Now in Public Preview: Active Directory Support for Azure Relay
- By John K. Waters
- 07/27/2021
Microsoft will soon make it possible to use Azure Active Directory to authenticate and authorize an application's access to Azure Relay resources, the company says. The new integration is now in public preview.
Formerly known as Service Bus Relay, Azure Relay provides a secure means of exposing corporate network services running on-premises to the public cloud. The services can be exposed without opening a firewall connection or making the intrusive changes to the corporate network that technologies such as a VPN require. Azure Relay can be scoped (using a namespace) to a single application endpoint on a single machine.
Until now, companies have relied on shared access signatures (SAS) to authenticate and authorize an application's access to Azure Relay services. (A SAS is a URI that grants restricted access rights to Azure Storage resources.)
The new Azure AD integration with Azure Relay enables the use of Azure role-based access control (Azure RBAC) over a security principal, which may be a user, group or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token, which can be used to authorize a request to access an Azure Relay resource. The OAuth 2.0 authorization protocol allows a user to grant a third-party Web site or app access to protected resources without revealing their long-term credentials or identity.
Microsoft said in a blog post that authorizing users of apps using OAuth 2.0 tokens returned by Azure AD "provides superior security and ease of use over SAS. With Azure AD, there is no need to store tokens in your code and risk potential security vulnerabilities."
Microsoft is recommending that Azure AD be used with Azure Relay applications "when possible," because it supports fine-grained control over a client's access to resources.
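To make concrete what the SAS approach the article contrasts with Azure AD actually involves, here is an added example (not code from Microsoft or from the article) that mints a Relay-style shared access signature and models the service-side check. The signing format follows the one Azure documents for Service Bus and Relay SAS tokens; the namespace, path and key are constructed sample values, and the point to notice is that the long-lived shared key must sit wherever tokens are minted, which is exactly what the Azure AD flow removes from application code.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote_plus

# Constructed sample values for the demonstration; not a real namespace or key.
RELAY_URI = "https://contoso-relay.servicebus.windows.net/orders"
KEY_NAME = "RootManageSharedAccessKey"
SHARED_KEY = "c29tZS1jb25zdHJ1Y3RlZC1rZXktbWF0ZXJpYWw="
PREFIX = "SharedAccessSignature "


def create_sas_token(resource_uri, key_name, key, expiry):
    """Mint a Service Bus / Relay style SAS token.

    The signature is HMAC-SHA256 over "<url-encoded uri>\\n<expiry>" using the
    namespace's shared access key, so that long-lived key has to be present
    wherever tokens are minted (the "tokens in your code" risk in the article).
    """
    encoded_uri = quote_plus(resource_uri)
    sig = hmac.new(key.encode(), f"{encoded_uri}\n{expiry}".encode(), hashlib.sha256).digest()
    encoded_sig = quote_plus(base64.b64encode(sig).decode())
    return f"{PREFIX}sr={encoded_uri}&sig={encoded_sig}&se={expiry}&skn={key_name}"


def validate_sas_token(token, expected_uri, keys, now):
    """Model of the service-side check: parse, then verify scope, expiry and HMAC."""
    if not token.startswith(PREFIX):
        return False
    fields = dict(parse_qsl(token[len(PREFIX):]))  # parse_qsl URL-decodes sr and sig
    try:
        expiry = int(fields["se"])
        key = keys[fields["skn"]]  # unknown key name -> KeyError -> reject
    except (KeyError, ValueError):
        return False
    if fields.get("sr") != expected_uri or expiry <= now:
        return False  # wrong resource scope or token already expired
    expected = hmac.new(key.encode(), f"{quote_plus(expected_uri)}\n{expiry}".encode(), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(fields.get("sig", ""), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, presented)  # constant-time comparison


if __name__ == "__main__":
    now = int(time.time())
    token = create_sas_token(RELAY_URI, KEY_NAME, SHARED_KEY, now + 3600)
    print(token)
    print("valid:", validate_sas_token(token, RELAY_URI, {KEY_NAME: SHARED_KEY}, now))
```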
Azure Relay comprises two features that enable secure connections to assets within a corporate network. Microsoft describes the Hybrid Connections feature as "a secure and open-protocol evolution of the Relay features that existed earlier." Based on the HTTP and WebSocket protocols, this feature allows users to send requests and receive responses over WebSockets or HTTP(S). It also uses the Windows Communication Foundation (WCF) to enable remote procedure calls. Microsoft describes the second feature, WCF Relays, as "the legacy relay offering that many customers already use with their WCF programming models."
Azure Relay supports three basic scenarios for exposing on-premises resources to apps running in the cloud: one-way, request-response and peer-to-peer communication; event distribution at Internet-scope to enable publish/subscribe; bi-directional and unbuffered socket communication across network boundaries.
Microsoft has provided a quickstart page with step-by-step instructions for registering an application in the Azure portal.
About the Author
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].