Hello Wasip J,
Thank you for posting your query here!
Azure Blob Storage now supports the SSH File Transfer Protocol (SFTP), which allows you to securely connect to Blob Storage via an SFTP endpoint for file access, transfer, and management. https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support This support includes several security features:
· Azure Blob Storage supports Transport Layer Security (TLS) 1.2 for secure data transfer. Additionally, you can enable secure access features for HTTPS only, ensuring that all data transfer occurs over a secure, encrypted connection.
· You can limit the IP addresses that have access to your Azure Blob Storage account. This means you can restrict access to specific ranges of subnet or IPs, adding an additional layer of security.
· Azure Blob Storage doesn’t support shared access signature (SAS) or Microsoft Entra authentication for accessing the SFTP endpoint. Instead, you must use an identity called a local user, which can be secured with an Azure-generated password or a secure shell (SSH) key pair. https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-how-to?tabs=azure-portal
But, as you mentioned, when you allow specific IP addresses to access your SFTP storage account, the network traffic between the users and the SFTP storage account will not be inspected by a Layer 4 firewall. However, the security implications depend on your specific use case and security requirements.
Allowing specific IP addresses can be a part of a defense-in-depth strategy. It reduces the attack surface by ensuring only known and trusted IP addresses can access your SFTP storage account. This is a common practice and can significantly enhance security.
However, the traffic itself is not inspected for malicious content with this method.
SFTP itself provides a level of security as it operates over SSH, which provides secure, encrypted communications between two untrusted hosts over an insecure network.
If your security requirements demand inspection of the actual data being transferred, you might need to consider additional security measures. This could include using a data loss prevention (DLP) solution, or a more advanced firewall solution that can inspect SFTP traffic.
Do let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
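As an added example (not code from the original answer or from Microsoft's documentation), here is a Python check that audits a storage account description against the points discussed above: SFTP enabled, TLS 1.2 as the minimum, HTTPS-only transfer, an IP allow-list enforced by a default Deny rule, and local users secured with SSH keys rather than passwords alone. The JSON inputs are constructed samples, and the property names are assumed to match the `az storage account show` and `az storage account local-user list` output.

```python
"""Audit an Azure Storage account's SFTP hardening posture from its JSON description."""
import json
from typing import List

# Constructed sample modelled on `az storage account show -o json` output; the
# property names (isSftpEnabled, minimumTlsVersion, enableHttpsTrafficOnly,
# networkRuleSet) are assumed from the ARM storage account schema.
SAMPLE_ACCOUNT = json.dumps({
    "name": "examplesftpacct",
    "isSftpEnabled": True,
    "minimumTlsVersion": "TLS1_0",
    "enableHttpsTrafficOnly": True,
    "networkRuleSet": {
        "defaultAction": "Allow",
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
    },
})

# Constructed sample modelled on `az storage account local-user list` output;
# hasSshKey / hasSshPassword are assumed property names.
SAMPLE_LOCAL_USERS = json.dumps([
    {"name": "batch-ingest", "hasSshKey": True, "hasSshPassword": False},
    {"name": "legacy-vendor", "hasSshKey": False, "hasSshPassword": True},
])


def audit_sftp_account(account_json: str, local_users_json: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    acct = json.loads(account_json)
    users = json.loads(local_users_json)
    findings = []
    if not acct.get("isSftpEnabled"):
        findings.append("SFTP is not enabled on this account")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"minimum TLS version is {acct.get('minimumTlsVersion')}, expected TLS1_2")
    if not acct.get("enableHttpsTrafficOnly"):
        findings.append("HTTPS-only transfer is disabled")
    rules = acct.get("networkRuleSet", {})
    # An IP allow-list only restricts access when the default action is Deny.
    if rules.get("defaultAction") != "Deny":
        findings.append("network default action is not Deny; IP allow-list is not enforced")
    if not rules.get("ipRules"):
        findings.append("no IP allow-list rules configured")
    for user in users:
        if user.get("hasSshPassword") and not user.get("hasSshKey"):
            findings.append(f"local user {user['name']} relies on a password only; prefer an SSH key pair")
    return findings


if __name__ == "__main__":
    for finding in audit_sftp_account(SAMPLE_ACCOUNT, SAMPLE_LOCAL_USERS):
        print("FINDING:", finding)
```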