Azure Blob SFTP Custom Domain

Question

Azure Blob SFTP Custom Domain

Nick Vigors 1

Hi All,

I am testing the 'new' SFTP support for Azure Blob Storage. First, I think this is a great addition!

I am now trying to use it with a custom domain. For example, rather than my connection string being:

Matt Spradley 26 Reputation points

2022-03-11T18:52:20.557+00:00

I am wanting to do the same thing.

One issue is you have to have a valid SSL cert with the custom domain to support the SFTP protocol. Storage accounts don't support adding certs directly right now and only offer SSL protection for the native domain.

From what I've gathered, the only way to add a cert to a storage account is using a CDN endpoint as described here. I did that and was able to get https working for accessing files over ssl. However, I couldn't get SFTP to work. I think this is due to the port used (22) and maybe the CDN doesn't support SFTP regardless. I did change the https port on the CDN to 22 and it did not help.

@Microsoft, are there any plans to add custom domain support directly to storage accounts and fix the SFTP for custom domain issue or some other way to add custom domains to the new SFTP server?

3 answers

Your answer

Matt Spradley 26 Reputation points

2022-03-11T18:52:20.557+00:00

I am wanting to do the same thing.

One issue is you have to have a valid SSL cert with the custom domain to support the SFTP protocol. Storage accounts don't support adding certs directly right now and only offer SSL protection for the native domain.

From what I've gathered, the only way to add a cert to a storage account is using a CDN endpoint as described here. I did that and was able to get https working for accessing files over ssl. However, I couldn't get SFTP to work. I think this is due to the port used (22) and maybe the CDN doesn't support SFTP regardless. I did change the https port on the CDN to 22 and it did not help.

@Microsoft, are there any plans to add custom domain support directly to storage accounts and fix the SFTP for custom domain issue or some other way to add custom domains to the new SFTP server?

Answer 1

For future reader of this thread: This feature currently work as expected with very minimal config (at least for me).

Just add a custom CNAME to the Storage Account Hostname and use it within your SFTP connection string.

accountname.username@<custom DNS Name>

note that this format assume a Home directory has been specified (refer to MS Doc)

Some additional notes

This is not an HTTPS connection so you don't need to bother with supporting custom CERT on the Azure Storage (this is irrelevant for SFTP).
I found that the Custom Domain configuration within the Storage Account do not seams to be mandatory. A DNS CNAME was sufficient.
If you want to add a custom DNS Name, you would be required to do it programmatically as the Portal GUI won't show the option when SFTP is used.
Also, make sure to use a DNS domain name that can be verified.

Particular scenarios

Private Endpoint - If you are using private endpoint to reach the Storage Account, ensure port 22 is open on your network (within NSGs, Firewalls, NVA,...)
Frontdoor - This is not an option you can use for SFTP traffic

Troubleshooting

Per Microsoft documentation, make sure your DNS Provider does not proxy requests as this may cause network connection timeout (this may be a candidate to explain Nick issue above).

Joakim Westin 21 Reputation points

2023-02-28T14:48:02.4233333+00:00

@Michel Lapointe thanks for sharing, the Azure documentation isn't very clear.
Anitosh Saha 0 Reputation points

2024-06-26T23:40:59.6466667+00:00

I totally agree that Azure Documentation does not talk about this anywhere.

Answer 2

I am wanting to do the same thing.

One issue is you have to have a valid SSL cert with the custom domain to support the SFTP protocol. Storage accounts don't support adding certs directly right now and only offer SSL protection for the native domain.

From what I've gathered, the only way to add a cert to a storage account is using a CDN endpoint as described here. I did that and was able to get https working for accessing files over ssl. However, I couldn't get SFTP to work. I think this is due to the port used (22) and maybe the CDN doesn't support SFTP regardless. I did change the https port on the CDN to 22 and it did not help.

@Microsoft, are there any plans to add custom domain support directly to storage accounts and fix the SFTP for custom domain issue or some other way to add custom domains to the new SFTP server?

Answer 3

Manu Philip 20,206 MVP Volunteer Moderator

I think, the CNAME created to be checked. Reference: https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name-portal#add-a-cname-record-for-your-custom-domain

You must also provide the domain or subdomain alias for the CNAME, such as www if you want to create an alias for www.customdomain.com. If you want to create an alias for the root domain, it may be listed as the '@' symbol in your registrar's DNS tools.
Then, you must provide a canonical host name, which is your application's cloudapp.net domain in this case.

For example, the following CNAME record forwards all traffic from www.contoso.com to contoso.cloudapp.net, the custom domain name of your deployed application:
Alias/Host name/Subdomain Canonical domain
www contoso.cloudapp.net

----------

--please don't forget to upvote and Accept as answer if the reply is helpful--

Nick Vigors 1 Reputation point

2022-03-07T16:52:32.633+00:00
Hi,

Thanks very much for the reply. I have checked my CNAM record again. It is formatted:

inline with my DNS provider's requirements;

according to the Azure doc you sent over (thanks for that); and

it is correctly routing to my Azure storage account.

Thanks,
Nick
Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-08T01:56:08.683+00:00

SFTP implementation of Blob storage is currently under preview and there may be some challenges in start using the feature.
For further troubleshooting and understanding known issues, please visit the page here: https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-known-issues

See the following statement under 'Authentication and authorization'

Local users is the only form of identity management that is currently supported for the SFTP endpoint.
So, local account connection should be supported.

Check all troubleshooting steps Note the following points especially
The account needs to be a general-purpose v2 and premium block blob accounts.
Customer's subscription needs to be signed up for the preview. Request to join via 'Preview features' in the Azure portal. Requests are automatically approved.

----------

--please don't forget to upvote and Accept as answer if the reply is helpful--
Anitosh Saha 0 Reputation points

2024-07-01T05:23:57.95+00:00

What will be the solution if we have requirement to publish the sftp through our internal network and outside network using azure firewall in between.

Share via

Azure Blob SFTP Custom Domain

3 answers

Your answer