Hello @Khushboo Kumari,
Apologies for the delay in response.
Your question seems more related to Windows 365 and the blog you shared already mentions the use of Azure network connection (ANC) to provision Cloud PCs that are attached to a virtual network that you manage but I see that you would like to use hybrid Azure AD join.
After doing a bit of research, I'm sharing the below details which might help you understand the setup and requirements better.
If you see the Network requirements for Windows 365 documentation, you can find the below:
Windows 365 Enterprise:
To use your own network and provision Hybrid Azure AD joined Cloud PCs, you must meet the above requirements, and the following requirements:
- The Azure virtual network must be able to resolve DNS entries for your Active Directory Domain Services (AD DS) environment. To support this resolution, define your AD DS DNS servers as the DNS servers for the virtual network.
- The Azure vNet must have network access to an enterprise domain controller, either in Azure or on-premises.
As part of the Hybrid Azure AD Join requirements, your Cloud PCs must be able to join on-premises Active Directory. That requires that the Cloud PCs be able to resolve DNS records for your on-premises AD environment.
Configure your Azure Virtual Network where the Cloud PCs are provisioned as follows:
- Make sure that your Azure Virtual Network has network connectivity to DNS servers that can resolve your Active Directory domain.
- From the Azure Virtual Network's Settings, select DNS Servers and then choose Custom.
- Enter the IP addresses of DNS servers in that environment that can resolve your AD DS domain.
Tip: Adding at least two DNS servers, as you would with a physical PC, helps mitigate the risk of a single point of failure in name resolution.
To make sure that your Azure VNet has network connectivity to DNS servers that can resolve your AD domain, you can refer to Integrate on-premises AD with Azure.
Azure provides two solutions for implementing directory and identity services in Azure:
- Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD.
- Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection.
Your scenario meets the second setup, where you need to extend your existing on-premises AD infra to Azure, and you can use either a VPN or an ExpressRoute connection; this completely depends on your requirements and cost management.
You could use either VPN or ExpressRoute to connect your on-premises network to Azure, then deploy a VM in Azure which runs AD DS, and add this DNS server to your Azure VNet as custom DNS.
There are also a few other network requirements that you need to meet:
Windows 365 fully qualified domain name (FQDN) tags make it easier to grant access to Windows 365 required service endpoints through an Azure firewall. For more information, see Use Azure Firewall to manage and secure Windows 365 environments. (If interested).
About different geographical region connectivity, you can find the list of supported Azure regions for Cloud PC provisioning in the below doc:
OPNC is deployed to a virtual network (VNet) and domain controller existing in a particular region.
So, if you want to deploy OPNC in different geographical regions, you should either make sure that you create separate VNets in each region and connect them to your on-premises network, or just use VNet peering to connect the different region VNets to each other (as explained in the blog you shared).
Using VPN or ExpressRoute would still require you to peer the VNets to the VNet where the VPN gateway is deployed and use gateway transit, OR add the VNets to the ExpressRoute circuit.
In case of VPN, you can use VNet peering with gateway transit to connect other region VNets to your on-premises network:
https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
NOTE: If you don't want to use the gateway transit option with VNet peering, then you will have to deploy separate VPN gateways for separate regions.
In case of ExpressRoute, you would need an ExpressRoute circuit with the premium add-on for global connectivity, and then add the other region VNets to the ExpressRoute circuit for on-premises connectivity:
https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-faqs#expressroute-premium
Both VPN and ExpressRoute connections are suitable for your setup, but they might vary in certain aspects such as your existing infrastructure and cost management.
Site-to-site VPN connection pre-requisites: https://video2.skills-academy.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#prerequisites
VPN pricing: https://azure.microsoft.com/en-au/pricing/details/vpn-gateway/
ExpressRoute circuit pre-requisites: https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-prerequisites
ExpressRoute circuit & gateways pricing: https://azure.microsoft.com/en-in/pricing/details/expressroute/
So, you need to consider all the above requirements and costs before deciding if you want to go with VPN or ExpressRoute.
Once this setup is complete, you need to create an Azure network connection in your Microsoft Intune admin center and choose Hybrid Azure AD Join as the ANC type.
Refer: https://video2.skills-academy.com/en-us/windows-365/enterprise/create-azure-network-connection
For hybrid Azure AD join ANCs, on the AD domain page, you need to provide additional information as shown in the above document.
Kindly let us know if the above helps or if you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
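As an added example (not part of the answer above or of Microsoft's documentation), the following Az PowerShell script applies the custom DNS setting described for the Cloud PC VNet with at least two AD DS DNS servers, and then checks from a machine on that VNet that the domain's DC locator records resolve and that a domain controller is reachable on the ports a domain join uses. The resource group, VNet name, domain and IP addresses are constructed placeholders.

```powershell
# Added example, not from the original answer. Step 1 runs from an admin workstation with
# the Az module; steps 2 and 3 run on a VM or Cloud PC inside the VNet (built-in
# DnsClient and NetTCPIP modules). All names and addresses below are placeholders.

$ResourceGroup = 'rg-w365-anc'            # placeholder
$VNetName      = 'vnet-w365-eastus'       # placeholder
$AdDomain      = 'corp.contoso.com'       # placeholder AD DS domain
$DnsServers    = @('10.10.0.4', '10.10.0.5')   # placeholder AD DS DNS servers

# Two or more DNS servers avoid a single point of failure in name resolution.
if ($DnsServers.Count -lt 2) {
    throw 'Configure at least two DNS servers that can resolve the AD DS domain.'
}

# --- Step 1: switch the VNet DNS setting to Custom and point it at AD DS DNS ---
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
$vnet.DhcpOptions.DnsServers = $DnsServers
$vnet | Set-AzVirtualNetwork | Out-Null
Write-Host "VNet '$VNetName' now uses custom DNS: $($DnsServers -join ', ')"

# --- Step 2: from inside the VNet, confirm each DNS server can locate a DC for the domain ---
# Domain join relies on the _ldap._tcp.dc._msdcs.<domain> SRV records published by AD DS.
$srvName = "_ldap._tcp.dc._msdcs.$AdDomain"
$dcHosts = @()
foreach ($dns in $DnsServers) {
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $dns -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $dcHosts += $srv.NameTarget
        Write-Host "[OK]   $dns resolves $srvName -> $($srv.NameTarget -join ', ')"
    } catch {
        Write-Warning "[FAIL] $dns cannot resolve $srvName : $($_.Exception.Message)"
    }
}

# --- Step 3: confirm a DC is reachable on ports the join needs (LDAP, Kerberos, SMB, RPC) ---
$dc = $dcHosts | Select-Object -First 1
if (-not $dc) { throw "No domain controller found via $srvName; check VNet DNS and routing." }
foreach ($port in 389, 88, 445, 135) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("[{0}] {1} TCP/{2}" -f ($(if ($ok) { 'OK  ' } else { 'FAIL' }), $dc, $port)
}
```

A FAIL in step 2 usually means the VNet DNS setting or the VPN/ExpressRoute route to the DNS servers is wrong; a FAIL in step 3 with step 2 passing points at NSG, firewall or routing rules between the VNet and the domain controller.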