How to Configure Active Directory Network Security Groups and Firewall Rules in Azure using Terraform

Guillermo Musumeci
18 min read · Jan 19


This story will list all the ports required to communicate with Active Directory Domain Controllers and how to create network security groups and firewall rules using Terraform to secure communications to AD Domain Controllers.

We are going to talk about the following:

  • Description of Ports used by Active Directory
  • List of ports required for client machines to connect to AD Domain Controllers
  • Terraform Code to Create Azure Network Security Groups (NSGs) for Clients to AD Domain Controllers
  • List of ports used for communication between AD Domain Controllers
  • Terraform Code to Create Azure Network Security Groups (NSGs) for communication between AD Domain Controllers

Description of Ports

Below is the list of all ports used by Active Directory, with a short description of each one's role.

  • 53 — TCP/UDP — DNS: map IP addresses to host names. Client machines use DNS to locate resource records in the domain and look up external domain names.
  • 88 — TCP/UDP — Kerberos: this authentication protocol authenticates requests between a client and a server securely.
  • 123 — UDP — W32Time/NTP: the Windows Time system service maintains date and time synchronization on all the computers on a network that are running Windows. This service uses Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or time stamp, is assigned for network validation and resource access requests.
  • 135 — TCP/UDP — Microsoft RPC Endpoint Mapper: this port is used by many Microsoft services (check the full list of services here). First, the client connects to the RPC Endpoint Mapper service and asks it what port a given service is listening on. The mapper responds to the client with the port, and the client then connects to that port.
  • 137 — UDP — NetBIOS Name Resolution: used by NetLogon and NetBIOS Name Resolution.
  • 138 — UDP — NetBIOS Datagram Service: used by the SYSVOL replication service to replicate contents of the SYSVOL folder…
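As an added example (this is not code from the original article), here is how the ports listed above translate into an Azure Network Security Group written in Terraform with the `azurerm` provider. Two things a practitioner wants to see that the list alone does not show: an NSG rule accepts only one protocol, so every TCP/UDP service needs a TCP rule and a UDP rule, and Azure's default `AllowVnetInBound` rule would still let any VNet traffic reach the domain controllers, so an explicit deny at a low priority closes that gap. The variable names, resource names and CIDR defaults below are assumptions for illustration.

```hcl
# Assumed inputs: the subnets of the clients and of the domain controllers.
variable "location"            { default = "westeurope" }
variable "resource_group_name" { default = "rg-ad-example" }      # assumed name
variable "client_subnet_cidr"  { default = "10.0.10.0/24" }       # constructed value
variable "dc_subnet_cidr"      { default = "10.0.1.0/24" }        # constructed value

locals {
  # Ports from the list above. Azure NSG rules take a single protocol,
  # so services that use TCP and UDP get one rule per protocol.
  ad_client_rules = {
    "Allow-DNS-TCP"         = { port = "53",  protocol = "Tcp", priority = 100 }
    "Allow-DNS-UDP"         = { port = "53",  protocol = "Udp", priority = 101 }
    "Allow-Kerberos-TCP"    = { port = "88",  protocol = "Tcp", priority = 110 }
    "Allow-Kerberos-UDP"    = { port = "88",  protocol = "Udp", priority = 111 }
    "Allow-NTP-UDP"         = { port = "123", protocol = "Udp", priority = 120 }
    "Allow-RPC-EPM-TCP"     = { port = "135", protocol = "Tcp", priority = 130 }
    "Allow-RPC-EPM-UDP"     = { port = "135", protocol = "Udp", priority = 131 }
    "Allow-NetBIOS-NS-UDP"  = { port = "137", protocol = "Udp", priority = 140 }
    "Allow-NetBIOS-DGM-UDP" = { port = "138", protocol = "Udp", priority = 141 }
  }
}

resource "azurerm_network_security_group" "clients_to_dc" {
  name                = "nsg-ad-clients-to-dc"   # assumed name
  location            = var.location
  resource_group_name = var.resource_group_name

  # One allow rule per (port, protocol) pair, restricted to the client subnet
  # as source and the DC subnet as destination.
  dynamic "security_rule" {
    for_each = local.ad_client_rules
    content {
      name                       = security_rule.key
      priority                   = security_rule.value.priority
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = security_rule.value.protocol
      source_port_range          = "*"
      destination_port_range     = security_rule.value.port
      source_address_prefix      = var.client_subnet_cidr
      destination_address_prefix = var.dc_subnet_cidr
    }
  }

  # Explicit catch-all deny. Without it, the platform default rule
  # AllowVnetInBound (priority 65000) still admits every other port
  # from anywhere in the virtual network.
  security_rule {
    name                       = "Deny-All-Other-Inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = var.dc_subnet_cidr
  }
}

# Attach the NSG to the domain controller subnet (subnet id is an assumed input).
variable "dc_subnet_id" { default = "" }

resource "azurerm_subnet_network_security_group_association" "dc" {
  count                     = var.dc_subnet_id == "" ? 0 : 1
  subnet_id                 = var.dc_subnet_id
  network_security_group_id = azurerm_network_security_group.clients_to_dc.id
}
```

Keeping the port table in a `locals` map and generating the rules with a `dynamic` block means adding a port is a one-line change and the priority numbering stays readable; a `terraform plan` will show exactly which rule each entry produces before anything is applied.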
