Hybrid relay connection in Azure and Azure

Stack Hub
Azure Stack Hub Virtual Machines

!Solution Idea

If you'd like to see us expand this article with more information, such as potential use cases, alternative
services, implementation considerations, or pricing guidance, let us know with GitHub Feedback !

This architecture uses Azure Relay Hybrid Connections to connect from Azure to edge resources or devices that
are protected by firewalls.

Potential use cases

Edge devices are often behind a corporate firewall or NAT device. They are unable to communicate with the public
cloud or edge devices on other corporate networks. You might need to expose certain ports and functionality, in a
secure manner, to users in the public cloud. This architecture uses Azure Relay to establish a WebSockets tunnel
between two endpoints that can't directly communicate. Devices that aren't on-premises, but need to connect to
an on-premises endpoint, will connect to an endpoint in the public cloud. This endpoint will redirect the traffic on
predefined routes over a secure channel. An endpoint inside the on-premises environment receives the traffic and
routes it to the correct destination.

Architecture

Download a Visio file of this architecture.

Dataflow
K. A device connects to the virtual machine (VM) in Azure, on a predefined port. The VM provides a publicly
accessible endpoint for the on-premises resource.
N. Traffic is forwarded to the Azure Relay in Azure. An Azure Relay provides the infrastructure for maintaining
the tunnel and connection between the Azure VM and Azure Stack Hub VM.
O. The VM on Azure Stack Hub, which has already established a long-lived connection to the Azure Relay,
receives the traffic and forwards it to the destination. The VM provides the server-side of the Hybrid Relay
tunnel.
P. The on-premises service or endpoint processes the request.