Configure access to a private network for Azure App Services
On-premise connections for Azure App Services can be created by using Hybrid Connections. Hybrid Connections do not require any development or reconfiguration of your application. They only need a small client service in the private network (downloadable from the Azure Portal) and the hybrid connection configured in the Azure Portal.
Hybrid Connections give an easy and fast way to connect to on-premise resources for Azure App Services and Azure Mobile Apps.
Hybrid Connections cannot be used in every situation. They apply to the following scenarios:
- .NET framework access to SQL Server
- .NET framework access to HTTP/HTTPS services with WebClient
- PHP access to SQL Server, MySQL
- Java access to SQL Server, MySQL and Oracle
- Java access to HTTP/HTTPS services
The connections are secured using Shared Access Signature (SAS) authorization between Azure applications and the on-premises Hybrid Connection Manager to the Hybrid Connection. Separate connection keys are created for the application and the on-premises Hybrid Connection Manager. These connection keys can be rolled over and revoked independently.
Hybrid Connections provide for seamless and secure distribution of the keys to the applications and the on-premises Hybrid Connection Manager.
To get Hybrid Connections working you do not have to configure an inbound TCP port in your firewall. All you need is outbound TCP or HTTP connectivity from your private network.
| Port | Purpose |
| --- | --- |
| 9350 – 9354 | Data transmission ports, you should allow outbound connections on these ports to have the best performance |
| 5671 | When port 9352 is used for data traffic, port 5671 is used as the control channel, you should allow outbound connections to this port. |
| 80, 443 | If the above ports are not available these ports are used as fallback. |
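
As an added example (not from the original article or from Microsoft), this PowerShell script can be run on the machine that will host the Hybrid Connection Manager to check outbound TCP reachability on the ports listed above and report which path is available. The `$RelayHost` default is a placeholder and an assumption; substitute the Service Bus host name of your own hybrid connection.

```powershell
# Added example: probe outbound TCP reachability for the ports in the table above.
param(
    # Assumption: placeholder; use the Service Bus host name of your hybrid connection.
    [string]$RelayHost = '<your-namespace>.servicebus.windows.net',
    [int]$TimeoutMs = 3000
)

function Test-OutboundPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout; a refused connection throws and is caught.
        $task = $client.ConnectAsync($TargetHost, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$dataPorts     = 9350..9354   # data transmission
$controlPort   = 5671         # control channel when 9352 carries data
$fallbackPorts = 80, 443      # used when the ports above are unavailable

$results = foreach ($port in $dataPorts + $controlPort + $fallbackPorts) {
    $isOpen = Test-OutboundPort -TargetHost $RelayHost -Port $port -TimeoutMs $TimeoutMs
    [pscustomobject]@{ Port = $port; Open = $isOpen }
}
$results | Format-Table -AutoSize

$open         = @($results | Where-Object { $_.Open } | ForEach-Object { $_.Port })
$dataOpen     = @($dataPorts | Where-Object { $open -contains $_ })
$fallbackOpen = @($fallbackPorts | Where-Object { $open -contains $_ })

if ($dataOpen.Count -eq $dataPorts.Count) {
    'All data ports 9350-9354 are reachable: the best-performance path is available.'
} elseif ($dataOpen.Count -gt 0) {
    "Only some data ports are reachable: $($dataOpen -join ', ')."
}
if (($open -contains 9352) -and ($open -notcontains $controlPort)) {
    'Port 9352 is open but control port 5671 is blocked: allow outbound 5671.'
}
if ($dataOpen.Count -eq 0) {
    if ($fallbackOpen.Count -gt 0) {
        "Data ports are blocked; traffic will fall back to port(s) $($fallbackOpen -join ', ')."
    } else {
        'No outbound path found: check egress rules and the host name.'
    }
}
```

A port reported as closed only means the TCP handshake from this host did not complete within the timeout, so a proxy or DNS failure shows up the same way as a firewall block.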
A great advantage of hybrid connections is that the client application does not need to be altered. For example, you can use the same connection string as you would when deploying the application in the private network. To set up a hybrid connection, follow the steps below:
- Open the Azure Portal and find the application that needs to be connected to the private network.
- In the application blade click on “Networking”.
- In the networking blade click on “Configure your hybrid connection endpoints”.
- This will open the hybrid connections blade. In this blade select “Add Hybrid Connection”.
- The “Add Hybrid connection” blade will show a list of all available hybrid connections within your Azure Subscription. If you do not have a hybrid connection you will be able to add a new hybrid connection. To do this select “Create new Hybrid Connection”.
- In the “Create Hybrid Connection” blade the correct information for the hybrid connection needs to be filled in.
| Field | Description |
| --- | --- |
| Endpoint Name | The endpoint name for the hybrid connection. |
| Endpoint Host | The hostname of the on-premise system. |
| Endpoint Port | The port for the on-premise connection. |
| Location | Location for the Service Bus used for the hybrid connection. |
| Name | Name for the Service Bus used for the hybrid connection. |
- With all the correct values entered click on “Create” to create the hybrid connection.
- When the hybrid connection is created it will show up in the list of all available hybrid connections. In this blade select the hybrid connection you want to use and click on “Add selected hybrid connection”.
- Adding the hybrid connection is not the last step. To make it work, a small application needs to be installed on an on-premise system to route the traffic. To download this application click on “Download connection manager” in the hybrid connection blade.
- When the connection manager is installed it will ask for a connection string to the hybrid connection configured in the Azure Portal. This connection string can be found on the hybrid connection detail page when you click on it from the hybrid connection overview blade.
- If the connection manager is correctly configured it will show a connected status on the hybrid connection overview page.
Note: Make sure you replace all classic hybrid connections by 31-05-2018, because Microsoft stops Azure BizTalk Services on that date: https://azure.microsoft.com/en-au/updates/azure-biztalk-services-simplifying-our-azure-offerings/