Featured image of post Building a Hybrid On-Prem Cloud App with a Secret API!
Cloud Amazon Cloud-AWS Azure Cloud Google Cloud-GCP Python CSharp DotNet Microservices Docker Mobile IOS Android

Building a Hybrid On-Prem Cloud App with a Secret API!

Examples of mixing cloud and on prem servers

Background and Related project: eFit Aware IOS and Android Mobile Apps
eFit Aware - Android iPhone Mobile with Azure Cloud Sync

Introduction

Hybrid cloud architecture is one of those things that sounds fancy, but in reality, it’s just a way to mix on-premise computing with cloud services.

There are many reasons to not put everything in the cloud, and I once had a real-world use case for this.

The Problem: Our algorithms were highly sensitive, and we didn’t want to put even the compiled code on a cloud VM. The best solution? Keep our algorithm running on-premise while using the cloud for everything else.

This article will show how to build a similar hybrid cloud setup using the latest features in AWS, Azure, and Google Cloud.

What is a Hybrid Cloud?

A hybrid cloud is an IT architecture where some workloads run on-premise (your own servers) while others run in the public cloud (AWS, Azure, Google Cloud).

Why Use a Hybrid Cloud?

  • Security – Keep sensitive data/code on-prem.
  • Performance – Keep high-speed processing local.
  • Cost Savings – Reduce cloud costs for predictable workloads.
  • Compliance – Some industries have regulations requiring on-premise storage.

How I Built a Hybrid Cloud Before Modern Cloud Services

Back in the day, I built a hybrid cloud system using an early version of Azure. It worked, but it was painful:

  • We had a secret algorithm running on a local server in our office.
  • Our cloud-based app called the on-premise server via a VPN.
  • We manually managed connections.

Now, let’s do this properly with modern AWS, Azure, and Google Cloud.

The Hybrid Cloud Architecture

💡 Use Case: We will build a super-secret microservice that divides two numbers (yeah, real spy stuff 🕵️‍♂️).

📌 How it works:

  1. The secret division algorithm runs on-premise (Python & C# microservices).
  2. A public cloud microservice (AWS/Azure/GCP) acts as a proxy API.
  3. The cloud forwards API requests to the on-premise service.

Architecture Diagram

Step 1: Write the Super-Secret Microservice (Python & C#)

Python Version (Runs On-Prem)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/divide', methods=['POST'])
def divide():
    data = request.json
    try:
        result = data['a'] / data['b']
        return jsonify({"result": result})
    except ZeroDivisionError:
        return jsonify({"error": "Division by zero!"}), 400

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5001)

C# Version (Runs On-Prem)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
public class DivideController : ControllerBase
{
    [HttpPost]
    public IActionResult Divide([FromBody] DivisionRequest request)
    {
        if (request.B == 0)
            return BadRequest("Division by zero!");

        return Ok(new { result = request.A / request.B });
    }
}

public class DivisionRequest
{
    public double A { get; set; }
    public double B { get; set; }
}

Step 2: Deploy the Microservice in Docker (On-Prem)

Create a Dockerfile:

1
2
3
4
5

FROM python:3.9
WORKDIR /app
COPY app.py .
RUN pip install flask
CMD ["python", "app.py"]

Build and Run:

1
2

docker build -t secret-division .
docker run -p 5001:5001 secret-division

Now, we have our secret microservice running under my desk.

Step 3: Build the Cloud Proxy Microservice

Cloud Proxy Service (Python Flask)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

import requests
from flask import Flask, request, jsonify

app = Flask(__name__)
ON_PREM_SERVICE = "http://my-office-server:5001/divide"

@app.route('/divide', methods=['POST'])
def proxy_divide():
    data = request.json
    response = requests.post(ON_PREM_SERVICE, json=data)
    return response.json(), response.status_code

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

Step 4: Deploy the Proxy Service in AWS, Azure, and Google Cloud

AWS: Use Elastic Beanstalk or Lambda + API Gateway

  1. Deploy the proxy microservice using AWS Elastic Beanstalk.
  2. Set up AWS API Gateway to expose it publicly.
  3. Configure AWS Site-to-Site VPN to connect to the on-prem service.

Azure: Use Azure App Service + VPN Gateway

  1. Deploy the proxy microservice to Azure App Service.
  2. Use Azure API Management to expose it.
  3. Configure Azure VPN Gateway to reach the on-prem service.

Google Cloud: Use Cloud Run + Hybrid Connectivity

  1. Deploy the proxy to Google Cloud Run.
  2. Expose it via Google API Gateway.
  3. Use Google Cloud Interconnect to talk to on-prem services.

Key Takeaways

  • Hybrid Cloud = Best of Both Worlds → Security + Cloud Benefits.
  • We kept our sensitive division algorithm on-prem while using cloud for API proxying.
  • Modern hybrid cloud solutions (AWS VPN, Azure Hybrid Cloud, Google Interconnect) make this easy.

References

  1. AWS Hybrid Cloud
  2. Azure Hybrid Cloud
  3. Google Hybrid Cloud
© 2001 - 2025 Brian Braatz Blog