First published on MSDN on May 22, 2017
What can you do if your Web App’s Hybrid Connection shows a status of “Connected”, but the application fails to connect to your on-premise resource? Chances are the reason is because you have configured your Hybrid Connection so that it actually gets by-passed when you attempt to connect to your on-premise resource. In this post, I’ll describe how this happens and what you can do about it.
The specific details in this post refer to Hybrid Connections using Azure Relay. However, the same concept applies to classic Hybrid Connections using BizTalk services as well.
One of the benefits of using Hybrid Connections is that it is not necessary to open a port on your firewall. The Hybrid Connection Manager that runs in your on-premise network connects to the Service Bus endpoint in Azure on port 443 and provides the network connection for your Web App to connect to your on-premise resource. Therefore, when you configure your Hybrid Connection, your endpoint needs to be one that resolves at your on-premise network. In most cases, that means using the hostname for the server running your resource. For example, suppose I am connecting to a MySQL database running on a server with a hostname of
. When I configure my Hybrid Connection, I will need to specify an endpoint of
as shown in the figure below.
My database connection string in this case would point to the same endpoint, so in the case of MySQL, my database connection would be something like this:
Database=wordpress;Data Source=DatabaseServer;User Id=wp_user;Password=Password!
The important point here is that I’m using the exact same connection string in my Web App in Azure that I would be using if my Web App were running on an on-premise web server.
(I emphasized that statement because it’s an important point about Hybrid Connections.) That’s the beauty of Hybrid Connections. Where customers can sometimes get into trouble is when they configure the Hybrid Connection incorrectly in the first place.
Suppose that my database server is also accessible using a fully-qualified domain name of databaseserver.contoso.com. Suppose, also, that I configure my Hybrid Connection as shown in the following figure.
I’ve also set up my connection string to use a data source of
. After I configure this and add the Hybrid Connection to my Hybrid Connection Manager, the status will show as “Connected” in both the Hybrid Connection Manager and in the Azure portal, but when my app attempts to access the database, I’ll get an error that says “Error Establishing a Database Connection.” Strangely, if I open port 3306 on my firewall, the application works as expected, but I’m using Hybrid Connections so that I don’t have to open a port.
In this kind of scenario, your application is actually not even using the Hybrid Connection to connect to your database. When your application attempts to connect to the fully-qualified domain name (
in my example), it has to look up that DNS name in order to make the connection. In most cases, that DNS lookup occurs on a DNS server on the Internet and not within your local network. Once that DNS lookup succeeds, the connection attempts to come back into your local network, but it’s not going through the Hybrid Connection. Instead, it hits your firewall, and since port 3306 is blocked, the connection fails unless you open the port.
The solution here is to ensure that you are using the hostname of your on-premise server rather than the fully-qualified domain name. If you are using a fully-qualified domain name, you need to ensure that it’s a name that can be resolved within your local network. (In some cases, customers are running DNS in the local network, and it’s that local DNS service that resolves the name.)
Keep in mind that while you can open a port on your firewall to make this work, you shouldn’t. If you want to go that route, you don’t even have to use Hybrid Connections at all! One of the benefits of using Hybrid Connections is that you don’t have to expose an open port. By ensuring that your Hybrid Connections are correctly configured, you can ensure a more secure environment for your application and your network.