How to create and check logs for SFTP I created with blob storage

Rakesh Kamboj 65 Reputation points
2024-03-12T11:16:36.6833333+00:00

I have created an SFTP with blob storage in my Azure account. Customer applications have to access this SFTP, but they are not able to connect with their whitelisted IPs. How can I check logs etc. for SFTP so I can check from which IPs I am getting requests to my SFTP?


Accepted answer
  1. Amrinder Singh 5,155 Reputation points Microsoft Employee
    2024-03-12T12:52:31.7066667+00:00

    Hi @Rakesh Kamboj - Thanks for reaching out.

    You can start by enabling the diagnostic logging on the account:

    https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

    https://learn.microsoft.com/en-us/azure/storage/blobs/blob-storage-monitoring-scenarios

    You can route these logs to an LA workspace and then check for a field such as CallerIP to gain insights into the IPs hitting the storage account.

    Please let me know for any further queries and will be glad to assist.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


2 additional answers

  1. Ben Gimblett 4,535 Reputation points Microsoft Employee
    2024-03-12T14:21:26.6866667+00:00

    Hi - Thanks for the question
    To quote the information here https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-how-to?tabs=azure-portal#networking-considerations

    "SFTP is a platform level service, so port 22 will be open even if the account option is disabled. If SFTP access is not configured, then all requests will receive a disconnect from the service. When using SFTP, you may want to limit public access through configuration of a firewall, virtual network, or private endpoint. These settings are enforced at the application layer, which means they aren't specific to SFTP and will impact connectivity to all Azure Storage Endpoints."
    So by enabling SFTP you are implicitly required to allow access into your VNET on port 22. If the storage account isn't configured for SFTP then port 22, when using the storage account host name/IP, won't work.

    The storage firewall on the storage public endpoint will act upon client SFTP requests if you restrict by network or public IP(s).
    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#configure-network-access-to-azure-storage
    You can see activity when you opt into the storage logs - written to the storage logs table in Log Analytics (assuming this is what you choose as a destination).
    https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference#resource-logs
    To query for blob storage SFTP access records for example:

    StorageBlobLogs
    | where OperationName == "SftpConnect"
    | where Protocol == "SFTP"
    | order by TimeGenerated

    And you can look for the status code returned.

    Alternatively, private endpoints can be deployed (see networking link above); note the storage firewall doesn't apply here, but NSGs would.

    You could use your own firewall in conjunction with the SFTP-enabled storage account as per https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp

    There's a client connectivity troubleshooting guide here too: https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-connectivity-to-azure-storage-over-sftp-via/ba-p/3990625

    In order for me to answer more fully you would need to expand on this part of your question, "While customer application have to access this SFTP, but they are not able to connect with their whitelisted IPs", with more detail.

    Thanks in advance and hope the above helps


  2. Nehruji R 8,151 Reputation points Microsoft Vendor
    2024-03-13T10:07:08.5733333+00:00

    Hello Rakesh Kamboj,

    Greetings! Welcome to Microsoft Q&A Forum.

    You just need to enable Azure Monitor logging in diagnostics settings: Azure Monitor Logs - Azure Monitor | Microsoft Learn

    This feature is supported; refer to this doc: Blob Storage feature support in Azure storage accounts | Microsoft Learn


    Classic Storage Analytics logging to the $logs container is also supported, but note that not all pre-auth connection attempt failures are logged there.

    Here is another similar thread that discusses the same: https://stackoverflow.com/questions/70682123/logs-for-azure-storage-account-sftp-service

    If the storage account firewall setting is "Enabled for selected networks" but you are facing connectivity issues when connecting with an SFTP client in your environment, there are several factors to consider in order to securely allow SFTP access:

    Firewall Settings:

    • Verify that you have correctly added all the intended IP addresses to the whitelist.
    • Ensure that your firewall rules are correctly configured to allow traffic from the whitelisted IPs.
    • Confirm that the rules are applied to the correct network interface (public or private).
    • Check if there are any NSGs associated with your SFTP server's subnet.
    • Ensure that the NSGs allow traffic from the whitelisted IPs.

    SFTP Client Configuration:

    Please verify that your SFTP client is configured correctly to connect to Azure Blob Storage. Check that you are using the correct hostname, port (SFTP typically uses port 22), username and password.

    Ensure that your SFTP client uses secure SFTP protocols.

    Public PC Firewall and Proxy:

    • Kindly check if the user PC has any local firewall or proxy settings that might be blocking the SFTP connection. You may temporarily disable local firewalls for testing purposes and check.

    For limitation and known issues with SFTP, please refer: https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-known-issues

    If you've checked all these points and are still experiencing issues, it may be helpful to provide specific error messages or details about the issue you're encountering.

    Hope this helps. Please do let us know if you need any further assistance. Thank you!

    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
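Added example, not code from any of the answers above nor from Microsoft: a small Python script that does offline what the KQL query in the second answer does in Log Analytics (select SftpConnect records over SFTP, ordered by time), summarises attempts per caller IP and status code, and then checks each caller against the firewall allow-list that the checklist above says to verify. It assumes records exported from StorageBlobLogs with the documented field names (TimeGenerated, OperationName, Protocol, StatusCode, CallerIpAddress, the last written as "ip:port"); the sample records and the allowed-rule list are constructed for this example and are not real log data.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample of StorageBlobLogs-style records (Azure Storage resource-log
# field names; the values are made up for this example, not captured from an account).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-03-12T10:01:05Z", "OperationName": "SftpConnect", "Protocol": "SFTP",
     "StatusCode": 200, "StatusText": "Success", "CallerIpAddress": "203.0.113.10:51234"},
    {"TimeGenerated": "2024-03-12T10:00:40Z", "OperationName": "SftpConnect", "Protocol": "SFTP",
     "StatusCode": 403, "StatusText": "AuthorizationFailure", "CallerIpAddress": "198.51.100.7:40001"},
    {"TimeGenerated": "2024-03-12T10:02:11Z", "OperationName": "PutBlob", "Protocol": "HTTPS",
     "StatusCode": 201, "StatusText": "Success", "CallerIpAddress": "203.0.113.10:51240"},
    {"TimeGenerated": "2024-03-12T10:03:30Z", "OperationName": "SftpConnect", "Protocol": "SFTP",
     "StatusCode": 403, "StatusText": "AuthorizationFailure", "CallerIpAddress": "198.51.100.7:40002"},
    {"TimeGenerated": "2024-03-12T10:04:02Z", "OperationName": "SftpConnect", "Protocol": "SFTP",
     "StatusCode": 200, "StatusText": "Success", "CallerIpAddress": "[2001:db8::5]:22000"},
]

# Constructed stand-in for the IP rules configured under "Enabled for selected networks".
ALLOWED_RULES = ["203.0.113.0/24", "2001:db8::/32"]


def caller_ip(value):
    """Return the bare address from a CallerIpAddress value.

    Azure writes the caller as 'ip:port'; '[v6]:port' and bare addresses are
    accepted too so the helper also works on other log sources.
    """
    value = value.strip()
    if value.startswith("["):
        return ipaddress.ip_address(value[1:value.index("]")])
    if value.count(":") == 1:  # IPv4 with a port suffix
        return ipaddress.ip_address(value.rsplit(":", 1)[0])
    return ipaddress.ip_address(value)


def sftp_connects(records):
    """Equivalent of the KQL in the answer: SftpConnect over SFTP, ordered by time."""
    rows = [r for r in records
            if r["OperationName"] == "SftpConnect" and r["Protocol"] == "SFTP"]
    return sorted(rows, key=lambda r: datetime.fromisoformat(
        r["TimeGenerated"].replace("Z", "+00:00")))


def summarize(records):
    """Count SFTP connection attempts per (caller IP, status code)."""
    counts = Counter()
    for r in sftp_connects(records):
        counts[(str(caller_ip(r["CallerIpAddress"])), r["StatusCode"])] += 1
    return counts


def callers_outside_rules(records, rules):
    """Caller IPs that attempted SFTP but match none of the configured rules.

    strict=False lets a rule like '203.0.113.10/24' (host bits set) parse as
    its containing network; a v4 address never matches a v6 rule and vice versa.
    """
    networks = [ipaddress.ip_network(rule, strict=False) for rule in rules]
    outside = set()
    for r in sftp_connects(records):
        ip = caller_ip(r["CallerIpAddress"])
        if not any(ip in net for net in networks):
            outside.add(str(ip))
    return sorted(outside)


def report(records=SAMPLE_RECORDS, rules=ALLOWED_RULES):
    """Bundle both views so a caller can inspect or assert on them."""
    return {"by_caller": summarize(records),
            "outside_rules": callers_outside_rules(records, rules)}


if __name__ == "__main__":
    result = report()
    for (ip, status), n in sorted(result["by_caller"].items()):
        print(f"{ip:<16} status={status} attempts={n}")
    print("callers not covered by any firewall rule:", result["outside_rules"])
```

In practice you would export the query result from the Log Analytics workspace (CSV or JSON) and load it into `records`; the split of `CallerIpAddress` into address and port is the detail that most often trips up a quick comparison against a firewall rule list.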

