Azure Hybrid Connection Manager
You want to connect from Azure to an On-prem resource, like an SQL DB.
Least disruptive / easiest solution: using Azure Hybrid Connections
Azure Hybrid Connections is a feature of Azure Relay based on HTTPS and the WebSocket protocol. It allows you to send requests and receive responses over WebSockets or HTTP(S). The feature is compatible with the WebSocket API available in common web browsers. Azure Relay is a secure, open-protocol evolution of the Relay features that existed previously in Azure.
Here is a High Level Overview of how the connection works.
The Hybrid Connection Manager (HCM) is a relay agent that must be deployed in the network hosting the resource Azure needs to reach. The HCM runs as a service on an on-prem server (referred to as the HCM Relay Server in the diagram) and makes an outbound connection to Azure Relay on port 443 (the standard HTTPS port).
The HCM and Azure Relay rely on WebSockets for connectivity. When the Azure app makes a DNS request that matches a configured Hybrid Connection endpoint, the outbound TCP traffic for that endpoint is redirected through the Hybrid Connection.
To support the Hybrid Connections that it is configured with, HCM requires:
* TCP access to Azure over port 443.
* TCP access to the Hybrid Connection endpoint.
* The ability to do DNS look-ups on the endpoint host and the Service Bus namespace.
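As an added example, not code from the original post or from Microsoft, the script below runs the three requirements above as a pre-flight check from the HCM server. The namespace and SQL host names are constructed placeholders, and the resolver and connector are injectable so the checks can be exercised without network access.

```python
import socket
from dataclasses import dataclass


@dataclass
class HybridConnection:
    """One configured Hybrid Connection. Sample values are constructed."""
    relay_namespace: str  # Service Bus namespace the HCM dials out to on 443
    endpoint_host: str    # on-prem host the HCM forwards traffic to
    endpoint_port: int    # e.g. 1433 for SQL Server


def default_resolve(host):
    """DNS look-up; returns the list of addresses for host (raises OSError)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def default_connect(host, port):
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=5):
        return True


def preflight(conn, resolve=default_resolve, connect=default_connect):
    """Run the three HCM requirements as checks; returns {check: (ok, detail)}."""
    results = {}
    # Requirement 3: DNS look-ups on the endpoint host and the namespace.
    for label, host in (("dns_namespace", conn.relay_namespace),
                        ("dns_endpoint", conn.endpoint_host)):
        try:
            addrs = resolve(host)
            results[label] = (bool(addrs), ", ".join(addrs) or "no records")
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            results[label] = (False, f"lookup failed: {exc}")
    # Requirement 1: outbound TCP 443 to Azure Relay.
    # Requirement 2: TCP access to the on-prem endpoint itself.
    for label, host, port in (("tcp_relay_443", conn.relay_namespace, 443),
                              ("tcp_endpoint", conn.endpoint_host, conn.endpoint_port)):
        try:
            connect(host, port)
            results[label] = (True, f"{host}:{port} reachable")
        except OSError as exc:
            results[label] = (False, f"{host}:{port} unreachable: {exc}")
    return results


def all_ok(results):
    """True only when every check passed."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # Constructed sample, not a real namespace or server.
    sample = HybridConnection("contoso-relay.servicebus.windows.net", "sql01.corp.local", 1433)
    for name, (ok, detail) in preflight(sample).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```

A failing `tcp_endpoint` with a passing `tcp_relay_443` points at the on-prem firewall or listener rather than at the outbound path to Azure.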
The established TCP connection uses TLS 1.2 for transport security and shared access signature (SAS) keys for authentication and authorization.
Consider an Azure App Service that uses HCM to connect to an on-prem database. The connection between Azure and on-prem is itself a secure TCP tunnel, but the App Service still needs to be secured if it is accessed by an external service or client. Measures like the following -
- Have multi-factor authentication enabled for the client that accesses the App Service, or secure it using OAuth 2.0 client authentication.
- If a client secret is used by the third party, refresh it every 6 months.
An alternative to the above is to build infrastructure in the cloud involving an Azure Virtual Network and Virtual Network Gateways with an ExpressRoute circuit. Hope to write something about this soon.