network in Microsoft Azure that does not conflict with any on-premises IP allocation.
When a non-overlapping IP address range is used in Microsoft Azure, IP traffic can be
routed cross-premises without address conflicts. If the on-premises gateway device that
connects to Microsoft Azure is not the default gateway for the on-premises network, you
will need to add static routes so that on-premises traffic destined for the Azure
address range is sent to that gateway device. Also make sure that all on-premises IP
scopes are defined correctly within Microsoft Azure (as the local network address
space), to ensure correct routing of traffic from Microsoft Azure back to the
on-premises network.
When using the site-to-site VPN connection option, multiple on-premises locations
can be connected to the single Azure gateway. This helps connect multiple locations
not only for normal operation, but also for disaster-recovery scenarios. For
organizations that utilize a primary and a disaster-recovery location, both locations
can be connected, avoiding the need for gateway reconfiguration in the event of an
actual disaster and required failover. If using ExpressRoute, the exact connectivity will
vary depending on the type of ExpressRoute circuit. However, whether the circuit is
delivered through an exchange provider or a network service provider, it is
always possible to connect multiple on-premises locations. Typically, the network
service provider option is simpler, as it can use existing multilocation connectivity
solutions such as MPLS (Multiprotocol Label Switching). Nevertheless, I’ve also seen
exchange providers apply some ingenious solutions, and so I always encourage my
customers to talk to their current communications partners about how they can help
with connectivity to Azure and always to keep an open mind.
Once network connectivity is established cross-premises, some operating system
instances running in Microsoft Azure will most likely need to be domain joined. This
introduces various considerations. One requirement is name resolution via DNS.
Initially, configure the virtual network in Microsoft Azure to use on-premises DNS
servers for name resolution. Machines in Azure can then locate domain controllers
through the SRV records that Active Directory registers in DNS and join the domain.
Using a shared DNS infrastructure between on-premises servers and Microsoft Azure also
allows cross-premises name resolution in both directions.
Within Active Directory, create a separate Active Directory site for the IP ranges used
in Microsoft Azure and create a site link to the actual on-premises location that has
connectivity. Make sure to set the site link cost and replication interval to values that
meet your requirements. The default intersite replication interval of 180 minutes
(3 hours) is likely not fast enough; the shortest interval Active Directory allows on a
site link schedule is 15 minutes, and change notification can be enabled on the link if
changes need to replicate sooner than that.
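The site, subnet, and site-link configuration described above can be scripted with the
ActiveDirectory PowerShell module. The following is an added example written for this
edition, not a script from the book; the site names (HQ and Azure-EastUS), the Azure
virtual network range (10.200.0.0/16), and the cost of 100 are hypothetical values and
should be replaced with your own.

```powershell
# Added example (not from the book): create an Active Directory site for the
# Azure address range, link it to the on-premises site that has the VPN or
# ExpressRoute connectivity, and tighten replication on that link.
# Run from a domain controller or an admin workstation with RSAT installed,
# as a user with Enterprise Admin rights.
# Assumed values (hypothetical): on-premises site "HQ", Azure site
# "Azure-EastUS", Azure VNet range 10.200.0.0/16, link cost 100.
Import-Module ActiveDirectory

$OnPremSite = 'HQ'
$AzureSite  = 'Azure-EastUS'
$AzureRange = '10.200.0.0/16'
$LinkName   = "$OnPremSite-$AzureSite"

# Create the site for the Azure location (skipped if it already exists).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$AzureSite'")) {
    New-ADReplicationSite -Name $AzureSite
}

# Map the Azure virtual network range to the new site so that machines in
# Azure prefer domain controllers in their own site and, failing that, the
# site reachable at the lowest site-link cost.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$AzureRange'")) {
    New-ADReplicationSubnet -Name $AzureRange -Site $AzureSite
}

# Link the Azure site to the on-premises site. 15 minutes is the smallest
# interval Active Directory accepts; the default for a new link is 180.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName `
        -SitesIncluded $OnPremSite, $AzureSite `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15
}

# Optional: enable change notification on the link (bit 0x1, USE_NOTIFY, of
# the link's 'options' attribute) so that changes replicate shortly after
# they are made instead of waiting for the next scheduled interval.
Set-ADReplicationSiteLink -Identity $LinkName -Replace @{ options = 1 }

# Verify the resulting configuration.
Get-ADReplicationSiteLink -Identity $LinkName `
    -Properties Cost, ReplicationFrequencyInMinutes, options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, options
```

Change notification trades bandwidth for latency: with it enabled, the site link behaves
much like intrasite replication, which is usually what you want over a dedicated
cross-premises link but may be undesirable over a metered or low-bandwidth connection.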
The next decision is whether Active Directory domain controllers should be placed in
Microsoft Azure. Initially, many organizations have security concerns about placing a
domain controller in Microsoft Azure for fear of directory or security compromise,
which would potentially expose the entire contents of the directory service. As
previously discussed, the Microsoft datacenters likely have far more security than any
normal company could hope for. It is more a question of trust, and that trust has to be
built over time. However, Microsoft has been very public about its security, including
its fights to protect customer data from government requests, and they offer