Recently I’ve been trying to connect to a On-Premises SFTP server using a SSH public-private keypair but I was having issues with Key Vault. Because of security restrictions at my client, I was having a hard time trying to understand what was the real problem. So the best way to see at the code-level what was happening was to have a local SFTP server that I could try out since I couldn’t at my client.
So I thought it was a good time to try the new feature in the Storage Account where you can enable SFTP on it.
In this post I’ll show how to do the the Storage Account configuration. How I managed to do the KeyVault to host the SSH keypair and use it in my code I’ll show that in another post. Please be aware that this feature is still in Preview and it’s not available in all regions.
The Microsoft documentation about it is here https://docs.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support and here Connect to Azure Blob Storage using SFTP (preview) | Microsoft Docs.
Setup Storage Account
The first thing we need to do is to create the Storage account and enable the SFTP on it. But before doing that, we need to enable the following setting in the subscription where the storage account will be managed. To do that go to your subscription, click on Preview features and search for SFTP support for Blob Storage and enable it as the picture below shows it.
After that is done, the Enable SFTP checkbox will be available for you to check it. You need to enable first the Enable hierarchical namespace setting.
After that is done, proceed with the creation of the storage account as usual based on the remaining pages for network, encryption and so on.
After the creation of the storage account is complete go to the overview page and click on the SFTP settings as below:
The users page will open up and you can start creating the users for this SFTP server.
When adding a new user it can be a simple user and password or you can also enable SSH key pair on it.
Setup user with password
For creating a user with only the password you need to specify the username and the password, and also the kind of access this user will have as below:
After the user is created record the the password generated because you will not have access to it after that. You can only regenerate a new one.
Please be aware that the configuration of the user above will create the container, but not the directory test, so you need to do this step manually before trying to connect to it.
Now that we have the user created let’s connect to the SFTP location and copy a file into it.
For this test I’m using WinSCP. To create the connection go to Session, New Session and specify the following settings on it where Host name is the location of the storage account, username is the name of the storage plus the username. Paste the password you copied during the creation of the user and you need to specify the remote directory you will connect otherwise it will fail. Specify the same value we did on the creation of the user.
After the connection is successful you are able to access the storage account through the SFTP protocol and copy files to it as the picture below shows:
Setup user with SSH keypair
Another way to connect to this SFTP is through the use of SSH key pairs. You can create a new SSH key or import an existing one you may already have. For simplicity I’m generating a new one for this post.
You can create a new user or change an existing one to have a SSH associated to it.
To connect to it through WinSCP you specify the host name and user name but this time we are not using password, only the SSH key. So, you need to go to the advanced settings and specify the location of the key that you download during the creation of the user and don’t forget to specify the directory to connect.
You can also enable both password and SSH on the user, so it will have a two-factor authentication on it to improve security.
This SFTP will be used quite a lot in several scenarios due to the simplicity of the configuration and allow clients that normally just had to deal with SFTP so far to use Azure Storage Accounts from now on without having to change the way they are used to do file transfers.
Hope you guys enjoy the post as it has been some time that I did one. I’ll post about how I used Key Vault to use SSH keys to access SFTP servers in the next couple weeks, so stay tunned.