I have a small office network with about 10 workstations and a single physical domain controller. I want to move it to the cloud. For that, I deployed a Windows VM on Azure, which I'm going to promote to an additional DC. Then, I'll shut down the physical one.
Currently the physical server also serves as a VPN server, and the cloud VM is connected to the local office network via this VPN (L2TP/IPsec). When I shut down the physical server, it will also kill the VPN.
I thought about exposing the cloud VM itself to the office, instead of initiating a connection from it. On Azure, I have the ability to expose the VM to all traffic from a single IP address on the Internet. This way I can use the office's external static IP, and the workstations will be able to communicate with the cloud DC.
My question is, what realistic security risks are involved in this process? Would it be easy to exploit, even when I expose it only to a single IP address? Should I avoid this strategy and keep the VPN approach?
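As an added illustration of the single-source-IP restriction the question describes (example code, not from the question or from Microsoft), this Az.Network script builds an NSG that admits only the office's static IP to the port set a domain controller must expose, and then audits the result. The office IP (an RFC 5737 documentation address), resource group, region and NSG name are placeholders.

```powershell
# Added example: Azure NSG that exposes the DC only to one source IP, then audits it.
# Requires the Az.Network module and an existing session (Connect-AzAccount).
# Placeholders (assumptions): office IP, resource group, region and NSG name.
$officeIp = '203.0.113.10/32'   # placeholder for the office's static public IP
$rgName   = 'rg-cloud-dc'       # assumed resource group
$location = 'westeurope'        # assumed region
$nsgName  = 'nsg-cloud-dc'      # assumed NSG name

# Ports domain members need on a DC (per Microsoft's published AD port requirements).
# The RPC endpoint mapper plus the dynamic range is the part that keeps the surface large
# even when the source is pinned to a single address.
$dcPorts = [ordered]@{
    'DNS'           = @{ Protocol = '*';   Port = '53' }
    'Kerberos'      = @{ Protocol = '*';   Port = '88' }
    'NTP'           = @{ Protocol = 'Udp'; Port = '123' }
    'RPC-Mapper'    = @{ Protocol = 'Tcp'; Port = '135' }
    'LDAP'          = @{ Protocol = '*';   Port = '389' }
    'SMB'           = @{ Protocol = 'Tcp'; Port = '445' }
    'Kpasswd'       = @{ Protocol = '*';   Port = '464' }
    'LDAPS'         = @{ Protocol = 'Tcp'; Port = '636' }
    'GlobalCatalog' = @{ Protocol = 'Tcp'; Port = '3268-3269' }
    'RPC-Dynamic'   = @{ Protocol = 'Tcp'; Port = '49152-65535' }
}

# One Allow rule per service, source pinned to the office IP only.
$rules = @(); $priority = 100
foreach ($name in $dcPorts.Keys) {
    $rules += New-AzNetworkSecurityRuleConfig -Name "Allow-$name-FromOffice" `
        -Access Allow -Direction Inbound -Priority $priority -Protocol $dcPorts[$name].Protocol `
        -SourceAddressPrefix $officeIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $dcPorts[$name].Port
    $priority += 10
}
# Explicit catch-all deny. Azure's default rules already deny Internet inbound,
# but stating it makes the intent visible when someone reviews the NSG later.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Access Deny -Direction Inbound `
    -Priority 4000 -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name $nsgName -SecurityRules $rules

# Audit: any inbound Allow rule whose source is not the office IP means the DC is
# reachable more widely than intended (e.g. a later rule added with source '*' or 'Internet').
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
                   $_.SourceAddressPrefix -notcontains $officeIp } |
    ForEach-Object { Write-Warning "Rule $($_.Name) allows source $($_.SourceAddressPrefix)" }
```

Note that the rule set still has to admit TCP 135 plus the dynamic RPC range, so pinning the source address limits who can reach those ports but does not shrink what is listening; the NSG also cannot help if the office's static IP is shared or spoofable upstream, which is the exposure the VPN approach avoids.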