I have a storage account with SFTP enabled. Currently, this can access anyone who in the internet. I don't want to expose my storage to the public. I want to allow only port 22 for this. also, We don't want to add single public IPs or networks. The goal is for anyone in the public to gain access via port 22.

Hello Pradeep Narangoda , Thank you for posting your query here! To ensure your Azure Storage account with SFTP enabled is secure and not exposed to the public, you can consider the following options: Option 1: Enable for All Networks It is possible to enable your storage account for access from all networks, relying solely on the strength of username/password and encryption keys. Option 2: Enable from Selected Virtual Networks and Whitelist Public IP Addresses This option provides a higher level of security by restricting access to specific IP addresses. Option 3: Securing Azure Storage Account with Private Endpoint To ensure that your Azure Storage account with SFTP enabled is not exposed to the public internet, you may consider using Azure Private Endpoint. This approach provides the highest level of security by allowing access to your storage account only through a private IP address within your Azure Virtual Network (VNet). Do let us know if you have any further queries. I’m happy to assist you further. Please do not forget to "Accept the answer” and “up-vote ” wherever the information provided helps you, this can be beneficial to other community members.

Storage account (SFTP enabled) expose to public

Accepted answer

Anand Prakash Yadav 7,780 Reputation points Microsoft Vendor

2024-06-07T09:20:59.86+00:00

Hello Pradeep Narangoda,

Thank you for posting your query here!

To ensure your Azure Storage account with SFTP enabled is secure and not exposed to the public, you can consider the following options:

Option 1: Enable for All Networks

It is possible to enable your storage account for access from all networks, relying solely on the strength of username/password and encryption keys.

Option 2: Enable from Selected Virtual Networks and Whitelist Public IP Addresses

This option provides a higher level of security by restricting access to specific IP addresses.

Option 3: Securing Azure Storage Account with Private Endpoint

To ensure that your Azure Storage account with SFTP enabled is not exposed to the public internet, you may consider using Azure Private Endpoint. This approach provides the highest level of security by allowing access to your storage account only through a private IP address within your Azure Virtual Network (VNet).

Do let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
Pradeep Narangoda 20 Reputation points

2024-06-10T08:11:59.8966667+00:00

In this scenario, we need to enable SFTP for all public users without having to use firewall rules and add individual IP addresses. Currently, the Azure SFTP service is operational on the Storage account.

Could you please provide detailed configurations on the Azure environment configurations needed to secure our Storage without exposing it to the public, while still allowing the SFTP service to be accessible to the public? Thank you!

Anand Prakash Yadav 7,780 Reputation points Microsoft Vendor

2024-06-24T07:09:01.2633333+00:00

Hello Pradeep Narangoda,

Apologies for the delay in response.

I understand your requirement is to secure your Azure Storage account with SFTP enabled, ensuring it's not exposed to the public while allowing public access via port 22 without specifying individual IP addresses.

In order to achieve this, you can use Azure Private Endpoint for SFTP. Azure Private Endpoint allows you to secure your Azure Storage account by providing a private IP address within your Virtual Network (VNet). This ensures that access to your storage account is restricted to your VNet.

Then you can integrate Azure Bastion for SFTP Access. Azure Bastion allows secure and seamless RDP/SSH connectivity to your VMs without exposing them to the public internet. You can use Azure Bastion in combination with a VM to access your storage account securely via SFTP.

By utilizing Azure Private Endpoint and Azure Bastion, you can ensure that your Azure Storage account with SFTP enabled is securely accessed without exposing it to the public internet. This configuration allows secure public access via SFTP without the need to manage individual IP addresses.

Do let us know if you have any further queries. I’m happy to assist you further.
Sign in to comment

Share via

Storage account (SFTP enabled) expose to public

0 additional answers