What are some Architecture design consideration while choosing Azure HCM over Azure VPN S2S connection for application hosted on Azure App Service?

Question

I am trying to deploy Hybrid Application on Azure. My Application will be hosted on Azure Cloud App Service and Database will be on company's private DC. I have some question on optimal architecture or optimum architecture solution on Azure in this scenario. I have an option to use VPN S2S connection or Azure Application Service Hybrid Connection Manager (HCM).

Since they both establish connection over public Internet they both will suffer from multiple hops connections and probably no SLA guarantees.

So what are the design consideration while choosing one over other and when would I choose Hybrid Connection manager (HCM) over VPN Site-to-site (S2S) when establishing hybrid connectivity from Azure hosed Application (PaaS) with the on-premise DB? Which one is faster?

Answer 1

As far as I know, in the case of connection from your app service to the on-premise database, the HCM features with app service is more easier deployed and without gateway needed than Azure app service over Site-to-site (S2S) connection. It's enough to use it for connecting resources in remote network. It's secure to makes outbound calls to Azure over port 443.

Each Hybrid Connection correlates to a single TCP host and port combination. It simply provides network access. See App Service Hybrid Connection benefits and Things you cannot do with Hybrid Connections

However, If you're using azure app service with virtual network and VPN connection, it makes a private connection from your web app service to your database and have more control of your network security rules. Also, there is preview feature to use Private Endpoints for Azure Web App.

You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Web App traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.