This article describes a very easy and secure way of connecting your Azure Mobile Apps and Azure Web Apps to your existing on-premises infrastructure. The option is called Hybrid Connections and is a feature of Azure BizTalk Services. The feature does not require any VPN configuration or opening inbound ports on the firewall. After completing a few simple configuration steps in the Azure Portal and installing the so-called Hybrid Connection Manager (HCM) program on your on-premises servers, you are ready to consume your on-premises services from your cloud app right away.
Hybrid Connections requires you to install a relay agent called the Hybrid Connection Manager (HCM) in your network. The HCM needs to be able to connect to Azure and also to your application. This solution is especially well suited to a remote network such as your on-premises network, or even another cloud-hosted network, because it does not require an internet-accessible endpoint. The HCM only runs on Windows, and you can have up to 5 instances running to provide high availability. Hybrid Connections only supports TCP, though, and each Hybrid Connection endpoint has to map to a specific host:port combination.
There are a few use cases where you would want to set up a Hybrid Connection:
- The scenario where a simple, quick and secure integration is required with some of your existing on-premises services
- When you move some of your old Web Applications to the cloud, while keeping other existing back-end services on-premises without the need to open Inbound connections on the Firewall
- Hybrid Connections currently depend on a BizTalk account, which has pricing levels that start free and then get progressively more expensive based on the amount you need. For small data loads, the free option can be very attractive
- When it comes to working across many networks, there is no other feature like Hybrid Connections which can enable you to access resources in well over 100 separate networks
- If you are a developer and simply want to run a site in Azure and have it access the database on the workstation under your desk, then the easiest thing to use is Hybrid Connections.
Benefits of Hybrid Connections:
- Quick easy setup
- No need to set up a Virtual Network, VPN, etc.
- Does not require any open Inbound ports
- Can be shared between multiple Web and Mobile Apps
- Good for exposing single on-premises resources to consumers in Azure
- Supports multiple HCMs in a single network that distribute the load using round-robin
Disadvantages of Hybrid Connections:
- Performance limitations
- Supports only fixed TCP ports
- Supports only TCP
- In Preview (no SLA) and not available in all Azure Regions
Security
Hybrid Connections use Shared Access Signature (SAS) authorization to secure the connections from the Azure applications and the on-premises Hybrid Connection Manager to the Hybrid Connection. Separate connection keys are created for the application and the on-premises Hybrid Connection Manager. These connection keys can be rolled over and revoked independently.
TCP ports
Hybrid Connections require only outbound TCP or HTTP connectivity from your private network. You do not need to open any firewall ports or change your network perimeter configuration to allow any inbound connectivity into your network.
The following TCP ports are used by Hybrid Connections:
| Port | Why you need it |
|---|---|
| 9350 – 9354 | These ports are used for data transmission. The Service Bus relay manager probes port 9350 to determine if TCP connectivity is available. If it is available, then it assumes that port 9352 is also available. Data traffic goes over port 9352. Allow outbound connections to these ports. |
| 5671 | When port 9352 is used for data traffic, port 5671 is used as the control channel. Allow outbound connections to this port. |
| 80, 443 | These ports are used for some data requests to Azure. Also, if ports 9352 and 5671 are not usable, then ports 80 and 443 are the fallback ports used for data transmission and the control channel. Allow outbound connections to these ports. Note: it is not recommended to rely on these fallback ports in place of the other TCP ports. HTTP/WebSocket is then used as the protocol instead of native TCP for the data channels, which can result in lower performance. |
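The following script is an added example, not part of the original post or of the HCM installer: run it on the prospective HCM server to check which of the outbound ports in the table are actually reachable and therefore which path HCM will end up on (native TCP or the slower HTTP/WebSocket fallback). The relay hostname is an assumption; replace the placeholder with the Service Bus namespace that backs your Hybrid Connection.

```powershell
# Added example (not from the original post). Checks outbound reachability of the
# Hybrid Connections ports from the HCM host. Nothing inbound is required.
# Assumption: $RelayHost is the Service Bus relay namespace behind the Hybrid
# Connection, e.g. '<your-namespace>.servicebus.windows.net' (placeholder below).
param(
    [string]$RelayHost = 'PLACEHOLDER-namespace.servicebus.windows.net'
)

# Ports from the table above and the role each one plays for HCM.
$ports = @(
    @{ Port = 9350; Role = 'Relay connectivity probe' },
    @{ Port = 9352; Role = 'Data channel (native TCP)' },
    @{ Port = 5671; Role = 'Control channel' },
    @{ Port = 443;  Role = 'Fallback data/control (HTTPS/WebSocket)' },
    @{ Port = 80;   Role = 'Fallback (HTTP)' }
)

$results = foreach ($p in $ports) {
    # Test-NetConnection (Windows 8 / Server 2012 and later) does a plain outbound TCP connect.
    $t = Test-NetConnection -ComputerName $RelayHost -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $p.Port
        Role      = $p.Role
        Reachable = [bool]$t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Native path needs both 9352 (data) and 5671 (control); otherwise HCM falls back to 443/80.
$native   = @($results | Where-Object { ($_.Port -in @(9352, 5671)) -and $_.Reachable }).Count -eq 2
$fallback = @($results | Where-Object { ($_.Port -eq 443) -and $_.Reachable }).Count -eq 1

if ($native) {
    Write-Host 'OK: HCM can use native TCP (9352 data, 5671 control).'
} elseif ($fallback) {
    Write-Warning 'Only the 80/443 fallback is open: HCM will run over HTTP/WebSocket; expect lower throughput.'
} else {
    Write-Error 'Neither the native TCP ports nor the 443 fallback are reachable outbound; check the egress firewall or proxy.'
}
```

If the egress path goes through an explicit HTTP proxy, a TCP connect test to 9352/5671 will fail even though 443 works, which is exactly the fallback case the table warns about.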
If you would like to read more about Hybrid Connections, please read this article.
Example: Accessing on-premise SQL Database from the Web App
I’ve captured the process of setting up a Hybrid Connection using an example in which a test Web Application accesses an on-premises SQL Database. Below is the diagram that illustrates the solution.
To start with Hybrid Connections you need an App Service running in your Azure Subscription. Create a sample test application, or publish one of your old apps that uses a SQL Database and has its connection string set up in Web.config.
Go to Azure Portal and find your App Service there.
Then click the “Networking” tab in the menu on the right.
On the next screen, click “Configure your hybrid connection endpoints.”
Click “Add” to add a new connection. Provide any name for the connection and enter a Hostname. The name of this host should be the same as it is defined in your local on-premises network. This is the name that HCM will try to resolve while processing requests inside your company network.
The next step is to create a new BizTalk Service account. You can choose any region and price tier. I would recommend starting with the Free Tier, as it is good enough for many applications.
Then click OK twice, and Azure will start working on the creation of your new Hybrid Connection. Once it is done, you will see that the Hybrid Connection is there but is not connected yet.
At this point, we need to go to a server located inside your network. Log in to the portal from there and navigate to Hybrid Connections. Click on the new connection, and then click on the “Listener Setup” icon. This starts the installation of the HCM.
You will see a series of prompts and progress windows. Choose the automatic setup: “Install and configure now”. This guarantees that the Shared key will be set up properly.
Once the system finishes the setup process, within a few minutes you will see that the new connection is in a Connected state and has a green tick on the left. This indicates that the installation was successful and that HCM can contact the App Service in the cloud.
Now we need to make sure that the connection string in the Web.config file of your Web App is pointing to the correct host. The Hostname must be set exactly as it is resolved inside your local network. In our example, it is “lablob01”. The SQL Server must be installed on this host. In this scenario our connection string will look like this:
As you can see, the Hostname (or the “Server” parameter in the connection string) looks the same as if you had written it in an application that runs on the local network. If you have old web applications running on-premises, they need almost no change in this respect.
Caveat
While working on Hybrid Connections, and particularly on integrating with Microsoft SQL Server on-premises, we have found a serious bug in Hybrid Connection Manager. At the time of writing this post, the HCM version is 0.6.3 and the bug is still there. A quick workaround is suggested in this post.
You can find yourself in a situation where all the steps above have been completed and all indicators are green, but your Web Application is still throwing error 500 with an exception that tells you something about an arithmetic overflow while accessing the SQL Database.
Exception: System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.OverflowException: Arithmetic operation resulted in an overflow. at System.Data.SqlClient.TdsParser.ConsumePreLoginHandshake(SqlAuthenticationMethod authType, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, Boolean& marsCapable, Boolean& fedAuthRequired)
or (64 bit Web app)
System.OverflowException: Array dimensions exceeded supported range, at System.Data.SqlClient.TdsParser.ConsumePreLoginHandshake
Well, apparently all you need to do is write a single value to the registry on the server where you have installed HCM. The value is below:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"SendExtraRecord"=dword:00000002
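The script below is an added example, not part of the original post, that applies the registry workaround above in a checked and reversible way. SendExtraRecord is an SCHANNEL setting that controls TLS record splitting for the whole machine, not just for HCM, so the script records the current value before changing it; whether HCM has to be restarted for SCHANNEL to pick the change up is an assumption noted in the code.

```powershell
# Added example (not from the original post). Applies the SendExtraRecord workaround
# on the HCM server. Run from an elevated PowerShell session.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name   = 'SendExtraRecord'
$wanted = 2   # value from the workaround above (dword:00000002)

# SCHANNEL settings are machine-wide: every TLS client and server on this host is
# affected, so capture the existing value first to allow a rollback.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set; the SCHANNEL default currently applies."
} else {
    Write-Host "$name is currently $current (keep this for rollback)."
}

if ($current -ne $wanted) {
    # New-ItemProperty creates the DWORD; -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $wanted -Force | Out-Null
    Write-Host "$name set to $wanted."
    # Assumption: SCHANNEL reads the value when a process starts, so restart the
    # Hybrid Connection Manager (or the server) before re-testing the Web App.
} else {
    Write-Host "$name is already $wanted; nothing to do."
}

# Verify what is now stored. To roll back, either restore the captured value with
# New-ItemProperty ... -Value $current -Force, or remove the value entirely:
#   Remove-ItemProperty -Path $key -Name $name
(Get-ItemProperty -Path $key -Name $name).$name
```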
Conclusion
Azure Hybrid Connections provide a very easy and secure way of accessing on-premises infrastructure. The feature allows moving existing applications to the cloud without breaking the internal ecosystem of back-end services already running in your company. While there are many limitations, the ease and convenience of a Hybrid Connection, along with its security, offer integrators a great opportunity to connect cloud applications with existing back-office tools without completely rebuilding the infrastructure in the cloud.
Excellent article! You are also a life saver… that workaround with the Registry Key worked for me after two days of scratching my head. 😉 #Kudos
Good article. How is HCM able to connect to Azure from a server with no internet connectivity? To which Azure website/IP range should the server have a connection?