Blog Post

Messaging on Azure Blog
5 MIN READ

Bridging Connectivity: Exploring Azure Relay Bridge (azbridge)

msft-samuel's avatar
msft-samuel
Icon for Microsoft rankMicrosoft
Nov 14, 2024

Introduction to Secure Remote Access with Azure Relay and Azbridge

In modern IT environments, securely accessing on-premises resources from remote locations is a common challenge. Traditional methods, such as setting up VPNs, often require complex configurations and can introduce significant overhead. For organizations seeking a more streamlined solution, Azure Relay, combined with the open-source tool Azure Relay Bridge (azbridge), offers an efficient way to establish secure, direct connections without the need for VPNs.

Azbridge leverages Azure Relay to create TCP, UDP, HTTP, and Unix Socket tunnels, enabling secure traversal through NATs and firewalls using only outbound HTTPS (443) connectivity. This makes it ideal for connecting remote clients to on-premises resources, such as Remote Desktop Protocol (RDP) sessions, without exposing them to the public internet.

While Azure Relay is fully supported by Microsoft, it’s important to note that azbridge is an open-source tool and is not covered by Microsoft support. Users can seek assistance for Azure Relay, but azbridge-specific issues should be reported directly on its repository, where response times may vary.

In this guide, we’ll walk through the setup process for using azbridge with Azure Relay to create an RDP connection. You’ll learn how to configure a Hybrid Connection in Azure, customize client and server configuration files, and run azbridge as a service across different operating systems. 

Example Use Case for AZBridge

Azbridge enables secure Remote Desktop Protocol (RDP) connections by allowing users to expose a network-isolated socket that can be accessed from an entirely separate network. This approach provides secure, remote access to on-premises resources—such as RDP, databases, or web servers—without the complexity of setting up a VPN, making it ideal for users needing isolated, controlled access across network boundaries. Using Azure Relay, azbridge creates direct tunnels that bypass NATs and firewalls without requiring extensive network configuration. This setup not only simplifies access but also enhances security by enabling RDP connections without exposing sessions to the public internet, thereby reducing potential risks.

In many situations, users need access to specific resource endpoints rather than an entire network. Azbridge is especially valuable in scenarios such as accessing billing databases in franchise locations, integrating with secure test systems, or making web service calls to protected applications. By leveraging Azure Relay, azbridge provides a controlled way to reach exactly the endpoint you need without exposing the entire network that it is in.

Additionally, azbridge is a cost-effective solution, avoiding traditional VPN licensing fees and charging only for active Azure Relay connections. Because it relies on outbound HTTPS (443), azbridge works seamlessly across restrictive networks, allowing connections without additional firewall adjustments. For developers and IT admins, azbridge provides quick, secure access to on-premises machines from any location, serving as a fast, flexible alternative to traditional VPNs for endpoint-specific connectivity.

The diagram above demonstrates how azbridge enables a secure Remote Desktop Protocol (RDP) connection across network boundaries using Azure Relay. In this setup, On-Premises Network A contains the client machine, where azbridge (labeled as "Relay Bridge") is installed. This client is seeking to establish an RDP connection to a remote machine located in a different network, On-Premises Network B.

Azure Relay acts as a secure intermediary between the two networks, facilitating the connection without exposing either network to the public internet. By creating a direct tunnel that bypasses NATs and firewalls, Azure Relay allows the client in Network A to communicate with the endpoint in Network B safely. On-Premises Network B contains the target machine with azbridge installed, which is also labeled as "Relay Bridge." This machine hosts the specific endpoint (such as an RDP server) that the client in Network A is trying to access.

Through this configuration, azbridge in Network A connects via Azure Relay to reach the endpoint in Network B without requiring a VPN. Only the designated RDP endpoint is exposed to the connection, while the rest of Network B remains isolated and secure. This approach provides a secure, controlled RDP connection across networks, allowing remote access to on-premises resources without exposing the entire network.

Prerequisites and Initial Setup

To get started, you will first need to set up an Azure Relay Hybrid Connection the basic instructions for doing so are provided below. Presuming you have already gained the Entra id login credentials for Azure, set up some environment variables in your environment:  

export NAMESPACE=<your_namespace_name>   # e.g., mynamespacename
export LOCATION=<location_name>          # e.g., eastus2
export RELAYNAME=<your_relay_name>       # e.g., azbridge

 

Next, use the specified namespace and location to create a resource group:

az group create --name $NAMESPACE --location $LOCATION

 

In your resource group, create an azure relay namespace for this example the resource group and the azure relay namespace are identically named: 

az relay namespace create -g $NAMESPACE --name $NAMESPACE

 

Create a new Hybrid Connection in your Azure Relay namespace: 

az relay hyco create -g $NAMESPACE --namespace-name $NAMESPACE --name $RELAYNAME

 

Create an authorization rule with your Hybrid Connection, allow send and listen permissions on the authorization rule: 

az relay hyco authorization-rule create -g $NAMESPACE --namespace-name $NAMESPACE --hybrid-connection-name $RELAYNAME -n sendlisten --rights Send Listen

 

Retrieve the primaryConnectionString for the authorization rule generated. This will be needed for the azbridge configuration files:

az relay hyco authorization-rule keys list -g $NAMESPACE --namespace-name $NAMESPACE -n sendlisten --hybrid-connection-name $RELAYNAME --out tsv --query "primaryConnectionString"

 

Setting Up RDP with Azure Relay and Azbridge

For this example, we’ll be using the Windows operating system. Install the MSI package on both your client machine and the remote RDP machine. You can download the MSI package for installation from Azure Relay Bridge Releases on GitHub 

Client Machine Configuration

On the client machine, generate a client_config.yaml file with the following contents: 

LocalForward :
  - BindAddress: 127.1.0.2
    BindPort: 13389
    PortName: rdp
    RelayName: <<RELAYNAME>>
    ConnectionString: <<primaryConnectionString>>

LogLevel: INFO

Bind Address: Source address of outbound, forwarding connections, in this example, 127.1.0.2 is used to create a local endpoint on the client machine without affecting 127.0.0.1 

BindPort: TCP port mapped to the hybrid connection 13389 is used in this case because Windows does not allow listening on port 3389 on any address.

PortName: Primarily used for internal configuration within azbridge to label and map the local and remote ports consistently. This label helps identify the specific purpose of each connection.

RelayName: Hybrid Connection on Azure Relay that will be used for this connection

ConnectionString: primaryConnectionString created for the Azure Relay Hybrid Connection with Send and Listen permissions.

To start the client connection, open up a command prompt and specify the client_config.yml file that was generated. 

azbridge -f client_config.yml

Remote RDP Machine Configuration

On the rdp machine, generate a server_config.yml file with the following contents: 

RemoteForward :
   - RelayName: <<RELAYNAME>>
     Host: localhost
     PortName: rdp
     HostPort: 3389
     ConnectionString: <<primaryConnectionString>>

LogLevel: INFO

Similar to the Client setup, only this file sets up a remote forwarder that binds the hybrid connection with logical port "rdp" to the Windows RDP endpoint on "localhost", port 3389.

 

To start the local RDP connection, open up a command prompt and specify the server_config.yml file that was generated. 

azbridge -f server_config.yml

Connect via RDP

On your client machine, open up a Remote Desktop Connection to your Remote RDP host. For this connection, you will use the 127.1.0.2:13389 specified in your client_config.yml: 

 

  •  

 

Updated Nov 13, 2024
Version 1.0
azure service bus
  • junpark1135's avatar
    junpark1135
    Icon for Microsoft rankMicrosoft
    Nov 18, 2024

    hi thanks for the nice article. Can i use az relay and bridge between az vm and on-prem as well without vpn? If possible i wonder if i can use this solution instead of vpn because in some environments azure resources need to connect on-premises resources like database and api service. Thanks