In this article, I review and rank my top five Azure hybrid cloud technologies. I also explain how best to use them depending on your use case.

Get started with ACG and transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.

There are a lot of similarities across the big three cloud providers, but one area where I think Microsoft Azure has the upper hand is hybrid computing. There are a range of Azure hybrid cloud services that are aimed squarely at making your life easier when working across cloud and on-premises, and even across multiple cloud providers. 

So, here I present to you my top five Azure hybrid cloud technologies.

Now I have a challenge for you. Read this post, and I’ll be surprised if you don’t have a “huh, I didn’t know that” moment. And if you do have one of those moments, share this post with your network, with a “today I learned”, so others can learn too. 

Do we have a deal? Great, let’s jump in!

If your company, like most, manages their identities using Active Directory Domain Services (AD DS), you’ll no doubt be aware of Azure AD Connect. It allows you to synchronize your AD DS identities to Azure Active Directory (Azure AD).

Azure AD Connect includes support for a range of synchronization and authentication options. It’s extremely flexible – you choose what to synchronize and how your users will authenticate. You can even keep all your authentication on-premises if you need to.

The process for installing and configuring Azure AD Connect has improved dramatically over the last few years. It’s now easier than ever to set up and manage. Azure AD also provides more options than ever to help you configure your hybrid identities. And with the introduction of Azure AD Connect cloud sync, you can now do this with high availability or between multiple disconnected AD DS forests.

Synchronizing your identities between your on-premises AD DS environment and Azure AD is referred to as hybrid identity. Hybrid identity unlocks a huge range of benefits. Some of these benefits include:

• Users can log on to your on-premises applications and cloud applications using the same username and password.
• You can protect your identities with multi-factor authentication and password health checks, preventing risky sign-ins.
• Users can reset their passwords if required using self-service password reset.
• You can control access to sensitive applications. This helps you to implement more stringent security controls using conditional access.

Now you might be thinking. Wayne, I knew all of that that already. 

OK, but did you know you can also allow your users to log on to Azure VMs on disconnected virtual networks using their AD DS credentials? This even supports conditional access and multi-factor authentication. Wait, what? Yep, it totally does.

Now you can stop sharing or reusing credentials on your VMs that are not AD DS domain-joined.

Azure AD authentication is great for applications that were born in the cloud and built to support the authentication options that Azure AD supports. But what about all of the applications that don’t have this support? 

If your company has been around for a while, they might have a whole bunch of these applications. Not only that, these applications might be tightly integrated with other applications and services on your internal network.

It might not be a simple ‘flick of the switch’ to upgrade, replace, or migrate these applications. Does that mean that you're stuck with a Virtual Private Network (VPN) connection? No way! Azure AD Application Proxy allows you to provide remote access to your legacy web applications from anywhere, on any device.

It’s also really easy to set up. You just need to deploy one or more Application Proxy Connectors on your internal network, and then add the application configuration in Azure AD. That’s it. No special firewall configuration or reverse proxies are required.

Alright, so you knew all that already, did you? OK, did you know that your backend application doesn’t need to be on-premises, and it also doesn’t need to run on Windows Server or even use Internet Information Services (IIS)? Your backend application can be almost any web application.

Alright, just in case you already knew that, did you know that you can use Azure AD Application Proxy to provide single sign-on (SSO) for applications that don’t support AD DS authentication?

That’s right, you can configure password-based authentication for applications that use a simple username and password combination without sharing those credentials with the users that require access.

Neat, right?

When you deploy an Azure storage account, you get access to Azure Blobs, Azure Tables, Azure Storage Queues, and Azure Files. Blobs, tables, and queues are nice, but Azure Files is special. Azure Files allows you to access Azure Storage using familiar protocols like Network File System (NFS) and Server Message Block (SMB).

What’s good about this is that you can move your existing file servers to the platform as a service without changing any applications. The problem with this is that access to storage in the cloud is slower when you’re accessing it from on-premises.

Azure Files includes Azure File Sync, which allows you to synchronize data between your Azure files shares and your on-premises Windows servers. You can use this functionality for a range of purposes. But my favorite functionality that isn’t obvious at first glance is the ability to use Azure File Sync for disaster recovery.

In the event of a server failure, you can quickly spin up another file server, install the Azure File Sync agent, download the namespace from Azure Files, and provide access to the data almost immediately. If you’ve never tried this before, it’s insanely quick. And because you’re only downloading the namespace (essentially file stubs) you can access all of the data immediately without waiting for a complete restore.

You might have already known that, but did you know that you can snapshot your Azure file shares too? This provides you point in time restores without consuming additional disk space on your file share or servers. Sweet.

Oh now we’re getting to the really good stuff. At number two we have Azure Automation. Azure Automation is the often overlooked automation, configuration, and update management tool box provided by Azure. 

It’s built from the ground up to be hybrid-ready. Everything in Azure Automation provides the same functionality both in Azure and on-premises. Everything.

If you’re not using Azure Automation Update Management to automate your Microsoft patch deployment, you really should take a look.

Where Azure Automation gets really powerful is in its integration with other Azure services. One really common objection to automating update management is the “what if?”. What if our domain controllers don't start up correctly? What if the SQL Servers don’t start properly?

You have a few options to make sure this won’t be a problem. You can run Azure Automation pre-and-post scripts as part of your update schedule. The problem with these runbooks is that they only run in Azure. But did you know that you can call other runbooks from these runbooks? You can also call a runbook to run on-premises on what’s known as a hybrid worker. Yeah, you can have a script that checks Active Directory and checks your SQL Servers after patch deployment to make sure they’re available. 

Alternatively, you could also integrate this with Azure Monitor alerts. You can likely use the good old 80/20 rule here and deal with 80% of the most common problems with broad scripts that check for service startup and things like that, and 20% that focus on your really critical applications and have really specific checks for those.

Before you know it, your patches will always be up-to-date and a problem no more. So you can spend more time delivering value for your company, instead of keeping the lights on.

We made it. The number one spot in my top five Azure hybrid cloud favorites. You’ve heard of Azure Arc, right? Azure Arc extends the Azure management plane, sometimes referred to as the control plane, to your workloads outside Azure, either on-premises or in other clouds. It’s really neat.

The control plane provides role-based access control and management capabilities for your workloads. This means you can manage and monitor your on-premises servers just like you do with your Azure VMs.

One of my favorite features of Azure Arc is when you integrate it with Azure Monitor Log Analytics. To help ease the management and monitoring burden on central IT teams, you can distribute this effort to the workload teams. 

When you onboard a server into Azure Arc, the server gets an Azure resource ID. If you grant the workload team read-access to the Azure Arc server using Azure role-based access control (RBAC), you can use resource-context mode on the Log Analytics Workspace to grant the workload teams access to just the logs they require, without granting access to the entire workspace.

It’s a must for any company that wants to implement the decentralized operations operating model from the cloud adoption framework.

How did we go – did you get one of those “huh, I didn’t know that” moments? Make sure you share what you learned with your network so others can learn too!

If you’re interested in learning more about Azure hybrid cloud technologies, especially when working with Windows Server, make sure you check out my latest course, AZ-800: Administering Windows Server Hybrid Core Infrastructure. Not only does it prepare you for the exam, but I share heaps of tips and tricks along the way to help you in the real world.

Want to learn more about Azure certifications?
Check out our Azure Certifications and Learning Paths.