Configure access to a private network for a Azure App Services

4 minute read

On-Premise connections for Azure App Services can be created by using Hybrid Connections. Hybrid connections do not need any development or re-configuration of your application. It only needs a small client service in the private network (downloadable from the Azure Portal) and the hybrid connection configured in the Azure Portal.

Hybrid Connection

Hybrid Connections give an easy and fast way to connect to on-premise resources for Azure App Services and Azure Mobile Apps.

Hybrid Connection

Hybrid connections can be used in different scenario's:

  • .NET framework access to SQL Server
  • .NET framework access to HTTP/HTTPS services with WebClient
  • PHP access to SQL Server, MySQL
  • Java access to SQL Server, MySQL and Oracle
  • Java access to HTTP/HTTPS services

The connections are secured using  Shared Access Signature (SAS) authorization between Azure applications and the on-premises Hybrid Connection Manager to the Hybrid Connection. Separate connection keys are created for the application and the on-premises Hybrid Connection Manager. These connection keys can be rolled over and revoked independently.

Hybrid Connections provide for seamless and secure distribution of the keys to the applications and the on-premises Hybrid Connection Manager.

The previous Hybrid Connections (classic) relied on BizTalk Services and used multiple TCP ports for connectivity and were susceptible to firewall issues and performance issues. The new Azure Relay Hybrid Connections use web sockets and communication takes place over a single port; 443.


A great advantage from hybrid connections is that the client application does not need to be altered, as an example you can use the same connection string as you would when deploying the application in the private network. In order to set up a hybrid connection follow the below steps:

  1. Open the Azure Portal and find the application that needs to be connected to the private network.
  2. In the application blade click on “Networking”.


  1. In the networking blade click on “Configure your hybrid connection endpoints”.
  2. This will open the hybrid connections blade,  in this blade select “Add Hybrid Connection”.

Hybrid Connections

  1. The “Add Hybrid connection” blade will show a list of all available hybrid connections within your Azure Subscription. If you do not have a hybrid connection you will be able to add a new hybrid connection. To do this select “Create new Hybrid Connection”.

Create Hybrid Connection

  1. In the “Create Hybrid Connection” blade the correct information for the hybrid connection needs to be filled in.

New Hybrid Connection

Property Description
Endpoint Name The endpoint name for the hybrid connection.
Endpoint Host The  hostname of the on-premise system.
Endpoint Port The port for the on-premise connection
Location Location for the servicebus used for the hybrid connection
Name Name for the servicebus used for the hybrid connection.


  1. With all the correct values entered click on “Create” to create the hybrid connection.
  2. When the hybrid connection is created it will show up in the list of all available hybrid connections. In this blade select the hybrid connection you want to use and click on “Add selected hybrid connection”.

Add selected hybrid connection

  1. Adding the hybrid connection is not the last step. In order to make it work a small application needs to be installed on a on-premise system to route the traffic. To download this application click on “Download connection manager” in the hybrid connection blade.


  1. When the connection manager is installed it will ask for a connection string to the hybrid connection configured in the Azure Portal. This connection string can be found on the hybrid connection detail page when you click on it from the hybrid connection overview blade.

Hybrid Connection properties

  1. If the connection manager is correctly configured it will show a connected status on the hybrid connection overview page.


Note: Make sure you replace all classic hybrid connections by 31-05-2018 because Microsoft then stops with Azure BizTalk services: