Issues Creating Azure SMB share without a VPN

Thomas Lee 1 Reputation point
2021-04-06T11:53:20.813+00:00

Hi and thanks for reading this post. I am trying to create an Azure SMB share and am having an issue.

First, here is the code I am using:

    # 1. Defining variables
    $Locname   = 'uksouth'      # location name
    $RgName    = 'packt_rg'     # resource group we are using
    $SAName    = 'packt42sa'    # storage account name - but see note below
    $ShareName = 'packtshare'   # must be lower case!

    # 2. Logging in to your Azure account
    #    Login-AzAccount is an alias of Connect-AzAccount; -Credential only works
    #    for work/school accounts that do not require MFA
    $CredAZ  = Get-Credential
    $Account = Login-AzAccount -Credential $CredAZ
    $Account

    # 3. Getting the storage account, account key and context
    $SA = Get-AzStorageAccount -ResourceGroupName $RgName -Name $SAName
    $SAKHT = @{
        Name              = $SAName
        ResourceGroupName = $RgName
    }
    $Sak = Get-AzStorageAccountKey @SAKHT
    $Key = ($Sak | Select-Object -First 1).Value   # key1; grants full control of the whole account
    $SCHT = @{
        StorageAccountName = $SAName
        StorageAccountKey  = $Key
    }
    $SACon = New-AzStorageContext @SCHT

    # 4. Adding credentials to the local store (Windows Credential Manager)
    $T = "$SAName.file.core.windows.net"
    cmdkey /add:$T /user:"AZURE\$SAName" /pass:$Key

    # 5. Creating an Azure share
    New-AzStorageShare -Name $ShareName -Context $SACon

    # 6. Checking that the share is reachable over SMB (TCP 445)
    $TNCHT = @{
        ComputerName = "$SAName.file.core.windows.net"
        Port         = 445
    }
    Test-NetConnection @TNCHT

    # 7. Mounting the share as M:
    $Mount  = 'M:'
    $Rshare = "\\$SAName.file.core.windows.net\$ShareName"
    $SMHT = @{
        LocalPath  = $Mount
        RemotePath = $Rshare
        UserName   = $SAName
        Password   = $Key
    }
    New-SmbMapping @SMHT

    # 8. Viewing the share in Azure
    Get-AzStorageShare -Context $SACon |
        Format-List -Property *

This sample works a treat through step 5. The Azure share IS created (I can verify that using the Azure Portal), but step 6 consistently fails.

Then, if I use PureVPN to create a VPN to somewhere here in the UK, step 6 and beyond work great. My ISP says they do no filtering.

Not too sure where to look?

Is a VPN required to use SMB shares in Azure?

Azure Storage

3 answers

  1. Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator
    2021-04-07T10:14:05.58+00:00

    Welcome to the Microsoft Q&A platform, and thank you for posting your query here!

    Are you getting any error? If so, can you share a screenshot of the error message? Are you using the Azure file share from on-premises? Is port 445 blocked?

    If port 445 is blocked, you can use a VPN connection. By setting up a VPN to your specific storage account, the traffic goes through a secure tunnel instead of over the internet. Follow the instructions to set up a VPN to access Azure Files from Windows.

    If you want to bring data from outside of a region, use a VPN or an ExpressRoute to mount your file system from your on-premises data center.

    You can use a Point-to-Site (P2S) VPN connection to mount your Azure file shares over SMB from outside of Azure, without opening up port 445. A Point-to-Site VPN connection is a VPN connection between Azure and an individual client. To use a P2S VPN connection with Azure Files, a P2S VPN connection will need to be configured for each client that wants to connect. If you have many clients that need to connect to your Azure file shares from your on-premises network, you can use a Site-to-Site (S2S) VPN connection instead of a Point-to-Site connection for each client. To learn more, see Configure a Site-to-Site VPN for use with Azure Files.

    Please check the prerequisites before configuring the VPN and let me know the status.

    Azure Files also supports REST in addition to SMB. REST access works over port 443 (standard TCP). There are various tools written against the REST API that provide a rich UI experience; Storage Explorer is one of them. Download and install Storage Explorer and connect to your file share backed by Azure Files. You can also use PowerShell, which also uses the REST API: https://learn.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#cause-1-port-445-is-blocked

    Alternatively, ask your ISP to open port 445 outbound to the Azure IP ranges.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

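    The answer above offers two ways forward when TCP 445 is blocked: a VPN, or reaching the same share over REST on 443 with Storage Explorer or PowerShell. The script below is an added example and is not code from the thread or from Microsoft's documentation. It probes both ports the way step 6 of the question does, mounts over SMB if 445 answers, and otherwise round-trips a file through the Az.Storage cmdlets over HTTPS, which needs no VPN. It assumes Az.Accounts and Az.Storage are installed and Connect-AzAccount has already run; the resource group, storage account and share names are the placeholders from the question, not real resources.

```powershell
# Added example, not code from the original thread. Assumes the Az.Accounts and
# Az.Storage modules are installed and Connect-AzAccount has already run.
# Resource names are the placeholders used in the question, not real resources.
$RgName    = 'packt_rg'
$SAName    = 'packt42sa'
$ShareName = 'packtshare'
$Endpoint  = "$SAName.file.core.windows.net"

function Test-AzFilesReachability {
    param([Parameter(Mandatory)][string]$HostName)
    # One TCP probe per transport. Ignore PingSucceeded: the storage endpoint
    # does not answer ICMP, so the 'Ping ... TimedOut' warning is expected.
    $smb  = Test-NetConnection -ComputerName $HostName -Port 445 -WarningAction SilentlyContinue
    $rest = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint      = $HostName
        RemoteAddress = $smb.RemoteAddress
        Smb445        = $smb.TcpTestSucceeded
        Https443      = $rest.TcpTestSucceeded
    }
}

$Probe = Test-AzFilesReachability -HostName $Endpoint
$Probe | Format-Table -AutoSize

# The account key grants full control of every service in the storage account
# (blobs, queues, tables, every share), so treat it as a root secret; a share-level
# SAS or identity-based authentication is the least-privilege option where it fits.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $RgName -Name $SAName)[0].Value
$Ctx = New-AzStorageContext -StorageAccountName $SAName -StorageAccountKey $Key

if ($Probe.Smb445) {
    # 445 reachable: mount over SMB 3.x, as in steps 4 and 7 of the question
    New-SmbMapping -LocalPath 'M:' -RemotePath "\\$Endpoint\$ShareName" `
                   -UserName "AZURE\$SAName" -Password $Key
    Get-ChildItem -Path 'M:\'
}
elseif ($Probe.Https443) {
    # 445 blocked but 443 open: the same share is fully usable through the REST
    # API, which is what the Az.Storage file cmdlets speak. Round-trip a file.
    $Local = Join-Path $env:TEMP 'rest-test.txt'            # constructed sample input
    "written over HTTPS at $(Get-Date -Format o)" | Set-Content -Path $Local
    Set-AzStorageFileContent -ShareName $ShareName -Source $Local -Path 'rest-test.txt' -Context $Ctx -Force
    Get-AzStorageFile -ShareName $ShareName -Context $Ctx
    Get-AzStorageFileContent -ShareName $ShareName -Path 'rest-test.txt' -Destination "$Local.back" -Context $Ctx -Force
    Get-Content -Path "$Local.back"
}
else {
    Write-Warning "Neither 445 nor 443 reachable on $Endpoint; check the local firewall or proxy before blaming the ISP."
}
```

    Run it from the client that fails step 6. If the probe shows Smb445 False and Https443 True, the output of the REST branch is the proof that the share and the key are fine and only the SMB path is blocked; that is the case the original poster describes, and a VPN is then a choice (keep using a drive letter) rather than a requirement.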

  2. Thomas Lee 1 Reputation point
    2021-04-07T10:28:59.95+00:00

    I feel like I am in a helicopter...

    That being said:

    1. I am trying to work out why I can not access a share without a VPN.
    2. You can see the specific steps I took in the above post.
    3. As I said, when I attempt to test connection to the share, I get this:

        PS C:\Foo> # 6. Checking that the share is reachable
        PS C:\Foo> $TNCHT = @{
          ComputerName = "$SAName.file.core.windows.net"
          Port         = 445
        }
        PS C:\Foo> Test-NetConnection @TNCHT
        WARNING: TCP connect to (51.141.128.40 : 445) failed
        WARNING: Ping to 51.141.128.40 failed with status: TimedOut

        ComputerName           : packt42sa.file.core.windows.net
        RemoteAddress          : 51.141.128.40
        RemotePort             : 445
        InterfaceAlias         : Ethernet 2
        SourceAddress          : 10.10.1.21
        PingSucceeded          : False
        PingReplyDetails (RTT) : 0 ms
        TcpTestSucceeded       : False
    4. I know a VPN works and I thought I'd demonstrated it. But are you saying that share access requires a VPN?

    To help a bit with the context, I am writing a book and one section involves using an Azure file share as a way of moving data to the cloud and continuing to use the mapped SMB share. I need to provide concise, and accurate, instructions to my readers. Please can you confirm that Azure file shares require a VPN.


  3. Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator
    2021-04-23T13:31:36.067+00:00

    @Thomas Lee Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. If port 445 is blocked, you need a VPN.

    The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked. Azure Files only allows connections using SMB 3.0 (with encryption support) from outside the region or datacenter. The SMB 3.0 protocol introduced many security features, including channel encryption, which is very secure to use over the internet. However, it is possible that port 445 has been blocked for historical reasons, because of vulnerabilities found in lower SMB versions. Ideally, the port should be blocked only for SMB 1.0 traffic, and SMB 1.0 should be turned off on all clients.


    To check if your firewall or ISP is blocking port 445, use the AzFileDiagnostics tool or Test-NetConnection cmdlet.

    To use the Test-NetConnection cmdlet, the Azure PowerShell module must be installed; see Install Azure PowerShell module for more information. Remember to replace <your-storage-account-name> and <your-resource-group-name> with the relevant names for your storage account.

    This article provides a detailed explanation of when and why port 445 is blocked, and when you need a VPN (you can also learn about various ways to work around a blocked port 445 there).

    Kindly let us know if you still have more questions on this. I would like to engage with you offline for a closer look and to provide quick and specialized assistance; please send an email with the subject line "Attn:subm" to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, and I will follow up with you. Once again, apologies for any inconvenience with this issue.

    Additional information: TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows.

    • ExpressRoute is not required to access an Azure file share. If you are mounting an Azure file share directly on-premises, all that's required is to have port 445 (TCP outbound) open for internet access (this is the port that SMB uses to communicate). If you're using Azure File Sync, all that's required is port 443 (TCP outbound) for HTTPS access (no SMB required). However, you can use ExpressRoute with either of these access options.
    • You can mount the file share by using the SMB protocol if port 445 (TCP outbound) is open and your client supports the SMB 3.0 protocol (for example, if you're using Windows 10 or Windows Server 2016). If port 445 is blocked by your organization's policy or by your ISP, you can use Azure File Sync to access your Azure file share.

    Thanks for your patience and co-operation.

    ----------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

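    The answer above states the two client-side conditions that matter for Azure Files: SMB 1.0 should be off on every client, and the connection that does get through must be SMB 3.x with encryption. The script below is an added example, not code from the thread or from Microsoft's documentation; it checks both conditions on a Windows 10/11 client after the share has been mapped as in step 7 of the question. It assumes an elevated PowerShell session (Get-WindowsOptionalFeature requires it), that the SmbShare module cmdlets are available, and that the storage account name is the placeholder from the question.

```powershell
# Added example, not code from the original thread. Assumes an elevated
# PowerShell on Windows 10/11 with a share already mapped as in step 7 of the
# question. 'packt42sa' is the placeholder name from the question.
$SAName   = 'packt42sa'
$Endpoint = "$SAName.file.core.windows.net"

function Get-SmbClientReadiness {
    # On client SKUs the SMB 1.0 client is an optional feature; on Windows Server
    # use Get-WindowsFeature FS-SMB1-CLIENT instead (assumption: client SKU here).
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client'
    $cfg  = Get-SmbClientConfiguration
    [pscustomobject]@{
        Smb1ClientState           = $smb1.State                   # want: Disabled
        RequireSecuritySignature  = $cfg.RequireSecuritySignature
        EnableInsecureGuestLogons = $cfg.EnableInsecureGuestLogons # want: False
    }
}

function Test-AzFilesConnection {
    param([Parameter(Mandatory)][string]$ServerName)
    $conns = Get-SmbConnection -ServerName $ServerName
    if (-not $conns) { throw "No SMB connection to $ServerName; mount the share first." }
    foreach ($c in $conns) {
        # Dialect is reported as a string such as '3.1.1' or '3.02'; Azure Files
        # requires SMB 3.x with encryption when connecting from outside the region.
        $isSmb3 = [version]$c.Dialect -ge [version]'3.0'
        [pscustomobject]@{
            Share     = $c.ShareName
            Dialect   = $c.Dialect
            Encrypted = $c.Encrypted
            Signed    = $c.Signed
            Compliant = ($isSmb3 -and $c.Encrypted)
        }
    }
}

Get-SmbClientReadiness | Format-List
Test-AzFilesConnection -ServerName $Endpoint | Format-Table -AutoSize

# Remediation if Smb1ClientState came back Enabled (takes effect after a reboot):
# Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client' -NoRestart
```

    A Compliant value of True means the client never sent anything over the internet that an SMB 1.0 or unencrypted SMB 2.x peer could have read, which is the security argument the answer makes for opening 445 to Azure Files while keeping SMB 1.0 blocked everywhere.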
