Azure Friday | Azure App Service with Hybrid Connections to On-premises Resources


Hey, everybody. I’m Scott Hanselman. This is another episode of Azure Friday. I’m here with Christina Compy, and we’re gonna talk about App Service Hybrid Connections.
>> Yes.
>> It’s a hybrid cloud. What are the Hybrid Connections?
>> Hybrid Connections gives you access to resources in other networks. So you can have resources on-premise or in customer networks that you want your application to have access to, or that your customers are giving you access to.
>> So it’s not necessarily other networks within Azure itself. This is always outside Azure?
>> Doesn’t have to be outside Azure. You could use it within Azure. You could use it from a competitor. You could use it from on-premise. You can have up to 200 Hybrid Connections in an individual app.
>> Wow.
>> And it gives you access, secure access, to TCP endpoints. This is a host port endpoint, right? So it’s not giving you network access from your app to another network. It’s giving you access directly to a single host endpoint.
>> Okay, so this is even more refined than just like on a VPN site to site.
>> Yeah.
>> This is like a wormhole from one network to another network.
>> Right, right, right, exactly correct. It’s a secure wormhole directly to an application endpoint. And Hybrid Connections doesn’t care whether you’re doing SQL or web protocol. It’s TCP based.
>> Interesting.
>> So you can go access a MySQL database, your Oracle database. We had a customer access a mainframe endpoint.
>> That was my next question, cuz I used to work in banking, and we would talk to backend mainframes and AS400s, and all kinds of stuff. As long as I know my port range, that’s totally okay as well.
>> Well, it’s not a range though, it’s a specific port, right? So it’s an actual host and port combination for each Hybrid Connection endpoint.
>> Okay.
>> Now, you can have, like I said, up to 200. But if you’re doing like SQL named database instances and you had port redirection, you’d have to have a Hybrid Connection for both the 1433 port and the redirection port.
>> Okay, but 200 is a pretty good amount, and I could make little pseudo-ranges if need be.
>> True.
>> Interesting.
>> And it’s way better and secure than open-ended, excuse me, access to a network from your app.
>> Okay, so I’m sure there’s consultants that are watching who have had experiences with clients where the client has said I don’t really feel comfortable yet putting my data in the cloud. Let’s let the work happen in the cloud, but I really want my data on-premises. That’s something that would be used for Hybrid Connections?
>> Yeah, yeah. Or if you’re a developer and you wanted to quickly prototype something, Hybrid Connections lets you access resources even on your local workstation without having to set up and configure a VPN connection up to Azure. So this is something that it’s really simple to set up and get going without all of the overhead of putting an Internet accessible endpoint there for that is a possible hack entry.
>> That’s a good point. I’ve actually done that a couple times, where I’ve had a Mongo database running, and I set up the DMZ locally in my house. Probably not the smartest idea. I could have my little Mongo database, throw my website up in the cloud, and then punch a hole, and I’m off.
>> Right, yeah. Since the protocol for Hybrid Connections is web sockets, you probably don’t even need to punch a hole.
>> Really?
>> So it’s all over 443, TLS 1.2, and you have secure access outbound from your network where you install the relay agent.
>> So there’s no firewall stuff I have to do?
>> Not unless you’re blocking outbound to the Internet, in which case that’s-
>> [LAUGH] Then you’ve got bigger problems.
>> Right, it really limits your network usefulness.
>> All right, cool. Let’s see a demo if you’ve got one.
>> Sure, I’ve got a real quick easy demo. So everybody’s familiar with WordPress. WordPress uses a backend MySQL database. And so in this case, the backend MySQL database is sitting on a workstation under my desk in a Microsoft campus building somewhere.
>> It is real?
>> This is real. This is a live demo, this isn’t papier-mache.
>> So okay, so this is on the outside, it’s .AzureWebsites.net, that’s real. But the database that holds that is under your desk?
>> That’s right. And so you just saw it work. And we can do the negative scenario where we’re gonna break it.
>> Okay.
>> Because-
>> You don’t know if it’s real unless you break it.
>> I know, it’s a lot more believable if you break something.
>> Okay, so you’re just going into Hybrid Connections. You had two, now you have one.
>> Right, I deleted the one that goes to my MySQL database. Which, by the way, it uses the, I’m waiting if my screen’s gonna do anything. It uses the host and port that you define for your Hybrid Connection in your app. So my app is making a look-up and a call to, in this case, copy work station 1433. That’s not an Internet accessible endpoint. But in the public cloud, we catch that, redirect it, and send it through the Hybrid Connection. So as long as it resolves where my Hybrid Connection Manager’s installed, then it works.
>> Okay, so let me see if I can paraphrase and understand, it’ll go and do a DNS lookup effectively to like-
>> Yes.
>> Food doesn’t exist. It’s not even a fully qualified domain name, it’s just like an intranet name. You notice it, you tunnel it through the wormhole under your desk.
>> As long as it resolves on the Hybrid Connection Manager it’ll make it out there, and so basically, you can define any endpoint you want in your Hybrid Connection, and lift and shift as well.
>> Is there something running under your desk that is allowing that to happen?
>> Well, I do have a workstation named compuwork station.
>> I understand that, but how did it know?
>> How did it know?
>> Is there a tray icon, or something, or a service?
>> Yeah, well so, when I build the Hybrid Connection in the first place, I define that host import, and then there is an agent that runs on my-
>> Yes, right, and that’s what we call the Hybrid Connection Manager, which you can download here in the Hybrid Connection Manager UI,-
>> Okay.
>> And it looks like-
>> That’s the machine, there it is.
>> It looks beautiful.
>> So the Hybrid Connection Manager registers that, that known name, and then that’s allowing the magic tunneling. So this is your desk, and there it is.
>> Right.
>> All right, cool, and that’s it right there.
>> Right, and so both of them are still connected, I just disconnected it from my app.
>> So if you hit refresh, would it disappear?
>> No, it’s going to stay there, because it’s still connected. The agent running on my computer is still connected, supporting these to the cloud.
>> Okay.
>> So it’s connected to the cloud supporting those items.
>> Okay.
>> So if I was to go then, wrong one, back to the application, and refresh it, all I have done so far is break the database connection, and so we’ve proven failure.
>> Mm-hm.
>> Or proven with failure. [LAUGH]
>> How fast is it? Is it fast enough for production?
>> Yes, we have customers using it around the world for production needs. I wouldn’t stream videos through it, of course, but it does handle a fair amount of data. It’s roughly about the same as a small scale VPN connection. But since you can have so many of them from your web app, it gives you a lot of versatility. So, let’s say you’re doing inventory management, and you have supplier databases all around the world, then this is a nice easy way that you can touch their database, with their permission if they set it up, to collect that and then front it through a single web application.
>> And it’s totally secure, like you said, it’s over, it’s SSL, and it’s locked down. Do I need to worry about anyone sniffing that traffic on the way, there’s no man in the middle?
>> No, no man in the middle attacks, it’s secured with SAS keys for connections, it’s secured with TLS 1.2. So it’s current and up to date in terms of encryption technologies, and I would say it’s even more secure than you would consider a VPN, which is also an SSL connection.
>> Right.
>> But there’s always an Internet endpoint involved, right? So you have to have an Internet endpoint for a site-to-site connection where you’re connecting between Azure, or any public cloud, and a private cloud. In this case, because you have an agent, a real agent, operating in your own network, that connects outbound to Azure, you don’t have to worry about an inbound IP address that’s hackable or sniffable. Not that I would say VPNs are hackable or sniffable,-
>> Sure, sure.
>> But, I just feel more secure with something like Hybrid Connections than I do with pretty much all the other connectivity technologies.
>> Yeah, interesting. So it works, it’s nonspecific to technology, it doesn’t care about the database, it’s TCP level. If I had a custom service that I’d written in my own protocol, doesn’t matter?
>> Nope, doesn’t matter if you’re doing a Java app with a JDBC call, or a .NET app making an Oracle call, it’s-
>> I wonder this is, I wonder if there are databases that are so legacy that I couldn’t run them in the cloud, so this is a totally appropriate thing, or like you pointed out, mainframes, where they have no business in any kind of cloud scenario, and what about from a privacy perspective? Would this allow me to maybe be compliant for things when I couldn’t be compliant depending on what my country?
>> Yeah, this is certified and compliant. So Azure Relay, which this is built upon, is certified and compliant. It’s up to date. I don’t remember the list, so I don’t wanna call out all the list.
>> Sure.
>> But it is definitely to be, we rediscussed this recently, but it’s-
>> So you said Azure Relay. That’s what this is built on?
>> Yeah, so Hybrid Connections is actually offered as a subservice of Azure Relay, and then the variant App Service Hybrid Connections is a variant thereof where we lock it down to just a host and port. You can’t use this to reach up to the cloud from on-premise, this doesn’t give you private site access. What this does give you, though, is secure access to remote resources from your app, and we’ve locked down the entire system to behave that way.
>> When you were back in your, over here, said that you had 25, and then you said something about 200, does it depend on what App Service I have?
>> Right, well it depends what App Service plan level you have. So in a basic plan you can get up to five. In a standard plan you could have up to 25. In a premium plan, or obsolete, you can get up to 200.
>> Certainly more than enough to do stuff like a WordPress website.
>> Right, way more. WordPress is using one, so, though this one is configured for a SQL system, but yes.
>> All right, very cool, and this exists today, and people can use it today?
>> This exists today, it’s fully supported, it is a GA featuring capability, and we look forward to more people using it in the future.
>> Very cool, thank you very much.
>> You’re very welcome.
>> I am learning all about Hybrid Connections and App Service here on Azure Friday. [MUSIC]
