Edit

Hybrid relay connection in Azure and Azure Stack Hub

Azure Stack Hub
Azure Virtual Machines

This architecture uses Azure Relay Hybrid Connections to connect from Azure to edge resources or devices that are protected by firewalls.

Architecture

Architecture diagram that demonstrates Azure Relay Hybrid Connections.

Download a Visio file of this architecture.

Dataflow

  1. A device connects to the virtual machine (VM) in Azure, on a predefined port. The VM provides a publicly accessible endpoint for the on-premises resource.
  2. Traffic is forwarded to the Azure Relay in Azure. An Azure Relay provides the infrastructure for maintaining the tunnel and connection between the Azure VM and Azure Stack Hub VM.
  3. The VM on Azure Stack Hub, which has already established a long-lived connection to the Azure Relay, receives the traffic and forwards it to the destination. The VM provides the server-side of the Hybrid Relay tunnel.
  4. The on-premises service or endpoint processes the request.

Components

  • Azure Stack Hub broadens Azure to let you run apps in an on-premises environment and to deliver Azure services in your datacenter.
  • Azure Virtual Machines provides Linux and Windows virtual machines.
  • Azure Relay makes it possible for you to securely expose services that run in your corporate network to the public cloud, without opening a port on your firewall, and without making intrusive changes to your corporate network infrastructure.
  • Azure Stack Hub Storage is a set of cloud storage services that are consistent with the services provided by Azure Storage. These services include blobs, tables, and queues.
  • SQL databases on Azure Stack Hub is a SQL resource provider that offers SQL databases on Azure Stack Hub. You install the resource provider and connect it to one or more SQL Server instances.

Alternatives

You need a secure integration between solution components in Azure and components hosted in Azure Stack Hub. This integration can be implemented by using network-level integration technologies, such as VPN (Virtual Private Network) and Azure ExpressRoute. Azure Relay is less intrusive and can be scoped to a single application endpoint on a single machine.

Scenario details

Edge devices are often behind a corporate firewall or NAT device. They're unable to communicate with the public cloud or edge devices on other corporate networks. You might need to expose certain ports and functionality, in a secure manner, to users in the public cloud. This architecture uses Azure Relay to establish a WebSockets tunnel between two endpoints that can't directly communicate. Devices that aren't on-premises, but need to connect to an on-premises endpoint, will connect to an endpoint in the public cloud. This endpoint will redirect the traffic on predefined routes over a secure channel. An endpoint inside the on-premises environment receives the traffic and routes it to the correct destination.

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.

Reliability

Reliability ensures that your application can meet the commitments that you make to your customers. For more information, see Overview of the reliability pillar.

Azure Relay connections aren't redundant. To ensure high-availability, you must implement error checking code or have a pool of Azure Relay-connected VMs behind a load balancer.

Security

Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.

This pattern, as shown, allows for unfettered access to a port on an internal device from the edge. Consider adding an authentication mechanism to the service on the internal device, or in front of the hybrid relay endpoint. See Azure Relay authentication and authorization and Network security for Azure Relay for more network security guidance.

Operational excellence

Operational excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Overview of the operational excellence pillar.

This solution can span many devices and locations, which can get unwieldy. Azure's IoT services can automatically bring new locations and devices online and keep them up to date.

Monitoring and diagnostics are crucial. Cloud applications run in a remote data-center where you don't have full control of the infrastructure or, in some cases, the operating system. In a large application, it's not practical to log into virtual machines (VMs) to troubleshoot an issue or sift through log files. Use Azure Monitor on Azure Stack Hub to visualize, query, route, archive, and take other actions on metrics and logs.

Performance efficiency

Performance efficiency is the ability of your workload to scale to meet, in an efficient manner, the demands that are placed on it by users. For more information, see Performance efficiency pillar overview.

This solution only allows for 1:1 port mappings on the client and server. For example, if port 80 is tunneled for one service on the Azure endpoint, it can't be used for another service. Port mappings should be planned accordingly. The Azure Relay and VMs should be appropriately scaled to handle traffic.

Next steps