This section will describe the basic architecture of an on-premises data gateway and list the different components that communicate with each other to provide secure messaging between cloud-hosted services and on-premises resources.

When you install and configure your instance of an on-premises data gateway on a server, it creates a gateway that runs under NT SERVICEPBIEgwService. With initial On-premise data gateway Setup NT SERVICEPBIEgwService gets log-on-as-service rights on the server and uses port 443 for outbound communicate with other Azure services.

Under the hood, after the installation/configuration of an on-premises data gateway, it is registered with the gateway-cloud service hosted on Azure with Azure Service Bus. The architecture is described in the following diagram:

Let's now analyze what happens when queries and data flow through an on-premises data gateway:

1. When a query is created by the cloud service, the cloud service sends the query along with the encrypted credentials for the on-premises data source to the gateway to process.
2. The gateway cloud service will then look into the query and send the request to the Azure Service Bus queue.
3. The on-premises data gateway polls the Azure Service Bus queue for any new service requests.
4. The gateway then gets the query, decrypts the credentials, and connects to the systems with those credentials.

5. The gateway sends the message to the data source for execution.
6. The results are sent from the data source back to the gateway, and then on to the cloud service. The service then uses the results returned from the on-premises data gateway.