I'm currently working on a project that's implementing Azure SFTP service for a storage account meant for external clients. I want to avoid making the storage account accessible to all networks and minimize the hassle of using a firewall with a bunch of whitelisted IPs. Has anyone had real-world experience setting up SFTP this way? My past setups allowed for open network access, but I'm looking for a more secure approach this time.
3 Answers
Have you considered using Couchdrop? It's another option to manage these file transfers more easily without being too tied to Azure.
I tried using Azure SFTP for automated data uploads, but I hit some walls. The biggest issue was that I needed private subdirectories for client uploads, but Azure's solution doesn't have an equivalent to UNIX's chroot to keep users confined to a directory. I ended up having to use a Linux VM instead for that flexibility.
Thanks for sharing! We're definitely going to test it out first to see if it meets our needs. I'm aware that Azure SFTP lets us create local accounts with specific directory settings.
I recommend setting up a firewall. It's crucial to restrict access properly, so even if it may feel like extra effort, it's worth it in the long run. You'll want to ensure that only the necessary traffic gets through.
I appreciate the advice! We have some NVAs already, so we're planning to route external SFTP traffic through those to avoid compromising the storage account.
Alternatively, you might look into using RBAC for access control with SSH keys or complex passwords instead of a firewall. This way, you won't need to deal with public endpoint whitelisting. It's similar to managing a DMZ.
Thanks for the suggestion! They prefer to keep things native to Azure, but I’ll look into Couchdrop if we run into issues.
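Added example, not code from anyone in the thread: a small shell script that provisions Azure SFTP the way the answers above describe, one local user per external client, confined to that client's own container with only an SSH key (no password, no shared key), plus the storage-account firewall set to deny by default with an explicit allow rule. Azure SFTP has no chroot, so the container named in the user's permission scope is the confinement boundary; the script creates a container per client for that reason. The resource group `rg-sftp`, account `stsftpclients`, client name, container name, key and IP are constructed placeholders. By default it only prints the `az` commands (`DRY_RUN=1`); set `DRY_RUN=0` with a logged-in CLI to run them, and check the flag names against your installed `az` version.

```shell
#!/bin/sh
# Added example (not from the original thread). Provisions per-client Azure SFTP
# local users and locks the account firewall to deny-by-default.
# Assumptions: the storage account already exists with hierarchical namespace
# enabled (required for SFTP; it is set at account creation), and `az` is
# installed and logged in when DRY_RUN=0. Names below are placeholders.

RG="${RG:-rg-sftp}"               # hypothetical resource group
ACCOUNT="${ACCOUNT:-stsftpclients}" # hypothetical storage account
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands only, 0 = execute

# run_cmd prints the command line (dry run) or executes it as given.
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Turn on the SFTP endpoint for the account (idempotent).
enable_sftp() {
  run_cmd az storage account update \
    --resource-group "$RG" --account-name "$ACCOUNT" \
    --enable-sftp true
}

# Deny all networks by default, then allow one client source address.
# The address 203.0.113.10 is a constructed TEST-NET value.
lock_down_network() {
  allow_ip="${1:-203.0.113.10}"
  run_cmd az storage account update \
    --resource-group "$RG" --name "$ACCOUNT" \
    --default-action Deny
  run_cmd az storage account network-rule add \
    --resource-group "$RG" --account-name "$ACCOUNT" \
    --ip-address "$allow_ip"
}

# One client = one container + one local user whose only permission scope is
# that container (rwl = read, write, list). The home directory sits inside the
# same container, so the user cannot reach any other client's data.
provision_client() {
  client="$1"; container="$2"; pubkey="$3"
  run_cmd az storage container create \
    --account-name "$ACCOUNT" --name "$container" --auth-mode login
  run_cmd az storage account local-user create \
    --resource-group "$RG" --account-name "$ACCOUNT" \
    --user-name "$client" \
    --home-directory "$container/uploads" \
    --permission-scope "permissions=rwl service=blob resource-name=$container" \
    --ssh-authorized-key "key=$pubkey" \
    --has-ssh-key true --has-ssh-password false --has-shared-key false
}

# Example run with constructed values (prints commands under DRY_RUN=1).
if [ "${SFTP_EXAMPLE_MAIN:-0}" = "1" ]; then
  enable_sftp
  lock_down_network 203.0.113.10
  provision_client acme acme-inbound "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY acme@client"
fi
```

Run it with `SFTP_EXAMPLE_MAIN=1 sh provision.sh` to see the generated commands; because each client's permission scope names exactly one container, adding a second client means calling `provision_client` again with a different container, never widening an existing user's scope.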