Create a Relay Hybrid Connection from Azure Function App

Question

Create a Relay Hybrid Connection from Azure Function App

Daniel O'Sullivan 40

I want to create a Hybrid Connection from an Azure Relay from an Azure Function App.
I have made sure the Identity in my function app is set to system assigned. The Azure Relay also has my Function App the assigned role of owner.

I am failing to get the MSI token which I then intend to pass in the axios request to create the Hybrid Connection.

The error I am receiving when trying to retrieve the MSI token is: Error: connect EACCES 169.254.169.254:80.

Below is my code for retrieving the token.

const axios = require('axios');

const apiVersion = '2020-06-01';

const resource = 'https://relay.azure.net/';

let cachedResponse = null;

// This function retrieves the MSI token

async function getMsiToken() {

const endpoint = `http://169.254.169.254/metadata/identity/oauth2/token?api-version=${apiVersion}&resource=${encodeURIComponent(resource)}`;

const headers = { 'Metadata': 'true' };

try {

const response = await axios.get(endpoint, { headers });

cachedResponse = response.data;

return response.data.access_token;

} catch (error) {

cachedResponse = error;

return null; // explicitly return null to indicate a failure

}

Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-08-08T15:11:23.44+00:00

Hey Daniel O'Sullivan- thanks for the question

A little confused by what you're doing - generally speaking Hybrid Connections (which do apply to functions, but not on consumption plans) are turn key - you enable it on the function side and deploy the HCM (hybrid connection manager gateway) onto a VM at the destination - which could be on premises or another cloud and configure the connection.

There is implicit auth with the Relay service (which underpins Hybrid connections) but you dont need to worry about Managed Service Identity to enable it

There are some blogs about enabling Hybrid connections for Funcs - but the steps are the same as for App Service (where the plan supports the feature) REF https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-08-08T15:14:57.8666667+00:00

Irrespective - if you want to obtain a Managed Identity token in code then MSAL / Microsoft Identity is the best way to do that REF https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-azure-hosted-applications
Daniel O'Sullivan 40 Reputation points

2023-08-09T12:45:00.07+00:00

HI Ben. Sorry to clarify I'm trying to create a Hybrid Connection in an Azure Relay.
https://learn.microsoft.com/en-us/rest/api/relay/hybrid-connections/create-or-update?tabs=HTTP#code-try-0

In this microsoft example you can see the request to create a Hybrid Connation request requires an Authorization Bearer token. This is what I'm trying to acquire through code.

Ultimately I wish to have have a function app with a http trigger function that has an endpoint that I can call. Whenever I call that endpoint it creates a Hybrid Connection in my Azure Relay.
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-08-09T14:26:28.96+00:00

The point being the identity lib abstracts the plumbing and heavy lifting required to obtain the token on behalf of the MSI
Daniel O'Sullivan 40 Reputation points

2023-08-10T10:36:12.2166667+00:00
Hi Ben,

That worked thanks.
I used the code below and it is able to obtain a valid token.

const token = await credential.getToken("https://management.azure.com/.default");

Accepted answer

0 additional answers

Your answer

Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-08-08T15:11:23.44+00:00

Hey Daniel O'Sullivan- thanks for the question

A little confused by what you're doing - generally speaking Hybrid Connections (which do apply to functions, but not on consumption plans) are turn key - you enable it on the function side and deploy the HCM (hybrid connection manager gateway) onto a VM at the destination - which could be on premises or another cloud and configure the connection.

There is implicit auth with the Relay service (which underpins Hybrid connections) but you dont need to worry about Managed Service Identity to enable it

There are some blogs about enabling Hybrid connections for Funcs - but the steps are the same as for App Service (where the plan supports the feature) REF https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-08-08T15:14:57.8666667+00:00

Irrespective - if you want to obtain a Managed Identity token in code then MSAL / Microsoft Identity is the best way to do that REF https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-azure-hosted-applications
Daniel O'Sullivan 40 Reputation points

2023-08-09T12:45:00.07+00:00

HI Ben. Sorry to clarify I'm trying to create a Hybrid Connection in an Azure Relay.
https://learn.microsoft.com/en-us/rest/api/relay/hybrid-connections/create-or-update?tabs=HTTP#code-try-0

In this microsoft example you can see the request to create a Hybrid Connation request requires an Authorization Bearer token. This is what I'm trying to acquire through code.

Ultimately I wish to have have a function app with a http trigger function that has an endpoint that I can call. Whenever I call that endpoint it creates a Hybrid Connection in my Azure Relay.
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-08-09T14:26:28.96+00:00

The point being the identity lib abstracts the plumbing and heavy lifting required to obtain the token on behalf of the MSI
Daniel O'Sullivan 40 Reputation points

2023-08-10T10:36:12.2166667+00:00

Hi Ben,

That worked thanks.
I used the code below and it is able to obtain a valid token.

const token = await credential.getToken("https://management.azure.com/.default");

Answer 1

Ben Gimblett 4,560 Microsoft Employee

Hi - OK so you want to create the HC Relay via an ARM management (control plane) call from the function to facilitate comms from point A to point B (but not from the function itself, that's just a wrapper for creating the HC in this case?)

(Let me know if i got that right or wrong)

As it's a management operation the best practice would be to use the identity lib (your example was JS so you need the JS version linked above) to return a token - the managed identity would be fine as it's the identity the function runs under and that makes sense here

For RBAC , what role you need to grant the MSI , see here https://learn.microsoft.com/en-us/azure/azure-relay/authenticate-managed-identity#azure-built-in-roles-for-azure-relay

Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-08-10T12:23:20.82+00:00

Glad you got it working - please do mark the answer as accepted as it helps others

Share via

Create a Relay Hybrid Connection from Azure Function App

0 additional answers

Your answer