Deploy Managed Microsoft AD with cross-project access using domain peering

This topic shows you how to configure domain peering between Managed Service for Microsoft Active Directory (Managed Microsoft AD) and a Shared VPC network. This makes the Managed Microsoft AD domain available to the service projects attached to that Shared VPC.

Overview

Domain peering in Managed Microsoft AD creates a domain peering resource in both the project that owns the domain and the project that owns the VPC network. By creating a domain peering between the Managed Microsoft AD domain and the Shared VPC network, you make the domain available to every service project attached to that Shared VPC. For example, you can authenticate to and log in to a Cloud SQL for SQL Server instance with Managed Microsoft AD domain credentials even when the SQL Server instance and the Managed Microsoft AD domain are in different service projects attached to the Shared VPC.

Before you begin

Before you begin, do the following:

  1. In the Google Cloud console, on the project selector page, select or create three Google Cloud projects: one host project and two service projects. The host project is where Shared VPC is enabled. In this example, the Managed Microsoft AD domain and the Cloud SQL instance reside in different service projects. The test VM can reside in either service project.


  2. Enable billing for your Google Cloud projects. For more information, see Check if billing is enabled on a project.

  3. Enable Shared VPC on the host project. For more information, see Enable a host project.

  4. Attach the service projects to the Shared VPC network. Each service project needs to have the Compute Engine API enabled. For this example, create a separate subnet in the Shared VPC network for each service project and, while attaching a service project, share the appropriate subnet with it. For more information, see Attach service projects.

  5. Create a Managed Microsoft AD domain in one of the service projects. Any VPC network you authorize while creating the domain is independent of the Shared VPC network; the Shared VPC network is connected later through domain peering rather than as an authorized network. To create a Managed Microsoft AD domain without an authorized network, use the gcloud CLI.

Configure domain peering

  1. Create the domain peering from the service project that contains the domain resource to the Shared VPC network. The command below does not pass --project, so run it with that service project set as the active gcloud project, or add --project=PROJECT-ID. For more information about domain peering, see Configure domain peering.

    gcloud active-directory peerings create PEERING-RESOURCE-NAME \
    --domain=DOMAIN-RESOURCE-NAME \
    --authorized-network=SHARED-VPC-NAME
    

    Replace the following:

    • PEERING-RESOURCE-NAME: A name for your domain peering resource (such as my-domain-peering).
    • DOMAIN-RESOURCE-NAME: The full resource name of your Managed Microsoft AD domain, in the form of: projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME.
    • SHARED-VPC-NAME: The full resource name of your Shared VPC network, in the form of: projects/PROJECT-ID/global/networks/NETWORK-NAME.
  2. List the domain peerings to verify the state. Run the following gcloud CLI command:

    gcloud active-directory peerings list --project=PROJECT_ID
    

    Replace PROJECT_ID with the project ID of the service project in which you created the domain peering resource.

    The peering is listed with state DISCONNECTED: the host project side of the peering does not exist yet.

  3. Create the reverse domain peering from the host project. The domain resource and the Shared VPC network must be the same ones you used in step 1.

    gcloud active-directory peerings create PEERING-RESOURCE-NAME \
    --domain=DOMAIN-RESOURCE-NAME \
    --authorized-network=SHARED-VPC-NAME \
    --project=VPC-RESOURCE-PROJECT-ID
    

    Replace the following:

    • PEERING-RESOURCE-NAME: A name for your domain peering resource (such as my-domain-peering).
    • DOMAIN-RESOURCE-NAME: The full resource name of your Managed Microsoft AD domain, in the form of: projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME.
    • SHARED-VPC-NAME: The full resource name of your Shared VPC network, in the form of: projects/PROJECT-ID/global/networks/NETWORK-NAME.
    • VPC-RESOURCE-PROJECT-ID: The project ID of the host project that is hosting the Shared VPC.
  4. List the domain peerings again to verify the state. Run the following gcloud CLI command:

    gcloud active-directory peerings list --project=PROJECT_ID
    

    Run the command with PROJECT_ID set to the project ID of the service project that owns the domain, and then again with PROJECT_ID set to the project ID of the host project.

    Both projects now list the peering with state CONNECTED.

Configure the Cloud SQL (SQL Server) instance

  1. Create the Cloud SQL (SQL Server) instance in the service project with Private IP enabled and select the network of the Shared VPC. For more information, see Create an instance with Windows Authentication.

  2. After the domain peering reports CONNECTED, modify the Cloud SQL (SQL Server) configuration to use your Managed Microsoft AD domain for authentication. Run the following gcloud CLI command:

    gcloud beta sql instances patch INSTANCE-NAME \
    --active-directory-domain=DOMAIN-RESOURCE-NAME
    

    Replace the following:

    • INSTANCE-NAME: The name of your Cloud SQL instance in the service project.
    • DOMAIN-RESOURCE-NAME: The full resource name of your Managed Microsoft AD domain that you want to use for authentication. Full resource name format: projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME.

    For more information, see Enable cross-project Windows authentication.

The Cloud SQL (SQL Server) instance is now configured for Windows authentication against the peered Managed Microsoft AD domain.
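As an added example (not code from the original page or from Google), the following POSIX shell script runs the domain peering procedure above and the Cloud SQL patch end to end: it builds the full resource names, creates the forward peering from the domain's service project, waits for it to report DISCONNECTED, creates the reverse peering from the host project, waits for CONNECTED from both projects, and only then patches the instance. Every project, network, domain, peering and instance name in it is a hypothetical placeholder, and it assumes that `gcloud active-directory peerings describe` with `--format='value(state)'` prints the peering's state field (CONNECTED, DISCONNECTED, and so on).

```shell
#!/bin/sh
# Added example (not from the original page): run the forward and reverse
# domain peering, check the peering state between steps, then point the
# Cloud SQL (SQL Server) instance at the domain. Every project, network,
# domain and instance name here is a hypothetical placeholder.
set -eu

GCLOUD="${GCLOUD:-gcloud}"              # gcloud binary (or a test double)
NETWORK="${NETWORK:-shared-vpc}"        # Shared VPC network in the host project
DOMAIN="${DOMAIN:-ad.example.com}"      # Managed Microsoft AD domain name
PEERING="${PEERING:-my-domain-peering}" # peering resource name, both sides
SQL_INSTANCE="${SQL_INSTANCE:-sqlserver-1}"
POLL_ATTEMPTS="${POLL_ATTEMPTS:-30}"    # state polls per wait
POLL_DELAY="${POLL_DELAY:-10}"          # seconds between polls

# projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME
domain_resource_name() {
  printf 'projects/%s/locations/global/domains/%s\n' "$1" "$2"
}

# projects/PROJECT-ID/global/networks/NETWORK-NAME
network_resource_name() {
  printf 'projects/%s/global/networks/%s\n' "$1" "$2"
}

# Accept only plain IDs (lowercase letters, digits, hyphens) for projects and
# networks, so a typo is never expanded into a request against some other
# project. Domain names may also contain dots.
valid_id() { case "$1" in ''|*[!a-z0-9-]*) return 1 ;; esac; }
valid_domain() { case "$1" in ''|*[!a-z0-9.-]*) return 1 ;; esac; }

# One side of the peering: $1 project to create it in, $2 peering name,
# $3 domain resource name, $4 network resource name.
create_peering() {
  "$GCLOUD" active-directory peerings create "$2" \
    --project="$1" --domain="$3" --authorized-network="$4"
}

# State of the peering as seen from project $1 (CONNECTED, DISCONNECTED, ...).
# Assumes `peerings describe --format='value(state)'` prints the state field.
peering_state() {
  "$GCLOUD" active-directory peerings describe "$2" \
    --project="$1" --format='value(state)'
}

# Poll until peering $2 in project $1 reports state $3; returns 1 on timeout.
wait_for_peering_state() {
  i=0; state=""
  while [ "$i" -lt "$POLL_ATTEMPTS" ]; do
    state="$(peering_state "$1" "$2")"
    [ "$state" = "$3" ] && return 0
    i=$((i + 1)); sleep "$POLL_DELAY"
  done
  echo "peering $2 in $1: wanted $3, last state '$state'" >&2
  return 1
}

# Usage: sh peering.sh HOST_PROJECT AD_SERVICE_PROJECT SQL_SERVICE_PROJECT
main() {
  host="$1"; ad="$2"; sql="$3"
  for id in "$host" "$ad" "$sql" "$NETWORK"; do
    valid_id "$id" || { echo "invalid resource ID: $id" >&2; return 1; }
  done
  valid_domain "$DOMAIN" || { echo "invalid domain: $DOMAIN" >&2; return 1; }
  domain_res="$(domain_resource_name "$ad" "$DOMAIN")"
  network_res="$(network_resource_name "$host" "$NETWORK")"

  # Step 1: forward peering from the project that owns the domain. Until the
  # host side exists the peering reports DISCONNECTED (step 2).
  create_peering "$ad" "$PEERING" "$domain_res" "$network_res"
  wait_for_peering_state "$ad" "$PEERING" DISCONNECTED

  # Step 3: reverse peering from the Shared VPC host project.
  create_peering "$host" "$PEERING" "$domain_res" "$network_res"

  # Step 4: both projects must report CONNECTED before SQL Server is patched.
  wait_for_peering_state "$ad" "$PEERING" CONNECTED
  wait_for_peering_state "$host" "$PEERING" CONNECTED

  # Enable Windows authentication on the instance against the peered domain.
  "$GCLOUD" beta sql instances patch "$SQL_INSTANCE" \
    --project="$sql" --active-directory-domain="$domain_res"
}

# Run the flow only when three project IDs are given, so the functions can
# be sourced and exercised without calling gcloud.
if [ "$#" -ge 3 ]; then
  main "$1" "$2" "$3"
fi
```

The script only runs the flow when the three project IDs are passed on the command line; otherwise its functions can be sourced and driven one at a time. It needs an authenticated gcloud that is allowed to create peerings in both the domain's service project and the host project, and the Cloud SQL instance must already exist with private IP on the Shared VPC network. The ID checks matter because the project IDs are spliced into full resource names: rejecting anything that is not a plain ID keeps a mistyped value from becoming a request against an unrelated project.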

Test the setup

  1. Create a Windows or Linux VM in a service project. While creating the VM, select the Shared VPC network and the subnet that is shared with this service project.
  2. Join the VM to the Managed Microsoft AD domain. For more information about joining a Windows VM to a domain, see Join a Windows VM to a domain.
  3. Create a SQL Server login based on a Windows user or group. For more information, see Connect to an instance with a user.
  4. Connect using the SQL Server's instance DNS name. For more information, see Step 2 in Connect to an instance with a user.

Summary

You have peered a Managed Microsoft AD domain with the Shared VPC host project and created a Cloud SQL (SQL Server) instance on the Shared VPC network. With this domain peering, cross-project Windows authentication is enabled for SQL Server.

In the scenario above, Managed Microsoft AD and SQL Server are in different service projects; configuring them in the same service project is also supported.

Alternatively, you can also have the Managed Microsoft AD domain in the host project. In this case, Shared VPC needs to be added as an authorized network to the Managed Microsoft AD domain. For more information, see Adding authorized networks to an existing domain.

In all of these scenarios, peering with the Shared VPC network makes the domain reachable from every service project attached to it, so attach only the service projects that should be able to authenticate against the domain.