How to Deploy a Secure FTP (SFTP) Service on Microsoft Azure


Updated on April 15, 2021

In this article, I will share with you how to deploy a Secure FTP (SFTP) service based on Microsoft Azure and Azure File Shares.

Updates

Based on readers’ feedback and comments, the SFTP deployment in Azure was updated with 6 new options as follows:

  1. Updated – 13/04/2021 – A new scenario was created to integrate the SFTP service with an existing Azure virtual network, so you can transfer files to SFTP over a private IP instead of a public IP address. This scenario is useful if you have a site-to-site VPN between your on-premises network and Azure, or if you need an SFTP service within your Azure environment and want to keep SFTP access private for added security. Please check the following section for more details on how to deploy that scenario.
  2. Updated – 10/04/2021 – A new scenario was created to address the feature most requested by readers: adding multiple users to the SFTP service, with a different file share mounted for each user. Please check the following section for more details on how to deploy that scenario.
  3. Updated – 01/02/2021 – A new scenario was created to limit who can upload files via SFTP. In this scenario, you use the container to upload files via SFTP from specific public IPs only for added security, and then access those files via a web service (HTTP/HTTPS) from anywhere. Please check the following section for more details on how to deploy that scenario.
  4. Updated – 11/11/2020 – A new scenario was created to cover authentication using SSH keys instead of usernames and passwords. Please check the following section for more details on how to deploy it.
  5. Updated – 06/10/2020 – The ARM Template has been updated to include the new file share access tier to reduce cost; you can now choose between Hot, Cool, or Transaction Optimized.
  6. Updated – 05/10/2020 – The ARM Template has been updated to mount the volume inside the container instance under the same name as the Azure file share. This is useful if you want a folder with a specific name for a particular project.

What would you like to see next? You are welcome to share your thoughts in the comment section below.

Introduction

SSH File Transfer Protocol (SFTP) is a network protocol for secure file transfer over a Secure Shell (SSH) connection. FTP/SFTP is still a very common protocol used by many customers across several industries. Microsoft does not have a fully managed SFTP service in Azure yet; Amazon AWS does offer SFTP as a service, but if you are purely an Azure customer, that is obviously a less desirable solution.

Azure should have SFTP as a service, since that would be much easier to implement than creating IaaS VMs and enabling FTP on them: a VM-based SFTP is costly and requires a lot of maintenance. The UserVoice request is very active and many customers are asking for SFTP as a service on Azure. Please add your vote here.

So if you still want to deploy a secure FTP on Azure today, you have a couple of options:

  1. Get a FileZilla Pro license and send the files to Azure blob storage; however, this is still an IaaS solution and not a full PaaS solution.
  2. Use a third-party solution such as SFTP on Files.com and integrate with Microsoft Azure blob storage. Files.com is a great solution that integrates seamlessly with Azure. Check the following step-by-step guide and see how to mount Azure blob storage on top of the FTP/SFTP service.
  3. Use an Azure Container Instance (ACI) with an Azure File Share as the storage back-end for a VM-less approach. This is a good workaround for a cost-effective SFTP solution in Azure backed by durable, persistent storage. The ACI service is inexpensive and requires very little maintenance, while the data is stored in Azure Files, a fully managed SMB service in the cloud.

In this article, I will share with you how to deploy an SFTP service based on Azure Container Instance (ACI) and Azure File Shares.

Deploy SFTP Service on Azure

Microsoft has released two Azure ARM Templates to create an on-demand SFTP Service on Azure for two different scenarios:

  1. Scenario 1: Create an SFTP Service with a new Azure Files share.
  2. Scenario 2: Create SFTP Service with an existing Azure Files share.

These templates create an on-demand SFTP server using an Azure Container Instance (ACI). The template creates a Storage Account and a File Share via the Azure CLI running in a second ACI. This File Share is then mounted into the main ACI to provide storage that persists after the container is terminated. The container is Linux-based. The beauty of this solution is that once your transfers/uploads are complete, you can stop the ACI and the files remain accessible. You can also delete and recreate the ACI and mount the same file share to copy more files.

Please note that the templates published by Microsoft above create a general purpose v1 storage account. For that reason, I have updated the ARM template to support the general purpose v2 storage account type, in addition to the improvements mentioned in the updates section. The price per GB for general-purpose v1 and general-purpose v2 storage accounts is the same, so why not use the latest Azure storage features?

Click on the “Deploy to Azure” button and follow the steps as shown in the video below to deploy an SFTP service with a new Azure storage account and file share (Scenario 1).

Deploy To Azure

Please take note of the username and password during the deployment since you will need to use them to access the SFTP service in the next step.

Last but not least, copy the public IP address from the container group (sftp-group), and then connect securely to the SFTP service with your desired FTP client such as (FileZilla). Enjoy :)

Restrict Public IP Access

Now the SFTP service is publicly accessible from anywhere over SSH. Suppose you have a new requirement to whitelist specific IPs that may connect to the SFTP service. In other words, you want to restrict access to the SFTP service in Azure and allow only a certain set of IP ranges.

What you could do is implement a Network Security Group (NSG) on the subnet in Azure and then only allow inbound communications from specific public IP ranges. However, to use an NSG you need to deploy the Azure Container Instances (ACI) into a virtual network (VNET) as documented by Microsoft here, and as noted in the “limitations” section there, a public IP isn’t supported in this scenario (container groups deployed to a virtual network don’t currently support exposing containers directly to the internet with a public IP address or a fully qualified domain name). So you would need to proxy the connection through something else that supports IP restrictions, such as an Azure Firewall. Hopefully, the Azure Container Team will address that limitation in the near future.

To restrict access to the SFTP service, please check the following section, where you enable an IP allowlist and co-locate Nginx as a front-end with SFTP in the back-end.

Restricted SFTP access with NGINX Reverse Proxy

NGINX is one of the most popular web servers in the world. Not only is NGINX a fast and reliable static web server, but it is also used by a ton of developers as a reverse proxy that sits in front of their APIs.

A reverse proxy server is a server that typically sits in front of other web servers in order to provide additional functionality that the web servers may not provide themselves.

For example, a reverse proxy can provide SSL termination, load balancing, request routing, caching, compression, or even A/B testing.

When running web and SFTP services in docker containers, it can be useful to run a reverse proxy in front of the containers so you can have more control over who can access your files and serve static content using Nginx for example.

In this section, I will share with you a useful and interesting scenario where you can use the container with SFTP to upload files from a restricted set of public IP addresses, and then use Nginx reverse proxy as a front-end to access those files securely via HTTPS.

The entire process is the following:

  1. Update the following Nginx.conf file with the public IP addresses that are allowed to upload files via SFTP. In this configuration, I have two ports: you connect via SFTP to the public IP on port 2222 (which is passed to port 22 of the SFTP container), and natively to port 80 with HTTP.
    user  nginx;
    worker_processes  1;
    
    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;
    
    events {
        worker_connections  1024;
    }
    
    http {
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        keepalive_timeout  65;
    
        #gzip  on;
    
        include /etc/nginx/conf.d/*.conf;
    
        server {
            root /mnt/sftp;
            listen 80;
            location / {
                autoindex on;
            }
        }
    }
    
    stream {
        server {
            listen 2222;
            proxy_pass localhost:22;
            allow add_your_public_ip_1;
            allow add_your_public_ip_2;
            allow add_your_public_ip_3;
            # Need this IP range for the ACI monitoring infrastructure
            allow 10.240.0.0/16;
            deny all;
        }
    }
  2. Upload the updated Nginx.conf file to an existing Azure file share (assuming you already have a storage account deployed in Microsoft Azure). This way, Nginx is configured automatically at runtime.
  3. Deploy the SFTP service using the ARM template (more on this in a bit).
  4. Connect using the public IP address or the container DNS (FQDN) via TCP Port 2222, then authenticate to the SFTP service using your favorite FTP/SFTP client (FileZilla), and upload some files.
  5. Access the SFTP Service using the public IP address or the container DNS (FQDN) from your favorite browser and enjoy!
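To show how the two containers fit together, here is the container group resource in ARM template form. This is an added example, not the template behind the “Deploy to Azure” button: it assumes the Nginx.conf above sits at the root of an existing file share (parameters nginxConfigShareName, nginxConfigStorageAccount and nginxConfigStorageAccountKey, declared in the enclosing template), uses a placeholder for the SFTP image and leaves out its image-specific environment variables (user, password or keys), and mounts the data share at /home/<user>/<share name> as in update 6. Both containers share the group’s network namespace, which is why proxy_pass localhost:22 reaches the SFTP container, and only ports 2222 and 80 are published on the public IP, so port 22 stays internal; mounting the config share over /etc/nginx also hides the official image’s bundled conf.d/default.conf, which would otherwise compete for port 80.

```json
{
  "type": "Microsoft.ContainerInstance/containerGroups",
  "apiVersion": "2019-12-01",
  "name": "sftp-group",
  "location": "[resourceGroup().location]",
  "properties": {
    "osType": "Linux",
    "restartPolicy": "Always",
    "ipAddress": {
      "type": "Public",
      "dnsNameLabel": "[parameters('dnsLabel')]",
      "ports": [
        { "protocol": "TCP", "port": 2222 },
        { "protocol": "TCP", "port": 80 }
      ]
    },
    "containers": [
      {
        "name": "nginx",
        "properties": {
          "image": "nginx:1.20",
          "resources": { "requests": { "cpu": 1, "memoryInGB": 1 } },
          "ports": [
            { "protocol": "TCP", "port": 2222 },
            { "protocol": "TCP", "port": 80 }
          ],
          "volumeMounts": [
            { "name": "nginx-config", "mountPath": "/etc/nginx", "readOnly": true },
            { "name": "sftp-data", "mountPath": "/mnt/sftp", "readOnly": true }
          ]
        }
      },
      {
        "name": "sftp",
        "properties": {
          "image": "PLACEHOLDER_SFTP_IMAGE",
          "resources": { "requests": { "cpu": 1, "memoryInGB": 1 } },
          "ports": [
            { "protocol": "TCP", "port": 22 }
          ],
          "volumeMounts": [
            {
              "name": "sftp-data",
              "mountPath": "[concat('/home/', parameters('sftpUser'), '/', parameters('fileShareName'))]"
            }
          ]
        }
      }
    ],
    "volumes": [
      {
        "name": "nginx-config",
        "azureFile": {
          "shareName": "[parameters('nginxConfigShareName')]",
          "storageAccountName": "[parameters('nginxConfigStorageAccount')]",
          "storageAccountKey": "[parameters('nginxConfigStorageAccountKey')]",
          "readOnly": true
        }
      },
      {
        "name": "sftp-data",
        "azureFile": {
          "shareName": "[parameters('fileShareName')]",
          "storageAccountName": "[parameters('storageAccountName')]",
          "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01').keys[0].value]"
        }
      }
    ]
  }
}
```

The Nginx container mounts the data share read-only, so the HTTP front-end can only list and serve what was uploaded over SFTP, never modify it.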

Click on the “Deploy to Azure” button and follow the steps as shown in the video below to deploy the SFTP service with a username and password authentication (for SSH keys authentication, check the next deployment option). The template will create a new Azure storage account and one file share, assuming that you have already uploaded the Nginx.conf file to an existing Azure storage account and file share.

Deploy To Azure

For SSH keys authentication, click on the “Deploy to Azure” button below to deploy the SFTP service with Nginx reverse proxy. The template will create a new Azure storage account and one file share, assuming that you have already uploaded the Nginx.conf file to an existing Azure storage account and file share.

Deploy To Azure

With this scenario, you use the container for SFTP to upload files from a restricted set of public IP addresses, and then access those files as static content via HTTP/HTTPS using the Nginx reverse proxy as a front-end.

Logging in with SSH keys

If you interact regularly with SSH commands and remote hosts, you may find that using a key pair instead of passwords can be convenient. Instead of the remote system prompting for a password with each connection, authentication can be automatically negotiated using public and private key pairs.

In this section, I will share with you another interesting scenario: logging in to and authenticating with your SFTP service based on Azure Container Instance (ACI) using SSH keys instead of passwords.

The entire process is the following:

  1. Generate your SSH (public/private) keys with OpenSSH: ssh-keygen -t rsa -b 4096 -f ssh_sftp_rsa_key
  2. Deploy the SFTP service using the new ARM template (more on this in a bit).
  3. Upload your public key (xxxxx.pub) to the Azure File Share where the SSH key will be stored (e.g. adminsftp).
  4. Restart the Azure Container Instance (sftp-group).
  5. Load the private key on your machine using (Pageant from PuTTY) for example.
  6. Connect using the public IP address and authenticate to the SFTP service using your favorite FTP/SFTP client (FileZilla) for example.

Click on the “Deploy to Azure” button and follow the steps as shown in the video below to deploy the SFTP service with a new storage account and two Azure file shares, one for the SFTP data upload, and the second one will be used to store the SSH public keys.

Deploy To Azure

Add multiple users for SFTP in Azure

In this section, I will show you how to add multiple users to the SFTP service, each with a different file share mounted, using public SSH key authentication instead of passwords.

We have two different possibilities:

  1. The first is to create one user per file share and map each user to the corresponding file share (1:1 mapping). In this option, we can use the same Azure Container Instance (ACI), one container only.
  2. An alternative would be a separate Azure Container Instance (ACI) per user; however, this option costs more money, and you want to make sure that you shut down the container instances when they are not in use to minimize the cost.

Please note that I won’t cover scenario 2 here to make sure we have an affordable SFTP solution in Azure.

Now the Pros and Cons for each option noted above:

  1. For the first option, you need to update the ARM template manually if you want more than three users: adjust the environment variables and then update the volume mounts section of the container to match the number of users, so this option is a more static approach. In this example, I will create three users, three Azure file shares for uploads, and three additional file shares for SSH keys (one per user), so that no user can see the other users’ public keys in the .ssh/keys folder (secure by design). Please note that the creation of the Azure file shares (upload folders and SSH key folders) is dynamic, so you don’t need to adjust this in the template.
  2. With the second option, however, we can leverage the dynamic copy element in the ARM template and create as many users as we want with multiple Azure Container Instances (one ACI per user).

The entire process for the deployment is the following:

  1. Generate your SSH (public/private) keys with OpenSSH for each user by using the following command: ssh-keygen -t rsa -b 4096 -f ssh_sftp_rsa_key
  2. Deploy the SFTP service using the new ARM template (more on this in a bit).
  3. Upload your public key (xxxxx.pub) to the Azure File Share where the SSH key will be stored for each user (e.g. sshkey-username) file share.
  4. Restart the Azure Container Instance (sftp-group).
  5. Load the private key on your machine using (Pageant from PuTTY) for example.
  6. Finally, connect using the public IP address and authenticate to the SFTP service using your favorite FTP/SFTP client.

Click on the “Deploy to Azure” button and follow the steps as shown in the video below to deploy the SFTP service with multiple users and multiple shares mounted for each user. In this example, I will be using SSH keys authentication instead of passwords.

Deploy To Azure

Please remember that if you change the number of users, the deployment will only take the first three users. You need to update the environment variables section as well as the volume mounts.

What about creating multiple users for one Azure File Share?

This is unfortunately quite a complex task, as the default behavior of the SFTP container is to force a separate folder for each user.

To get around this, you would need to create a new container image based on the existing one, and modify a few things:

  • sshd_config to change the ChrootDirectory to one of your choice rather than %h (i.e. each user home).
  • create-sftp-user script to create the directory of your choice and then ensure the correct permissions are set.
  • Change the ARM template to mount the Azure File share to this new directory.

That’s it, there you have it!

SFTP access over Private IP in Azure

In this section, I will show you how to deploy the SFTP service in Azure and integrate it with your existing virtual network.

The entire process for the deployment is the following:

  • Deploy the SFTP service using the new ARM template (more on this in a bit).
  • Specify your existing virtual network name.
  • Specify your existing resource group name where the virtual network is created.
  • Enter a new subnet name and address prefix in CIDR format (e.g. 10.71.11.0/24). In this step, I create a new subnet dedicated to Azure Container Instances, because Azure delegates the subnet to Azure Container Instances, so only container groups can be deployed to it. You can also deploy additional container groups to this subnet in the future, and you can attach a Network Security Group (NSG) to the subnet to only allow inbound communications from specific private IP addresses.
  • Finally, provide a username and password for the person or the application that needs SFTP access. Please note that you can also use SSH keys for authentication (please check this section for more details).
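As an added example (not the article’s template), here is the delegated subnet and NSG part of that step in ARM form, to be deployed into the resource group that holds the existing virtual network: vnetName, subnetName and subnetPrefix are assumed parameters, and the ranges in allowedSourcePrefixes are constructed sample values. The allow rule admits port 22 only from those ranges, and the deny rule directly below it blocks port 22 from every other source while leaving the NSG default rules untouched.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetName": { "type": "string" },
    "subnetName": { "type": "string", "defaultValue": "sftp-aci-subnet" },
    "subnetPrefix": { "type": "string", "defaultValue": "10.71.11.0/24" },
    "allowedSourcePrefixes": {
      "type": "array",
      "defaultValue": [ "10.71.1.0/24", "192.168.10.0/24" ]
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "sftp-aci-nsg",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "Allow-SFTP-From-Approved-Ranges",
            "properties": {
              "priority": 100,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourceAddressPrefixes": "[parameters('allowedSourcePrefixes')]",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "[parameters('subnetPrefix')]",
              "destinationPortRange": "22"
            }
          },
          {
            "name": "Deny-SFTP-From-Other-Sources",
            "properties": {
              "priority": 200,
              "direction": "Inbound",
              "access": "Deny",
              "protocol": "Tcp",
              "sourceAddressPrefix": "*",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "[parameters('subnetPrefix')]",
              "destinationPortRange": "22"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2020-11-01",
      "name": "[concat(parameters('vnetName'), '/', parameters('subnetName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'sftp-aci-nsg')]"
      ],
      "properties": {
        "addressPrefix": "[parameters('subnetPrefix')]",
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'sftp-aci-nsg')]"
        },
        "delegations": [
          {
            "name": "aci-delegation",
            "properties": {
              "serviceName": "Microsoft.ContainerInstance/containerGroups"
            }
          }
        ]
      }
    }
  ]
}
```

Because the explicit deny sits at priority 200, it is evaluated before the default AllowVnetInBound rule, so other subnets in the same VNet cannot reach port 22 unless their prefix is in allowedSourcePrefixes.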

Click on the “Deploy to Azure” button below and fill in the details as shown in the figure below.

Deploy To Azure

SFTP access over Private IP in Azure

Once the deployment is completed, you can see the container group is running on a private IP address as shown in the figure below.

Azure Container Instances over Private IP

Last but not least, copy the private IP address from the container group, and then connect securely to the service with your desired SFTP client such as (FileZilla, or WinSCP). Enjoy :)

Summary

In this article, I showed you how to deploy an SFTP service based on Azure Container Instance (ACI) and Azure File Shares in two different scenarios. However, if you want to deploy a secure FTP with Azure blob storage without using containers, then you can create an SFTP service based on Files.com today, and then sync your data to Microsoft Azure blob storage. This is a great solution because your data can be mounted directly or synced to/from Microsoft Azure, thus reducing additional storage costs.

The good news is, Microsoft is actively investigating to create a fully managed SFTP (PaaS) service on Azure, I will update this article as soon as I can share what’s coming. Please stay tuned!

Microsoft had opened a survey to collect customer feedback and use cases (http://aka.ms/ftprequirements); please note that this survey has recently been closed.

So until Microsoft releases a fully managed SFTP as service, you can create an SFTP service based on Azure Container Instance (ACI), and then once the PaaS solution is available, you can switch and use the same Azure File Share. Your data will be intact.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

43 thoughts on “How to Deploy a Secure FTP (SFTP) Service on Microsoft Azure”

  1. Great solution, thanks for that! 2 Quick questions from a linux noob – Can I create additional users who have access to that same upload folder? or better how could I make use of AAD to control access – or combination of both

  2. Thanks David for the comment!

    This is unfortunately quite a complex task, as the default behavior of the container is to force a separate folder for each user.
    To get around this, you would need to create a new container image based on the existing one, and modify a few things in there.
    For the use of AAD to control access… this isn’t something that’s natively possible at the moment. There’s a VM extension that has been in Preview for years, but I’m not sure what the future of that one is.

    Thanks!

  3. Thanks for the detailed outline, which I was looking for for my presentation; we are planning to move to Azure soon, but the SFTP part of the solution was not really clear. Even though I have asked Microsoft so many times how this can be achieved without a 3rd party or IaaS solution, they told me that it will be done via Data Factory, which does not make much sense really; I didn’t see that DF can do what an SFTP server is capable of.
    Question for you: what’s the missing part of using ACI rather than having SFTP as a service? Can you add on this? Thanks again

  4. Thank you Daniel for the comment!
    There is no missing part of using ACI, the container is running a Linux version listening on SSH port 22 which then mounts the Azure File Share in the back-end!
    SFTP service alone is not yet available in Azure, the ACI is playing the role of the front-end service endpoint.
    If you don’t want to use ACI, I have a better solution for you here:
    https://charbelnemnom.com/deploy-an-sftp-service-on-files-com-and-integrate-with-microsoft-azure/
    You can leverage Files.com and mount Azure Blob Storage in the back-end and access it with SFTP/FTP (no data will reside in Files.com)
    Thanks!

  5. Thanks Charbel for the fast reply. I’m more focusing on Azure stand-alone solutions; ACI will work for now until Azure comes up with SFTP as a service. I’m dealing with inbound and outbound connection initiation to SFTP; limiting with an IP whitelist to the container will work for access. Since I’m planning to apply for gov cloud, using a 3rd party solution is very titend to get approval, but as you mention Files.com, SFTP gateway, a lot out there, most of them also require running a VM (cons: cost will be high). Thanks again, great article.

  6. Thanks Charbel for the wonderful solution. How can we use a public/private key instead of a username and password for authentication?

  7. Hello Sam,
    Thank you for the feedback!
    Please note that I have updated this guide to include a new scenario where you can deploy the SFTP service with SSH keys instead of username and passwords.
    Please check it here and let me know how it works for you.
    Thanks!
    -Charbel

  8. Hello!

    Thank you for the awesome demo.

    I have a question about the SSH setup. I followed your steps and deployed a ACI. I also generated a SSH key pair on my laptop.

    However, my confusion lies somewhere in the later steps (steps 5-6). I uploaded the public key to the file-share (as it is, not in any hidden folder) and restarted the Instance. However, before performing step 5, I wanted to test my connection. So, on FileZilla, I entered the host name, user name & password, but did NOT upload the private key file. However, it still connected. I uploaded the private key file (through FileZilla) and the same result was produced. My concern is that the host should not even allow a connection from the client that does not have the private key. What should I do or what I have done wrong?

    Note: unlike the demo video/GIF which creates a new resource, I used the option to use existing resources. I also understand I may not have given all details necessary, so if you require any other detail please ask me!

    Thank you in advance! :)

  9. Thanks Varun for the comment!
    Please note that if you deployed a new ACI following my SSH template scenario, there is no Password to enter during the deployment.
    Which template did you use? if you followed the existing Azure File share (Scenario 2) here, then this won’t work because this template only accept username and password as authentication. Which existing resources do you have already (storage account and file share)?
    If you want to test the SSH scenario, please click Deploy to Azure in this section Logging in with SSH keys.
    I need to address your scenario in an upcoming update for SSH Setup with existing Azure File Shares.
    Hope that helps!
    Best,
    -Charbel

  10. Hey Charbel,

    Thank you so much for the clarification. I think I should be able to manage that.

    However, my next question is if it’s possible to make the .ssh folder a hidden folder. When I connect through FileZilla the .ssh folder shows up, but is it possible to completely hide it. (the client should not be able to see it at all).

    Another question I have is what would you recommend the best method for having multiple users (different volumes)?

    This website has been a saviour and I absolutely love your template! Thank you so so much again!!

  11. Hello Varun,
    I think that the .ssh folder requires very specific permissions, so it will always need to be readable by the user.
    By default any folder starting with a (.) will be hidden in Linux, but is probably shown by default in FileZilla.
    Could you please try a different FTP/SFTP client and check?
    For the second question, what I can think of that you need to have a different Azure File share(s) per user: one for each SSH public key, with the appropriate mappings in the ARM template.
    Hope this helps!
    -Charbel

  12. Hi Charbel.

    Thank you so much, I believe I have figured it out.

    I do have a few more questions I would want to ask you. Do you know how add multiple users for the SFTP in different File Shares?

    Thanks in advance,
    – Varun Sampat

  13. Yes, I know how to add multiple users for the SFTP in different file shares.
    This is out of scope of this guide.
    If you are interested to have that as a project, please ping me privately here.
    Thanks!

  14. Hello,
    Can we create more users with different access level?

    ET

  15. Do you mean for (Read, Write, Modify/Delete)?
    This could be achieved using the Linux directory/file permissions.
    Yes, you can create more users and do the appropriate mapping (user => File share).

  16. Great article and followup questions. Do you have a recommendation on how best to assign a static IP to the SFTP ACI? Or, would it be better to have this behind an Application Gateway?

  17. Hello Travis,
    Thank you for the feedback.
    The best way to assign a static IP address to the SFTP ACI is to use Azure Application Gateway.
    Application Gateway will cost additional money to the SFTP service, just keep that in mind.
    Hope this helps.

  18. Thanks Travis,
    No, I don’t have that deployment scenario on my site yet.
    I will consider it for 2021.
    Happy New Year!

  19. For the above service of SFTP server I want to create multiple users with different folder level permissions in the storage account. From the portal we can create only 1 user account. Also in which region is this service supported. Please let us know.

  20. Hello Syed,
    You can deploy the SFTP service following this article in any Azure region.
    You can create multiple Azure File Shares and assign each one for a specific user.
    You need to update the template to match your requirements.
    Hope this helps!

  21. Hello dear, do you know any way to implement a web service to access these existing files via HTTPS? I will use the container with SFTP only to upload files, but I need to implement an HTTPS service to be able to access the files. I would appreciate your guidance. Thank you very much for the article, it is very helpful.
    Regards.

  22. Am I correct that if I wanted to have the Nginx / SFTP solution work entirely with port 22, one would just change the Azure template and nginx.conf file’s 2222 entries to 22?

  23. Hello Bill,
    Yes correct, you would need to update the template and nginx.conf file’s from port 2222 entries to 22.
    I would recommend using a different port for security purposes. For this reason, I selected a different port.
    Thanks!

  24. I did some more testing and found that i can’t use the Nginx container to map Internet port 22 to the SFTP container’s port 22. I’ve temporarily switched things back to port 2222 externally, but it would be nice to find a simple way to have the Nginx/SFTP solution advertise port 22 to the Internet

  25. Hello Bill, here is a quick update:
    Please note that since the SFTP container is listening on port 22, you can’t have nginx listening on the same port. However, you could modify the SFTP container to listen on 2222 instead, and then you could expose port 22 via nginx to the Internet.
    Hope this helps!

  26. Hello again–I’ve got most things working, but my testing indicates that the strategy of including Allow public IP addresses does not work. IP addresses that are NOT one of the Allow entries can still access the SFTP server on the back end. The log files on the Nginx Container show that Azure is NAT’ing all public IP addresses to one of the private IP addresses in the CIDR block that’s included in the Allow list.

    Essentially, it seems that an Azure Nginx Container does not get access to the public IP addresses for any of its Azure traffic. Therefore, it can’t white list them.

    Thoughts?

  27. Hello Bill, thanks for your comment. Yes, you are right. I saw the same thing here.
    After investigating, I found out that the Azure Container Instance is not preserving the client IP address. You can read about it here.
    I am checking with the team to see when they will support preserving the client IP address so we can filter incoming public IP addresses.
    Hope this helps!

  28. Hello Charbel,
    It’s really a great article, Thank you for posting it.
    I came across a scenario where the storage account used for the SFTP got deleted, and I would like to update the storage account details in the existing container. Is it possible to update?

  29. Hello Uday, thanks for the comment. Yes, it’s possible to update the existing container and use a new storage account/file share. You can update it by passing the new storage account/file share using the same ARM template. The template should pick up the keys from the new storage account.
    I would recommend protecting your storage account from deletion by either using Azure Files soft-delete as described here, or set a resource lock on the storage account level.

  30. Hello Charbel,
    Great article, thank you for posting it.

    However I have encountered a difficulty and I would like to know if there is a solution or if you have come across this.

    After creating all the resources in Azure through the provided template, I configured the SFTP in FileZilla to access it and I can also copy files from my machine via SFTP to be saved in the Storage File service. As a security measure I enabled the Firewall of the Storage Account, thus restricting access only to the container IP and my public IP so that no other access can be made to Storage; however, after that the connection in FileZilla is closed and when trying to access and copy files, an access failure is generated.

    Would you know if this solution using a firewall on Storage would be possible?

    Is there any way I can restrict access to this SFTP to just a few IPs?
    I saw that in the article you proposed a restriction only to containers but for Storage, is there anything keeping the communication between container and storage?

  31. Hello Eliaquim, thanks for the comment, and great question. The public IP for the container instance is not static; it’s dynamic. If you remove the storage firewall, does it work again?
    Please check the current container public IP and the one you just set in the storage firewall; is it the same?
    The best way to assign a static IP address to the SFTP ACI is to use Azure Application Gateway, NAT Gateway, or Azure Firewall which will cost additional money to the SFTP service, just keep that in mind.
    To keep the communication between container and storage, you could launch ACI inside a virtual network, and then use a Service Endpoint on your Storage Account down to the ACI subnet. Or you could assign a Private Endpoint for the Storage Account in the same virtual network as the ACI and connect via that. However, at the time of this writing, Microsoft does NOT support the combination of Public IP + vNet integration just yet. Hope this helps!

  32. Hi Charbel,

    Thanks for the quick response.

    Answering your questions: yes, if I have the Storage Firewall configured for All Networks (disabled), the SFTP solution works perfectly; however, when configuring it for Selected Networks and associating the ACI IP in the Storage Firewall, the solution stops working and I cannot upload any file to Storage.

    The case here is not to restrict access to SFTP itself but to Storage, so that no extra access is made to write data to Storage, generating higher costs, and so that only the right people are guaranteed access.

    Unfortunately, today the Storage service does not have ACI as a trusted service, so I understand that even if I associate the public IP of the ACI with Storage, this connection could have failures, as happened in the tests I performed with the Firewall enabled.

    To try to come up with a new approach, I noticed that when creating a single ACI it is possible to create it as Private; with this it will create a VNET and a private IP for the ACI. However, in the template, I am not able to change it so that I can create it as private, so I would try to associate this VNET with Storage to see if the connection through a VNET would be possible.

    Do you know if it would be possible to generate a template to create ACI as Private or what exactly should be changed in this template for this new approach?

    I followed the steps to create it with a private IP, but I am not able to connect to the ACI private IP through FileZilla. I will try to look at this more calmly to see if I can associate the VNET with Storage and thus ensure data transfer.
    https://charbelnemnom.com/how-to-deploy-sftp-service-on-microsoft-azure/#SFTP_access_over_Private_IP_in_Azure

    I thank you for your attention and help.

  33. Hello Eliaquim, thanks for the details. Yes, the idea is clear here for restricting storage access to ACI only for added security. You can use other methods to restrict access to storage accounts, such as disabling shared access keys and joining the storage account to Azure AD.
    Unfortunately, there isn’t a great option here currently: a static public IP won’t work if the ACI and Storage Account are in the same region, as Storage will see a private IP for the ACI. And for the private IP scenario, that would work, but Microsoft does NOT support the combination of a public IP and virtual network integration just yet; you could put the ACI behind e.g. an Azure Firewall for the public IP, but that only makes sense as part of a wider deployment rather than something in isolation. The scenario that I added to deploy ACI in a private network here would work if you have a site-to-site VPN, a point-to-site VPN, or are trying to access the SFTP within your Azure virtual network without storage restriction, and it won’t work from a public IP. I have that scenario deployed in production and it’s working as expected. Please note that the private IP that the Storage Account sees is actually related to the underlying hardware node on which the ACI is running, which is definitely subject to change; this is by design, so it won’t work. Hope this helps!

  34. Hello Charbel, thank you for this really interesting article.
    I used the template “Logging in with SSH keys”. I generated my public/private keys using PuTTYgen and uploaded the .pub to the file share… Everything seems OK, but I can’t connect to the SFTP with FileZilla! Is there any particular thing I may have missed?
    One more question: the basic one works (user/password). But I want to secure access to the storage account. I added a networking policy (only authorizing some public IPs) and, of course, the ACI doesn’t have access anymore. Is there a way to do that? Using a private storage account…
    Thank you

    Loïc

  35. Hello Loïc, thanks for the comment. Have you checked my video in the Logging in with SSH keys section?
    I understand that you generated the public/private keys with PuTTYgen. Did you load the private key on your machine using (Pageant from PuTTY), for example, and then try to connect?
    As I mentioned in a previous comment here, unfortunately there isn’t a great option yet to use a private storage account: a static public IP won’t work if the ACI and Storage Account are in the same region, as Storage will see a private IP for the ACI. And for the private IP scenario, that would work with private storage, but Microsoft does NOT support the combination of a public IP and virtual network integration just yet; you could put the ACI behind e.g. an Azure Firewall for the public IP, but that only makes sense as part of a wider deployment rather than something in isolation.
    Hope this helps!

  36. Thanks Charbel for your quick reply :) .
    1- About SSH: I didn’t use Pageant, but in FileZilla I used the “key file” option and configured my .ppk file. I thought it was supposed to work like this, no?
    2- Yes, it is something in isolation… I think I have to find another way to offer an SFTP service to our partner!
    Anyway, many thanks!!! Really nice and exhaustive article!

  37. Great articles.
    I am looking for a solution to restrict SFTP access in Azure ACI.
    However, when I check the log of the SFTP container, it keeps showing something like this.

    Did not receive identification string from ::1 port 37282
    Did not receive identification string from 127.0.0.1 port 55026

    Similar log lines repeat endlessly.

  38. Could you please clarify more about restricting SFTP access in Azure ACI?
    What would you like to achieve?

  39. First off, I am no ACI expert, so bear with me a bit.

    Regarding the access restriction, I want a range of IPs to be able to access my SFTP, not all IPs. So your reverse proxy works fine for me.

    However, my issue here is with the SFTP container. The container seems to be probed constantly. I guess that comes from Azure. So I want to get rid of that probing because:
    – From my understanding, that port probing keeps my container active, so I will be charged constantly.
    – My cyber security team does not like being probed on port 22.

    Did you get a log similar to my previous reply from your SFTP container?

  40. Please note that the container will always be running for SFTP; it’s not set to run on demand. How would the user be able to access it if it’s not running?
    The policy is set to restart on failure, not never. If you look in the Containers blade in ACI (portal), you will see the container state is Running. The price is cheap for the running container (2 vCPU + 1 GB RAM = $35.4780 per vCPU and $3.8909 per 1 GB per month). You could try with 1 vCPU instead of 2 and see if it works for you.
    In my deployment, I don’t see a similar log that you noted here:
    Did not receive identification string from ::1 port 37282
    Did not receive identification string from 127.0.0.1 port 55026

    For the IP Public access restriction, after extensive testing, I found out that the Azure Container Instance is not preserving the client IP address. You can read about it here.
    As of today, Microsoft does not support the combination of Public IP + virtual Network Integration just yet; you could put the ACI behind e.g. an Azure Firewall for the Public IP, but that only makes sense as part of a wider deployment rather than something in isolation for SFTP only.
    Check this scenario if it works for you (SFTP access over Private IP).
    Hope this helps!
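
The log lines quoted in this exchange name ::1 and 127.0.0.1 as the source, and both are loopback addresses: a connection logged from them was opened inside the container's own network namespace, not by anything on the Internet. As an added example (not code from the original post), the POSIX shell script below groups sshd connection attempts by source address and separates loopback sources from private and public ones, so that a reviewer can tell whether "probing" is local noise or something external worth blocking; the sample log is constructed, with the first two lines copying the format quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd connection attempts
# by source address and class. ::1 and 127.0.0.0/8 are loopback, so a "Did not
# receive identification string" line from them was opened inside the container
# itself, not by an Internet scanner; anything else deserves a closer look.
set -eu

# Constructed sample log; the first two lines copy the format quoted in the thread.
SAMPLE_LOG='Did not receive identification string from ::1 port 37282
Did not receive identification string from 127.0.0.1 port 55026
Did not receive identification string from ::1 port 37290
Did not receive identification string from 203.0.113.45 port 51000
Invalid user admin from 203.0.113.45 port 51002
Did not receive identification string from 10.10.1.7 port 40012'

# classify_addr ADDR -> loopback | private | public
classify_addr() {
  case "$1" in
    ::1|127.*)                                                  echo loopback ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|fc*|fd*) echo private ;;
    *)                                                          echo public ;;
  esac
}

# summarize_probes < sshd-log -> lines of "<class> <addr> <count>", busiest first.
# Any sshd line of the form "... from <addr> port <n>" counts as one attempt.
summarize_probes() {
  awk '/ from [^ ]+ port [0-9]+/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (a in n) print a, n[a] }' |
  while read -r addr count; do
    printf '%s %s %s\n' "$(classify_addr "$addr")" "$addr" "$count"
  done | sort -k3,3nr -k2,2
}

# external_attempts < sshd-log -> number of attempts that did not come from loopback
external_attempts() {
  summarize_probes | awk '$1 != "loopback" { n += $3 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_probes
printf 'non-loopback attempts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | external_attempts)"
```

Feed it the container's sshd output (for example the log returned by `az container logs`) instead of SAMPLE_LOG; if every line comes back classified as loopback, no firewall in front of port 22 will make the messages go away, whereas a public source with a high count is the case where an IP restriction in front of the container is worth pursuing.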
