I have the following configured.
– Site to Site VPN connected to Azure
– Subnet assigned to a VNET in Azure lets say 10.10.0.0/16
– 2 domain controllers in the 10.10.1.0/24 subnet
It is all working well for now, but I want to do a few things on top of the above:
– Deploy ADFS to a subnet in Azure (2 proxy 2 adfs boxes)
– Lock down ADFS to talk only to the 2 DCs located in Azure
– From reading, I can configure the hosts file to only connect to the 2 DCs located in Azure.
Is there a way to stop extra Kerberos requests etc. going to these domain controllers in Azure? At the moment the interesting traffic and the firewall rules on-premises only allow the onsite Active Directory subnet to talk to the Azure Active Directory subnet, but I'm not sure this will work or whether it might cause issues. Is the subnet alone enough to minimize this?
Has anyone else done something similar? Creating a new domain with trusts etc. is out of the question at this stage.
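One defender-side way to steer the Azure members (ADFS and proxies) to the Azure DCs is an AD site and subnet mapping rather than a hosts file: DC locator places a host in the site that matches its subnet and prefers that site's DCs for Kerberos and LDAP. This is an added example, not code from the original post; the site name "Azure", the on-premises site name and the DC names are assumptions.

```powershell
# Added example (not from the original post). Assumptions: the new site is
# called "Azure", the existing on-premises site is "Default-First-Site-Name",
# and the two Azure DCs are AZ-DC01 and AZ-DC02. Run from an elevated
# PowerShell session with the ActiveDirectory (RSAT) module as a domain admin.
Import-Module ActiveDirectory

$azureSite   = 'Azure'
$onPremSite  = 'Default-First-Site-Name'
$azureSubnet = '10.10.0.0/16'          # the Azure VNET address space from the post
$azureDCs    = @('AZ-DC01', 'AZ-DC02') # assumed DC names

# 1. Create the Azure site and map the VNET subnet to it. Any member in
#    10.10.0.0/16 (ADFS, proxies) is then placed in the Azure site by
#    DC locator and prefers DCs in that site for Kerberos and LDAP.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSite'")) {
    New-ADReplicationSite -Name $azureSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$azureSubnet'")) {
    New-ADReplicationSubnet -Name $azureSubnet -Site $azureSite
}

# 2. Move the two Azure DCs into the new site.
foreach ($dc in $azureDCs) {
    Move-ADDirectoryServer -Identity $dc -Site $azureSite
}

# 3. Give on-prem <-> Azure replication an explicit site link with a known
#    cost and schedule instead of relying on DEFAULTIPSITELINK.
$linkName = "$onPremSite-$azureSite"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $onPremSite, $azureSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 4. Verification: run on an Azure member (e.g. an ADFS box). It should report
#    the Azure site and discover one of the Azure DCs; an on-prem client run
#    the same way should still report the on-prem site.
nltest /dsgetsite
Get-ADDomainController -Discover -SiteName $azureSite -ForceDiscover |
    Select-Object Name, Site, IPv4Address
```

Site mapping only steers DC locator; it does not stop a client that targets a DC by name, so the on-premises firewall rules restricting which subnets can reach the Azure DC subnet remain the enforcement layer.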