In this article, I will share with you how to deploy a secure (SFTP) service based on Azure Container Instance (ACI) and Azure File Shares.
SSH File Transfer Protocol (SFTP) is a network protocol used for secure file transfer over a secure shell. FTP/SFTP is still very common protocols used by many customers in several industries. Microsoft does not have a fully managed SFTP service in Azure yet, however, Amazon AWS has an SFTP as a service, and if you are purely an Azure customer, then this is obviously a less desirable solution.
Azure should have SFTP as-a-service, so it will be so much easy to implement rather than creating some IaaS VMs and enable FTP, because creating a VM based SFTP is costly and require high-maintenance. The user-voice is very active and many customers are requesting an SFTP as a service on Azure. Please add your vote here.
So if you are still want to deploy a secure FTP on Azure today, you still have couple of options as follows:
- Get a FileZilla Pro license and send the files to Azure blob storage, however, this is still an IaaS solution and not a full PaaS solution.
- Use third-party solutions such as GoAnywhere MFT, etc. OR,
- Use an Azure Container Instance (ACI) powered by an Azure File Share as a storage back-end for a less VM approach. This solution will be a good workaround for a cost-effective SFTP solution in Azure which is backed by durable persistent storage. ACI service is inexpensive and requires very little maintenance, while data is stored in Azure Files which is a fully managed SMB service in the cloud.
In this article, I will share with you how to deploy an SFTP service based on Azure Container Instance (ACI) and Azure File Shares.
Deploy SFTP Service on Azure
Microsoft has released two Azure ARM Templates to create an on-demand SFTP Service on Azure for two different scenarios:
- Scenario 1: Create a SFTP Service with a new Azure Files storage.
- Scenario 2: Create SFTP Service with an existing Azure Files storage.
This template creates on-demand SFTP server using an Azure Container Instance (ACI). It creates a Storage Account and a File Share via the Azure CLI using another ACI. This File Share is then mounted into the main ACI to provide persistent storage after the container is terminated. The container is Linux based. The beauty of this solution is, once you transfer/upload are completed, you can stop the ACI and the files will remain accessible. You can also delete/recreate the ACI and mount the same file share to copy more files.
Please note that the templates published by Microsoft above will create a (general purpose v1) storage account. To this end, I have updated the template here to support (general purpose v2) storage account type. Additionally, the price per GB for general purpose v1 and general purpose v2 storage account is the same. So why not use the latest Azure storage features.
Save the updated template on your machine and follow the short video below to deploy an SFTP service with a new Azure storage account and file share (Scenario 1).
Please take a note of the username and password during the deployment since you will need to use them to access the SFTP service in the next step.
Last but not least, copy the public IP address from the container group (sftp-group), and then connect securely to the SFTP service with your desired FTP client such as (FileZilla). Enjoy :)
The good news is, Microsoft is actively investigating to create a fully managed SFTP (PaaS) service on Azure, and would very much appreciated if you could help them understand more about what you and your customers need. To this end, they’ve created a survey, please take a minute and fill it out here: http://aka.ms/ftprequirements
Restrict Public IP Access
Now the SFTP service is publicly accessible from anywhere over a secure shell. You have a new requirements to whitelists specific IPs to connect to the SFTP service. In other words, you want to restrict access to the SFTP service in Azure and allow only a certain set of IP ranges.
What you could do is the following, you can implement a Network Security Group (NSG) on the subnet in Azure and then only allow Inbound communications from a specific public IP ranges. Now in order to use an NSG, you’ll need to deploy the Azure Container Instances (ACI) into a virtual network (VNET) as documented by Microsoft here. However, as noted in the “limitations” section there, Public IP isn’t supported in this scenario (Container groups deployed to a virtual network don’t currently support exposing containers directly to the internet with a public IP address or a fully qualified domain name), so you would need to proxy the connection through something else that would support the IP restrictions such as using an Azure Firewall for example. Hopefully the Azure Container Team will address that limitation in the near future.
So until Microsoft releases a fully managed SFTP as service, you can create an SFTP service based on Azure Container Instance (ACI) now, and then once the PaaS solution is available, you can switch and use the same Azure File Share. Your data will be intact.
That’s it there you have it!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.