Hybrid connection with 2-tier application (2023)

  • Article
  • 8 minutes to read

A common scenario among larger Azure customer is the need to provide a two-tiered application exposed to the Internet, while allowing access to the back tier from an on-premises datacenter. This document will walk you through a scenario using User Defined Routes (UDR), a VPN Gateway, and network virtual appliances to deploy a two-tier environment that meets the following requirements:

  • Web application must be accessible from the public Internet only.
  • Web server hosting the application must be able to access a backend application server.
  • All traffic from the Internet to the web application must go through a firewall virtual appliance. This virtual appliance will be used for Internet traffic only.
  • All traffic going to the application server must go through a firewall virtual appliance. This virtual appliance will be used for access to the backend end server, and access coming in from the on-premises network via a VPN Gateway.
  • Administrators must be able to manage the firewall virtual appliances from their on-premises computers, by using a third firewall virtual appliance used exclusively for management purposes.

This is a standard perimeter network (also knowns as DMZ) scenario with a DMZ and a protected network. Such scenario can be constructed in Azure by using NSGs, firewall virtual appliances, or a combination of both. The table below shows some of the pros and cons between NSGs and firewall virtual appliances.

NSGNo cost.
Integrated into Azure RBAC.
Rules can be created in Azure Resource Manager templates.
Complexity could vary in larger environments.
FirewallFull control over data plane.
Central management through firewall console.
Cost of firewall appliance.
Not integrated with Azure RBAC.

The solution below uses firewall virtual appliances to implement a perimeter network (DMZ)/protected network scenario.


You can deploy the environment explained above in Azure using different features available today, as follows.

(Video) Run Azure Function PowerShell code On-Premises with a Relay Hybrid Connection

  • Virtual network (VNet). An Azure VNet acts in similar fashion to an on-premises network, and can be segmented into one or more subnets to provide traffic isolation, and separation of concerns.
  • Virtual appliance. Several partners provide virtual appliances in the Azure Marketplace that can be used for the three firewalls described above.
  • User Defined Routes (UDR). Route tables can contain UDRs used by Azure networking to control the flow of packets within a VNet. These route tables can be applied to subnets. One of the newest features in Azure is the ability to apply a route table to the GatewaySubnet, providing the ability to forward all traffic coming into the Azure VNet from a hybrid connection to a virtual appliance.
  • IP Forwarding. By default, the Azure networking engine forward packets to virtual network interface cards (NICs) only if the packet destination IP address matches the NIC IP address. Therefore, if a UDR defines that a packet must be sent to a given virtual appliance, the Azure networking engine would drop that packet. To ensure the packet is delivered to a VM (in this case a virtual appliance) that is not the actual destination for the packet, you need to enable IP Forwarding for the virtual appliance.
  • Network Security Groups (NSGs). The example below does not make use of NSGs, but you could use NSGs applied to the subnets and/or NICs in this solution to further filter the traffic in and out of those subnets and NICs.

Hybrid connection with 2-tier application (1)

In this example there is a subscription that contains the following:

  • 2 resource groups, not shown in the diagram.
    • ONPREMRG. Contains all resources necessary to simulate an on-premises network.
    • AZURERG. Contains all resources necessary for the Azure virtual network environment.
  • A VNet named onpremvnet used to mimic an on-premises datacenter segmented as listed below.
    • onpremsn1. Subnet containing a virtual machine (VM) running Ubuntu to mimic an on-premises server.
    • onpremsn2. Subnet containing a VM running Ubuntu to mimic an on-premises computer used by an administrator.
  • There is one firewall virtual appliance named OPFW on onpremvnet used to maintain a tunnel to azurevnet.
  • A VNet named azurevnet segmented as listed below.
    • azsn1. External firewall subnet used exclusively for the external firewall. All Internet traffic will come in through this subnet. This subnet only contains a NIC linked to the external firewall.
    • azsn2. Front end subnet hosting a VM running as a web server that will be accessed from the Internet.
    • azsn3. Backend subnet hosting a VM running a backend application server that will be accessed by the front end web server.
    • azsn4. Management subnet used exclusively to provide management access to all firewall virtual appliances. This subnet only contains a NIC for each firewall virtual appliance used in the solution.
    • GatewaySubnet. Azure hybrid connection subnet required for ExpressRoute and VPN Gateway to provide connectivity between Azure VNets and other networks.
  • There are 3 firewall virtual appliances in the azurevnet network.
    • AZF1. External firewall exposed to the public Internet by using a public IP address resource in Azure. You need to ensure you have a template from the Marketplace, or directly from your appliance vendor, that provisions a 3-NIC virtual appliance.
    • AZF2. Internal firewall used to control traffic between azsn2 and azsn3. This is also a 3-NIC virtual appliance.
    • AZF3. Management firewall accessible to administrators from the on-premises datacenter, and connected to a management subnet used to manage all firewall appliances. You can find 2-NIC virtual appliance templates in the Marketplace, or request one directly from your appliance vendor.

User Defined Routing (UDR)

Each subnet in Azure can be linked to a UDR table used to define how traffic initiated in that subnet is routed. If no UDRs are defined, Azure uses default routes to allow traffic to flow from one subnet to another. To better understand UDRs, visit What are User Defined Routes and IP Forwarding.

To ensure communication is done through the right firewall appliance, based on the last requirement above, you need to create the following route table containing UDRs in azurevnet.


In this scenario, the only traffic flowing from on-premises to Azure will be used to manage the firewalls by connecting to AZF3, and that traffic must go through the internal firewall, AZF2. Therefore, only one route is necessary in the GatewaySubnet as shown below.

DestinationNext hopExplanation on-premises traffic to reach management firewall AZF3


DestinationNext hopExplanation traffic to the backend subnet hosting the application server through AZF2 all other traffic to be routed through AZF1


DestinationNext hopExplanation traffic to azsn2 to flow from app server to the webserver through AZF2

You also need to create route tables for the subnets in onpremvnet to mimic the on-premises datacenter.

(Video) Introduction to Hybrid Connections


DestinationNext hopExplanation traffic to onpremsn2 through OPFW


DestinationNext hopExplanation traffic to the backed subnet in Azure through OPFW traffic to onpremsn1 through OPFW

IP Forwarding

UDR and IP Forwarding are features that you can use in combination to allow virtual appliances to be used to control traffic flow in an Azure VNet. A virtual appliance is nothing more than a VM that runs an application used to handle network traffic in some way, such as a firewall or a NAT device.

This virtual appliance VM must be able to receive incoming traffic that is not addressed to itself. To allow a VM to receive traffic addressed to other destinations, you must enable IP Forwarding for the VM. This is an Azure setting, not a setting in the guest operating system. Your virtual appliance still needs to run some type of application to handle the incoming traffic, and route it appropriately.

To learn more about IP Forwarding, visit What are User Defined Routes and IP Forwarding.

As an example, imagine you have the following setup in an Azure vnet:

  • Subnet onpremsn1 contains a VM named onpremvm1.
  • Subnet onpremsn2 contains a VM named onpremvm2.
  • A virtual appliance named OPFW is connected to onpremsn1 and onpremsn2.
  • A user defined route linked to onpremsn1 specifies that all traffic to onpremsn2 must be sent to OPFW.

At this point, if onpremvm1 tries to establish a connection with onpremvm2, the UDR will be used and traffic will be sent to OPFW as the next hop. Keep in mind that the actual packet destination is not being changed, it still says onpremvm2 is the destination.

Without IP Forwarding enabled for OPFW, the Azure virtual networking logic will drop the packets, since it only allows packets to be sent to a VM if the VM’s IP address is the destination for the packet.

(Video) AWS Summit DC 2022 - Connect your network to AWS with hybrid connectivity solutions

With IP Forwarding, the Azure virtual network logic will forward the packets to OPFW, without changing its original destination address. OPFW must handle the packets and determine what to do with them.

For the scenario above to work, you must enable IP Forwarding on the NICs for OPFW, AZF1, AZF2, and AZF3 that are used for routing (all NICs except the ones linked to the management subnet).

Firewall Rules

As described above, IP Forwarding only ensures packets are sent to the virtual appliances. Your appliance still needs to decide what to do with those packets. In the scenario above, you will need to create the following rules in your appliances:


OPFW represents an on-premises device containing the following rules:

  • Route: All traffic to (azurevnet) must be sent through tunnel ONPREMAZURE.
  • Policy: Allow all bidirectional traffic between port2 and ONPREMAZURE.


AZF1 represents an Azure virtual appliance containing the following rules:

  • Policy: Allow all bidirectional traffic between port1 and port2.


AZF2 represents an Azure virtual appliance containing the following rules:

(Video) Microsoft Azure hybrid connectivity overview

  • Policy: Allow all bidirectional traffic between port1 and port2.


AZF3 represents an Azure virtual appliance containing the following rules:

  • Route: All traffic to (onpremvnet) must be sent to the Azure gateway IP address (i.e., through port1.

Network Security Groups (NSGs)

In this scenario, NSGs are not being used. However, you could apply NSGs to each subnet to restrict incoming and outgoing traffic. For instance, you could apply the following NSG rules to the external FW subnet.


  • Allow all TCP traffic from the Internet to port 80 on any VM in the subnet.
  • Deny all other traffic from the Internet.


  • Deny all traffic to the Internet.

High level steps

To deploy this scenario, follow the high level steps below.

  1. Login to your Azure Subscription.
  2. If you want to deploy a VNet to mimic the on-premises network, provision the resources that are part of ONPREMRG.
  3. Provision the resources that are part of AZURERG.
  4. Provision the tunnel from onpremvnet to azurevnet.
  5. Once all resources are provisioned, sign in to onpremvm2 and ping to test connectivity between onpremsn2 and azsn3.


How do I add a hybrid connection to my app service? ›

To create a Hybrid Connection, go to the Azure portal and select your app. Select Networking > Configure your Hybrid Connection endpoints. Here you can see the Hybrid Connections that are configured for your app. To add a new Hybrid Connection, select [+] Add hybrid connection.

How many connection limits does Azure App Service have? ›

App Service Plan – Outbound Network Connection Limit
App Service PlanConnection Limit
Free F1250
Shared D1250
Basic B1 1 Instance1920
Basic B2 1 Instance3968
6 more rows
Nov 2, 2016

Which model is used for connecting hybrid model of resources in Azure? ›

Explanation: The Hybrid Cloud model combines both the public cloud and private cloud model. So, the company does not need to migrate its private cloud model to achieve the hybrid cloud model.

What is hybrid benefit? ›

Azure Hybrid Benefit is a cost-savings benefit that lets you bring your existing on-premises Windows Server and SQL Server licenses with active Software Assurance or subscriptions to Azure.

Do hybrid apps need Internet connection? ›

When developing a hybrid app, keep in mind that it will require internet access for full functionality. They can still operate offline but will not offer users the entire experience. They're developed using coding languages such as JavaScript, CSS, or HTML.

What is hybrid app example? ›

A hybrid app is essentially a web app, but it's given a lightweight native app “container” that allows it to leverage certain native platform features and device hardware (e.g., a device's camera, calendar, push notifications, and pinch and spread functionality) that a web application cannot access.

What is the maximum number of connections a server can handle? ›

What is the maximum number of concurrent TCP connections that a server can handle, in theory ? A single listening port can accept more than one connection simultaneously. There is a '64K' limit that is often cited, but that is per client per server port, and needs clarifying.

How many active connections can a server handle? ›

Then theoretical limit a server can support on a single port is 248 which is about 1 quadrillion because: The server distinguishes the connections from clients' source IPs and the source ports. [number of source IP addresses]x[num of source ports]

How many applications can you deploy to a single app service plan? ›

You can host up to 100 apps in a single app service plan, but the key thing to know here is that as with the free plan you are charged per app, not per app service plan. Each instance of a web app you deploy in the shared plan get's it's own 240 CPU minutes limit and is charged per app.

Is hybrid connection secure? ›

The new Hybrid Connections capability of Relay is a secure, open-protocol evolution based on HTTP and WebSockets.

How does a hybrid join a device to Azure? ›

In Connect to Azure AD, enter the credentials of a Global Administrator for your Azure AD tenant. In Device options, select Configure Hybrid Azure AD join, and then select Next.
Managed domains
  1. Select the Forest.
  2. Select an Authentication Service.
  3. Select Add to enter the enterprise administrator credentials.

How do hybrid models work? ›

A hybrid workplace model mixes in-office and remote work to offer flexibility and support to employees. In a hybrid workplace, employees typically enjoy more autonomy and better work-life balance – and are more engaged as a result.

What are the two most significant benefits of implementing a hybrid? ›

Hybrid cloud computing offers numerous benefits and advantages to enterprise organizations including:
  • Better support for a remote workforce. ...
  • Reduced costs. ...
  • Improved scalability and control. ...
  • Increased agility and innovation. ...
  • Business continuity. ...
  • Improved security and risk management. ...
  • Hardware costs.

How do I disable hybrid join? ›

You can disable hybrid join by preventing one of the requirement elements from triggering hybrid join registration: Modify the Scheduled Task which triggers AAD device registration. See Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join.

What are the disadvantages of hybrid application? ›

Drawbacks of hybrid apps

Browser needed: Users will need to open their web browser to run your app, which requires more steps and a URL or bookmark. With a native iOS or Android app, your software will always appear on your users' home screens. (There is a workaround.)

What is the purpose of hybrid apps? ›

Hybrid apps are popular because they allow developers to write code for a mobile app once and still accommodate multiple platforms. Because hybrid apps add an extra layer between the source code and the target platform, they may perform slightly slower than native or web versions of the same app.

What is hybrid internet connection? ›

What is a Hybrid Internet Connection? A hybrid internet connection brings together two types of internet connections, such as Wi-Fi and Ethernet. This ensures that a business can achieve higher bandwidth and security than it would when using just one type of internet connection.

How do I know if my app is a hybrid? ›

Yes, there is a simple way to distinguish between hybrid and native app. Go to Developer Options from Settings and turn on Show Layout bounds. And then launch your app and see the layout highlighted. If there are lots of rectangle highlighted, it's native.

What are the advantages and disadvantages of hybrid apps? ›

  • One codebase to rule them all. Hybrid apps use one codebase and can work across multiple platforms. ...
  • They are great for simpler applications. ...
  • Lower cost. ...
  • Quicker build. ...
  • Not good for high performance. ...
  • Higher complexity. ...
  • No access to native features. ...
  • Ways to make a hybrid app feel more native:

What is limit the number of simultaneous connections? ›

Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server.

How many connections can a load balancer handle? ›

Your load balancer uses these IP addresses to establish connections with the targets. Depending on your traffic profile, the load balancer can scale higher and consume up to a maximum of 100 IP addresses distributed across all enabled subnets.

What is maximum connection? ›

Max Connections controls the maximum number of keep-alive connections the server maintains. The possible range is zero to 32768, and the default is 256.

Can a server connect to multiple clients? ›

In the basic model, server handles only one client at a time, which is a big assumption if you want to develop any scalable server model. The simple way to handle multiple clients would be to spawn new thread for every new client connected to the server.

How many sockets can be opened per application? ›

For most socket interfaces, the maximum number of sockets allowed per each connection between an application and the TCP/IP sockets interface is 65535.

How many clients can a server accept connections from on the same port? ›

Irrespective of stateful or stateless protocols, two clients can connect to the same server port because for each client we can assign a different socket (as the client IP will definitely differ). The same client can also have two sockets connecting to the same server port - since such sockets differ by SRC-PORT .

How do I know if my device is hybrid joined? ›

Locally on the device
  1. Open Windows PowerShell.
  2. Enter dsregcmd /status .
  3. Verify that both AzureAdJoined and DomainJoined are set to YES.
  4. You can use the DeviceId and compare the status on the service using either the Azure portal or PowerShell.
Aug 15, 2022

How do I enable hybrid ad join? ›

In Connect to Azure AD, enter the credentials of a Global Administrator for your Azure AD tenant. In Device options, select Configure Hybrid Azure AD join, and then select Next.
Managed domains
  1. Select the Forest.
  2. Select an Authentication Service.
  3. Select Add to enter the enterprise administrator credentials.

When should you use a hybrid app? ›

Hybrid apps allow for the use of programming languages used frequently by web developers (HTML, JavaScript and CSS) who can thus reuse their knowledge. This makes finding resources to build a hybrid app easier. Reusing the code of the web app part: the code is written once and deployed across all mobile platforms.

How many apps are hybrid? ›

A full 74% of the top 50 retail apps on the U.S. App Store are hybrid apps according to a recent report: Low Code Explosion.

How do I qualify for Azure hybrid benefit? ›

To qualify for Azure Hybrid Benefit for Windows Server, you need on-premises core licenses for Windows Server with active Software Assurance. Software Assurance is only available as part of a commercial licensing agreement.

Which products are eligible for the Azure hybrid benefit? ›

Azure Hybrid Benefit is applicable only to Windows Server Standard and Datacenter editions, SQL Server Enterprise Core and Standard Core, and Azure SQL Database. The benefit does not apply to SQL Server licensed under the server/CAL license model.

How do I know if I have Azure hybrid benefit? ›

From portal VM blade, you can view the toggle for Azure Hybrid Benefit for Windows Server by selecting "Configuration" tab.

How do I remove hybrid connection? ›

You will see your list of Hybrid Connections on the right with the number of places they are being used listed under the "Listeners" column. When you select the one you want to delete, it will take you to a new page with a "Delete" icon (little trash can).

How can I know that my device is connected to another device? ›

Go to your Google Account. On the left navigation panel, select Security . On the Your devices panel, select Manage all devices. You'll see devices where you're currently signed in to your Google Account or have been in the last few weeks.

What are hybrid devices? ›

Hybrid device means a device with a combination of components from two or more lawful devices and is used for the take of wild- life, such as but not limited to a firearm, pneumatic weapon, or slingshot that shoots arrows or bolts.


1. VLOG - The New Hybrid Connections
(Team Mexia)
2. Lec-4: 2 tier and 3 tier Architecture with real life examples | Database Management System
(Gate Smashers)
3. DO NOT design your network like this!! // FREE CCNA // EP 6
4. Exchange On-Premise to Office 365 Hybrid | Mailbox Migration Exchange Online | Step by Step Guide
(Cloud Inspired)
5. SAP S/4HANA Cloud 1905 – Hybrid Deployment (2-Tier ERP) | Arun Nair | May 2019
(SAP Products & Services)
6. Secure Hybrid Access: Simplify your legacy application landscape with Azure AD
(Microsoft Security)


Top Articles
Latest Posts
Article information

Author: Trent Wehner

Last Updated: 08/03/2023

Views: 6772

Rating: 4.6 / 5 (76 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Trent Wehner

Birthday: 1993-03-14

Address: 872 Kevin Squares, New Codyville, AK 01785-0416

Phone: +18698800304764

Job: Senior Farming Developer

Hobby: Paintball, Calligraphy, Hunting, Flying disc, Lapidary, Rafting, Inline skating

Introduction: My name is Trent Wehner, I am a talented, brainy, zealous, light, funny, gleaming, attractive person who loves writing and wants to share my knowledge and understanding with you.