Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Deploy Native SFTP (Secure FTP) in Storage Account | Microsoft Azure

I was working with a software product based startup client, They wanted to have SFTP server where their customer will upload logs. Here they didn't want to host a FTP solution On-Prem or in Virtual Machine. For this design, we chose PAAS service available on Microsoft Azure Cloud. There is a option in Storage Account, which can be setup as SFTP server without much configuration and administration. 

Storage Account is Microsoft Azure provides scalable, durable cloud storage, backaup, and recovery solutions for any data, big or small, it works with the infrastructure you already have to cost-effectively enhance your existing applications and business continuity strategy, and provide the storage required by your cloud applications, including unstructured text or binary data such as video, audio and images.

To start configuration I need Azure Storage account first. To created one I am inside Resource group and click + Create button. Search and click Storage Account.

Microsoft Azure resoruce group create storage account datastore deployment security sftp configuration security policies.png

Click Create button.

Microsoft Azure windows storage account microsoft iot hub scalable durable cloud storage sftp recovery solution data big binary data application.png

Azure Storage is a Microsoft-managed service providing cloud storage that is highly available secure durable scalable and redundant Azure storage includes Azure Blobs (objects). Azure Data Lake Storage Gen2 Azure files, Azure Queues and azure Tables, The cost of your storage account depends on the usage and the options you choose below.

In the Create a Storage Account basics wizard provide information of Subscription, Resource group, Name (The name must be unique across all existing storage account names in Azure. It must be 3 to 24 characters long, and can contain only lowercase letters and numbers.), Region (Choose the Azure region that's right for you and your customers. Not all storage account configurations are available in all regions.), Performance (Determine whether you want to have premium performance for block blobs, file shares, or page blobs in your storage account.), Redundancy (The data in your Azure storage account is always replicated to ensure durability and high availability. Choose a replication strategy that matches your durability requirements. Some settings can't be changed after the storage account is created.). Click Next: Advanced >.

In the Advanced option, Keep all the options default 

Data Lake Storage Gen 2 section, Enable hierarchical namespace (The Data Lake Storage Gen2 hierarchical namespace accelerates big data analytics workloads and enables file-level access control lists (ACLs).)

To enable SFTP, 'hierarchical namespace' must be enabled. SSH File Transfer Protocol (SFTP) option Enables the SSH File Transfer Protocol for your storage account that allows users to access blobs via an SFTP endpoint. Local users need to be created before the SFTP endpoint can be accessed. Local users need to be created in order to access the SFTP endpoint after storage account is created. Click Next: Networking >

Microsoft azure storage account create basics project details instance region performance lrs zrs locally redundant storage data lake storage gen2 namespace sftp enable ssh.png

In the Networking and Data protection tab keep all the option default. Click Review + create button.

Microsoft azure storage account enable sftp network connectivity method public endpoint private networks routing internet data protection enable soft delete for containers shareds blobs tracking.png

Once the validation passed, verify configuration and click Create button, Once the deployment is completed, click Go to resource button.

Microsoft Azure create storage account validation passed tags resource group location subscription replication zrs grs secure transfer enabled sftp tls access tier cool hot networking.png

This is Azure Storage Account overview.

MIcrosoft Azure sftp enable data migration access control iam tags data storage containers file shares queues tables networking access keys shared access signature encryption security geo replication.png

Click on Settings >> SFTP from the left side navigation pane. click + Add local user button. In the Username + Authentication tab provide Username, Authentication methods allowed for this user are SSH Password (You'll be able to retrieve your password once the local user has been added) and SSH Public Key enable them.

For SSH keys click + Add key source, Public key source Generate new key pair and provide Key/Key name.  Azure can automatically generate an SSH key pair and store it for future use. You can download the private key once the local user is added. The key pair will be created in the same resource group as this storage account. Click Next button.

In the Container permissions tab, specify container access and permissions, provide containers a name (click Create new to create one), in the docs provide permissions, I am giving permissions Read, Write, List, Create, Delete and Provide Home directory and click Add button.

Microsoft Azure SFTP blob add local user username authentication ssh password public key add key source storage account container permissions home directory add.png

Now in the SFTP you can view the user is added, copy the Connection string it contains username and sftp url location, in the Authentication method Click Regenerate to see SSH key password. After you close this dialog you won't be able to access the password again, so make sure to copy it and store it in place where it can be retrieved.

Microsoft Azure SFTP blob storage account username connection string authentication method container permissions secure with a password cors locks insights.png

Setup and configuration of SFTP on Azure with Storage Account PAAS service is complete. I am using winscp tool to connect SFTP service. The Session file protocol is SFTP, Host name is the connection string consist of storage account name with suffix blob.core.windows.net and port number. Provide user name prefixed with SA name and the  password copied, hit Login button. You will see SFTP host key message click Yes button to proceed.

Microsoft aZure winscp storage account enable sftp gen lake blob.core.windows.net file protocol sha algorithm md5 cache.png

Here I am logged in successful, I will copy a file from local drive (left side of commander view) to right hand side Azure SFTP.

Microsoft Azure test script sftp enable storage account blob. core.windows .net testscript.ps1 synchronize remote sftp connection secure ssh.png

To verify file is uploaded successfully, I can see inside the Storage Account Blob containers using Storage browser (preview option), inside the docs folder I see file exists.

Microsoft azure Storage browser preview blob containers docs sftp add directory ps1 files storage account enable sftp objects file shares queues tables networking access keys shared access signature encryption security.png

Useful Articles
Create and manage Azure budgets
Connect-AzAccount The 'Connect-AzAccount' command was found in the module 'Az.Accounts', but the module could not be loaded
Microsoft Azure Rest API using PowerShell
Microsoft Azure Rest API using PowerShell Part 2
How to switch to other Azure AD tenant using PowerShell and Azure CLI
Creating a new user in Azure AD using oneliner PowerShell and Azure CLI
Connect-AzureAD: One or more errors occurred. Could not load type 'System.Security.Cryptography.SHA256Cng'
Create key vault and secrets with access policies in Microsoft Azure
Working With Azure Key Vault Using Azure PowerShell and AzureCLI
Use Key Vault secret identifier url to get the secret value using Powershell
Use a Azure VM system assigned managed identity to access Azure Key Vault
Create Azure Key Vault Certificates on Azure Portal and Powershell
Export certificates from Azure Key Vault using PowerShell

Go Back



Comment

Blog Search

Page Views

8174620

Follow me on Blogarama