Integrating On-Premise Apps via Azure VNet and Hybrid Connections

08.17.17 By

Integrating Onpremise Apps via Azure VNet and Hybrid Connections Many organizations have started using cloud services in varying degrees. But if deploying an entire legacy system in a cloud-based environment is not optimal for your organization, Azure Cloud offer great options for integrating on-premises applications with other cloud-based software. These options, when used along with those for Migrating On-Premise Apps to Microsoft Azure Cloud, can offer organizations improved efficiency and reduced costs. Let’s look at a couple techniques to integrate on-premises resources to those already in the Azure Cloud:
  • Azure Virtual Network (VNet)
  • Hybrid Connections 

What is Azure VNet?

Azure VNet can integrate on-premises networks through private network connections between the on-premises network and the Azure Cloud Environment.
The following graphic and subsequent descriptions explain the different ways to connect an on-premises network with the Azure virtual network: *
VNet Image 1
  • Point-to-site VPN: this type of connectivity helps establish the connection between a single PC and a VNet with changes to the existing network. It can be used to provide encrypted communicaitons betwen a client and the VNet via the internet. Secure Socket Tunneling Protocol (SSTP) is used in establishing encrypted communication for this connectivity. The VPN device is not required to implement point-to-site connectivity, but it requires the Azure VPN gateway at the on-premise side.
  • Site-to-site VPN: In this type, the connection is established between the VPN devices and the Azure VPN Gateway. This type of connection provides VNet access to any on-premises resource via the internet. It uses an IPSec VPN to establish secure communication between on-premises resources and the Azure VNet gateway via the internet. A VPN device is required on-premises to establish site-to-site connection. 
  • Azure ExpressRoute: Unlike point-to-site and site-to-site VPNs where the connection is over the internet, Azure ExpressRoute is used to set up a direct private connection between an on-premises network and a VNet. Compared with similar connectivity options, this type of connectivity is secure, reliable and fast, as the traffic traverses through a private network and not the internet.
VNet benefits
  • Traffic flows through the internet for point-to-site and site-to-site connections
  • With the ExpressRoute method:
    • Traffic cannot be intercepted over the public internet due to the dedicated connection
    • Latency, if present, can be predicted
  • Azure Cloud Services and Virtual Machines (VMs) are connected to an Azure VNet within the defined network boundary, which helps in isolation of Azure services and VMs
  • Requires minimal ongoing administration
  • Using point-to-site and site-to-site connections, all on-premise devices can communicate with Azure services connected to a VNet, so there’s no need to configure individual connections
  • The site-to-site VPN can be configured or used as a secure failover path for ExpressRoute, or used to connect to sites that are not connected through ExpressRoute
VNet limitations
  • The latency cannot be predicted because the connection traverses via the internet for site-to-site or point-to-site connections
  • ExpressRoute requires dedicated router management from a network provider
  • The ExpressRoute gateway needs to be created first and then linked to a circuit before adding the site-to-site VPN gateway

What is a hybrid connection?

A hybrid connection is a feature of the Azure App Service. Using this type of connectivity, an encrypted connection can be established between the Azure network and on-premises resources, which may be using static TCP Ports (e.g. SQL Server, MySQL, Custom Web services, etc.) A hybrid connection has two different types:
  • New hybrid connections, which are available under Azure Relay and can be used as a service
  • BizTalk hybrid connections, which are classic hybrid connections in the Azure portal
Hybrid connections can be used to access application resources on outside networks. Every hybrid connection uses a single TCP host and port combination for network access. To provide access to other networks, the outbound ports of an on-premises network need to be open for the external networks, which creates some security concerns. The alternate approach of Azure VNet can be used for on-premises connectivity to avoid these security concerns, as shown in the below image. Azure VNet alternate approach Hybrid connection benefits
  • An easy and fast way to access on-premises data and services securely
  • Does not require a publicly accessible endpoint to establish connections
  • Easy to set up and share within resources
  • Provides access to multiple networks from a single app
Hybrid connection limitations
  • Lack of support for dynamic ports
  • Only use of static TCP ports is recommended

Two viable options for on-premise to cloud connectivity and integration

These on-premises connectivity methods are designed to be customized by businesses depending on their needs. For on-premises integration, suitable connectivity can be chosen depending on the resource and scalability requirements, security restrictions, budget, and cloud capabilities. The cloud architects at Emtec can guide you through the process of identifying the most suitable option for connecting on-premises applications with the help of Microsoft Azure Cloud Services. For a complimentary consultative discussion with the cloud architects, click here. 

Solution-oriented technology is our specialty.