Network Architecture
Overview
Hydra’s network architecture is designed to be secure, modular, and cloud-native, with support for both public and private access models. All core services can run within a dedicated Azure Resource Group and communicate over secure Azure networking channels by using private endpoints configured by the customer.
The platform is composed of the following key components:
Hydra App Service: The central logic layer handling API requests, automation workflows, and tenant operations.
SQL Server + Database: Stores configuration data, tenant metadata, and operational state.
Log Analytics Workspace: Collects telemetry for diagnostics, health monitoring, and platform insights.
Key Vault: Stores application secrets and a cryptographic key.
Connectivity and Flow
The Hydra App Service communicates outbound with:
The SQL Server via Azure SQL’s secure endpoints.
Log Analytics for telemetry output (https://api.loganalytics.azure.com).
Azure Resource Manager APIs to perform AVD and Azure-related operations (e.g., host creation).
Key Vault for secrets and keys.
GitHub for installs and updates.
License URL for automatic license polling (https://itpc-business-product-callback.azurewebsites.net).
All traffic flows over secure channels: TCP 443 (HTTPS) and TCP 1433 (SQL).
Hydra App Service receives communication inbound with:
Users and admins, via the HTTPS web service.
Hydra Agent, via WebSockets over TCP 443 (WebSocket support must be enabled). For more information, see the Microsoft Documentation.
Networking Models
Hydra supports two deployment options:
Public Access (Default)
App Service and database are reachable via Azure public endpoints.
Simpler to deploy and manage.
Secured using Entra, HTTPS, and optional network-level firewall rules.
Private Networking (Recommended for Production)
Hydra services are integrated with Azure Private Endpoints, allowing access only from within a private VNet.
Enhances security by eliminating public exposure of App Service, Key Vault, and SQL endpoints.
Ideal for enterprise environments with strict egress and segmentation requirements.
For a video on how to configure the various components with Private Endpoints, see Securing an App Service, a Key Vault, and a Database with Private Endpoints.
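The following audit script is an added example and not part of the Hydra project: it flags which of the three Hydra components that the Private Networking model is meant to take off the public internet (App Service, Key Vault, SQL Server) are still reachable via Azure public endpoints. The inventory format is a constructed, simplified view of `az resource show` output, and only the `publicNetworkAccess`, `privateEndpointConnections` and (for Key Vault) `networkAcls` properties are modelled.

```python
# Added audit example (not part of Hydra): flag Hydra resources that are still on
# the Public Access model. The inventory is a constructed, simplified view of
# `az resource show` output; only the network-exposure properties are modelled.

HYDRA_TYPES = {
    "Microsoft.Web/sites": "Hydra App Service",
    "Microsoft.KeyVault/vaults": "Key Vault",
    "Microsoft.Sql/servers": "SQL Server",
}

def audit_resource(res):
    """Return findings for one resource; an empty list means compliant."""
    label = HYDRA_TYPES.get(res["type"])
    if label is None:
        return []  # e.g. Log Analytics: not covered by this check
    props = res.get("properties", {})
    who = f"{label} '{res['name']}'"
    findings = []
    # Default to "Enabled": a missing property means the public endpoint is live.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append(f"{who}: public network access is not disabled")
    if not any(c.get("status") == "Approved"
               for c in props.get("privateEndpointConnections", [])):
        findings.append(f"{who}: no approved private endpoint connection")
    # Key Vault's own firewall should default to Deny as a second layer.
    if res["type"] == "Microsoft.KeyVault/vaults":
        if props.get("networkAcls", {}).get("defaultAction") != "Deny":
            findings.append(f"{who}: networkAcls defaultAction is not Deny")
    return findings

def audit_inventory(inventory):
    """Audit a whole resource group; returns all findings in inventory order."""
    return [f for res in inventory for f in audit_resource(res)]

# Constructed sample: App Service left on the Public Access default, Key Vault
# and SQL Server configured for the Private Networking model.
SAMPLE_INVENTORY = [
    {"type": "Microsoft.Web/sites", "name": "hydra-app",
     "properties": {"publicNetworkAccess": "Enabled", "privateEndpointConnections": []}},
    {"type": "Microsoft.KeyVault/vaults", "name": "hydra-kv",
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"defaultAction": "Deny"},
                    "privateEndpointConnections": [{"status": "Approved"}]}},
    {"type": "Microsoft.Sql/servers", "name": "hydra-sql",
     "properties": {"publicNetworkAccess": "Disabled",
                    "privateEndpointConnections": [{"status": "Approved"}]}},
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print("FAIL:", finding)
```

Running it against the sample reports the two App Service findings and nothing for the Key Vault and SQL Server, which is the state the Private Networking model aims for across all three.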