Applications for Hybrid Cloud
Tailwind Traders has several applications whose front-end components currently run on-premises in a perimeter network. The back-end elements are hosted in a protected internal network.
One of Tailwind Traders’ goals in its transition to a hybrid cloud is to remove its perimeter network and host publicly accessible workloads in the cloud.
However, due to compliance constraints and concerns from the owners of certain workloads, some of these applications must remain physically hosted in Tailwind Traders’ facilities rather than in an Azure datacenter.
Tailwind Traders also has other applications accessible through VPN connections to the protected internal networks of the Sydney, Melbourne, and Auckland datacenters. These applications typically require users to authenticate via the on-premises Active Directory instance.
In this unit, you will learn about hybrid connection technologies. These connections allow Tailwind Traders to keep applications accessible through Azure even when the data or the application itself is hosted on Tailwind Traders’ equipment.
What is Azure Relay?
Azure Relay is a service that securely exposes workloads running on your organization’s internal network to the public cloud without opening an inbound port on the perimeter network firewall.
Supported scenarios between on-premises services and applications in Azure:
- Traditional one-way communication, request/response, and peer-to-peer
- Event distribution for publish/subscribe scenarios
- Bidirectional, unbuffered communication across network boundaries
Azure Relay features:
- Hybrid Connections: Uses standard web sockets and can be used in cross-platform architectures. Supports .NET Core, .NET Framework, JavaScript/Node.js, open protocols, and RPC models.
- WCF Relay: Uses Windows Communication Foundation (WCF) to enable remote procedure calls. A popular option for WCF programs on .NET Framework.
Azure Relay allows Tailwind Traders to publish certain internal applications to internet clients without requiring a VPN connection.
Choose Azure Relay over Azure App Service Hybrid Connections when the consuming component is not a web front end running in App Service, and over Microsoft Entra Application Proxy when the application does not need Microsoft Entra authentication in front of it.
What is App Service Hybrid Connections?
The Hybrid Connections feature of Azure App Service lets an App Service app reach an application resource in any network, as long as that network can make outbound requests to Azure on port 443.
For example, you can use Hybrid Connections to allow a web application running in Azure to access an on-premises SQL Server database. This feature enables access from an Azure application to a TCP endpoint.
Hybrid Connections is not limited to Windows Server workloads. You can configure hybrid connections to any resource functioning as a TCP endpoint, regardless of the application protocol used.
For example, you can configure a hybrid connection between a web application in Azure and a MySQL database on an on-premises Linux VM.
Hybrid Connections uses a relay agent, the Hybrid Connection Manager. You install this agent on a host that can reach the TCP endpoint on the internal network, and it opens an outbound connection to Azure.
This connection is secured with TLS 1.2. Authentication and authorization are handled by Shared Access Signature (SAS) keys: each side of the connection presents a SAS token signed with a key that grants only the right it needs (listen for the agent, send for the app), and the tokens expire.
The following image shows a hybrid connection between a web application in Azure and an on-premises database.

Hybrid Connections Features
- Applications running in Azure can securely access on-premises systems and services.
- On-premises systems or services do not need to be directly accessible from hosts on the internet.
- No firewall port needs to be opened to allow inbound access from Azure to the relay agent.
- All communication is outbound from the relay agent over port 443.
Hybrid Connections Limitations
- Cannot be used to mount an SMB share on an on-premises network.
- Cannot use the UDP protocol.
- Cannot access TCP services using dynamic ports.
- Does not support LDAP, because LDAP can depend on UDP.
- Cannot be used to join Active Directory Domain Services.
For Tailwind Traders, Hybrid Connections makes it possible to retire the perimeter-network front ends of several applications.
Those front ends can be migrated to Azure App Service, with Hybrid Connections providing the secured, outbound-only path back to the protected networks that host the back-end components.
What is Microsoft Entra Application Proxy?
Microsoft Entra Application Proxy provides secure remote access to an on-premises web application through an external URL.
You can configure Application Proxy to enable:
- Remote access
- Single Sign-On (SSO) to applications such as SharePoint, Microsoft Teams, IIS web apps, and Remote Desktop
Application Proxy can be used as a replacement for VPNs to internal networks or reverse proxies.
Supported applications:
- Web applications using Integrated Windows Authentication
- Web applications using header-based or form-based authentication
- Applications hosted via Remote Desktop Gateway
How Application Proxy works:
- The user connects to the application through a public endpoint and performs Microsoft Entra authentication.
- A token is sent to the user’s device after login.
- The client device sends the token to the Application Proxy service, which extracts the user principal name (UPN) and the service principal name (SPN) from it.
- Application Proxy forwards the request to the Application Proxy connector, an agent installed on an on-premises server that communicates with the service over outbound connections only.
- If single sign-on is configured, the connector authenticates to the application on the user's behalf (for example, obtaining a Kerberos ticket for the SPN via Kerberos constrained delegation when the application uses Integrated Windows Authentication).
- The connector forwards the request to the on-premises application.
- The response is returned through the connector and the Application Proxy service to the user.
The following image illustrates this process.