The installation on both Azure and Sql Server side is done exactly according to Microsoft specifications in https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections. The endpoint host is the SQL Server machine name using fixed port 1433. The SQL Server is a named instance of SQL Server Express in a Windows 2012 Server.
The connection is also shown as Connected both on Azure and Server HCM sides.
I have done several similar installations before without any problems in more open networks, but in this case the SQL Server is installed on a "security network" and the only TCP/IP connection opened from the server is to the Service Bus relay on port 443. But this should be possible according to the specs.
When my Azure Web App tries to open the SQL connection it responds with the error:
"Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the pre-login handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was - [Pre-Login] initialization=0; handshake=15028; "
In Azure diagnostics tool tcpping also works fine to machinename:1433.
What could be the reason for this behaviour?
Are there still some more ports to open or some other settings to change?
EDIT: The solution which finally solved this problem was a quite obvious one. The original settings had the firewall for the on Premise server open only for the Service Bus relay on port 443, just as the specs said would be enough. By opening port 443 for all outbound TCP/IP addresses the connection started immediately to work from my Azure Web App. So there are obviously more addresses used by Hybrid Connection, but I haven't found which ones.