Provisioning a cloud service is quick and easy, but connecting cloud services to on-premises resources always brings its own challenges. In this article I explain the benefits of Azure Hybrid Connections and walk through connecting an Azure Function to an on-premises server with it.

Hybrid Connections is a feature of Azure Relay. You install the Hybrid Connection Manager (HCM) on a machine inside the on-premises network; it acts as an agent and makes an outbound TCP connection on port 443 (TLS 1.2) to the relay. Traffic that the function app sends to the configured endpoint host and port is carried through the relay, and the HCM opens the final TCP connection to the on-premises endpoint. Nothing needs to be opened inbound at the network edge; the only requirement is that the HCM host can reach Azure Relay outbound on 443 and the endpoint host on the chosen port.
As the first step, run the PowerShell script below on the on-premises server. It enables PowerShell remoting over HTTPS (WinRM on port 5986) so that an Azure PowerShell function can manage this server, and through it other on-premises resources.
# Enable PowerShell remoting (this also creates an HTTP listener on 5985 and opens its firewall rules).
Enable-PSRemoting -Force
# Create a firewall rule for WinRM over HTTPS. The default HTTPS port is 5986.
# -Profile "Any" opens the port to every network; if the Hybrid Connection Manager runs on
# another host, add -RemoteAddress <that host> so only it can connect.
New-NetFirewallRule -Name "WinRM HTTPS" `
    -DisplayName "WinRM HTTPS" `
    -Enabled True `
    -Profile "Any" `
    -Action "Allow" `
    -Direction "Inbound" `
    -LocalPort 5986 `
    -Protocol "TCP"
# Create a self-signed certificate for the WinRM listener. The DNS name must match the name
# the function will connect to (the hybrid connection's Endpoint Host). A CA-issued
# certificate is preferable, because the remoting client can then validate it.
$Thumbprint = (New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
# Create the WinRM HTTPS listener bound to that certificate.
$Cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=""$env:COMPUTERNAME""; CertificateThumbprint=""$Thumbprint""}"
cmd.exe /C $Cmd
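The script above opens 5986 to any address, leaves the HTTP listener from Enable-PSRemoting in place, and uses a self-signed certificate that the function will later have to trust blindly. As an added example (not part of the original article), the following PowerShell tightens that configuration on the on-premises server and checks the result. It assumes the Hybrid Connection Manager runs on a separate host at 10.0.0.50 (if the HCM runs on this same server, use its own address) and that the hybrid connection's Endpoint Host will be az-vm-win01; both values are placeholders.

```powershell
# Added example, not from the original article. Run on the on-premises server after the
# setup script above. Placeholders: HCM host address and the endpoint host name.
$HcmHostAddress = '10.0.0.50'     # assumption: host running the Hybrid Connection Manager
$EndpointHost   = 'az-vm-win01'   # assumption: Endpoint Host configured on the hybrid connection

# 1. Only the HCM host ever needs to reach 5986, so scope the rule to it instead of "Any".
Set-NetFirewallRule -Name 'WinRM HTTPS' -RemoteAddress $HcmHostAddress

# 2. Enable-PSRemoting also created an HTTP (5985) listener and enabled the built-in
#    "Windows Remote Management" firewall rules. Remove the listener and disable those rules.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# 3. Confirm exactly one HTTPS listener remains and find the certificate it is bound to.
$httpsListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (@($httpsListener).Count -ne 1) {
    throw "Expected one HTTPS listener, found $(@($httpsListener).Count)"
}
$thumbprint = (Get-ChildItem "WSMan:\localhost\Listener\$($httpsListener.Name)" |
    Where-Object Name -eq 'CertificateThumbprint').Value
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# 4. The name the function passes as -ComputerName must appear in the certificate;
#    otherwise the client would also need -SkipCNCheck, which removes the last server check.
if ($cert.DnsNameList.Unicode -notcontains $EndpointHost) {
    Write-Warning "Certificate $thumbprint does not cover '$EndpointHost' (covers: $($cert.DnsNameList.Unicode -join ', '))"
}
# A self-signed certificate is its own issuer. Only a CA-chained certificate lets the
# function drop -SkipCACheck.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Listener certificate is self-signed; the remoting client will have to skip CA validation.'
}

# 5. Probe the listener. Test-WSMan validates the TLS chain, so with a self-signed
#    certificate it fails unless that certificate has been imported into the probing
#    host's Trusted Root store. The failure tells you which option the function needs.
try {
    Test-WSMan -ComputerName $EndpointHost -Port 5986 -UseSSL -ErrorAction Stop | Out-Null
    'WinRM HTTPS listener reachable and certificate trusted'
} catch {
    Write-Warning "Test-WSMan failed: $($_.Exception.Message)"
}
```

Step 5 is also worth repeating from the HCM host itself, since that is the machine whose path to port 5986 the hybrid connection will actually use.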
Create a function app in the portal

The App Service Hybrid Connections feature is not available on the Consumption plan. On the Hosting page, select App Service plan and choose a Basic, Standard, Premium or Isolated tier.

Create a hybrid connection for the function app
Once the function app is deployed, navigate to Networking and click Hybrid connections.

Click on create new hybrid connection.

In Endpoint Host, enter the hostname or FQDN of the on-premises machine. This is the name the function will use as -ComputerName, so it must resolve from the host running the Hybrid Connection Manager and should match the DNS name in the WinRM certificate. In Endpoint Port, enter the port opened by the firewall rule above (5986).

Download and install the hybrid connection
Select Download connection manager to save the .msi file locally on your computer.

Install the .msi file and configure the hybrid connection (you will need to sign in to Azure and choose the subscription). Install it on a machine that can reach the endpoint host on port 5986; that can be the on-premises server itself.
Click on Save.


If the Azure Status column shows Not Connected, the Azure Hybrid Connection Manager service on the HCM host has probably stopped or has not yet connected to the relay. Restart the service, make sure the host can reach Azure Relay outbound on port 443, and click Refresh to update the status.

Create a function HTTP trigger
Navigate to Functions, click Add, and choose the HTTP trigger template to create a new function.


In the new function, select Code + Test. Replace the PowerShell code from the template with the following code:
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."
# The service account comes from the app settings ServiceAccountUserName and ServiceAccountPassword.
# Store them as Key Vault references rather than plain-text app settings.
$Credential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $Env:ServiceAccountUserName, (ConvertTo-SecureString -String $Env:ServiceAccountPassword -AsPlainText -Force)
# Must match the Endpoint Host configured on the hybrid connection.
$HybridEndpoint = "az-vm-win01"
$Script = {
    $apiEndpoint = 'http://demp-api.com/api/refresh'
    Invoke-RestMethod -Uri $apiEndpoint -Method Post
}
Write-Output "Running command via Invoke-Command"
# -SkipCACheck is needed because the listener uses a self-signed certificate. It skips
# only CA validation; the host name is still checked against the certificate.
$session = $null
try {
    $session = New-PSSession -ComputerName $HybridEndpoint -Credential $Credential -Port 5986 -UseSSL `
        -SessionOption (New-PSSessionOption -SkipCACheck) -ErrorAction Stop
    $result = Invoke-Command -Session $session -ScriptBlock $Script
    $status = [HttpStatusCode]::OK
    $body = $result | ConvertTo-Json -Depth 5
} catch {
    # Log the detail; do not echo it back to the caller.
    Write-Error "Remote call to $HybridEndpoint failed: $($_.Exception.Message)"
    $status = [HttpStatusCode]::InternalServerError
    $body = "Remote call failed"
} finally {
    if ($session) { Remove-PSSession -Session $session }
}
# Return the outcome through the Response output binding.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $body
})
Click Save. Select Test, then Run, and review the logs to verify the run succeeded. A failure in New-PSSession (wrong credential, unreachable endpoint, or a certificate whose name does not match the endpoint host) shows up in the same log stream.
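Before testing in the portal, it is worth exercising the same path from the host running the Hybrid Connection Manager: the same endpoint name, port 5986, HTTPS and service account the function uses. The following PowerShell is an added example (not from the original article). It checks the HCM service, the two network hops the relay needs, and then tries a strict remoting session before falling back to the -SkipCACheck session the function uses, so you know exactly which validation you are giving up. Placeholders: Endpoint Host az-vm-win01, a hypothetical relay namespace contoso-relay, and a credential prompted for interactively instead of read from app settings.

```powershell
# Added example, not from the original article. Run on the HCM host.
# Placeholders: endpoint host, relay namespace, and an interactively supplied credential.
$HybridEndpoint = 'az-vm-win01'                              # assumption: Endpoint Host
$RelayHost      = 'contoso-relay.servicebus.windows.net'     # assumption: relay namespace
$Credential     = Get-Credential -Message 'Service account the function will use'

# 1. The HCM service must be running, or the portal shows "Not Connected".
$hcm = Get-Service -DisplayName 'Azure Hybrid Connection Manager*' -ErrorAction SilentlyContinue
if (-not $hcm) {
    Write-Warning 'Hybrid Connection Manager service not found on this host'
} elseif ($hcm.Status -ne 'Running') {
    Write-Warning "HCM service is $($hcm.Status); restarting"
    Restart-Service -InputObject $hcm
}

# 2. HCM dials out to the relay on 443 and reaches the target on 5986; both must work.
foreach ($target in @(@{ Host = $RelayHost; Port = 443 }, @{ Host = $HybridEndpoint; Port = 5986 })) {
    $tnc = Test-NetConnection -ComputerName $target.Host -Port $target.Port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $target.Host, $target.Port, $tnc.TcpTestSucceeded
}

# 3. Strict session first: nothing skipped. If this succeeds, the function can drop
#    -SkipCACheck; if it fails, the error names the certificate problem.
$session = $null
try {
    $session = New-PSSession -ComputerName $HybridEndpoint -Port 5986 -UseSSL `
        -Credential $Credential -ErrorAction Stop
    'Strict TLS validation passed: remove -SkipCACheck from the function.'
} catch {
    Write-Warning "Strict session failed: $($_.Exception.Message)"
    # 4. Fall back to what the function does. With -SkipCACheck the server is identified
    #    only by the name in its certificate; anyone who can answer for az-vm-win01 can
    #    mint a self-signed certificate carrying that name.
    try {
        $session = New-PSSession -ComputerName $HybridEndpoint -Port 5986 -UseSSL `
            -Credential $Credential -SessionOption (New-PSSessionOption -SkipCACheck) -ErrorAction Stop
        Write-Warning 'Session works only with -SkipCACheck: the listener certificate is not trusted by this host.'
    } catch {
        Write-Warning "Relaxed session also failed (credential, listener or HCM problem): $($_.Exception.Message)"
    }
}

# 5. If a session exists, confirm who the function will run as on the target. The account
#    should hold only the rights the remote script needs; local admin is rarely one of them.
if ($session) {
    Invoke-Command -Session $session -ScriptBlock {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        [PSCustomObject]@{
            Host         = $env:COMPUTERNAME
            RunsAs       = $id.Name
            IsLocalAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
    Remove-PSSession -Session $session
}
```

If step 3 passes, the function should be changed to create its session without -SkipCACheck; if only step 4 passes, the listener certificate (or the trust store on the HCM host) is what needs fixing, not the function.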