File and message exchange between companies has always been a struggle. Technically it is easy; when it comes to compliance, security and maintainability it is challenging.
The company I currently work for also struggles with this IT process. At the moment they have an IaaS VM running a (really) basic SFTP tool. The VM is exposed to the outside world on port 22. Although it is protected with an NSG (Network Security Group), you can imagine that this is a vulnerable situation.
Maintenance of this SFTP solution is done inside the VM's SFTP tool. The NSG is filled with a series of IP addresses for 'whitelisting' purposes. The initial setup was not quite future-proof, because nobody knows which customer/client is using which external IP address. The better solution would have been to create a rule per customer within the NSG.
A few months ago I was looking for a better, cloud-native solution for SFTP. But somehow Microsoft did not provide one; only third-party solutions were in the marketplace. I tried container instances with NGINX web interfaces; some were good, but most solutions did not check all the boxes, because I also want to store the credentials or SSH key pair in an Azure Key Vault, and I want to keep the files/home folders on a storage account instead of traditional server disks.
But on 24-11 Microsoft announced that they are going to support SFTP via the Azure Blob Storage service, which is great because it (almost :)) checks all the boxes.
Important
This feature is still in preview and only available in some regions. If you want to enroll in the preview you have to complete this form and request to join via ‘Preview features’ in the Azure portal.
In action
So when creating a new storage account, on the Advanced tab you can tick Enable SFTP.
You can see the "opt-in" option here. Go to your desired subscription > Preview features > Register for 'SFTP support for Azure blob storage'.
Now you can create your storage account. If you ticked Enable SFTP when creating the storage account you will notice that SFTP now appears under the Settings section of the storage account:
Azure Storage does not support SAS (Shared Access Signature) or Azure AD authentication for SFTP access. Instead you use an identity called a local user, which can be secured with an Azure-generated password, an SSH key pair, or both. Let's create one. I will secure it with both a password and a public key.
| Option | Guidance |
| --- | --- |
| Generate a new key pair | Use this option to create a new public/private key pair. The public key is stored in Azure under the key name that you provide. The private key can be downloaded after the local user has been successfully added. |
| Use existing key stored in Azure | Use this option if you want to use a public key that is already stored in Azure. To find existing keys in Azure, see "List keys" in the Azure docs. When SFTP clients connect to Azure Blob Storage, those clients need to provide the private key associated with this public key. |
| Use existing public key | Use this option if you want to upload a public key that is stored outside of Azure. If you don't have a public key but would like to generate one outside of Azure, see "Generate keys with ssh-keygen" in the Azure docs. |
Add local user
After you create the local user, a pop-up gives you the possibility to copy or store the password:
After you click Next you have the possibility to download the new key pair:
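The same setup scripted end to end, as an added example that is not part of the original post: it creates the SFTP-enabled storage account, a container used as home directory, a local user with both an SSH key (generated outside Azure with ssh-keygen, the "Use existing public key" option) and an Azure-generated password, parks the one-time password in Key Vault, and replaces the NSG IP list with storage account firewall rules. It assumes the Az.Storage and Az.KeyVault modules, OpenSSH's ssh-keygen on the PATH and an existing Connect-AzAccount session; every resource name, the customer IP and the vault name are placeholders, and the preview feature name is taken from the preview docs (not needed once the feature is GA).

```powershell
# Added example, not the original post's code. All names and IPs are placeholders.
$rg         = "rg-sftp-demo"
$account    = "stsftpdemo001"        # globally unique, lowercase
$location   = "westeurope"           # must be a region where the preview is available
$container  = "customer-a"           # home directory of the local user
$user       = "customer-a"
$customerIp = "203.0.113.10"         # customer's fixed egress IP (documentation range)
$vault      = "kv-sftp-demo"         # existing Key Vault

# 0. Preview opt-in (feature name assumed from the preview docs; skip once GA).
Register-AzProviderFeature -FeatureName AllowSFTP -ProviderNamespace Microsoft.Storage | Out-Null

# 1. Storage account. SFTP requires the hierarchical namespace (ADLS Gen2), so enable both.
New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 `
    -EnableHierarchicalNamespace $true -EnableSftp $true `
    -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false | Out-Null

# 2. Container that becomes the user's home directory.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
New-AzStorageContainer -Name $container -Context $ctx -Permission Off | Out-Null

# 3. Key pair generated outside Azure. ssh-keygen prompts for a passphrase; WinSCP can
#    use the private key after converting it to .ppk.
ssh-keygen -t rsa -b 4096 -f ".\$user" -C "$account.$user"
$pubKey = (Get-Content ".\$user.pub" -Raw).Trim()

# 4. Local user: rights limited to its own container (read, write, list), key and password
#    auth enabled, shared-key access disabled.
$scope  = New-AzStorageLocalUserPermissionScope -Permission rwl -Service blob -ResourceName $container
$sshKey = New-AzStorageLocalUserSshPublicKey -Key $pubKey -Description "$user workstation"
Set-AzStorageLocalUser -ResourceGroupName $rg -StorageAccountName $account -UserName $user `
    -HomeDirectory "$container/" -PermissionScope $scope -SshAuthorizedKey $sshKey `
    -HasSshKey $true -HasSshPassword $true -HasSharedKey $false | Out-Null

# 5. The password is shown exactly once; send it straight to Key Vault instead of a text file.
#    (.SshPassword is the property name documented for Az.Storage; check it on your module version.)
$pw     = New-AzStorageLocalUserSshPassword -ResourceGroupName $rg -StorageAccountName $account -UserName $user
$secret = ConvertTo-SecureString $pw.SshPassword -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name "$account-$user-sftp" -SecretValue $secret | Out-Null

# 6. Storage firewall: deny everything, then one rule per customer IP. This replaces the
#    NSG whitelist from the old VM and is visible per customer in the portal.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account -DefaultAction Deny -Bypass None | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange $customerIp | Out-Null

"Connect with: sftp -i .\$user $account.$user@$account.blob.core.windows.net"
```

Two points worth checking before handing this to a customer: the login name is `<storage-account>.<local-user>` (or `<storage-account>.<container>.<local-user>` to land in a specific container), and adding a second customer means one more Add-AzStorageAccountNetworkRule plus one more local user scoped to its own container, so one customer can never list another's files.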
Let’s test
I will use WinSCP. WinSCP is just a great tool and it can easily convert your private key into a .ppk file.
So enter your SFTP information:
In the advanced options pick the PPK file that will be used to connect.
And we’re in! Awesome. Let’s upload a file.
As expected the file is stored in the home folder of the local user. Really nice!
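The same test done without a GUI, as an added example that is not part of the original post: it pins the server's host key before the first connection, uploads a file with the OpenSSH sftp client that ships with Windows 10/11 in batch mode (so a failure exits non-zero instead of prompting), and then confirms from the Azure side that the file landed as a blob in the user's home container. It assumes the account, user and private key from the setup above; the resource group, file name and file contents are constructed placeholders.

```powershell
# Added example, not the original post's code. Placeholders throughout.
$rg        = "rg-sftp-demo"
$account   = "stsftpdemo001"
$user      = "customer-a"
$container = "customer-a"                        # the local user's home directory
$sftpHost  = "$account.blob.core.windows.net"
$login     = "$account.$user"                    # <account>.<localuser>; <account>.<container>.<localuser> also works

# 1. Host key pinning. ssh-keyscan alone is trust-on-first-use: compare the printed
#    fingerprint with the host keys Microsoft publishes for your region before going on.
$knownHosts = Join-Path $env:USERPROFILE ".ssh\known_hosts"
$hostKey    = ssh-keyscan -t rsa $sftpHost 2>$null
if (-not $hostKey) { throw "no host key returned for $sftpHost (firewall rule missing?)" }
$hostKey | Out-File -Append -Encoding ascii $knownHosts
$hostKey | ssh-keygen -lf -                       # prints the fingerprint to verify

# 2. Constructed sample file to upload.
"id,amount`n1,42.00" | Set-Content -Encoding ascii .\invoice-2021-11.csv

# 3. Batch script: with -b, sftp aborts on the first failing command.
@"
put .\invoice-2021-11.csv invoice-2021-11.csv
ls -l
bye
"@ | Set-Content -Encoding ascii .\upload.sftp

sftp -b .\upload.sftp -i ".\$user" -o StrictHostKeyChecking=yes "$login@$sftpHost"
if ($LASTEXITCODE -ne 0) { throw "SFTP upload failed with exit code $LASTEXITCODE" }

# 4. Server side: the upload is an ordinary blob in the home container.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
Get-AzStorageBlob -Container $container -Context $ctx |
    Select-Object Name, Length, LastModified
```

Because the upload is just a blob, anything that already works on the storage account (lifecycle rules, Event Grid triggers, Defender for Storage malware scanning, diagnostic logs) applies to files customers drop over SFTP as well, which is the main operational win over the old VM.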
It is still in preview, but I am enthusiastic about the simplicity and ease of setup. I am monitoring the progress of this feature closely and cannot wait until it is GA (generally available). With the firewall properly configured on the storage account it is a really secure SFTP solution with a low footprint, maintenance-wise.
For those who are also playing with this preview, please also keep an eye on the 'Known issues' page Microsoft launched.