
Hybrid Data Access




This course provides the practical knowledge and expertise you will need to master the Design an Application Storage and Data Access Strategy section of the Microsoft Azure 70-534 certification exam. In this session, we will cover: Options for data storage, mobile application back-ends, push notifications, web API and web jobs and hybrid data access patterns. We will also discuss Azure Media Services (streaming, video on-demand and monitoring).


Welcome back. In this lesson, we're going to talk about how Hybrid solutions require some different patterns for accessing and sharing data than purely on-prem or purely cloud-based applications.

Cloud migrations can be slow going. There are a lot of things to consider and a lot of moving parts so Hybrid solutions aren't uncommon and that means as companies move to the cloud, they'll need ways to start extending on-prem solutions with cloud based options.

Suppose you have a WCF service inside of your company and it's behind the firewall and now you need to invoke it from some cloud service but you don't wanna expose it directly to the internet. So how do you go about doing something like that? So this is what Azure Service Bus is for. Azure Service Bus is a messaging infrastructure that works as a relay. It can allow you to create bidirectional channels for exchanging data. When Service Bus receives a message, it will relay the message to the on-prem bidirectional socket that has already been opened by the service.

If you already have a WCF endpoint, you don't need to change anything in the implementation. What you need to do is configure the netTcpRelay endpoint, and WCF will do all the work of establishing a two-way socket connection to the Service Bus.

On the WCF service, you don't need to worry about security because you can securely control access to the services directly from Azure Service Bus. So Service Bus is going to allow us to have a relay between our on-prem services and our Azure-based services, and this allows us to call existing on-prem services from Azure-based things such as a web app. This is a very easy way to start building out new solutions in Azure that use existing on-prem resources. At a code level, if you're using dependency injection to inject our implementation of a given service, we can ensure that there's minimal code refactoring when it comes to porting the on-prem version of the resource to Azure.
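The relay setup described above, sketched with access control handled at Service Bus (an added example, not code from the course). The namespace `contoso-relay`, the `IEchoService` contract, the rule names `onprem-listen` and `cloud-send`, and the environment variable names are all placeholders; the example assumes the WindowsAzure.ServiceBus NuGet package and two shared access rules, one with only the Listen right and one with only the Send right.

```csharp
// Added example, not from the course. Needs the WindowsAzure.ServiceBus package.
using System;
using System.ServiceModel;
using Microsoft.ServiceBus;

[ServiceContract]
public interface IEchoService            // hypothetical contract
{
    [OperationContract] string Echo(string text);
}

public class EchoService : IEchoService  // stands in for the existing on-prem service
{
    public string Echo(string text) { return text; }
}

public static class RelayDemo
{
    // Placeholder namespace and path; both sides derive the same sb:// address.
    static readonly Uri Address =
        ServiceBusEnvironment.CreateServiceUri("sb", "contoso-relay", "echo");

    // Transport security plus a mandatory relay access token for every caller.
    static NetTcpRelayBinding Binding()
    {
        return new NetTcpRelayBinding(EndToEndSecurityMode.Transport,
                                      RelayClientAuthenticationType.RelayAccessToken);
    }

    // Keys are read from the environment (an assumption), never from source.
    static TransportClientEndpointBehavior Sas(string rule, string envVar)
    {
        string key = Environment.GetEnvironmentVariable(envVar);
        return new TransportClientEndpointBehavior {
            TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(rule, key) };
    }

    // On-prem side: dials out to the relay, so no inbound firewall rule is needed.
    public static ServiceHost StartListener()
    {
        var host = new ServiceHost(typeof(EchoService));
        host.AddServiceEndpoint(typeof(IEchoService), Binding(), Address)
            .Behaviors.Add(Sas("onprem-listen", "RELAY_LISTEN_KEY")); // Listen right only
        host.Open();
        return host;
    }

    // Cloud side (for example a web app): same address, a Send-only rule.
    public static string Call(string text)
    {
        var factory = new ChannelFactory<IEchoService>(Binding(), new EndpointAddress(Address));
        factory.Endpoint.Behaviors.Add(Sas("cloud-send", "RELAY_SEND_KEY"));
        try { string reply = factory.CreateChannel().Echo(text); factory.Close(); return reply; }
        catch { factory.Abort(); throw; }
    }
}
```

Splitting Listen and Send across two rules means a key leaked from the cloud app cannot be used to register a listener on the relay address, and either key can be rotated without touching the other side.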

Alright, not all applications will connect with WCF services, so that's going to exclude using Service Bus Relay for some cases, and that may mean that we need to expose on-prem services or resources in a secure way. Let's say, for example, SQL Server. In this scenario, we can use BizTalk API Apps, which can establish, publish and control Hybrid connections to on-prem TCP services, and we can define and manage those connections from the portal.

To use this, you're gonna need to install the Hybrid Connection Manager, an on-prem software daemon. That will allow us to have a bridge between Azure services and internal services. You're gonna need to bind some additional ports outside of the ports used by the services: it's gonna use port 84 for cert validation, 443 for HTTPS, 5671 to connect to Azure, and 9352 to push and hold data. This sort of thing is useful for connecting web or mobile apps to on-prem databases.

Speaking of web apps, we can configure a web app to access a virtual network. That doesn't move the web app inside of the original network, though it can access resources inside of it. If the virtual network is connected to our on-prem network through a site-to-site VPN, then that web app can access our on-prem resources as well, and the same applies to ExpressRoute connections. Now, this is gonna be a viable option for some scenarios. However, it can also open up some security concerns, so this sort of setup should be reviewed by a member of your infosec team before setting up.

Also, keep in mind that there are some limitations with the VPN. A virtual network can establish connections to 10 networks. In particular, it can connect to six on-prem networks and four other virtual networks. Now, if none of these options meet your need for sharing data, you can allow Cloud Services and Virtual Machines to domain-join and this is useful to limit access to users that are already present on the domain controller.

There are two main methods to domain-join Cloud Services. The first is to use PowerShell scripts configured as a startup task. Or, if the domain-joining operations you need aren't available in PowerShell, you can execute them in code inside of the Cloud Service RoleEntryPoint.

A Virtual Machine can domain-join in two ways as well. You can manually do it from the Windows UI, adding the computer to the network. The other way is through PowerShell, and this can be executed during the VM creation, automatically running after the machine completes its deployment. This is the cloud-friendly, infrastructure-as-code way to do it.

Okay, that's gonna wrap up this lesson. In our next lesson, we're gonna talk about media solutions so let's get started with the next lesson.

About the Author

Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.