In this solution I show how to publish through Azure Firewall an SFTP endpoint delivered by an Azure Storage.
The service is exposed by the Azure Firewall public IP.
Exposing an SFTP server through a firewall, rather than directly exposing it to the public, adds an additional layer of security. An Azure firewall can be configured to only allow certain types of traffic to pass through to the SFTP server, reducing the attack surface and making it more difficult for attackers to exploit vulnerabilities. Additionally, a firewall can monitor and log traffic, providing valuable information for detecting and responding to security incidents. It is generally considered a best practice to use a firewall to protect any publicly accessible server.
The scenario is deployed into a Hub and Spoke network topology context. Specifically, the virtual network that hosts the Azure Storage is different from the virtual network that hosts the Azure Firewall.
In this configuration, inbound SFTP traffic goes through both Azure Firewall, the peering, the spoke and finally the Azure Storage thanks to the private endpoint.
The resulting overall architecture is shown in the following schema.
Download a draw.io file of this architecture.
In order to apply this solution you have to deploy HUB playground only.
From Azure Portal go to Storage Accounts > Create:
Basic
- Storage account Name:
storage01 - Region:
west europe - Redundancy:
LRS
Advanced
- Hierarchical namespace:
Enable - SFTP:
Enable
Networking
-
Networking access:
disable public access -
Private endpoint > Add private endpoint
- Location:
West Europe - Name:
storage-01-pe - Storage sub resource:
blob - Virtual network:
spoke-01 - Subnet:
Services - Private DNS zone:
No
- Location:
-
click [Create]
From Azure Portal go to Storage accounts > storage01 > Containers > Create
- Name:
test-container-01
Click [Create].
From Azure Portal go to Storage accounts > storage01 > SFTP > Add local user
- username:
user01 - Authentication method:
SSH Password - Container permissiona
- Container:
test-container-01 - Permissions:
All
- Container:
click [Add] and copy the generated password.
Go to Azure Portal > Firewall Policies > Create:
Basic Tab
- Name:
hub-fw-policy - Region:
West Europe - Parent Policy:
Rules Tab
DNAT rules
| priority | collection name | rule name | src | port | protocol | destination | translated address | translated port | action |
|---|---|---|---|---|---|---|---|---|---|
| 1000 | coll01 | sftp | * | 22 | TCP UDP | x.x.x.x |
10.13.1.68 |
22 | Dnat |
Where:
x.x.x.xislab-firewallpublic IP10.13.1.68isstorage-01-pe's private IP.
Click [Create].
Associate the policy hub-fw-policy to lab-firewall via Firewall Manager
from internet, from your laptop:
C:>sftp [email protected]
ECDSA key fingerprint is SHA256:0WNMHmCNJE1YFBpHNeADuT5h+PfJ/jJPtUDHCxCSrO0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
[email protected]'s password:
Connected to [email protected].
sftp>
You can successfully connect with the sftp server.
- Azure Firewall DNAT rules.
- Azure Storage SFTP Support.
- Azure Private Endpont.