Configure access to a private network for Azure App Services

On-premises connections for Azure App Services can be created with Hybrid Connections. A hybrid connection needs no development work or reconfiguration of your application: it only needs a small client service (the Hybrid Connection Manager, downloadable from the Azure Portal) installed in the private network and the hybrid connection configured in the Azure Portal.

Hybrid Connection

Hybrid Connections give an easy and fast way to connect to on-premises resources from Azure App Services and Azure Mobile Apps.


Hybrid connections cannot be used in every situation; the following scenarios are documented for hybrid connections:

  • .NET framework access to SQL Server
  • .NET framework access to HTTP/HTTPS services with WebClient
  • PHP access to SQL Server, MySQL
  • Java access to SQL Server, MySQL and Oracle
  • Java access to HTTP/HTTPS services

The connections are secured with Shared Access Signature (SAS) authorization: both the Azure application and the on-premises Hybrid Connection Manager authenticate to the Hybrid Connection with a SAS key. Separate connection keys are created for the application and for the on-premises Hybrid Connection Manager, and these keys can be rolled over and revoked independently, so rotating or revoking the key of one side does not affect the other.

Hybrid Connections provide for seamless and secure distribution of the keys to the applications and the on-premises Hybrid Connection Manager.
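To make the "separate keys, independently revocable" point concrete, here is an added example (not code from the original post, and not Microsoft's implementation) that builds and verifies Service Bus style SAS tokens in Python. It parses a constructed Hybrid Connection Manager connection string (the namespace, entity and key material are made up), signs a token with the listener key and another with a separate sender key, and then shows that rolling the listener key invalidates only the listener's token. The rule names defaultListener and defaultSender are assumptions; the token format (sr, sig, se, skn with an HMAC-SHA256 over the URL-encoded resource URI and the expiry) is the standard Service Bus SAS scheme.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample values (not a real namespace, entity or key). This is the
# shape of the connection string the Hybrid Connection Manager asks for: it
# carries the listener side's key name and key material.
LISTENER_CONNECTION_STRING = (
    "Endpoint=sb://example-relay.servicebus.windows.net/;"
    "SharedAccessKeyName=defaultListener;"
    "SharedAccessKey=bGlzdGVuZXIta2V5LWV4YW1wbGUtbm90LXJlYWw=;"
    "EntityPath=sqlsrv01-1433"
)
# The application side holds a different key under a different rule name
# (also constructed; the rule name is an assumption).
SENDER_KEY_NAME = "defaultSender"
SENDER_KEY = "c2VuZGVyLWtleS1leGFtcGxlLW5vdC1yZWFs"

SAS_PREFIX = "SharedAccessSignature "


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict. Only the first '=' separates
    key from value, because base64 keys end in '=' padding."""
    parts = {}
    for item in cs.split(";"):
        if item:
            key, _, value = item.partition("=")
            parts[key] = value
    return parts


def resource_uri(parts):
    """The 'sr' value: relay host plus entity path, without the sb:// scheme."""
    host = parts["Endpoint"].replace("sb://", "").rstrip("/")
    return f"{host}/{parts['EntityPath']}"


def make_sas_token(uri, key_name, key, ttl_seconds=3600, now=None):
    """SAS token: sig = Base64(HMAC-SHA256(key, urlencode(uri) + '\\n' + expiry))."""
    now = time.time() if now is None else now
    expiry = int(now + ttl_seconds)
    encoded_uri = urllib.parse.quote_plus(uri)
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    return (f"{SAS_PREFIX}sr={encoded_uri}&sig={urllib.parse.quote_plus(signature)}"
            f"&se={expiry}&skn={key_name}")


def verify_sas_token(token, current_keys, now=None):
    """Check a token the way the relay side would: the named key must still
    exist, the token must not be expired, and the HMAC must match under the
    key currently in force. `current_keys` maps rule name -> key material."""
    now = time.time() if now is None else now
    if not token.startswith(SAS_PREFIX):
        return False, "not a SAS token"
    fields = dict(urllib.parse.parse_qsl(token[len(SAS_PREFIX):], keep_blank_values=True))
    if any(f not in fields for f in ("sr", "sig", "se", "skn")):
        return False, "missing field"
    if fields["skn"] not in current_keys:
        return False, "unknown or revoked key name"
    if not fields["se"].isdigit() or int(fields["se"]) <= now:
        return False, "expired"
    string_to_sign = f"{urllib.parse.quote_plus(fields['sr'])}\n{fields['se']}".encode("utf-8")
    digest = hmac.new(current_keys[fields["skn"]].encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    expected = base64.b64encode(digest).decode("ascii")
    if not hmac.compare_digest(expected, fields["sig"]):  # constant-time compare
        return False, "bad signature (key rolled?)"
    return True, "ok"


def demonstrate_independent_keys(now=1_700_000_000):
    """Both sides get valid tokens; rolling only the listener key invalidates
    only the listener's token; expiry and unknown key names are rejected."""
    parts = parse_connection_string(LISTENER_CONNECTION_STRING)
    uri = resource_uri(parts)
    listener_name, listener_key = parts["SharedAccessKeyName"], parts["SharedAccessKey"]
    keys = {listener_name: listener_key, SENDER_KEY_NAME: SENDER_KEY}
    listener_token = make_sas_token(uri, listener_name, listener_key, now=now)
    sender_token = make_sas_token(uri, SENDER_KEY_NAME, SENDER_KEY, now=now)
    # Roll (regenerate) only the listener key, as you would after the HCM's
    # connection string leaked. The replacement key is constructed as well.
    rolled = dict(keys)
    rolled[listener_name] = "cm9sbGVkLWxpc3RlbmVyLWtleS1ub3QtcmVhbA=="
    return {
        "uri": uri,
        "listener_ok": verify_sas_token(listener_token, keys, now=now + 10),
        "sender_ok": verify_sas_token(sender_token, keys, now=now + 10),
        "listener_after_roll": verify_sas_token(listener_token, rolled, now=now + 10),
        "sender_after_roll": verify_sas_token(sender_token, rolled, now=now + 10),
        "listener_expired": verify_sas_token(listener_token, keys, now=now + 3600),
        "wrong_name": verify_sas_token(listener_token, {SENDER_KEY_NAME: SENDER_KEY}, now=now + 10),
    }


if __name__ == "__main__":
    for name, result in demonstrate_independent_keys().items():
        print(f"{name}: {result}")
```

The practical consequence for operations: because the Hybrid Connection Manager and the application present different keys, you can regenerate the key embedded in an on-premises connection string that has leaked without touching the application, and vice versa.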

To get hybrid connections working you do not have to open an inbound TCP port in your firewall; all that is needed is outbound TCP or HTTP connectivity from your private network.

Port         Description
9350 – 9354  Data transmission ports; allow outbound connections on these ports for the best performance.
5671         When port 9352 is used for data traffic, port 5671 is used as the control channel; allow outbound connections to this port as well.
80, 443      Used as fallback when the ports above are not available.

These are the ports documented for the classic Hybrid Connection Manager. The Relay-based Hybrid Connection Manager installed in the steps below only needs outbound TCP 443 to the Service Bus namespace of the hybrid connection.
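Before installing the connection manager it is worth checking from the on-premises host that the outbound ports in the table are actually reachable, since a "not connected" status is usually a firewall problem. The following Python pre-flight check is an added example, not part of the original post or of the Hybrid Connection Manager; it probes the ports from the table above and classifies the result. Which host to probe is an assumption (the Service Bus namespace of the hybrid connection, <namespace>.servicebus.windows.net); the probe function is injectable so the classification logic can be exercised offline.

```python
import socket

# Ports from the table above. The host to probe is an assumption: the Hybrid
# Connection Manager talks to the Service Bus namespace of the hybrid
# connection, <namespace>.servicebus.windows.net.
DATA_PORTS = tuple(range(9350, 9355))
CONTROL_PORT = 5671
FALLBACK_PORTS = (443, 80)


def tcp_open(host, port, timeout=3.0):
    """True if an outbound TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_outbound(host, probe=tcp_open):
    """Probe every port in the table and classify the result as
    'direct' (data ports usable), 'fallback' (only 80/443) or 'blocked'.
    `probe(host, port) -> bool` is injectable for offline testing."""
    reachable = {p: probe(host, p) for p in DATA_PORTS + (CONTROL_PORT,) + FALLBACK_PORTS}
    warnings = []
    if any(reachable[p] for p in DATA_PORTS):
        mode = "direct"
        # The table says 9352 needs 5671 as its control channel.
        if reachable[9352] and not reachable[CONTROL_PORT]:
            warnings.append("9352 is open but its control channel 5671 is blocked")
        blocked = [p for p in DATA_PORTS if not reachable[p]]
        if blocked:
            warnings.append(f"data ports blocked: {blocked}")
    elif any(reachable[p] for p in FALLBACK_PORTS):
        mode = "fallback"
        warnings.append("only the HTTP/HTTPS fallback ports are reachable")
    else:
        mode = "blocked"
        warnings.append("no outbound path to the relay; open 443 at minimum")
    return mode, reachable, warnings


if __name__ == "__main__":
    import sys
    # Constructed default host; pass your own namespace host as argv[1].
    ns_host = sys.argv[1] if len(sys.argv) > 1 else "example-relay.servicebus.windows.net"
    mode, reachable, warnings = check_outbound(ns_host)
    print(f"{ns_host}: {mode}")
    for port, ok in sorted(reachable.items()):
        print(f"  {port}: {'open' if ok else 'blocked'}")
    for w in warnings:
        print("  warning:", w)
```

Run it on the machine that will host the Hybrid Connection Manager, not on the Azure side: the point of the table is that only outbound connectivity from the private network matters.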

Configuration

A great advantage of hybrid connections is that the client application does not need to be altered: you can, for example, use the same connection string you would use when deploying the application in the private network. To set up a hybrid connection, follow the steps below:

  1. Open the Azure Portal and find the application that needs to be connected to the private network.
  2. In the application blade click on “Networking”.

Networking

  3. In the networking blade click on “Configure your hybrid connection endpoints”.
  4. This opens the hybrid connections blade; in this blade select “Add Hybrid Connection”.

Hybrid Connections

  5. The “Add Hybrid connection” blade shows a list of all available hybrid connections within your Azure subscription. If you do not have a hybrid connection yet, select “Create new Hybrid Connection” to add one.

Create Hybrid Connection

  6. In the “Create Hybrid Connection” blade fill in the information for the hybrid connection:

New Hybrid Connection

Property       Description
Endpoint Name  The name of the hybrid connection endpoint.
Endpoint Host  The hostname of the on-premises system; it must be resolvable from the machine that runs the connection manager.
Endpoint Port  The TCP port of the on-premises service.
Location       Location of the Service Bus namespace used for the hybrid connection.
Name           Name of the Service Bus namespace used for the hybrid connection.

  7. With all values entered click on “Create” to create the hybrid connection.
  8. Once created, the hybrid connection shows up in the list of available hybrid connections. Select the hybrid connection you want to use and click on “Add selected hybrid connection”.

Add selected hybrid connection

  9. Adding the hybrid connection is not the last step. To make it work, a small application (the Hybrid Connection Manager) needs to be installed on an on-premises system to route the traffic. To download it click on “Download connection manager” in the hybrid connection blade.
  10. When the connection manager is installed it asks for the connection string of the hybrid connection configured in the Azure Portal. This connection string can be found on the hybrid connection detail page when you click the connection in the hybrid connection overview blade. The connection string contains the connection manager's shared access key, so treat it as a secret: do not store it in source control or send it around unprotected, and roll the key in the portal if it leaks.

Hybrid Connection properties

  11. If the connection manager is correctly configured it shows a “Connected” status on the hybrid connection overview page.


Note: make sure you replace all classic hybrid connections before 31-05-2018, because Microsoft retires Azure BizTalk Services on that date: https://azure.microsoft.com/en-au/updates/azure-biztalk-services-simplifying-our-azure-offerings/
