Hybrid cloud applications
Tailwind Traders has several applications that have front-end components that currently run on-premises in a perimeter network. The back-end elements are on a protected internal network. One of Tailwind Traders' aims in moving to a hybrid cloud is to retire its perimeter network and host any public-facing workloads in the cloud. Because of compliance concerns and workload owners' concerns, some of these applications should remain physically in Tailwind Traders facilities instead of being hosted in an Azure datacenter.
Tailwind Traders has some other applications that are accessed through VPN connections into the internal protected networks in the Sydney, Melbourne, and Auckland datacenters. These applications generally require users to authenticate with their on-premises Active Directory instance.
In this unit, you learn about technologies for making hybrid connections. These connections allow Tailwind Traders to maintain applications for users to connect to through Azure, even when data or the application itself is hosted on Tailwind Traders equipment.
What is Azure Relay?
Azure Relay is a service that you can use to securely expose workloads that run on your organization's internal network to the public cloud. The service securely exposes these workloads without opening an inbound port on a perimeter network firewall.
Azure Relay supports the following scenarios between on-premises services and applications running in Azure:
- Traditional one-way, request/response, and peer-to-peer communication
- Event distribution to enable publish/subscribe scenarios
- Bidirectional and unbuffered socket communication across network boundaries
Azure Relay has the following features:
- Hybrid Connections. This feature uses open-standard web sockets and can be used in multiplatform architectures. It supports .NET Core, .NET Framework, JavaScript/Node.js, standards-based open protocols, and remote procedure call (RPC) programming models.
- WCF Relay. This feature uses Windows Communication Foundation (WCF) to enable remote procedure calls. It's option that many customers use with their WCF programs. It also supports the .NET Framework.
Azure Relay allows Tailwind Traders to publish some applications that run on the internal network to clients on the internet without requiring a VPN connection. The company should use Azure Relay instead of Azure App Service Hybrid Connections when there's no front-end web app running in Azure. Azure Relay should be used instead of Microsoft Entra application proxy when the application doesn't require Microsoft Entra authentication.
What is App Service Hybrid Connections?
The Hybrid Connections feature of Azure App Service can use any application resource in any network that can send outbound requests to Azure on port 443. For example, you can use Hybrid Connections to allow a web app running in Azure to use a SQL Server database running on-premises. The Hybrid Connections feature provides access from an app running in Azure to a Transmission Control Protocol (TCP) endpoint.
Hybrid Connections isn't limited to workloads running on Windows Server platforms. You can configure Hybrid Connections to access any resource that functions as a TCP endpoint, regardless of which application protocol is being used. For example, you can configure a hybrid connection between a web app running in Azure and a MySQL database running on an on-premises Linux virtual machine.
Hybrid Connections uses a relay agent. You deploy the relay agent in a location where it can establish connectivity to the TCP endpoint on the internal network and establish a connection to Azure. This connection is secured through Transport Layer Security (TLS) 1.2. Shared access signature (SAS) keys are used for authentication and authorization.
The following image shows a hybrid connection between a web app running in Azure and a database endpoint running on-premises.
Hybrid Connections has the following functionality:
- Apps running in Azure can access on-premises systems and services in a secure manner.
- The on-premises systems or services don't need to be directly accessible to hosts on the internet.
- It's not necessary to open a port in the firewall to allow inbound access from Azure to the relay agent. All communication is initiated in an outbound manner from the relay agent through port 443.
Hybrid Connections has the following limitations:
- It can't be used to mount an SMB share on an on-premises network.
- It can't use the User Datagram Protocol (UDP).
- It can't access TCP-based services that use dynamic ports.
- It doesn't support Lightweight Directory Access Protocol (LDAP) because of the reliance on UDP.
- It can't be used to perform an Active Directory Domain Services domain-join operation.
For Tailwind Traders, Hybrid Connections enables the retirement of several applications that currently have their front ends running on the Tailwind Traders perimeter network. These apps can be migrated to Azure. Hybrid Connections can then provide a secure connection to protected networks that host the app's back-end components.
What is Microsoft Entra application proxy?
Microsoft Entra application proxy allows you to provide secure remote access to a web application that's running in an on-premises environment through an external URL. You can configure Application Proxy to allow remote access and single sign-on to SharePoint, Microsoft Teams, IIS web applications, and Remote Desktop. Application Proxy can be implemented as a replacement for VPNs to internal networks or reverse proxies.
Application Proxy functions with the following applications:
- Web applications that use Integrated Windows Authentication
- Web applications that use header-based or form-based authentication
- Applications hosted through Remote Desktop Gateway
Application Proxy functions in the following way:
- The user connects to the application through a publicly available endpoint and then performs a Microsoft Entra sign-on.
- A token is forwarded to the user's device after the sign-in is complete.
- The client device forwards the token to the Application Proxy service, which returns the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then forwards the request to the Application Proxy connector.
- The Application Proxy connector performs further authentication if single sign-on is enabled.
- The Application Proxy connector forwards the request to the on-premises application.
- The response is sent through the connector and the Application Proxy service to the user.
The following image shows this process:
Users of internal networks that allow direct connection to applications should avoid using Application Proxy.
Tailwind Traders can use Microsoft Entra application proxy to give external users access to internal applications that use Active Directory authentication.