To access an on-premises database from Nathean Analytics deployments, we use Microsoft Azure's Hybrid Connections, a feature of Azure Relay Services. Hybrid Connections provide an easy and convenient way to connect on-premises databases behind a firewall to Nathean Analytics, in the cloud or even on premises, and require only outbound TCP or HTTP connectivity. The following is a summary of material taken from the Azure documentation web site. Full details on the technology are available here.
Security and ports
Hybrid Connections use Shared Access Signature (SAS) authorization to secure the connections from the Azure applications and the on-premises Hybrid Connection Manager to the Hybrid Connection. Separate connection keys are created for the application and the on-premises Hybrid Connection Manager. These connection keys can be rolled over and revoked independently.
Application authorization is separate from the Hybrid Connection. Accessing an on-premises SQL Server requires SQL Authorization and is supported end-to-end.
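The SAS scheme described above, as an added example (not from the original page and not Azure's own code): it builds tokens in the documented `SharedAccessSignature sr=...&sig=...&se=...&skn=...` form and shows that rolling over one rule's key invalidates only that side's tokens. The namespace, rule names, keys and the local `check_sas_token` stand-in (which matches the resource exactly, a simplification) are assumptions made for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote

# Constructed sample values: the namespace, rule names and keys are placeholders.
RESOURCE = "https://example-ns.servicebus.windows.net/example-hybrid-connection"
RULES = {"listener-rule": "constructed-listener-key",   # on-premises Hybrid Connection Manager
         "sender-rule": "constructed-sender-key"}       # cloud application

def _signature(key, resource, expiry):
    # String to sign: URL-encoded resource URI, newline, expiry in Unix seconds.
    to_sign = f"{quote(resource, safe='')}\n{expiry}".encode()
    return base64.b64encode(hmac.new(key.encode(), to_sign, hashlib.sha256).digest()).decode()

def make_sas_token(resource, rule, key, ttl=3600, now=None):
    """Build the token the holder of `key` presents; the key itself is never sent."""
    expiry = int(time.time() if now is None else now) + ttl
    sig = quote(_signature(key, resource, expiry), safe="")
    return (f"SharedAccessSignature sr={quote(resource, safe='')}"
            f"&sig={sig}&se={expiry}&skn={rule}")

def check_sas_token(token, resource, rules, now=None):
    """Local stand-in for the service-side check, using the currently valid keys."""
    scheme, _, params = token.partition(" ")
    fields = {k: v[0] for k, v in parse_qs(params).items()}
    try:
        scope, sig = fields["sr"], fields["sig"]
        rule, expiry = fields["skn"], int(fields["se"])
    except (KeyError, ValueError):
        return False                      # malformed token
    key = rules.get(rule)
    if scheme != "SharedAccessSignature" or key is None or scope != resource:
        return False                      # wrong scheme, revoked rule or wrong resource
    if expiry <= (time.time() if now is None else now):
        return False                      # expired
    expected = _signature(key, scope, expiry)
    return hmac.compare_digest(sig.encode(), expected.encode())

if __name__ == "__main__":
    listener = make_sas_token(RESOURCE, "listener-rule", RULES["listener-rule"])
    sender = make_sas_token(RESOURCE, "sender-rule", RULES["sender-rule"])
    # Roll over only the sender key: old sender tokens fail, listener tokens still pass.
    rolled = dict(RULES, **{"sender-rule": "constructed-rotated-key"})
    print(check_sas_token(sender, RESOURCE, rolled),
          check_sas_token(listener, RESOURCE, rolled))   # False True
```

Because the expiry is part of the signed string, editing `se` in a captured token invalidates the signature; short lifetimes limit how long a leaked token stays usable.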
Hybrid Connections require only outbound TCP or HTTP connectivity from a private network. You do not need to open any firewall ports or change your network perimeter configuration to allow any inbound connectivity into your network.
The following TCP ports are used by Hybrid Connections:
| Port | Why you need it |
| --- | --- |
| 9354 | These ports are used for data transmission. The Service Bus relay manager probes port 9350 to determine if TCP connectivity is available. If it is available, then it assumes that port 9352 is also available. Data traffic goes over port 9352. Allow outbound connections to these ports. |
| 5671 | When port 9352 is used for data traffic, port 5671 is used as the control channel. Allow outbound connections to this port. |
| 80, 443 | These ports are used for some data requests to Azure. Also, if ports 9352 and 5671 are not usable, then ports 80 and 443 are the fallback ports used for data transmission and the control channel. Allow outbound connections to these ports. |

Note: It is not recommended to use these as the fallback ports in place of the other TCP ports. HTTP/WebSocket is then used as the protocol for data channels instead of native TCP, which could result in lower performance.