Blog Post

Apps on Azure Blog
3 MIN READ

Announcing the Public Preview of the New Hybrid Connection Manager (HCM)

jordanselig's avatar
jordanselig
Icon for Microsoft rankMicrosoft
Apr 10, 2025

We are excited to announce the public preview of the new version of the Hybrid Connection Manager (HCM), a powerful tool designed to enhance connectivity and streamline the management of Hybrid Connections. This release marks a significant milestone in our ongoing efforts to provide robust and user-friendly solutions for managing hybrid environments with App Service.

Update May 28, 2025: The new Hybrid Connection Manager is now Generally Available. The download links shared in this post will give you the latest Generally Available version. Learn more Key Fe...
Updated Aug 28, 2025
Version 6.0
azure app service
Jakeuj's avatar
Jakeuj
Copper Contributor
Dec 17, 2025

Hi IT Team,

We are currently preparing to deploy the new Azure Hybrid Connection Manager (HCM).
According to Microsoft documentation, the HCM client requires outbound access on ports 4999–5001 (Windows) or 5001 (Linux).

To support your outbound firewall allowlist (positive list) configuration, could you please advise:

  • Whether there is a defined source IP range or FQDN that should be used for outbound traffic from HCM, or
  • If Microsoft provides an official list of destination IP addresses or FQDNs that must be allowed for HCM outbound connections.

If outbound traffic is expected to go through dynamic Azure endpoints (e.g. Azure Service Bus or region-based services), please let us know the recommended approach (such as allowing specific Azure service tags or FQDN-based rules).

Any guidance or internal standard you recommend for handling this scenario would be greatly appreciated.

Thank you for your support.

Best regards,
JK

  • jordanselig's avatar
    jordanselig
    Icon for Microsoft rankMicrosoft
    Dec 17, 2025

    Hi JK,

    Here's the guidance for configuring your outbound firewall for the Hybrid Connection Manager:

    Outbound Port Requirements:

    • The HCM requires outbound access to Azure over port 443 (not 4999-5001 as mentioned - those are local ports used by the HCM service itself, not outbound ports).

    Destination FQDNs to Allowlist:

    You need to allow outbound traffic to two types of endpoints:

    1. Service Bus endpoint URL - This is specific to your Hybrid Connection and can be found in the HCM GUI or CLI after adding a connection.
    2. Service Bus gateways - These are in the format:
      • G#-prod-[stamp]-sb.servicebus.windows.net
      • GV#-prod-[stamp]-sb.servicebus.windows.net
      Where # is 0-127 and stamp is your datacenter instance (found via nslookup on your Service Bus endpoint).

    Recommended Approach:

    • If your firewall supports wildcards: Allowlist *.servicebus.windows.net on port 443
    • If wildcards aren't supported: You'll need to allowlist all 256 gateway FQDNs for your specific stamp

    Source IP: There's no defined source IP range - the source is simply the machine running HCM.

    For more info, have a look at our troubleshooting info https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections?tabs=windows#troubleshooting or feel free to reply here.