Using Azure App Services with Hybrid Connections
Application Development Manager Walid Amro discusses connecting Azure App Services with an on-premises Oracle Server and on-premises SQL Server using Azure App Service hybrid connections.
Your organization has decided to modernize its web application and move it to Azure. The website is currently hosted on-premises and connects to both an Oracle Database and a SQL Server that are also on-premises. As a developer or architect, you have been tasked with a proof of concept to show that the website works on Azure and to discover what is needed to modernize it so that it can use cloud capabilities.
Several major obstacles stand between you and a successful proof of concept:
- Hosting Oracle server on Azure.
- Installing Oracle Client on Azure App Services to connect to Oracle Database.
- Hosting SQL Server on Azure.
Let’s look at each of these aspects in more detail.
Hosting Oracle on Azure
Firstly, you’re not an Oracle DBA, and you do not know how to create and configure an Oracle server on Azure. More importantly, your task is not to move Oracle to the cloud; that task is for another team. You want to start testing as soon as possible, and you cannot wait for the other team to finish their migration.
Hosting your Web Application on Azure App Services
Hosting your ASP.NET MVC web application on Azure App Service is not a huge challenge and should be straightforward. The challenge is that the web application needs to reach the two databases it connects to on-premises, which are not yet available on Azure, and you cannot wait for the other team to complete their migration. Your company also does not have Azure ExpressRoute or any other open connection from Azure to your on-premises resources. A further challenge is installing the Oracle client on Azure App Service: because App Service is Platform as a Service (PaaS), you have no direct access to the operating system. That might push you toward moving the web application to a virtual machine, which turns the solution into Infrastructure as a Service (IaaS) rather than PaaS, or toward deploying it as a Docker container. Neither result is acceptable; you must modernize the web application to run as a PaaS service on Azure and to depend less on other software.
Hosting SQL Server on Azure
Hosting your SQL Server on Azure is very easy. Azure provides many migration options, and you can spin up SQL Server on Azure within minutes. Your challenge is that the database is huge, and you do not want to spin up a SQL Server on Azure just for this test. More importantly, as with Oracle, moving SQL Server to the cloud is not your task; it belongs to another team, and you want to start testing as soon as possible.
In order to start your testing as quickly as possible, you need to use Azure Hybrid Connections.
Before we start setting up Azure Hybrid Connections, let’s understand what it does.
What is Azure App Service Hybrid Connections?
Hybrid Connections is both a service in Azure and a feature in Azure App Service.
Within App Service, Hybrid Connections can be used to access application resources in other networks. It provides access from your app to an application endpoint; it does not provide an alternative way for anyone to reach your application. As used in App Service, each Hybrid Connection corresponds to a single TCP host and port combination. The feature does not know or care what the application protocol is or what you are accessing; it simply provides network access.
How it works
The Hybrid Connections feature consists of two outbound calls to Azure Service Bus Relay. There is a connection from a library on the host where your app is running in App Service. There is also a connection from the Hybrid Connection Manager (HCM) to Service Bus Relay. The HCM is a relay service that you deploy within the network hosting the resource you are trying to access.
Through the two joined connections, your app has a TCP tunnel to a fixed host:port combination on the other side of the HCM. The connection uses TLS 1.2 for transport security and shared access signature (SAS) keys for authentication and authorization, so the SAS key held by the HCM is a credential for reaching that endpoint and should be treated as one.
When your app in App Service makes a DNS request that matches a configured Hybrid Connection endpoint, the outbound TCP traffic is redirected through the Hybrid Connection. This is why the host name in your connection string must match the configured endpoint host exactly; connecting by IP address or through a different alias bypasses the tunnel.
App Service Hybrid Connection benefits
There are several benefits to the Hybrid Connections capability, including:
- Apps can access on-premises systems and services securely.
- The feature does not require an internet-accessible endpoint.
- It is quick and easy to set up.
- Each Hybrid Connection matches a single host:port combination, which limits exposure to exactly the service you intend to reach rather than the whole network.
- It normally does not require firewall holes. The connections are all outbound over standard web ports.
- Because the feature is network level, it is agnostic to the language used by your app and the technology used by the endpoint.
- It can be used to provide access in multiple networks from a single app.
Things you cannot do with Hybrid Connections
Things you cannot do with Hybrid Connections include:
- Mount a drive.
- Use UDP.
- Access TCP-based services that use dynamic ports, such as FTP Passive Mode or Extended Passive Mode.
- Support LDAP, because it can require UDP.
- Support Active Directory, because you cannot domain join an App Service worker.
A Windows App Service is required. At the time of writing the feature is only available on Windows (Linux support is coming soon).
How to set it up
Before you setup the Azure Hybrid Connection you need the following information:
- You need to decide which computer will host the Hybrid Connection Manager. The Hybrid Connections feature requires a relay agent in the network that hosts your Hybrid Connection endpoint; that relay agent is the Hybrid Connection Manager (HCM). The computer hosting the HCM must be able to resolve the destination service hostname or fully qualified domain name and must be able to connect to that TCP service on the specific port. Installing the HCM in the DMZ of your network is recommended but not mandatory; note that if you do, you may need to open ports on the internal firewall (between the DMZ and the database servers), not on the external company firewall. Because the HCM host holds the SAS keys and has network reach into the databases, treat it as a privileged host: restrict who can log on to it and limit its outbound rules to the endpoints it must reach. The HCM can be installed on Windows Server 2012 or later, and it also works on Windows 10. Linux support is coming soon.
- You need the hostname or fully qualified domain name of the server hosting the Oracle Database and its listener port number. You can usually find this information in the tnsnames.ora file; the default Oracle listener port is 1521. If failover is enabled for Oracle, you also need the alternate Oracle server hostname or fully qualified domain name and its listener port number, because each host:port pair needs its own hybrid connection.
- You need the SQL Server hostname or fully qualified domain name and the port number for the SQL Server service. The default port for SQL Server is 1433.
Make sure that the computer that will host the HCM can reach all of these services. You do not need to install the Oracle client on the HCM host, but you can install it there purely to test connectivity with Oracle.
Configuring the Hybrid Connection
First, I created a new Resource Group named rgBlog in the South Central Region. You can create it in any region you want with any name you want.
Next, I created a new App Service named OracleSqlServerWebApp under the rgBlog resource group.
To create a Hybrid Connection, go to the Azure portal and select your App Service, then select Networking > Configure your Hybrid Connection endpoints. Here you can see the Hybrid Connections that are configured for your app.
IMPORTANT NOTE: App Service Hybrid Connections are only available in the Basic, Standard, Premium, and Isolated pricing SKUs, and the number of hybrid connections you can use is tied to the pricing plan. With an App Service plan from a Visual Studio subscription you usually have a limit of 5 hybrid connections; in my case the portal showed that I could create up to 25 hybrid connections.
| Pricing plan | Number of Hybrid Connections usable in the plan |
|---|---|
Click on Add hybrid connection as shown in the previous screenshot, and you will see the following screen:
Click on Create new hybrid connection link and the following blade will show:
In the Create new hybrid connection blade, you must fill in the following fields for your Oracle server hybrid connection:
- Hybrid connection name: a reference name for the hybrid connection; it must be unique within the subscription.
- Endpoint Host: the hostname of the endpoint, which must resolve on the host where the Hybrid Connection Manager (HCM) is installed. I strongly advise not to use localhost, as it is confusing when you have multiple HCMs.
- Endpoint Port: the destination port of the service on that host.
- Servicebus namespace: hybrid connections are built on Service Bus namespaces, which act as containers for messaging. In my case I want to create a new Service Bus namespace.
- Location: choose the region closest to your service for the lowest latency. In my case, South Central US.
- Name: the Service Bus namespace name (if you are creating a new Service Bus namespace). This namespace must be unique across Azure, not just within your subscription.
Once you click the OK button, Azure starts creating your hybrid connection. Notice that after creation the status of the hybrid connection is "Not connected" in the screenshot below. This is expected, because we have not yet deployed the HCM or established the connectivity.
Add a new hybrid connection for the SQL Server:
After creating the SQL Server hybrid connection, you should see the following list of hybrid connections. Note that both connections have the status "Not connected":
To complete our hybrid connection setup, we must download and install the Hybrid Connection Manager (HCM) from the link in the portal:
Once you have downloaded the package, run it and perform following steps:
Click on the Install button (note that this will require elevated Windows permissions). This should install very quickly and the following confirmation window will show:
Open the Hybrid Connection Manager UI:
The following window will be shown:
Click on the Add a new Hybrid Connection link, login to your Azure subscription and choose the subscription that you created the hybrid connection under. Once logged in, you should see the following window:
Highlight both hybrid connections and click on the Save button, and then you should see the next window. Please note that the AZURE STATUS column is “Not Connected“. You can try to click on the Refresh button, but that did not work for me.
To change the status to connected you either need to restart the Azure Hybrid Connection Manager Service or reboot your computer:
Here is the HCM window after the service restart or computer reboot:
Here is the hybrid connection status in the Azure Portal after the service restart or computer reboot:
The reboot is not required for the tunnel to work; the service restart is only needed for the HCM UI to show the connected state. In some cases, depending on your company's security policy, you might never see the status as connected even though traffic flows, so test the hybrid connection directly. In the Azure portal, open the Console under your App Service. This console runs inside the App Service sandbox, and you can use it to check socket connectivity through the hybrid connection. Here is an example of the commands to use:
The tcpping utility tests whether a service on a host is reachable over TCP/IP, taking the endpoint as host:port (for example the Oracle listener at ora-server-1 on port 1521), and measures how long the connection to the specified port takes. A successful reply proves the tunnel end to end, from the App Service worker through the HCM to the database listener. Here is how it responds when the hybrid connection is not working:
Now the Azure Hybrid Connections are set up and tested. If you have a failover Oracle server, add a new hybrid connection for that one as well.
Deploying the App Service
Before deploying the App Service we still have one unsolved issue: how can we install the Oracle client on the App Service on Azure since we do not have access to the operating system? This is the million dollar question!
The quick answer: we cannot install the Oracle client on Azure App Service. So how is our App Service going to connect to the Oracle Database service?
The answer is to use Oracle Managed Data Access. Reference the Oracle.ManagedDataAccess package from NuGet:
The Oracle Data Provider for .NET (ODP.NET), Managed Driver is written entirely in managed .NET code; no additional Oracle Client software needs to be installed to connect to Oracle Database, which is exactly what a PaaS worker needs. It is provided and maintained by Oracle. Make sure that you remove any other Oracle client assemblies your application currently references, and use the Oracle.ManagedDataAccess.Client namespace in your .NET application:
Another important change is needed: the Oracle connection string. A connection string that relies on a tnsnames.ora alias will not work once you publish to Azure App Service, because there is no Oracle client and no tnsnames.ora on the worker, so the full connect descriptor must be in the connection string itself. Here is how your Oracle connection string should look (the host and port must be the same values you configured as the hybrid connection endpoint, and the user ID and password should be supplied from App Service configuration rather than embedded in source):
connectionString = "Data Source=(DESCRIPTION=(ADDRESS = (PROTOCOL = TCP)(HOST = ora-server-1)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.internal)));User Id=walid;Password=xyz;"
If you are not sure about the "Data Source=" part of the connection string, run the tnsping command on a computer that has the Oracle client installed and copy the resulting descriptor into your connection string. Here is an example:
C:\Users\amro>tnsping orcl.internal

TNS Ping Utility for 64-bit Windows: Version 126.96.36.199.0 - Production on 31-MAR-2020 22:18:46
Copyright (c) 1997, 2010, Oracle. All rights reserved.
Used parameter files:
C:\app\amro\product\11.2.0\client_64bit\network\admin\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = ora-server-1)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl.internal)))
OK (20 msec)
Use the text following "Attempting to contact " as the Data Source value. Test the new connection string locally and then leave it unchanged: because the hybrid connection endpoint uses the same host name and port, the identical string works on-premises and in Azure.
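To automate that step, here is an added example of my own (not code from the original post) that parses a tnsnames.ora entry, lists every HOST/PORT pair it contains (each one is a hybrid connection you need, including any failover address) and emits the whitespace-free descriptor to use as the Data Source value. The tnsnames.ora content embedded in it is constructed for the example; ora-server-2 is a hypothetical failover listener that is not in the original post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class TnsNames
{
    // Constructed sample entry (not the author's file). ora-server-2 is a
    // hypothetical failover listener; each distinct HOST:PORT pair needs its own
    // Hybrid Connection endpoint.
    public const string Sample = @"
# comment lines are ignored
ORCL.INTERNAL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ora-server-1)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = ora-server-2)(PORT = 1521))
      (FAILOVER = ON)
    )
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.internal))
  )
";

    public sealed class Entry
    {
        public string Alias;
        public string Descriptor;        // whitespace-free, usable directly as "Data Source="
        public string ServiceName;
        public List<(string Host, int Port)> Endpoints = new List<(string Host, int Port)>();
    }

    public static List<Entry> Parse(string tnsnames)
    {
        var entries = new List<Entry>();
        string text = Regex.Replace(tnsnames, @"#[^\r\n]*", "");   // strip comments
        int i = 0;
        while (true)
        {
            int eq = text.IndexOf('=', i);
            if (eq < 0) break;
            int open = text.IndexOf('(', eq);
            if (open < 0) break;
            // Walk to the parenthesis that closes the whole descriptor.
            int depth = 0, close = open;
            for (; close < text.Length; close++)
            {
                if (text[close] == '(') depth++;
                else if (text[close] == ')' && --depth == 0) break;
            }
            if (close >= text.Length) break;                       // unbalanced: stop
            var e = new Entry
            {
                Alias = text.Substring(i, eq - i).Trim(),
                Descriptor = Regex.Replace(text.Substring(open, close - open + 1), @"\s+", ""),
            };
            // One ADDRESS block per listener; several inside an ADDRESS_LIST means failover/load balancing.
            foreach (Match addr in Regex.Matches(e.Descriptor, @"\(ADDRESS=((?:\([^()]*\))+)\)", RegexOptions.IgnoreCase))
            {
                Match host = Regex.Match(addr.Groups[1].Value, @"\(HOST=([^)]+)\)", RegexOptions.IgnoreCase);
                Match port = Regex.Match(addr.Groups[1].Value, @"\(PORT=(\d+)\)", RegexOptions.IgnoreCase);
                if (host.Success && port.Success)
                    e.Endpoints.Add((host.Groups[1].Value, int.Parse(port.Groups[1].Value)));
            }
            Match svc = Regex.Match(e.Descriptor, @"\((?:SERVICE_NAME|SID)=([^)]+)\)", RegexOptions.IgnoreCase);
            e.ServiceName = svc.Success ? svc.Groups[1].Value : null;
            entries.Add(e);
            i = close + 1;
        }
        return entries;
    }

    public static void Main()
    {
        foreach (Entry e in Parse(Sample))
        {
            Console.WriteLine($"Alias {e.Alias} -> service {e.ServiceName}");
            Console.WriteLine("Hybrid Connection endpoints to create:");
            foreach (var ep in e.Endpoints.Distinct())
                Console.WriteLine($"  {ep.Host}:{ep.Port}");
            // User Id/Password belong in App Service configuration, not in source.
            Console.WriteLine($"Data Source={e.Descriptor}");
        }
    }
}
```

For the constructed sample this prints two endpoints, ora-server-1:1521 and ora-server-2:1521, which is the list of hybrid connections to create, followed by the descriptor to paste after Data Source=. Oracle ignores whitespace inside a connect descriptor, so the compacted form is safe to use in the connection string.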
Publish the App Service and you should be able to reach both the on-premises Oracle server and the SQL Server from the App Service. Here is how my test website looks:
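Before relying on the published site, it helps to have a check that separates "the tunnel is down" from "the driver or the login is wrong". The following is an added example of my own, not code from the original post: it performs the same TCP reachability test as tcpping from inside the application, then opens a real session with the managed ODP.NET driver and with SqlClient. It assumes the Oracle.ManagedDataAccess NuGet package, the connection-string names "OracleDb" and "SqlDb" in configuration, and the app-setting names OracleUser and OraclePassword; the SQL Server host name sql-server-1 is a placeholder. Credentials are read from configuration only, so in Azure you set them under the App Service's Connection strings and Application settings, which override web.config at runtime.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Net.Sockets;
using System.Threading.Tasks;
using Oracle.ManagedDataAccess.Client;

public static class HybridConnectionSmokeTest
{
    public sealed class Result
    {
        public string Name;
        public bool TcpReachable;
        public bool LoginOk;
        public string Detail;
    }

    // Must be exactly the host:port pairs configured as Hybrid Connection endpoints:
    // App Service redirects outbound TCP for those host names into the tunnel, so an
    // IP address or a different alias in a connection string bypasses it and fails.
    public static readonly (string Host, int Port) OracleEndpoint = ("ora-server-1", 1521); // from the post
    public static readonly (string Host, int Port) SqlEndpoint = ("sql-server-1", 1433);    // placeholder name

    // Same check as "tcpping host:port" in the Kudu console, but from inside the app.
    public static async Task<bool> CanReachAsync(string host, int port, int timeoutMs = 5000)
    {
        using (var client = new TcpClient())
        {
            try
            {
                Task connect = client.ConnectAsync(host, port);
                if (await Task.WhenAny(connect, Task.Delay(timeoutMs)) != connect)
                    return false;          // nothing answered within the timeout
                await connect;             // surfaces DNS failure / connection refused
                return client.Connected;
            }
            catch (SocketException) { return false; }
        }
    }

    // Full descriptor instead of a tnsnames alias: there is no tnsnames.ora on an App Service worker.
    public static string OracleConnectionString(string host, int port, string serviceName, string userId, string password)
    {
        var b = new OracleConnectionStringBuilder
        {
            DataSource = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=" + host + ")(PORT=" + port + "))" +
                         "(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=" + serviceName + ")))",
            UserID = userId,
            Password = password,
        };
        return b.ConnectionString;
    }

    private static async Task<Result> ProbeAsync(string name, (string Host, int Port) ep, Func<Task<string>> login)
    {
        var r = new Result { Name = name, TcpReachable = await CanReachAsync(ep.Host, ep.Port) };
        if (!r.TcpReachable)
        {
            r.Detail = $"{ep.Host}:{ep.Port} unreachable: check the Hybrid Connection status and the HCM host's route to the server";
            return r;
        }
        try { r.Detail = "server time " + await login(); r.LoginOk = true; }
        catch (Exception ex) { r.Detail = ex.GetType().Name + ": " + ex.Message; }   // tunnel fine, driver or login failed
        return r;
    }

    public static async Task<List<Result>> RunAsync()
    {
        // Credentials live in configuration only: web.config locally, overridden by
        // App Service > Configuration > Connection strings ("OracleDb", "SqlDb") in Azure.
        string oracleCs = ConfigurationManager.ConnectionStrings["OracleDb"]?.ConnectionString
            ?? OracleConnectionString(OracleEndpoint.Host, OracleEndpoint.Port, "orcl.internal",
                                      ConfigurationManager.AppSettings["OracleUser"],
                                      ConfigurationManager.AppSettings["OraclePassword"]);
        string sqlCs = ConfigurationManager.ConnectionStrings["SqlDb"]?.ConnectionString;

        return new List<Result>
        {
            await ProbeAsync("Oracle", OracleEndpoint, async () =>
            {
                using (var cn = new OracleConnection(oracleCs))
                using (var cmd = new OracleCommand("SELECT SYSDATE FROM DUAL", cn))
                {
                    await cn.OpenAsync();
                    return Convert.ToString(await cmd.ExecuteScalarAsync());
                }
            }),
            await ProbeAsync("SQL Server", SqlEndpoint, async () =>
            {
                using (var cn = new SqlConnection(sqlCs))
                using (var cmd = new SqlCommand("SELECT SYSDATETIME()", cn))
                {
                    await cn.OpenAsync();
                    return Convert.ToString(await cmd.ExecuteScalarAsync());
                }
            }),
        };
    }
}
```

Call HybridConnectionSmokeTest.RunAsync() from an MVC controller action that is restricted to administrators and render the results. A result with TcpReachable false points at the hybrid connection or the HCM host; TcpReachable true with LoginOk false means the tunnel is fine and the problem is the connection string, the driver, or the database account.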
I hope that this article helps you with your fast track cloud migration and application modernization. Using hybrid connections opens a whole new world of possibilities such as:
- Connecting applications inside Azure with resources in other subscriptions, especially legacy services running on a virtual machine that you do not want to expose to the internet.
- Connecting applications with other clouds without exposing any ports over the Internet.
- Debugging a service on-premises when debugging in the cloud is not possible. For example, you have a front-end website whose source code you cannot access, and you need to debug the middle-tier REST service that you manage. A hybrid connection can route calls from the front-end website in Azure to the service running locally in Visual Studio on your computer, so you can debug the REST service as it receives real calls from Azure.
To learn more about Hybrid Connections, please visit the App Service Hybrid Connections page on the Microsoft Docs website.
Have fun with your application modernization journey…