How to create and check Logs for SFTP i created with blob storage

Question

I have created a SFTP with blob storage in my Azure account. While customer application have to access this SFTP, but they are not able to connect with their whitelisted IPs. How can I check Logs etc. for SFTP so I can check from which IPs I am getting requests to my SFTP.

Answer 1

Hi @Rakesh Kamboj - Thanks for reaching out.

You can start by enabling the diagnostic logging on the account:

https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

https://learn.microsoft.com/en-us/azure/storage/blobs/blob-storage-monitoring-scenarios

You can route these logs to LA workspace and then check for the field such as CallerIP to gain insights to the IP's hitting the storage account.

Please let me know for any further queries and will be glad to assist.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hi - Thanks for the question
To quote the information here https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-how-to?tabs=azure-portal#networking-considerations

"SFTP is a platform level service, so port 22 will be open even if the account option is disabled. If SFTP access is not configured, then all requests will receive a disconnect from the service. When using SFTP, you may want to limit public access through configuration of a firewall, virtual network, or private endpoint. These settings are enforced at the application layer, which means they aren't specific to SFTP and will impact connectivity to all Azure Storage Endpoints."
*
So by enabling SFTP you are implicitly required to allow access into your VNET on port 22. If the storage account isn't configured for SFTP then 22 when using the storage account host name/IP wont work.
*
The storage firewall on the storage public endpoint will act upon client SFTP requests if you restrict by network or public IP(s)
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#configure-network-access-to-azure-storage
You can see activity when you opt into the storage logs - written to the storage logs table in LogAnalytics (assuming this is what you choose as a destination)
https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference#resource-logs
To query for blob storage SFTP access records for example:

StorageBlobLogs 
| where OperationName  == "SftpConnect"
| where Protocol== "SFTP"
| order by TimeGenerated

And you can look for the status code returned .

Alternatively private endpoints can be deployed (see networking link above) note the storage firewall doesn't apply here, but NSGs would

You could use your own firewall in conjunction with the sftp enabled storage account as per https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp

There's a client connectivity troubleshooting guide here too https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-connectivity-to-azure-storage-over-sftp-via/ba-p/3990625

In order for me to answer more fully you would need to expand on this part of your question "While customer application have to access this SFTP, but they are not able to connect with their whitelisted IPs" with more detail

Thanks in advance and hope the above helps

Answer 3

Hello Rakesh Kamboj,

Greetings! Welcome to Microsoft Q&A Forum.

You just need to enable Azure Monitor logging in diagnostics settings: Azure Monitor Logs - Azure Monitor | Microsoft Learn

 This feature is supported refer to this Doc: Blob Storage feature support in Azure storage accounts | Microsoft Learn

 Classic Storage Analytics logging to $logs container is also supported, but note that not all pre-auth connection attempt failures are logged there.

Here is another similar thread that discusses the same- https://stackoverflow.com/questions/70682123/logs-for-azure-storage-account-sftp-service

If Storage account firewall setting "enabled for selected networks," but you are facing connectivity issues when connecting with an SFTP client in your environment, there are several factors to consider in order to securely allow SFTP access,

Firewall Settings:

• Verify that you have correctly added all the intended IP addresses to the whitelist.
• Ensure that your firewall rules are correctly configured to allow traffic from the whitelisted IPs.
• Confirm that the rules are applied to the correct network interface (public or private).
• check if there are any NSGs associated with your SFTP server’s subnet.
• Ensure that the NSGs allow traffic from the whitelisted IPs.

SFTP Client Configuration:

Please verify that your SFTP client is configured correctly to connect to Azure Blob Storage. Check that you are using the correct hostname, port (SFTP typically uses port 22), username and password.

Ensure that your SFTP client uses secure SFTP protocols.

Public PC Firewall and Proxy:

• Kindly check if the user PC has any local firewall or proxy settings that might be blocking the SFTP connection. You may temporarily disable local firewalls for testing purposes and check.

For limitation and known issues with SFTP, please refer: https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-known-issues

If you've checked all these points and are still experiencing issues, it may be helpful to provide specific error messages or details about the issue you're encountering.

Hope this helps. Please do let us know if you need any further assistance. Thank you!

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.