Connectivity from Azure Data Factory to SFTP via NAT Gateway fails

Question

Connectivity from Azure Data Factory to SFTP via NAT Gateway fails

Pratima Patil 50

I have to reach to the client sftp through my adf linked service. Client needs a single static ip to whitelist on their end.

I created a SHIR within adf in a subnet that further is associated with a NAT gateway public ip.

I requested the client to whitelist my nat public IP.

I logged in to the VM, search for 'whats my ip?' It shows the nat gw IP.

But still my linked service fails.

Tracert / ping/ tcpping nothing works.

Chandra Boorla 14,665 Reputation points Microsoft External Staff Moderator

2025-03-19T19:08:55.7433333+00:00

@Pratima Patil

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

2 answers

Your answer

Chandra Boorla 14,665 Reputation points Microsoft External Staff Moderator

2025-03-19T19:08:55.7433333+00:00

@Pratima Patil

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Amira Bedhiafi 33,631 Volunteer Moderator

Hello Pratima !

Thank you for posting on Microsoft Learn.

When dealing with connectivity issues between ADF and an SFTP server via a NAT Gateway, there are several potential points of failure to investigate :

Verify that the NAT Gateway is correctly associated with the public IP address that the client has whitelisted.
Verify that the subnet where the Self-hosted Integration Runtime (SHIR) is deployed is correctly associated with the NAT Gateway.
The SHIR VM must be correctly configured to use the NAT Gateway for outbound traffic. This typically involves ensuring that the VM’s subnet is associated with the NAT Gateway.
Verify that there are no firewall rules on the SHIR VM that might be blocking outbound traffic to the SFTP server.
- Outbound Rules: Check the NSG associated with the subnet of the SHIR VM to ensure that outbound traffic to the SFTP server’s IP and port (usually port 22 for SFTP) is allowed.
Although not directly related to outbound traffic, ensure that there are no restrictive inbound rules that might be affecting the SHIR’s ability to communicate.

Example Commands for Testing Connectivity


# Test DNS resolution

nslookup <sftp-server-hostname>

# Test connectivity to SFTP server on port 22

tcpping <sftp-server-ip> 22

telnet <sftp-server-ip> 22

# Manual SFTP connection test

sftp -P 22 <username>@<sftp-server-hostname>

Pratima Patil 50 Reputation points

2025-03-18T11:02:55.9666667+00:00
Hi @Amira Bedhiafi ,

Thank you for your response.

I did check below things-

NAT Gateway is correctly associated with public IP that the client has whitelisted.

Subnet where SHIR instance is deployed in associated with the NAT Gateway.

No firewall rule is blocking outbound traffic, in fact I have added below rule-

Everything is checked.
If I login to the SHIR VM, from there I can connect to the sftp(through NAT Gateway). But not through linked service.
Error-

Note: Traffic flows through private network by default rather than going through public ip. Because, when i whitelist the shir vm subnet on test sftp server, connection works.
Pratima Patil 50 Reputation points

2025-04-02T12:01:52.4366667+00:00

Hi @Vinodh247 ,

In - https://learn.microsoft.com/en-us/answers/questions/2035362/getting-socket-error-code-timed-out-while-connecti

I see that you have given a reference of using nat gateway for adf shir instance so that it connects to sftp server(after the nat public ip is whitelisted on the sftp server).
I have been using the same with basic auth in sftp linked service that is created.

But I am getting an error while doing testing connection on linked service-

When I login to shir vm & test connection to sftp using winscp, it works. But through linked service it fails. Can you please suggest if I am missing something?

Answer 2

Chandra Boorla 14,665 Microsoft External Staff Moderator

@Pratima Patil

I understand you're experiencing issues connecting to the SFTP server, as indicated by the error code: SftpFailedToConnectToSftpServer. Here are some troubleshooting steps that might help you:

Firewalls and NSG Configuration - Check NSG Rules: Ensure that the NSG rules allow traffic to the SFTP server. Source: Any Source Port Ranges: * Destination: SFTP Server IP (ensure it’s correctly configured) Destination Port Ranges: 22 (the default for SFTP) Action: Allow Priority: Make sure it has a higher priority than any deny rules.

Server Status Verify Server Availability - Ensure that the SFTP server is up and running, and check if there are any known outages or maintenance activities.

Protocol and Configuration Protocol Check - Confirm that the SFTP protocol is correctly implemented on the server. Binary Data Issue: The error suggests a potential issue with reading binary packet data. Verify that the server configuration aligns with the client’s expectations for data transmission.

Logs and Additional Diagnostics Check Server Logs - Look for any relevant logs on the SFTP server that might give additional details on the connection issue. Activity ID: Use the Activity ID (9d8c4406-e17f-43f5-aa0a-3017cde2a543) for reference during support calls or further investigation.

Testing Tools Use SFTP Client - Try connecting to the server with a different SFTP client (such as FileZilla or WinSCP) to rule out client-side issues.

For additional information please refer the following link for some useful insights.

Troubleshoot the FTP, SFTP, and HTTP connectors in Azure Data Factory and Azure Synapse.

Additionally, you may refer to the below similar threads:

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Thank you.

Chandra Boorla 14,665 Reputation points Microsoft External Staff Moderator

2025-03-20T19:16:30.4233333+00:00

@Pratima Patil

Following up to see if the above suggestion was helpful. If you found this response helpful, do click Accept Answer and Yes for was this answer helpful so that it may assist others with a similar issue. Let us know if you need any further assistance.
Pratima Patil 50 Reputation points

2025-04-02T09:19:12.3533333+00:00

Hi @Chandra Boorla

Thank you for your response. I did check the links/documents you shared but no luck yet.

I tried to login to the shir instance & then using winscp, tried connecting to the sftp server & there it works. But when using linked service, it fails.

Error:
Anonymous

2025-04-04T11:53:14.99+00:00
Hello @Pratima Patil,

Apologies for the inconvenience caused to you.

Can you please confirm the following

whether your VM public IP address and NAC public address same or not?

if there are same, have you selected allow for the SFTP in the VM NSG?
Anonymous

2025-04-07T04:44:05.11+00:00

@Pratima Patil,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Pratima Patil 50 Reputation points

2025-04-07T06:07:33.72+00:00

Hi @Anonymous

Apologies for the delay.

Yes, the VM Public IP address and the NAT Public IP address are the same.

NSG currently has inbound & outbound bond allow for everything.
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2025-04-08T17:37:59.37+00:00

Hello Pratima Patil,

Did you check the SFTP server logs during the connection failed attempts.

also, can you please try connecting to SFTP server using different clients (ex: WinSCP) from the SHIR VM to rule out any client-side issues.
Pratima Patil 50 Reputation points

2025-04-08T17:41:29.5866667+00:00

Hi @Bhargava-MSFT

from shir vm if i try the connection using winscp, it works fine.
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2025-04-10T00:52:35.5333333+00:00

Since WinSCP works fine from the same VM, we can rule out issues with NAT Gateway, Network routing, Firewall/NSG restrictions.

Can you double check the authentication method you are using (is WinSCP is using same username and password)

Can you also temporarily enable SSH Host key validation, and see?

as the connectivity works at the network level but fails at the application level, which could be authentication or protocol configuration issue.

Share via

Connectivity from Azure Data Factory to SFTP via NAT Gateway fails

2 answers

Your answer