You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/app-service-hybrid-connections.md
+22-20Lines changed: 22 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -296,7 +296,7 @@ After you edit the configuration file, restart the Hybrid Connection Manager ser
296
296
- **Windows**: Restart the service through **Services** from the **Start Menu**.
297
297
- **Linux**: Run `systemctl restart hybridconnectionmanager.service`.
298
298
299
-
Configuring a proxy server routes requests from the Hybrid Connection Manager through the selected proxy server before reaching the destination. Ensure your proxy server supports HTTP/HTTPS traffic so that the Hybrid Connection Manager can communicate with the Azure Relay Service.
299
+
Configuring a proxy server routes requests from the Hybrid Connection Manager through the selected proxy server before reaching the destination. Ensure your proxy server supports HTTP/HTTPS and WebSocket traffic over port 443 so that the Hybrid Connection Manager can communicate with Azure Relay. If your proxy supports DNS allowlisting, allow `*.servicebus.windows.net`. If you can't use a wildcard, allow the specific Relay namespace hostname and the gateway hostnames for that namespace.
300
300
301
301
> [!NOTE]
302
302
> All addresses setin`appsettings.json` (`ProxyAddress`, `BypassList`) should be in RegEx format if not an exact match.
@@ -387,7 +387,7 @@ The status of **Connected** means that at least one Hybrid Connection Manager is
387
387
- Does your host have outbound access to Azure on port 443? You can test from your Hybrid Connection Manager host using the PowerShell command`Test-NetConnection Destination -P Port`.
388
388
- Is your Hybrid Connection Manager potentially in a bad state? Try restarting the **Azure Hybrid Connection Manager Service**local service.
389
389
- Do you have conflicting software installed? Hybrid Connection Manager can't coexist with Biztalk Hybrid Connection Manager or Service Bus for Windows Server. When you install the Hybrid Connection Manager, you should remove any versions of these packages first.
390
-
- Do you have a firewall between your Hybrid Connection Manager host and Azure? If so, you need to allow outbound access to both the Service Bus endpoint URL *AND* the Service Bus gateways that service your Hybrid Connection.
390
+
- Do you have a firewall between your Hybrid Connection Manager host and Azure? If so, allow outbound HTTPS and WebSocket traffic over port 443. If your firewall supports DNS allowlisting, allow `*.servicebus.windows.net`, which is the preferred configuration. If you can't use a wildcard, allow the Relay namespace hostname and the gateway hostnames forthat namespace. IP allowlists aren't recommended because the Relay gateway IP addresses can change.
391
391
392
392
- You can find the Service Bus endpoint URL in the Hybrid Connection Manager GUI.
393
393
@@ -397,31 +397,33 @@ The status of **Connected** means that at least one Hybrid Connection Manager is
397
397
398
398
:::image type="content" source="media/app-service-hybrid-connections/hybrid-connections-service-bus-endpoint-cli.png" alt-text="Screenshot of Hybrid Connection Service Bus endpoint in the CLI.":::
399
399
400
-
- The Service Bus gateways are the resources that accept the request into the Hybrid Connection and pass it through the Azure Relay. You need to allow list all of the gateways. The gateways are in the format: `G#-prod-[stamp]-sb.servicebus.windows.net` and `GV#-prod-[stamp]-sb.servicebus.windows.net`. The number sign, `#`, is a number between 0 and 127 and `stamp` is the name of the instance within your Azure data center where your Service Bus endpoint exists.
400
+
- The Service Bus gateways are the resources that accept the request into the Hybrid Connection and pass it through Azure Relay. The gateway hostnames are in the format `G#-prod-[stamp]-sb.servicebus.windows.net` and `GV#-prod-[stamp]-sb.servicebus.windows.net`. The number sign, `#`, is a number between 0 and 127 and `stamp` is the name of the instance within your Azure datacenter where your Service Bus endpoint exists.
401
401
402
-
- If you can use a wildcard, you can allow list *\*.servicebus.windows.net*.
403
-
- If you can't use a wildcard, you must allow list all 256 of the gateways.
402
+
- If your firewall or proxy supports DNS allowlisting, allow `*.servicebus.windows.net`. This approach is simpler to maintain and avoids relying on changing IP addresses.
403
+
- If your firewall or proxy doesn't support wildcard DNS rules, allow the namespace hostname shown inthe Hybrid Connection Manager and all gateway hostnames for that namespace. Use hostnames, not IP addresses.
404
404
405
405
You can find out the stamp using *nslookup* on the Service Bus endpoint URL.
406
406
407
407
:::image type="content" source="media/app-service-hybrid-connections/hybrid-connections-stamp-name.png" alt-text="Screenshot of terminal showing where to find the stamp name for the Service Bus.":::
408
408
409
-
In this example, the stamp is `sn3-010`. To allow list the Service Bus gateways, you need the following entries:
410
-
411
-
G0-prod-sn3-010-sb.servicebus.windows.net
412
-
G1-prod-sn3-010-sb.servicebus.windows.net
413
-
G2-prod-sn3-010-sb.servicebus.windows.net
414
-
G3-prod-sn3-010-sb.servicebus.windows.net
415
-
...
416
-
G126-prod-sn3-010-sb.servicebus.windows.net
417
-
G127-prod-sn3-010-sb.servicebus.windows.net
418
-
GV0-prod-sn3-010-sb.servicebus.windows.net
419
-
GV1-prod-sn3-010-sb.servicebus.windows.net
420
-
GV2-prod-sn3-010-sb.servicebus.windows.net
421
-
GV3-prod-sn3-010-sb.servicebus.windows.net
422
-
...
423
-
GV126-prod-sn3-010-sb.servicebus.windows.net
409
+
In this example, the stamp is `sn3-010`. If you need namespace-specific DNS rules instead of `*.servicebus.windows.net`, allow the namespace hostname and the following gateway hostnames:
410
+
411
+
```text
412
+
G0-prod-sn3-010-sb.servicebus.windows.net
413
+
G1-prod-sn3-010-sb.servicebus.windows.net
414
+
G2-prod-sn3-010-sb.servicebus.windows.net
415
+
G3-prod-sn3-010-sb.servicebus.windows.net
416
+
...
417
+
G126-prod-sn3-010-sb.servicebus.windows.net
418
+
G127-prod-sn3-010-sb.servicebus.windows.net
419
+
GV0-prod-sn3-010-sb.servicebus.windows.net
420
+
GV1-prod-sn3-010-sb.servicebus.windows.net
421
+
GV2-prod-sn3-010-sb.servicebus.windows.net
422
+
GV3-prod-sn3-010-sb.servicebus.windows.net
423
+
...
424
+
GV126-prod-sn3-010-sb.servicebus.windows.net
424
425
GV127-prod-sn3-010-sb.servicebus.windows.net
426
+
```
425
427
426
428
If your status says **Connected** but your app can't reach your endpoint then:
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments