The situation: Got a Win2016 DC in a cloud network. WAN is disabled for this machine. LAN is connected to PfSense. PfSense manages the VPN and IPSec between cloud and on-premise. PfSense only allows whitelisted traffic between all machines/services. The DC has a list of rules so it can do its job. This works partially, still got a "no internet" alert in the DC and WSUS is not working as expected.
Now DC needs a connection to another online service.
Should this be whitelisted, or is it allowed to allow outbound traffic from this DC via PfSense to the internet? I know that a DC directly on the internet is bad practice, but does this also apply to this rule?
In short: It depends on how security conscious you are, but a DC carries the keys to your kingdom, so you may want to play things especially safe with that kind of server.
The safest way to do things is to analyze what traffic you actually need to allow, and open up only for that in the pfSense - that would be a "default deny" approach.
Another way to go about things is to think of what outbound traffic you definitely do not want to allow, and deny that traffic specifically in the pfSense. Naturally this is worse from a security perspective since you're bound to forget about - or not even be aware of - some kinds of traffic you wouldn't want to leave your network.
A better question, perhaps, is this: Does the online service you want to open up traffic for really have to run on the DC, or would it be better to set up a separate VM for that service, and open up for the specific outbound traffic from the new machine instead? Optimally you really only want to run AD and DNS on a DC.
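One way to do the "analyze what traffic you actually need" step from the answer above, as an added example that is not part of the original answer: sample the DC's established outbound TCP connections over time, grouped by owning process and remote endpoint, so the rows can be turned into explicit pfSense allow rules. The output path and sampling schedule are assumptions.

```powershell
# Added example (not the answerer's code): snapshot the DC's outbound TCP
# connections repeatedly and summarise them per process/remote endpoint.
# Run in an elevated PowerShell session on the DC.
$OutFile  = 'C:\Temp\dc-outbound-summary.csv'   # assumed path
$Samples  = 12                                  # assumed: 12 snapshots ...
$Interval = 300                                 # ... taken 5 minutes apart

$seen = @{}
for ($i = 0; $i -lt $Samples; $i++) {
    # Established connections only, ignoring loopback peers.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            if (-not $proc) { $proc = "pid:$($_.OwningProcess)" }
            $key = '{0}|{1}|{2}' -f $proc, $_.RemoteAddress, $_.RemotePort
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Process       = $proc
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                    FirstSeen     = Get-Date
                    Hits          = 0          # number of snapshots it appeared in
                }
            }
            $seen[$key].Hits++
        }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $Interval }
}

# Note: connectionless UDP traffic (e.g. DNS forwarding, NTP) does not show up
# here; identify it from the pfSense firewall log instead.
$seen.Values |
    Sort-Object Process, RemoteAddress, RemotePort |
    Export-Csv -Path $OutFile -NoTypeInformation

$seen.Values | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
```

Let it run across a period that covers normal DC activity (replication, WSUS sync, the new service), then review each row before creating a matching allow rule; anything pfSense is already dropping will appear in its firewall log rather than in this list.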