Azure NSG rules for Active Directory Subnet

Easily add or modify existing NSG rules for Active Directory. Script: Add-ADDSRulesToAzureRmNSG.ps1 (available on GitHub).

Today I'll be demoing a script I've been working on, Add-ADDSRulesToAzureRmNSG.ps1. The script is meant to accompany a reference architecture from Microsoft, Extend Active Directory Domain Services (AD DS) to Azure. When you install domain controllers for your on-premises domain/forest in Azure, there are several options for where to place them within your virtual network (VNet). Microsoft's reference architecture takes a neat approach: it dedicates a subnet to Active Directory Domain Services (ADDS) and protects it with Network Security Group (NSG) rules that allow only the ports/protocols AD actually needs to pass through, so anything else hitting the domain controllers is dropped at the subnet boundary.

[Figure: adds-extend-domain. See the "AD DS subnet" in Microsoft's reference architecture diagram.]

It's quite likely that the NSG rules will need to be updated time and again to accommodate changes (adding or removing subnets, and so on). Let's say you've got an "Apps" subnet (10.20.30.0/24) where all of your application servers sit, and it is currently the only subnet whose hosts need connectivity to ADDS. The NSG rules in place carry the source address prefix 10.20.30.0/24, allowing all hosts in the Apps subnet to communicate with the DCs in the ADDS subnet. Tomorrow, however, you determine that a special-case host in your "Data" subnet (10.20.40.0/24) is also going to need to talk to your DCs. Ideally you add that one host (a /32), not the whole Data subnet, so the rule set stays as tight as the reference architecture intends. With ~20 inbound rules and ~20 outbound rules needed to cover the ADDS requirements (see Microsoft's "Active Directory and Active Directory Domain Services Port Requirements"), updating each of them by hand is time consuming, whether you use PowerShell or the Azure Portal. Enter Add-ADDSRulesToAzureRmNSG.ps1.
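To make the "add one more source to every ADDS rule" task concrete, here is an added example written for this edit; it is not the Add-ADDSRulesToAzureRmNSG.ps1 script from the post, and it makes a few assumptions not stated there: the AzureRm.Network module in use accepts multiple values for SourceAddressPrefix/DestinationAddressPrefix (older module versions only accept one prefix per rule, in which case you would clone the rule under a new priority instead), the NSG and resource-group names are hypothetical, and the ADDS rules are identifiable by a name prefix. Inbound rules carry the client subnet as the source, outbound rules carry it as the destination, so both directions are handled.

```powershell
# Added example, not the post's script. Assumptions (hypothetical values):
#   - Resource group "AD-rg" contains an NSG "ADDS-nsg" attached to the AD DS subnet
#   - The ADDS rules created for the Apps subnet are named "ADDS-*"
#   - AzureRm.Network supports multi-valued address prefixes on a rule
param(
    [string]$ResourceGroupName = 'AD-rg',          # hypothetical
    [string]$NsgName           = 'ADDS-nsg',       # hypothetical
    [string]$RuleNamePrefix    = 'ADDS-',          # hypothetical naming convention
    [string]$ExistingPrefix    = '10.20.30.0/24',  # Apps subnet from the post
    [string]$NewPrefix         = '10.20.40.5/32',  # one Data-subnet host, not the whole /24
    [switch]$Commit                                # without -Commit, only report what would change
)

$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName

$updated = @()
foreach ($rule in @($nsg.SecurityRules | Where-Object { $_.Name -like "$RuleNamePrefix*" })) {

    # Which side of the rule names the client subnet depends on direction.
    $src = @($rule.SourceAddressPrefix)
    $dst = @($rule.DestinationAddressPrefix)

    if ($rule.Direction -eq 'Inbound' -and $src -contains $ExistingPrefix -and $src -notcontains $NewPrefix) {
        $src += $NewPrefix
    }
    elseif ($rule.Direction -eq 'Outbound' -and $dst -contains $ExistingPrefix -and $dst -notcontains $NewPrefix) {
        $dst += $NewPrefix
    }
    else {
        continue   # rule does not reference the Apps subnet, or already has the new prefix
    }

    # Rewrite the rule in place, preserving every other field exactly as it was.
    $nsg = Set-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name                     $rule.Name `
        -Description              $rule.Description `
        -Protocol                 $rule.Protocol `
        -SourcePortRange          $rule.SourcePortRange `
        -DestinationPortRange     $rule.DestinationPortRange `
        -SourceAddressPrefix      $src `
        -DestinationAddressPrefix $dst `
        -Access                   $rule.Access `
        -Priority                 $rule.Priority `
        -Direction                $rule.Direction

    $updated += [pscustomobject]@{
        Rule        = $rule.Name
        Direction   = $rule.Direction
        Source      = ($src -join ',')
        Destination = ($dst -join ',')
    }
}

if ($updated.Count -eq 0) {
    Write-Host "No '$RuleNamePrefix*' rules reference $ExistingPrefix; nothing to do."
    return
}

# Review before touching the live NSG: the rules listed here are the ones that
# would now also admit (or reach) $NewPrefix.
$updated | Format-Table -AutoSize

if ($Commit) {
    # Set-AzureRmNetworkSecurityGroup pushes the whole modified rule set in one operation.
    $null = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
    Write-Host "Updated $($updated.Count) rule(s) on $NsgName."
}
else {
    Write-Host "Dry run: re-run with -Commit to apply."
}
```

Run it once without -Commit to see exactly which rules would change, then with -Commit. Because every rule is rewritten with its original protocol, ports, access, priority and direction, the only thing that changes is the address prefix list, which is the property you can diff afterwards with Get-AzureRmNetworkSecurityRuleConfig to confirm no rule was loosened beyond the single /32.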

Here's a look at the script. Be sure to use the GitHub link above for the latest version.
