Adding to an already very feature rich Storage service family, Microsoft have FINALLY brought Secure FTP (SFTP) natively to Azure. Although Azure Storage offers an incredible feature set for modern, secure Blob data services (REST API, SDKs, etc.), there are still many times when there is a need for traditional secure FTP. While Secure FTP has been possible using third party solutions or by creating your own, it’s great to see the service now natively supported in Azure.
Public Preview
Although still in public preview at the time of writing (November 2021), and all the usual preview warnings apply, it is possible to set it up in your test / lab environments and have a play with the new service. There are a few pre-requisites you need to go through to get up and running. The first is you must complete this form and the second is you must enable the preview feature in the Azure portal.
Enabling a preview Feature
You can enable a preview feature using the ‘preview features’ blade on the subscription.
Setting up the storage account
Pre-requisites
Hierarchical Namespace
To get up and running with SFTP you will, of course, need a storage account. This storage account must use the hierarchical namespace, a feature Microsoft first introduced with the Azure Data Lake Storage Gen2 service a while ago. This feature can only be enabled during the creation of the storage account. Hierarchical namespaces allow files to be stored the same way as they are on your computer, in directories and subdirectories, without degrading performance. One thing to note is that hierarchical namespaces are extendable – different protocols can extend the service and SFTP is one of those protocols.
Regions
As is typical with the public preview phase, not all regions are supported. You will find the usual suspects on there: East US 2, West Europe, North Europe and eight others from across the globe:
- North Central US
- East US 2
- Canada East
- Canada Central
- North Europe
- Australia East
- Switzerland North
- Germany West Central
- East Asia
- France Central
- West Europe
Microsoft will, of course, add to this list as time goes on.
Your storage account
There are a few other considerations when creating your storage account such as the redundancy options. During the preview phase only LRS and ZRS are supported. You cannot use a redundancy type that uses any type of Geo redundancy. This makes sense with the limited regions supported at the moment. Your storage account must be GPv2 or a Block Blob storage account. Other account types are not supported. It’s also worth noting that you cannot enable Network File System (NFS) 3.0 and SFTP on the same storage account.
Access Control
Identities
Controlling access to SFTP is only possible through a new identity management feature called ‘local users’; in other words, you cannot use Azure AD identities. There is currently a limit of 1000 local users per storage account, but as this is in preview and shouldn’t be used in production this is likely OK for now. You can specify at each container level the access you want to give each local user.
Authentication
Each local user can authenticate with the Azure storage account using either an SSH key pair or a password. You can have both enabled for a local user, but only one will be used to authenticate. For example, if you have both authentication options enabled you cannot require a password AND the SSH key to create a 2FA effect.
Password
Azure creates a password for you and, as with other services, will only display it once. You need to ensure you copy the password before navigating away. You can easily regenerate the password if needed.
SSH Key Pairs
This is the more traditional approach to authentication using SSH. Azure stores the public key while you keep the private key locally on your client. You have the option of having Azure generate the key pair for you, using a key pair already stored in Azure, or providing the public key of a previously created key pair.
Permissions & Limitations
As mentioned above, permissions can be set at the container level. During the public preview, setting permissions at the directory level isn’t supported. Again, as this is preview and shouldn’t be used in production this is likely OK for exploring the service. As you would expect, you can set the usual permissions: Read, Write, List, Delete and Create.
These permissions can be set on up to 100 containers per local user.
Home Directories
This one caught me out at first (RTFM). Each local user can be assigned a Home Directory, the directory they are ‘attached’ to when they authenticate. This is optional; however, if you don’t set the Home Directory you MUST specify a container in the connection request, otherwise the connection attempt will fail.
Setting up the storage account:
Using PowerShell:
Unfortunately, at the time of writing, you cannot enable the SFTP feature on a storage account using PowerShell. You will notice that the official Microsoft documentation has the command:
Set-AzStorageAccount -ResourceGroupName "JH-Demo-SFTP" -Name jhdemosftp -EnableSftp $true
Set-AzStorageAccount is part of the Az.Storage module, but even when using the latest available PowerShell module, Az.Storage version 4.2.0 at this time, it doesn’t support that parameter. You will be greeted with the error:
Set-AzStorageAccount: A parameter cannot be found that matches parameter name 'EnableSftp'
You can use these commands to create the storage account, but you will need to complete the rest manually in the portal:
#First you will need to login to Azure:
Login-AzAccount
#Select your subscription:
Select-AzSubscription -SubscriptionName {YOUR SUBSCRIPTION Name}
#Register the SFTP feature:
Register-AzProviderFeature -FeatureName "AllowSFTP" -ProviderNamespace "Microsoft.Storage"
#Check if the SFTP feature is already enabled (RegistrationState should be Registered):
Get-AzProviderFeature -FeatureName "AllowSFTP" -ProviderNamespace "Microsoft.Storage"
#Create your Resource Group
New-AzResourceGroup -Name {RG Name} -Location {RG Location}
#Example - New-AzResourceGroup -Name "JH-Demo-SFTP" -Location UKSouth
# Create your storage Account. It must be GPv2 (-Kind StorageV2); the legacy BlobStorage kind does not support the hierarchical namespace.
# Pick a location from the preview region list above if you intend to enable SFTP on it afterwards.
New-AzStorageAccount -ResourceGroupName {RG Name} -Name {NAME - must be lowercase} -Location {LOCATION} -EnableHierarchicalNamespace $true -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot
# Example - New-AzStorageAccount -ResourceGroupName "JH-Demo-SFTP" -Name "jhdemosftp" -Location "UK South" -EnableHierarchicalNamespace $true -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot
ARM Template
You can however use this ARM template if you want to deploy with code. You can use this template to deploy a storage account with SFTP enabled into West Europe.
It will also create a local user and a container with the name of the user set as the home directory. You will just need to set the authentication method.
The permissions are set as Read, Write, List, Delete and Create – Full control in other words. You can change this within the template as needed:
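For anyone who wants to see what such a template looks like, here is one I have written as an illustration (it is not the template linked above): a GPv2 account in West Europe with hierarchical namespace and SFTP enabled, a container named after the local user that doubles as their home directory, and the full rwldc permission set on that container. Unlike the linked template it also fixes the authentication method to SSH key only; the storageAccountName and localUserName defaults come from this post, while the sshPublicKey parameter is my assumption.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string", "defaultValue": "jhdemosftp" },
    "localUserName": { "type": "string", "defaultValue": "joe" },
    "sshPublicKey": { "type": "string", "metadata": { "description": "OpenSSH public key line for the local user (assumed input)" } }
  },
  "variables": {
    "containerName": "[parameters('localUserName')]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-08-01",
      "name": "[parameters('storageAccountName')]",
      "location": "westeurope",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "isHnsEnabled": true,
        "isSftpEnabled": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2021-08-01",
      "name": "[format('{0}/default/{1}', parameters('storageAccountName'), variables('containerName'))]",
      "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" ]
    },
    {
      "type": "Microsoft.Storage/storageAccounts/localUsers",
      "apiVersion": "2021-08-01",
      "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('localUserName'))]",
      "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', variables('containerName'))]" ],
      "properties": {
        "homeDirectory": "[variables('containerName')]",
        "hasSshKey": true,
        "hasSshPassword": false,
        "hasSharedKey": false,
        "sshAuthorizedKeys": [ { "description": "workstation key", "key": "[parameters('sshPublicKey')]" } ],
        "permissionScopes": [
          { "service": "blob", "resourceName": "[variables('containerName')]", "permissions": "rwldc" }
        ]
      }
    }
  ]
}
```

The user then connects as jhdemosftp.joe with the matching private key; to drop Delete from the permission set, change "rwldc" to "rwlc".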
Connecting Using a SFTP Client
Now that you have your SFTP storage account set up and a local user created, you can use your SFTP client of choice; in my case I’m using FileZilla:
Note the username format, jhdemosftp.joe: it is the name of your storage account, a dot, then your local user name.
You could even use something like Power Automate Flow to connect the new SFTP directory to monitor for new files or to upload new files as required: