This chapter covers Azure Relay, a service that enables secure hybrid connectivity between on-premises services and cloud applications without opening firewall ports. For the AZ-204 exam, understanding Azure Relay is critical for the "Integrate" domain (Objective 5.1), which focuses on implementing hybrid connectivity solutions. Approximately 5-10% of exam questions touch on Azure Relay, often comparing it to related technologies like VPN Gateway and Azure Service Bus. Mastering this topic ensures you can select the correct connectivity mechanism for scenarios requiring secure, bidirectional communication across network boundaries.
Jump to a section
Imagine a large company with a private internal phone network (the on-premises service) and a separate public phone line (the cloud client). The company does not want to publish its internal extension numbers to the outside world. They hire a switchboard operator (Azure Relay) who sits at a neutral location. The operator has two phones: one connected to the public line and one connected to the internal network. When an internal employee needs to receive calls, they first call the operator and ask to be put on the "listening" list. The operator notes their extension and keeps the line open. Now, when an external caller dials the operator's public number and asks for that extension, the operator patches the call through the already-open internal line. The external caller never directly dials the internal extension; all communication flows through the operator. The operator also enforces security by verifying the caller's identity and ensuring only authorized callers are connected. If the internal employee hangs up, the operator cannot connect new calls until the employee calls back. This is exactly how Azure Relay works: an on-premises service initiates an outbound connection to the Relay, creating a bidirectional socket. Cloud clients then connect to the Relay, which bridges the two connections without exposing the on-premises firewall ports.
What is Azure Relay and Why Does It Exist?
Azure Relay is a cloud service that facilitates secure communication between services running in different network environments, such as on-premises datacenters and Azure cloud, without requiring direct network connectivity or inbound firewall rules. It is part of the Azure Service Bus family and is designed specifically for hybrid connectivity scenarios where one party (typically the on-premises service) is behind a NAT or firewall that blocks inbound connections.
Azure Relay solves a fundamental problem: many enterprise environments have strict firewall policies that deny all inbound traffic from the internet. Traditional approaches like VPN gateways require opening ports or configuring complex routing. Azure Relay eliminates this need by allowing the on-premises service to initiate an outbound connection to the Relay in Azure, which then maintains a persistent bidirectional socket. Cloud clients connect to the Relay and are transparently connected to the on-premises service through this socket.
How Azure Relay Works Internally
Azure Relay uses a relayed communication model. The process involves three actors: - Listener: The on-premises service that registers itself with the Relay. - Relay Service: The Azure-managed endpoint that mediates connections. - Sender: The cloud client that wants to communicate with the listener.
#### Step-by-Step Mechanism:
1. Listener Registration: The listener (on-premises service) opens an outbound WebSocket connection to the Azure Relay endpoint (e.g., wss://your-namespace.servicebus.windows.net/$hc/your-path?api-version=2016-07). This connection is authenticated using a Shared Access Signature (SAS) token. The listener sends a registration request, and the Relay acknowledges, creating a persistent bidirectional channel.
2. Connection Offer: When a sender wants to connect, it sends a request to the Relay with the listener's path. The Relay creates a new, temporary endpoint (a "connect" endpoint) and sends an "offer" to the listener over the persistent channel. The offer includes a unique connection ID.
3. Listener Acceptance: The listener receives the offer and can accept or reject it. If accepted, the listener opens a new WebSocket connection to the provided connect endpoint. This is a separate connection from the persistent channel.
4. Bidirectional Bridging: Once both the sender and listener are connected to the Relay's temporary endpoint, the Relay begins relaying data between them. Data flows through the Relay, which acts as a transparent proxy. The Relay does not inspect or modify the payload; it simply forwards bytes.
5. Connection Teardown: When either side closes the connection, the Relay cleans up the temporary endpoint and notifies the other side. The persistent listener channel remains open for future connections.
Key Components, Values, Defaults, and Timers
Relay Namespace: A container for Relay entities, created within an Azure Service Bus namespace. The namespace provides a unique DNS name (e.g., your-namespace.servicebus.windows.net).
Hybrid Connection: The primary entity type for Azure Relay. It supports both WebSocket and raw TCP connections. Each Hybrid Connection has a name (path) that clients use to connect.
Shared Access Signature (SAS): Used for authentication. SAS tokens can be generated with specific permissions (Listen, Send, Manage) and have an expiry time. Default token expiry is 1 hour, but can be configured up to 24 hours.
WebSocket Protocol: The default protocol for Hybrid Connections. Uses wss:// for secure connections. Maximum message size is 64 KB per frame.
TCP Relay: An older relay mode (WCF Relay) that uses the NetTcpRelay binding. It supports larger payloads but is less common in modern applications.
Connection Timeout: The Relay service has a default idle timeout of 60 seconds. If no data is sent for 60 seconds, the connection may be dropped. To keep the connection alive, applications should send periodic heartbeats or keepalive frames.
Maximum Concurrent Listeners: Each Hybrid Connection can have multiple listeners, but only one listener can be active at a time. If multiple listeners register, the Relay uses a round-robin distribution.
Listener Limit: A single namespace can have up to 100 Hybrid Connections. Each Hybrid Connection can support up to 25 concurrent sender connections.
Configuration and Verification Commands
Azure Relay is typically configured using the Azure portal, Azure CLI, or ARM templates. Below are essential commands:
Create a Relay namespace:
az relay namespace create --resource-group myRG --name myRelayNS --location eastusCreate a Hybrid Connection:
az relay hybrid-connection create --resource-group myRG --namespace-name myRelayNS --name myHCGenerate a SAS key for the Hybrid Connection:
az relay hybrid-connection authorization-rule create --resource-group myRG --namespace-name myRelayNS --hybrid-connection-name myHC --name myPolicy --rights Listen Send
az relay hybrid-connection authorization-rule keys list --resource-group myRG --namespace-name myRelayNS --hybrid-connection-name myHC --name myPolicyVerify connection using .NET SDK (listener side):
var listener = new HybridConnectionListener("sb://myRelayNS.servicebus.windows.net/myHC", "sas-key");
listener.Connecting += (o, e) => { Console.WriteLine("Connecting..."); };
listener.Online += (o, e) => { Console.WriteLine("Listener online"); };
await listener.OpenAsync(TimeSpan.FromSeconds(10));Verify connection using .NET SDK (sender side):
var client = new HybridConnectionClient("sb://myRelayNS.servicebus.windows.net/myHC", "sas-key");
var connection = await client.CreateConnectionAsync();
// Use connection stream for bidirectional communicationInteraction with Related Technologies
Azure VPN Gateway: VPN Gateway creates an encrypted tunnel between on-premises and Azure VNets, enabling full network-layer connectivity. Azure Relay operates at the application layer, providing point-to-point connections without network-level integration. Use VPN for site-to-site connectivity; use Relay for specific service exposure.
Azure Service Bus: Service Bus is a message broker for decoupled communication via queues and topics. Azure Relay is for direct, bidirectional streaming communication. They share the same namespace and authentication model but serve different purposes.
Azure API Management: API Management can expose on-premises APIs through Azure Relay by configuring a backend endpoint that points to the Relay Hybrid Connection. This allows API Management to route requests to on-premises services securely.
Azure Functions: Azure Functions can act as both listeners and senders for Azure Relay. For example, a function can listen for incoming requests from the cloud and forward them to on-premises systems.
Security Considerations
Authentication: All connections to Azure Relay must use SAS tokens. Tokens can be scoped to specific Hybrid Connections and permissions (Listen, Send). It is recommended to use separate tokens for listeners and senders and to rotate keys regularly.
Encryption: All communication between clients and Azure Relay is encrypted using TLS 1.2 (for WebSocket connections). The relay itself does not inspect payloads, so end-to-end encryption (e.g., using application-level encryption) is recommended for sensitive data.
Firewall Rules: Since listeners initiate outbound connections, no inbound firewall rules are required. However, outbound access to *.servicebus.windows.net on port 443 must be allowed.
IP Address Restrictions: Azure Relay does not support IP-based access control natively. However, you can use network service tags in Azure Firewall or NSGs to restrict outbound traffic from Azure resources.
Performance and Scaling
Latency: Azure Relay introduces minimal latency (typically <10 ms) because it simply forwards bytes. However, geographic distance between client, Relay, and listener can increase latency. Deploy the Relay namespace in a region close to both parties.
Throughput: Each Hybrid Connection can handle up to 25 concurrent sender connections. For higher throughput, multiple Hybrid Connections can be used with load balancing at the application layer.
Scaling Listeners: Multiple listeners can register on the same Hybrid Connection, but only one is active at a time. To scale, create multiple Hybrid Connections and distribute clients among them.
Monitoring: Use Azure Monitor to track metrics like incoming/outgoing messages, active connections, and errors. Alerts can be set for connection failures or high latency.
Listener Registers with Relay
The on-premises service opens an outbound WebSocket connection to the Azure Relay endpoint. It sends a registration request that includes the Hybrid Connection path and a SAS token with Listen permission. The Relay validates the token and responds with an acknowledgment. This creates a persistent bidirectional channel (the control channel) that remains open indefinitely. The listener must handle reconnection if the channel drops; typical reconnection logic uses exponential backoff with a maximum delay of 30 seconds.
Sender Requests Connection
A cloud client (sender) opens a WebSocket connection to the Relay, specifying the same Hybrid Connection path and a SAS token with Send permission. The Relay receives the request and checks if a listener is registered. If no listener is available, the sender receives an error (HTTP 504 Gateway Timeout). If a listener is available, the Relay creates a temporary connect endpoint (a unique URL) and sends an "offer" message to the listener over the control channel. The offer includes the connect endpoint URL and a connection ID.
Listener Accepts the Offer
The listener receives the offer and decides whether to accept. If it accepts, it opens a new WebSocket connection to the provided connect endpoint. This connection is separate from the control channel. The listener can also reject the offer if it is overloaded or for security reasons. Once the listener connects to the connect endpoint, the Relay bridges this connection with the sender's connection, creating a bidirectional data path.
Data Relay Begins
Once both sender and listener are connected to the temporary endpoint, the Relay begins forwarding data between them. Data is relayed in both directions simultaneously. The Relay does not buffer data; it streams bytes as they arrive. Each side can send data at any time. The Relay maintains the connection until either side closes it or an idle timeout occurs (default 60 seconds). Applications should implement keepalive mechanisms to prevent timeout.
Connection Teardown and Cleanup
When either the sender or listener closes the connection, the Relay immediately closes the corresponding connection on the other side. The temporary connect endpoint is destroyed. The control channel remains open for future connections. If the listener disconnects from the control channel (e.g., due to network failure), all active data connections are torn down, and new sender requests will fail until the listener reconnects.
Enterprise Scenario 1: Exposing On-Premises Web APIs to Cloud Applications
A large financial institution has a legacy customer management system running on-premises behind a strict firewall. They are building a new mobile app that needs to retrieve customer data in real-time. The cloud development team wants to call the on-premises API directly, but the network team refuses to open inbound ports. Azure Relay is chosen to bridge the gap. The on-premises service is wrapped with a Hybrid Connection listener that registers with the Relay namespace. The mobile app's backend (running on Azure App Service) uses the Hybrid Connection client SDK to send requests through the Relay. In production, the system handles 500 requests per second during peak hours. The team monitors connection counts and latency using Azure Monitor. A common issue is idle timeout: if the listener does not send data for 60 seconds, the control channel drops. They implement a heartbeat message every 30 seconds to keep the channel alive. Misconfiguration occurs when the SAS token expires (default 1 hour) without renewal, causing all connections to fail. They now use tokens with 24-hour expiry and a background job to refresh tokens before expiry.
Enterprise Scenario 2: Hybrid IoT Data Ingestion
A manufacturing company collects sensor data from factory floor devices that cannot connect directly to the cloud. The sensors send data to an on-premises gateway (listener) over a local network. The gateway uses Azure Relay to forward the data to an Azure IoT Hub for processing. The gateway registers as a listener, and a cloud worker role acts as a sender, pulling data from the relay and pushing it to IoT Hub. The system ingests 10,000 messages per second across 50 Hybrid Connections. Scaling is achieved by distributing sensors across multiple gateways, each with its own Hybrid Connection. A common failure mode is when the gateway loses network connectivity; the listener disconnects, and the cloud sender receives errors. The team implements automatic reconnection with exponential backoff and alerts on connection loss. Another issue is that the relay adds a few milliseconds of latency, which is acceptable for sensor data but would not be suitable for real-time control systems.
Scenario 3: Cross-Premises Database Synchronization
A retail chain uses an on-premises SQL Server database for point-of-sale transactions and needs to synchronize inventory data with an Azure SQL Database. They use Azure Relay to create a secure tunnel for a custom sync service. The on-premises sync agent acts as a listener, and the cloud sync service acts as a sender. The relay ensures that no firewall ports are opened. The sync runs every 5 minutes, transferring about 10 MB of data each time. The team found that the default 64 KB WebSocket frame size limits throughput, so they switched to TCP Relay mode for larger payloads. They also encountered issues with multiple listeners: if two sync agents registered on the same Hybrid Connection, only one would receive offers, causing data loss. They now use a dedicated Hybrid Connection per agent.
AZ-204 Exam Focus on Azure Relay
The AZ-204 exam tests Azure Relay under Objective 5.1: "Integrate with Azure Relay." You need to understand when to use Azure Relay versus other hybrid connectivity options, how to authenticate using SAS, and how to implement listeners and senders using the .NET SDK. The exam emphasizes conceptual understanding over deep configuration details.
Common Wrong Answers and Why Candidates Choose Them
Choosing VPN Gateway instead of Azure Relay: Candidates often select VPN Gateway for hybrid connectivity because they think all hybrid scenarios require a network tunnel. However, VPN Gateway is for site-to-site connectivity, not for exposing a single service. The trap is that VPN Gateway requires opening ports and routing changes, which Azure Relay avoids. If the scenario says "no inbound firewall ports" and "point-to-point communication," Azure Relay is correct.
Selecting Azure Service Bus instead of Azure Relay: Both use the same namespace, but Service Bus is for messaging (queues/topics) while Relay is for direct bidirectional streaming. Candidates confuse them because they share the same authentication model. The exam will describe a scenario requiring real-time, two-way communication; Service Bus would be wrong because it is asynchronous.
Thinking Azure Relay requires inbound ports on the listener side: This is false. The listener always initiates an outbound connection. Candidates who do not understand the architecture may assume that the Relay needs to connect to the listener, requiring an inbound rule.
Using the wrong SAS permission: The listener needs "Listen" permission; the sender needs "Send" permission. Candidates may use "Manage" for both, which is overly permissive and a security risk. The exam tests granular permissions.
Specific Numbers and Terms That Appear on the Exam
Default idle timeout: 60 seconds. Know that you need to implement keepalive to prevent disconnection.
Maximum concurrent listeners per Hybrid Connection: 1 active listener (others are standby).
Maximum concurrent sender connections per Hybrid Connection: 25.
Protocol: WebSocket (wss://) for Hybrid Connections; TCP for WCF Relay.
Authentication: SAS tokens with Listen, Send, or Manage permissions.
Namespace: Created within Azure Service Bus.
Edge Cases and Exceptions
Multiple listeners: If multiple listeners register, only one receives offers (round-robin). The exam may ask what happens if a second listener registers: it becomes a backup.
Token expiry: If the token expires, the connection is dropped. The listener must obtain a new token and reconnect.
Firewall requirements: Only outbound HTTPS (443) is needed from the listener's network.
Hybrid Connection vs. WCF Relay: The exam focuses on Hybrid Connection (WebSocket). WCF Relay is legacy and rarely tested.
How to Eliminate Wrong Answers
If the scenario mentions "real-time, bidirectional" and "no inbound ports," eliminate VPN Gateway and Service Bus.
If the scenario mentions "messaging" or "queues," eliminate Relay.
If the scenario requires "site-to-site" or "network-level" connectivity, eliminate Relay.
Look for keywords: "expose an on-premises service," "behind a firewall," "outbound connection only."
Azure Relay enables secure hybrid connectivity without opening inbound firewall ports; the listener initiates an outbound WebSocket connection to Azure.
Default idle timeout is 60 seconds; applications must send keepalive signals to prevent disconnection.
Each Hybrid Connection supports up to 25 concurrent sender connections and one active listener.
Authentication uses Shared Access Signatures (SAS) with granular permissions: Listen for listeners, Send for senders.
Azure Relay is for point-to-point, real-time bidirectional communication; do not confuse with Azure Service Bus (messaging) or VPN Gateway (network-level).
The listener must handle reconnection with exponential backoff if the control channel drops.
Hybrid Connection uses WebSocket protocol (wss://) with a maximum message size of 64 KB per frame.
Azure Relay can be combined with Azure API Management to expose on-premises APIs to external clients.
These come up on the exam all the time. Here's how to tell them apart.
Azure Relay
Operates at application layer (L7); connects specific services.
No inbound ports required; listener initiates outbound connection.
Point-to-point connectivity between cloud and on-premises service.
Uses WebSocket or TCP relay; supports bidirectional streaming.
Best for exposing individual on-premises APIs or services.
Azure VPN Gateway
Operates at network layer (L3); connects entire networks.
Requires opening UDP 500 and 4500 (IPsec) on on-premises firewall.
Site-to-site connectivity between Azure VNet and on-premises network.
Uses IPsec tunnels; supports all IP-based traffic.
Best for full network integration, e.g., domain join or database replication.
Azure Relay
Provides direct, bidirectional streaming communication.
Listener must be online for sender to connect.
Suitable for real-time, synchronous scenarios.
No message persistence; data is relayed immediately.
Authentication via SAS tokens with Listen/Send permissions.
Azure Service Bus
Provides asynchronous messaging via queues and topics.
Sender can send messages even if receiver is offline; messages are stored.
Suitable for decoupled, durable messaging.
Messages are persisted until consumed (up to 14 days).
Authentication via SAS tokens with Send/Listen/Manage permissions.
Mistake
Azure Relay requires opening inbound firewall ports on the on-premises network.
Correct
Azure Relay does NOT require any inbound ports. The on-premises listener initiates an outbound connection to Azure Relay, so only outbound HTTPS (port 443) is needed. This is a key differentiator from VPN Gateway.
Mistake
Azure Relay and Azure Service Bus are interchangeable for hybrid connectivity.
Correct
They are different services. Azure Relay provides direct, bidirectional streaming communication. Azure Service Bus provides asynchronous messaging via queues and topics. The exam tests the distinction: if the scenario needs real-time two-way communication, use Relay; if it needs decoupled messaging, use Service Bus.
Mistake
Multiple listeners on the same Hybrid Connection provide load balancing and high availability.
Correct
Only one listener can be active at a time per Hybrid Connection. Additional listeners are standby. For load balancing, you must create multiple Hybrid Connections and distribute clients among them.
Mistake
SAS tokens with Manage permission are required for both listeners and senders.
Correct
Listeners need only Listen permission; senders need only Send permission. Manage permission is for administrative operations like creating Hybrid Connections. Using Manage unnecessarily increases the security risk.
Mistake
Azure Relay automatically keeps connections alive indefinitely.
Correct
The default idle timeout is 60 seconds. If no data is sent within that window, the connection is dropped. Applications must implement keepalive (e.g., sending a heartbeat every 30 seconds) to maintain the connection.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Relay provides direct, bidirectional streaming communication between two parties, requiring both to be online simultaneously. It is ideal for real-time scenarios like exposing an on-premises API. Azure Service Bus, on the other hand, is a message broker that decouples senders and receivers via queues and topics. Messages are persisted until consumed, allowing asynchronous communication. On the exam, if the scenario mentions 'real-time' or 'bidirectional,' choose Relay; if it mentions 'decoupled' or 'durable messaging,' choose Service Bus.
No. The on-premises listener initiates an outbound connection to Azure Relay over HTTPS (port 443). No inbound ports are required. This is a key advantage over VPN Gateway, which requires opening UDP ports for IPsec. The exam frequently tests this distinction: look for 'no inbound ports' or 'outbound only' as clues for Relay.
The default idle timeout is 60 seconds. To prevent the connection from being dropped, the listener should send periodic keepalive messages (e.g., a heartbeat every 30 seconds). This can be implemented by sending a small data frame or using the SDK's built-in keepalive feature if available. On the exam, remember the 60-second default timeout.
Yes, multiple listeners can register, but only one is active at a time. The Relay uses round-robin to distribute connection offers among listeners. If the active listener disconnects, one of the standby listeners becomes active. For true load balancing, you need multiple Hybrid Connections and distribute clients among them.
The listener requires a SAS token with 'Listen' permission. The sender requires a token with 'Send' permission. Using 'Manage' is unnecessary and a security risk. The exam may present a scenario where a candidate incorrectly uses 'Manage' for both; the correct answer is to use granular permissions.
Azure Relay is designed for streaming data, but the Hybrid Connection (WebSocket) has a maximum frame size of 64 KB. For larger payloads, consider using TCP Relay (WCF Relay) which supports larger messages, or chunk the data into smaller frames. However, for bulk file transfer, other services like Azure Blob Storage or Azure File Sync are more appropriate.
All connections to Azure Relay are authenticated using SAS tokens. The communication is encrypted using TLS 1.2 for WebSocket connections. However, the Relay does not inspect or encrypt the payload, so for sensitive data, implement end-to-end encryption at the application layer.
You've just covered Azure Relay for Hybrid Connectivity — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?