Azure File Sync proxy and firewall settings

Article
05/13/2024

Azure File Sync connects your on-premises servers to Azure Files, enabling multi-site synchronization and cloud tiering features. As such, an on-premises server must be connected to the internet. An IT admin needs to decide the best path for the server to reach into Azure cloud services.

This article provides insight into specific requirements and options available to successfully and securely connect your server to Azure File Sync.

We recommend reading Azure File Sync networking considerations prior to reading this how to guide.

Overview

Azure File Sync acts as an orchestration service between your Windows Server, your Azure file share, and several other Azure services to sync data as described in your sync group. For Azure File Sync to work correctly, you'll need to configure your servers to communicate with the following Azure services:

Azure Storage
Azure File Sync
Azure Resource Manager
Authentication services

Note

The Azure File Sync agent on Windows Server initiates all requests to cloud services which results in only having to consider outbound traffic from a firewall perspective. No Azure service initiates a connection to the Azure File Sync agent.

Ports

Azure File Sync moves file data and metadata exclusively over HTTPS and requires port 443 to be open outbound. As a result, all traffic is encrypted.

Networks and special connections to Azure

The Azure File Sync agent has no requirements regarding special channels like ExpressRoute, etc. to Azure.

Azure File Sync will work through any means available that allow reach into Azure, automatically adapting to network characteristics like bandwidth and latency, as well as offering admin control for fine-tuning.

Proxy

Azure File Sync supports app-specific and machine-wide proxy settings.

App-specific proxy settings allow configuration of a proxy specifically for Azure File Sync traffic. App-specific proxy settings are supported on agent version 4.0.1.0 or newer and can be configured during the agent installation or by using the Set-StorageSyncProxyConfiguration PowerShell cmdlet. Use the Get-StorageSyncProxyConfiguration cmdlet to return any proxy settings that are currently configured. A blank result indicates that there are no proxy settings configured. To remove the existing proxy configuration, use the Remove-StorageSyncProxyConfiguration cmdlet.

PowerShell commands to configure app-specific proxy settings:

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
Set-StorageSyncProxyConfiguration -Address <url> -Port <port number> -ProxyCredential <credentials>

For example, if your proxy server requires authentication with a user name and password, run the following PowerShell commands:

# IP address or name of the proxy server.
$Address="http://127.0.0.1"

# The port to use for the connection to the proxy.
$Port=8080

# The user name for a proxy.
$UserName="user_name"

# Please type or paste a string with a password for the proxy.
$SecurePassword = Read-Host -AsSecureString

$Creds = New-Object System.Management.Automation.PSCredential ($UserName, $SecurePassword)

# Please verify that you have entered the password correctly.
Write-Host $Creds.GetNetworkCredential().Password

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

Set-StorageSyncProxyConfiguration -Address $Address -Port $Port -ProxyCredential $Creds

Machine-wide proxy settings are transparent to the Azure File Sync agent as the entire traffic of the server is routed through the proxy.

To configure machine-wide proxy settings, follow the steps below:

Configure proxy settings for .NET applications
- Edit these two files:
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
- Add the <system.net> section in the machine.config files (below the <system.serviceModel> section). Change 127.0.01:8888 to the IP address and port for the proxy server.
```
<system.net>
   <defaultProxy enabled="true" useDefaultCredentials="true">
     <proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" usesystemdefault="false" />
   </defaultProxy>
</system.net>
```
Set the WinHTTP proxy settings

Note

There are several methods (WPAD, PAC file, netsh, etc.) to configure a Windows Server to use a proxy server. The steps below cover how to configure the proxy settings using netsh but any method listed in the Configure proxy server settings in Windows documentation is supported.
- Run the following command from an elevated command prompt or PowerShell to see the existing proxy setting:
  
  netsh winhttp show proxy
- Run the following command from an elevated command prompt or PowerShell to set the proxy setting (change 127.0.01:8888 to the IP address and port for the proxy server):
  
  netsh winhttp set proxy 127.0.0.1:8888
Restart the Storage Sync Agent service by running the following command from an elevated command prompt or PowerShell:

net stop filesyncsvc

Note: The Storage Sync Agent (filesyncsvc) service will auto-start once stopped.

Firewall

As mentioned in a previous section, port 443 needs to be open outbound. Based on policies in your datacenter, branch or region, further restricting traffic over this port to specific domains may be desired or required.

The following table describes the required domains for communication:

Service	Public cloud endpoint	Azure Government endpoint	Usage
Azure Resource Manager	`https://management.azure.com`	`https://management.usgovcloudapi.net`	Any user call (like PowerShell) goes to/through this URL, including the initial server registration call.
Microsoft Entra ID	`https://login.windows.net` `https://login.microsoftonline.com` `https://aadcdn.msftauth.net`	`https://login.microsoftonline.us`	Azure Resource Manager calls must be made by an authenticated user. To succeed, this URL is used for user authentication.
Microsoft Entra ID	`https://graph.microsoft.com/`	`https://graph.microsoft.com/`	As part of deploying Azure File Sync, a service principal in the subscription's Microsoft Entra ID will be created. This URL is used for that. This principal is used for delegating a minimal set of rights to the Azure File Sync service. The user performing the initial setup of Azure File Sync must be an authenticated user with subscription owner privileges.
Microsoft Entra ID	`https://secure.aadcdn.microsoftonline-p.com`	`https://secure.aadcdn.microsoftonline-p.com` (same as public cloud endpoint URL)	This URL is accessed by the Active Directory authentication library that the Azure File Sync server registration UI uses to log in the administrator.
Azure Storage	*.core.windows.net	*.core.usgovcloudapi.net	When the server downloads a file, then the server performs that data movement more efficiently when talking directly to the Azure file share in the Storage Account. The server has a SAS key that only allows for targeted file share access.
Azure File Sync	.one.microsoft.com .afs.azure.net	*.afs.azure.us	After initial server registration, the server receives a regional URL for the Azure File Sync service instance in that region. The server can use the URL to communicate directly and efficiently with the instance handling its sync.
Microsoft PKI	`https://www.microsoft.com/pki/mscorp/cps` `http://crl.microsoft.com/pki/mscorp/crl/` `http://mscrl.microsoft.com/pki/mscorp/crl/` `http://ocsp.msocsp.com` `http://ocsp.digicert.com/` `http://crl3.digicert.com/`	`https://www.microsoft.com/pki/mscorp/cps` `http://crl.microsoft.com/pki/mscorp/crl/` `http://mscrl.microsoft.com/pki/mscorp/crl/` `http://ocsp.msocsp.com` `http://ocsp.digicert.com/` `http://crl3.digicert.com/`	Once the Azure File Sync agent is installed, the PKI URL is used to download intermediate certificates required to communicate with the Azure File Sync service and Azure file share. The OCSP URL is used to check the status of a certificate.
Microsoft Update	.update.microsoft.com .download.windowsupdate.com .ctldl.windowsupdate.com .dl.delivery.mp.microsoft.com *.emdl.ws.microsoft.com	.update.microsoft.com .download.windowsupdate.com .ctldl.windowsupdate.com .dl.delivery.mp.microsoft.com *.emdl.ws.microsoft.com	Once the Azure File Sync agent is installed, the Microsoft Update URLs are used to download Azure File Sync agent updates.

Important

When allowing traffic to *.afs.azure.net, traffic is only possible to the sync service. There are no other Microsoft services using this domain. When allowing traffic to *.one.microsoft.com, traffic to more than just the sync service is possible from the server. There are many more Microsoft services available under subdomains.

If *.afs.azure.net or *.one.microsoft.com is too broad, you can limit the server's communication by allowing communication to only explicit regional instances of the Azure File Sync service. Which instance(s) to choose depends on the region of the storage sync service you have deployed and registered the server to. That region is called "Primary endpoint URL" in the table below.

For business continuity and disaster recovery (BCDR) reasons you may have created your Azure file shares in a storage account that is configured for geo-redundant storage (GRS). If that is the case, your Azure file shares will fail over to the paired region in the event of a lasting regional outage. Azure File Sync uses the same regional pairings as storage. So if you use GRS storage accounts, you need to enable additional URLs to allow your server to talk to the paired region for Azure File Sync. The table below calls this "Paired region". Additionally, there is a traffic manager profile URL that needs to be enabled as well. This will ensure network traffic can be seamlessly re-routed to the paired region in the event of a failover and is called "Discovery URL" in the table below.

Cloud	Region	Primary endpoint URL	Paired region	Discovery URL
Public	Australia East	https://australiaeast01.afs.azure.net https://kailani-aue.one.microsoft.com	Australia Southeast	https://tm-australiaeast01.afs.azure.net https://tm-kailani-aue.one.microsoft.com
Public	Australia Southeast	https://australiasoutheast01.afs.azure.net https://kailani-aus.one.microsoft.com	Australia East	https://tm-australiasoutheast01.afs.azure.net https://tm-kailani-aus.one.microsoft.com
Public	Brazil South	https://brazilsouth01.afs.azure.net	South Central US	https://tm-brazilsouth01.afs.azure.net
Public	Canada Central	https://canadacentral01.afs.azure.net https://kailani-cac.one.microsoft.com	Canada East	https://tm-canadacentral01.afs.azure.net https://tm-kailani-cac.one.microsoft.com
Public	Canada East	https://canadaeast01.afs.azure.net https://kailani-cae.one.microsoft.com	Canada Central	https://tm-canadaeast01.afs.azure.net https://tm-kailani.cae.one.microsoft.com
Public	Central India	https://centralindia01.afs.azure.net https://kailani-cin.one.microsoft.com	South India	https://tm-centralindia01.afs.azure.net https://tm-kailani-cin.one.microsoft.com
Public	Central US	https://centralus01.afs.azure.net https://kailani-cus.one.microsoft.com	East US 2	https://tm-centralus01.afs.azure.net https://tm-kailani-cus.one.microsoft.com
Microsoft Azure operated by 21Vianet	China East 2	https://chinaeast201.afs.azure.cn	China North 2	https://tm-chinaeast201.afs.azure.cn
Microsoft Azure operated by 21Vianet	China North 2	https://chinanorth201.afs.azure.cn	China East 2	https://tm-chinanorth201.afs.azure.cn
Public	East Asia	https://eastasia01.afs.azure.net https://kailani11.one.microsoft.com	Southeast Asia	https://tm-eastasia01.afs.azure.net https://tm-kailani11.one.microsoft.com
Public	East US	https://eastus01.afs.azure.net https://kailani1.one.microsoft.com	West US	https://tm-eastus01.afs.azure.net https://tm-kailani1.one.microsoft.com
Public	East US 2	https://eastus201.afs.azure.net https://kailani-ess.one.microsoft.com	Central US	https://tm-eastus201.afs.azure.net https://tm-kailani-ess.one.microsoft.com
Public	Germany North	https://germanynorth01.afs.azure.net	Germany West Central	https://tm-germanywestcentral01.afs.azure.net
Public	Germany West Central	https://germanywestcentral01.afs.azure.net	Germany North	https://tm-germanynorth01.afs.azure.net
Public	Japan East	https://japaneast01.afs.azure.net	Japan West	https://tm-japaneast01.afs.azure.net
Public	Japan West	https://japanwest01.afs.azure.net	Japan East	https://tm-japanwest01.afs.azure.net
Public	Korea Central	https://koreacentral01.afs.azure.net/	Korea South	https://tm-koreacentral01.afs.azure.net/
Public	Korea South	https://koreasouth01.afs.azure.net/	Korea Central	https://tm-koreasouth01.afs.azure.net/
Public	North Central US	https://northcentralus01.afs.azure.net	South Central US	https://tm-northcentralus01.afs.azure.net
Public	North Europe	https://northeurope01.afs.azure.net https://kailani7.one.microsoft.com	West Europe	https://tm-northeurope01.afs.azure.net https://tm-kailani7.one.microsoft.com
Public	South Central US	https://southcentralus01.afs.azure.net	North Central US	https://tm-southcentralus01.afs.azure.net
Public	South India	https://southindia01.afs.azure.net https://kailani-sin.one.microsoft.com	Central India	https://tm-southindia01.afs.azure.net https://tm-kailani-sin.one.microsoft.com
Public	Southeast Asia	https://southeastasia01.afs.azure.net https://kailani10.one.microsoft.com	East Asia	https://tm-southeastasia01.afs.azure.net https://tm-kailani10.one.microsoft.com
Public	Switzerland North	https://switzerlandnorth01.afs.azure.net https://tm-switzerlandnorth01.afs.azure.net	Switzerland West	https://switzerlandwest01.afs.azure.net https://tm-switzerlandwest01.afs.azure.net
Public	Switzerland West	https://switzerlandwest01.afs.azure.net https://tm-switzerlandwest01.afs.azure.net	Switzerland North	https://switzerlandnorth01.afs.azure.net https://tm-switzerlandnorth01.afs.azure.net
Public	UAE Central	https://uaecentral01.afs.azure.net	UAE North	https://tm-uaecentral01.afs.azure.net
Public	UAE North	https://uaenorth01.afs.azure.net	UAE Central	https://tm-uaenorth01.afs.azure.net
Public	UK South	https://uksouth01.afs.azure.net https://kailani-uks.one.microsoft.com	UK West	https://tm-uksouth01.afs.azure.net https://tm-kailani-uks.one.microsoft.com
Public	UK West	https://ukwest01.afs.azure.net https://kailani-ukw.one.microsoft.com	UK South	https://tm-ukwest01.afs.azure.net https://tm-kailani-ukw.one.microsoft.com
Public	West Central US	https://westcentralus01.afs.azure.net	West US 2	https://tm-westcentralus01.afs.azure.net
Public	West Europe	https://westeurope01.afs.azure.net https://kailani6.one.microsoft.com	North Europe	https://tm-westeurope01.afs.azure.net https://tm-kailani6.one.microsoft.com
Public	West US	https://westus01.afs.azure.net https://kailani.one.microsoft.com	East US	https://tm-westus01.afs.azure.net https://tm-kailani.one.microsoft.com
Public	West US 2	https://westus201.afs.azure.net	West Central US	https://tm-westus201.afs.azure.net
Government	US Gov Arizona	https://usgovarizona01.afs.azure.us	US Gov Texas	https://tm-usgovarizona01.afs.azure.us
Government	US Gov Texas	https://usgovtexas01.afs.azure.us	US Gov Arizona	https://tm-usgovtexas01.afs.azure.us

If you use a storage account configured for locally redundant storage (LRS) or zone redundant storage (ZRS), you only need to enable the URL listed under "Primary endpoint URL".
If you use a storage account configured for GRS, enable three URLs.

Example: You deploy a storage sync service in "West US" and register your server with it. The URLs to allow the server to communicate to for this case are:

https://westus01.afs.azure.net (primary endpoint: West US)

https://eastus01.afs.azure.net (paired failover region: East US)

https://tm-westus01.afs.azure.net (discovery URL of the primary region)

Allow list for Azure File Sync IP addresses

Azure File Sync supports the use of service tags, which represent a group of IP address prefixes for a given Azure service. You can use service tags to create firewall rules that enable communication with the Azure File Sync service. The service tag for Azure File Sync is StorageSyncService.

If you're using Azure File Sync within Azure, you can use name of service tag directly in your network security group to allow traffic. To learn more about how to do this, see Network security groups.

If you're using Azure File Sync on-premises, you can use the service tag API to get specific IP address ranges for your firewall's allow list. There are two methods for getting this information:

The current list of IP address ranges for all Azure services supporting service tags are published weekly on the Microsoft Download Center in the form of a JSON document. Each Azure cloud has its own JSON document with the IP address ranges relevant for that cloud:
The service tag discovery API allows programmatic retrieval of the current list of service tags. You can use the API surface based on your automation preference:

Because the service tag discovery API might not be updated as frequently as the JSON documents published to the Microsoft Download Center, we recommend using the JSON document to update your on-premises firewall's allow list. This can be done as follows:

# The specific region to get the IP address ranges for. Replace westus2 with the desired region code 
# from Get-AzLocation.
$region = "westus2"

# The service tag for Azure File Sync. Don't change unless you're adapting this
# script for another service.
$serviceTag = "StorageSyncService"

# Download date is the string matching the JSON document on the Download Center. 
$possibleDownloadDates = 0..7 | `
    ForEach-Object { [System.DateTime]::Now.AddDays($_ * -1).ToString("yyyyMMdd") }

# Verify the provided region
$validRegions = Get-AzLocation | `
    Where-Object { $_.Providers -contains "Microsoft.StorageSync" } | `
    Select-Object -ExpandProperty Location

if ($validRegions -notcontains $region) {
    Write-Error `
            -Message "The specified region $region isn't available. Either Azure File Sync isn't deployed there or the region doesn't exist." `
            -ErrorAction Stop
}

# Get the Azure cloud. This should automatically based on the context of 
# your Az PowerShell login, however if you manually need to populate, you can find
# the correct values using Get-AzEnvironment.
$azureCloud = Get-AzContext | `
    Select-Object -ExpandProperty Environment | `
    Select-Object -ExpandProperty Name

# Build the download URI
$downloadUris = @()
switch($azureCloud) {
    "AzureCloud" { 
        $downloadUris = $possibleDownloadDates | ForEach-Object {  
            "https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_$_.json"
        }
    }

    "AzureUSGovernment" {
        $downloadUris = $possibleDownloadDates | ForEach-Object { 
            "https://download.microsoft.com/download/6/4/D/64DB03BF-895B-4173-A8B1-BA4AD5D4DF22/ServiceTags_AzureGovernment_$_.json"
        }
    }

    "AzureChinaCloud" {
        $downloadUris = $possibleDownloadDates | ForEach-Object { 
            "https://download.microsoft.com/download/9/D/0/9D03B7E2-4B80-4BF3-9B91-DA8C7D3EE9F9/ServiceTags_China_$_.json"
        }
    }

    "AzureGermanCloud" {
        $downloadUris = $possibleDownloadDates | ForEach-Object { 
            "https://download.microsoft.com/download/0/7/6/076274AB-4B0B-4246-A422-4BAF1E03F974/ServiceTags_AzureGermany_$_.json"
        }
    }

    default {
        Write-Error -Message "Unrecognized Azure Cloud: $_" -ErrorAction Stop
    }
}

# Find most recent file
$found = $false 
foreach($downloadUri in $downloadUris) {
    try { $response = Invoke-WebRequest -Uri $downloadUri -UseBasicParsing } catch { }
    if ($response.StatusCode -eq 200) {
        $found = $true
        break
    }
}

if ($found) {
    # Get the raw JSON 
    $content = [System.Text.Encoding]::UTF8.GetString($response.Content)

    # Parse the JSON
    $serviceTags = ConvertFrom-Json -InputObject $content -Depth 100

    # Get the specific $ipAddressRanges
    $ipAddressRanges = $serviceTags | `
        Select-Object -ExpandProperty values | `
        Where-Object { $_.id -eq "$serviceTag.$region" } | `
        Select-Object -ExpandProperty properties | `
        Select-Object -ExpandProperty addressPrefixes
} else {
    # If the file cannot be found, that means there hasn't been an update in
    # more than a week. Please verify the download URIs are still accurate
    # by checking https://learn.microsoft.com/azure/virtual-network/service-tags-overview
    Write-Verbose -Message "JSON service tag file not found."
    return
}

You can then use the IP address ranges in $ipAddressRanges to update your firewall. Check your firewall/network appliance's website for information on how to update your firewall.

Test network connectivity to service endpoints

Once a server is registered with the Azure File Sync service, the Test-StorageSyncNetworkConnectivity cmdlet and ServerRegistration.exe can be used to test communications with all endpoints (URLs) specific to this server. This cmdlet can help troubleshoot when incomplete communication prevents the server from fully working with Azure File Sync and it can be used to fine-tune proxy and firewall configurations.

To run the network connectivity test, run the following PowerShell commands:

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
Test-StorageSyncNetworkConnectivity

If the test fails, collect WinHTTP debug traces to troubleshoot: netsh trace start scenario=InternetClient_dbg capture=yes overwrite=yes maxsize=1024

Run the network connectivity test again, and then stop collecting traces: netsh trace stop

Put the generated NetTrace.etl file into a ZIP archive, open a support case, and share the file with support.

Summary and risk limitation

The lists earlier in this document contain the URLs Azure File Sync currently communicates with. Firewalls must be able to allow traffic outbound to these domains. Microsoft strives to keep this list updated.

Setting up domain restricting firewall rules can be a measure to improve security. If these firewall configurations are used, keep in mind that URLs will be added and might even change over time. Check this article periodically.

Share via