The integration proxy has a local configuration file that controls the endpoint to connect to in Azure along with an access key and policy needed to establish the connection. The endpoint, key and policy are unique for each customer. Only the encrypted version of these values is stored in the local configuration file. These values are needed to establish the connection from the on-premise Azure WCF Relay Client to its projected endpoint in Azure. The policy is used to control if the requesting application has permission to send data to the endpoint, or receive data from the endpoint. The on-premise Azure WCF Relay Client needs the ability to receive data from the endpoint.
The azure cloud hosted applications that need to transfer data to the customers private network via the WCF Relay endpoint also need a key and a policy to allow them to send data to the endpoint. This information is stored in the application configuration, within Azure, for each application that needs to use the WCF Relay service.
If any of the access keys are compromised in any way, the access key can be blocked from sending and/or receiving via the Azure Management Portal.