Using Azure Hybrid Connections

Published by Peter KARDA
Category : Azure / Hybrid connection


In our integration solutions, we often need to integrate an Azure cloud application with a client’s on-premise system. A while ago a colleague of mine wrote an article about using On-Premises Data Gateway to connect Azure Logic App with an on-premise SQL Server. Azure On-Premises Data Gateway offers a set of built-in connectors (for File System, SQL Server, SAP Application Server, …). However, sometimes we need more “low-level” connectivity that we can use directly in our Azure Web App or Azure Function to connect to an on-premise resource, and that’s where Azure Hybrid Connections come in. In this post, I’d like to show you how a Hybrid Connection works, how to set it up and how to use it.


How does it work?

The Azure Hybrid Connection represents a connection between Azure App Service and a TCP endpoint (host and port) of an on-premise system. At the heart of the Hybrid Connection is Azure Service Bus Relay. It receives two encrypted outbound connections: one from the Azure App Service side (a Web App in our case) and another from the Hybrid Connection Manager (HCM). HCM is a program that has to be installed on your on-premise system. It is responsible for wiring your on-premise service to Azure Service Bus Relay. It’s important to note that there is no inbound connection from the internet, only an outbound connection from the on-premise side over TCP port 80. This eliminates the NAT and firewall set-up otherwise needed to make such connections possible.

In my example, I connect Azure Web App with the SQL Server installed on the desktop computer (DESKTOP-PC-PKA). Once the hybrid connection is established, Azure Web App can use the SQL Server database the same way as we use Azure SQL.


It’s worth mentioning that an Azure Hybrid Connection can be established between App Service and a TCP endpoint with a static port. UDP endpoints, drive mounting, LDAP service, and FTP in Passive or Extended mode won’t work with hybrid connections.


Setting up an Azure Hybrid Connection

To show how an Azure Hybrid Connection can be used, I’ve created a simple web application called Contoso University following this Microsoft Documentation tutorial. The application allows managing university students and their enrollments. Entity Framework is used to map business objects to the SQL Server database. The goal is to deploy the web application on Azure App Service and connect it (by using a hybrid connection) to the SQL Server database running on my desktop computer.

Creating a hybrid connection in Azure Portal

Firstly, I’ll create an App Service to host the web application. Go to Azure Portal and create an App Service (note that an App Service on the Free or Shared App Service plan does not support hybrid connections, so at least the Basic B1 plan should be used). Once your App Service is created (I’ve called mine ContosoUniversityMW), select Networking > Configure hybrid connection endpoints. The first thing you might notice is that you have 5 connections available (and 0 connections used). The number of connections depends on the selected App Service plan (choose a higher plan if you need more connections). Select [+] Add hybrid connection to create your first hybrid connection.


To set up the hybrid connection, you should identify the port of the service running on your host environment. The common service ports are 1433 for SQL Server, 3306 for MySQL, 27017 for MongoDB, 22 for SFTP, etc.

To create the hybrid connection, you need to specify the Hybrid connection Name, Endpoint Host (which is the local computer’s hostname), Endpoint Port (I’ll connect to SQL Server, so port 1433 will be used) and Service Bus namespace (Location and Name).


Once the hybrid connection is created, you can see on the dashboard that one connection is used. The connection appears as well in the list of connections with the initial status “Not connected”.

Finally, download the hybrid connection manager (HCM) by using the download link.


Set up on the on-premise side

First of all, install the program downloaded from Azure Portal on the local computer with the on-premise service. After that, run the Hybrid Connection Manager UI where you can add the hybrid connections that have been previously created on Azure.


Select [+] Add a new Hybrid Connection. You might be asked to log in to Azure to list your Azure subscriptions. After that, choose the subscription where you’ve created the Azure Hybrid connection. When the connection appears in the list, select Save. Note that you can also enter the connection manually by providing a connection string. You can find it in Azure Portal in the list of hybrid connections.


As you see, the connection has been registered on the local computer. However, the connection status is still “Not Connected” even though the connection was successfully created on Azure.


The solution is simple. Open the Windows services console and find the Azure Hybrid Manager service. This service is installed on the computer together with the Hybrid Connection Manager UI. Restart the service and return to the HCM UI.


The hybrid connection is now connected, and everything is ready to deploy and test the Contoso University web application.


Using Hybrid Connection

To see the Azure Hybrid Connection in action, I open the solution with the Contoso University application in Visual Studio. Then I find the appsettings.json file and search for the ConnectionStrings property to configure the Entity Framework context (called SchoolContext in my case). I put my local hostname (DESKTOP-PC-PKA) for the server and ContosoUniversityDb for the database. It’s important to note that the hybrid connection does not support integrated authentication, so the User/Password combination should be used. The credentials are encrypted on the Azure side and decrypted at the on-premise endpoint. They are transported over an encrypted TCP tunnel, so the security should not be an issue. After the connection string is set up, I deploy the application directly from Visual Studio to the Azure App Service.


After that, I browse to the page with the list of the students of the Contoso University. The Azure App Service that hosts my Web App looks for the server/port name in the hybrid connections. The outbound connection to Azure Service Bus Relay is created. It is mapped down to the on-premise system by using the HCM connection. The hybrid connection performance is decent, so the user can work seamlessly with the application.
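The constraints described above (no integrated authentication, a TCP endpoint with a static port, and a server/port pair that App Service can look up among its hybrid connections) can be checked before deployment. The following Python lint is an added example, not code from the Contoso University project; the function names, finding labels and sample values are assumptions, and hostnames are compared case-insensitively.

```python
# Added example: lint a SQL Server connection string against the hybrid
# connection endpoints registered on the App Service (sample values constructed).
# Assumes a simple 'Key=Value;...' string without quoted values containing ';'.
SERVER_KEYS = ("server", "data source", "address", "addr", "network address")
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
DEFAULT_SQL_PORT = 1433  # TCP port of a default SQL Server instance


def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def split_server(server):
    """Return (host, instance, port) from 'tcp:host\\instance,port'."""
    if server.lower().startswith("tcp:"):
        server = server[4:]
    port = None
    if "," in server:
        server, port_text = server.rsplit(",", 1)
        port = int(port_text)
    host, _, instance = server.partition("\\")
    return host.strip().lower(), instance, port


def check_connection_string(conn_str, endpoints):
    """Return findings; endpoints is a set of (host, port) hybrid connections."""
    settings = parse_connection_string(conn_str)
    registered = {(host.lower(), port) for host, port in endpoints}
    findings = []
    if any(settings.get(k, "").lower() in ("true", "yes", "sspi")
           for k in INTEGRATED_KEYS):
        findings.append("integrated-auth-unsupported")
    server = next((settings[k] for k in SERVER_KEYS if k in settings), "")
    host, instance, port = split_server(server)
    if instance and port is None:
        # Named instances are located via SQL Server Browser on UDP 1434,
        # and UDP does not traverse a hybrid connection.
        findings.append("named-instance-needs-udp-lookup")
    elif (host, port or DEFAULT_SQL_PORT) not in registered:
        findings.append("endpoint-not-registered")
    return findings
```

An empty result means the string targets a registered endpoint with SQL authentication; any finding points at a connection that would not be carried by the relay.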



As you’ve seen, Azure Hybrid connections provide an easy way to access one or more on-premise resources from Azure. Not only Azure Web Apps but also Azure Functions (with an App Service Plan) can benefit from hybrid connections. However, it might turn out that the hybrid connection is not enough. Then the next solution would probably be putting the Azure resources in a VNet and connecting it with the on-premise system by using a Site-to-Site VPN gateway connection. But this might be covered one day in another blog post.