You can securely connect to the Blob Storage endpoint of an Azure Storage account by using an SFTP client, and then upload and download files. This article shows you how to enable SFTP, and then connect to Blob Storage by using an SFTP client.
To learn more about SFTP support for Azure Blob Storage, see SSH File Transfer Protocol (SFTP) in Azure Blob Storage.
Prerequisites
A standard general-purpose v2 or premium block blob storage account. You can also enable SFTP as you create the account. For more information on these types of storage accounts, see Storage account overview.
The hierarchical namespace feature of the account must be enabled. To enable the hierarchical namespace feature, see Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities.
If you're connecting from an on-premises network, make sure that your client and any egress firewall allow outbound TCP connections on port 22, the port used by SSH and therefore by SFTP.
Enable SFTP support
This section shows you how to enable SFTP support for an existing storage account. To view an Azure Resource Manager template that enables SFTP support as part of creating the account, see Create an Azure Storage Account and Blob Container accessible using SFTP protocol on Azure. To view the Local User REST APIs and .NET references, see Local Users and LocalUser Class.
Portal
In the Azure portal, navigate to your storage account.
Under Settings, select SFTP.
Note
This option appears only if the hierarchical namespace feature of the account has been enabled. To enable the hierarchical namespace feature, see Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities.
Select Enable SFTP.
Note
If no local users appear in the SFTP configuration page, you'll need to add at least one of them. To add local users, see the next section.
Configure permissions
Azure Storage doesn't support shared access signature (SAS) or Azure Active Directory (Azure AD) authentication for the SFTP endpoint. Instead, you grant access through a storage-account identity called a local user, which is secured with an Azure-generated password or a secure shell (SSH) key pair. A connecting client authenticates as that local user with the password, or with the private key that matches the public key stored for the user.
In this section, you'll learn how to create a local user, choose an authentication method, and assign permissions for that local user.
To learn more about the SFTP permissions model, see SFTP Permissions model.
Tip
This section shows you how to configure local users for an existing storage account. To view an Azure Resource Manager template that configures a local user as part of creating an account, see Create an Azure Storage Account and Blob Container accessible using SFTP protocol on Azure.
Portal
In the Azure portal, navigate to your storage account.
Under Settings, select SFTP, and then select Add local user.
In the Add local user configuration pane, add the name of a user, and then select which methods of authentication you'd like to associate with this local user. You can associate a password and / or an SSH key.
Important
While you can enable both forms of authentication, an SFTP client connects by using only one of them. Multifactor authentication, where both a valid password and a valid key pair are required for a successful login, isn't supported.
If you select SSH Password, your password appears after you've completed all of the steps in the Add local user configuration pane. SSH passwords are generated by Azure and are at least 32 characters long.
If you select SSH Key pair, then select Public key source to specify a key source.
The following table describes each key source option:
Option | Guidance |
---|---|
Generate a new key pair | Use this option to create a new public / private key pair. The public key is stored in Azure with the key name that you provide. The private key can be downloaded after the local user has been successfully added. |
Use existing key stored in Azure | Use this option if you want to use a public key that is already stored in Azure. To find existing keys in Azure, see List keys. When SFTP clients connect to Azure Blob Storage, those clients need to provide the private key associated with this public key. |
Use existing public key | Use this option if you want to upload a public key that is stored outside of Azure. If you don't have a public key, but would like to generate one outside of Azure, see Generate keys with ssh-keygen. |

Select Next to open the Container permissions tab of the configuration pane.
In the Container permissions tab, select the containers that you want to make available to this local user. Then, select which types of operations you want to enable this local user to perform.
In the Home directory edit box, type the name of the container or the directory path (including the container name) that will be the default location associated with this local user.
To learn more about the home directory, see Home directory.
Select the Add button to add the local user.
If you enabled password authentication, then the Azure generated password appears in a dialog box after the local user has been added.
Important
You can't retrieve this password later, so make sure to copy the password, and then store it in a place where you can find it.
If you chose to generate a new key pair, then you'll be prompted to download the private key of that key pair after the local user has been added. Azure keeps only the public key, so store the downloaded private key somewhere safe and restrict its file permissions as you would any SSH private key.
Note
Local users have a sharedKey property that is used for SMB authentication only.
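The portal steps above can be scripted. The following is an added example, not code from the Azure documentation: it enables SFTP on an existing account and creates a key-authenticated local user scoped to one container with the Azure CLI. The resource group, account, user and container names and the public-key path are assumptions; the permission letters follow the local-user API (r read, w write, d delete, l list, c create). Run it as "sh provision.sh provision"; without that argument it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the Azure docs): provision SFTP access with the Azure CLI.
# Names below are placeholders; override them through the environment.
set -eu

RG="${RG:-contoso-rg}"
ACCOUNT="${ACCOUNT:-contoso4}"
LOCAL_USER="${LOCAL_USER:-contosouser}"
CONTAINER="${CONTAINER:-uploads}"
PUBKEY_FILE="${PUBKEY_FILE:-$HOME/.ssh/contosouser_key.pub}"

# Build the --permission-scope value from operation names. Letters are emitted
# in a fixed order and deduplicated, so "list read read" and "read list" give
# the same scope string; an unknown operation or an empty list is an error.
permission_scope() {
  container="$1"; shift
  flags=""
  for op in "$@"; do
    case "$op" in
      read)   flags="${flags}r" ;;
      write)  flags="${flags}w" ;;
      delete) flags="${flags}d" ;;
      list)   flags="${flags}l" ;;
      create) flags="${flags}c" ;;
      *) echo "unknown operation: $op" >&2; return 1 ;;
    esac
  done
  ordered=""
  for letter in r w d l c; do
    case "$flags" in *"$letter"*) ordered="${ordered}${letter}" ;; esac
  done
  [ -n "$ordered" ] || { echo "at least one operation is required" >&2; return 1; }
  printf 'permissions=%s service=blob resource-name=%s\n' "$ordered" "$container"
}

# Enable the SFTP endpoint on an existing account (hierarchical namespace must
# already be enabled, as stated in the prerequisites).
enable_sftp() {
  az storage account update --name "$ACCOUNT" --resource-group "$RG" \
    --enable-sftp true --output none
}

# Create a local user that authenticates with an SSH key only: password
# authentication stays off so the user has exactly one credential type.
# The home directory is the container, so the login name is ACCOUNT.LOCAL_USER.
create_local_user() {
  scope="$(permission_scope "$CONTAINER" read write list)"
  pubkey="$(cut -d' ' -f1,2 "$PUBKEY_FILE")"   # key type and key data; drop the comment
  # $scope is deliberately unquoted: az expects the key=value pairs as separate
  # arguments, and container names never contain whitespace.
  az storage account local-user create \
    --account-name "$ACCOUNT" --resource-group "$RG" \
    --user-name "$LOCAL_USER" \
    --home-directory "$CONTAINER" \
    --permission-scope $scope \
    --has-ssh-key true --has-ssh-password false \
    --ssh-authorized-key key="$pubkey" \
    --output none
}

if [ "${1:-}" = "provision" ]; then
  enable_sftp
  create_local_user
  echo "created local user $ACCOUNT.$LOCAL_USER for $ACCOUNT.blob.core.windows.net"
fi
```

Granting read, write and list but not delete matches the usual drop-box pattern: a partner can upload and see their own files, but can't remove evidence of what they sent. Add delete or create only for users whose workflow needs them.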
Connect an SFTP client
You can use any SFTP client to securely connect and then transfer files. The following example shows a Windows PowerShell session that uses OpenSSH and password authentication to connect and then upload a file named logfile.txt.
Note
The SFTP username is storage_account_name.username. In the example above the storage_account_name is "contoso4" and the username is "contosouser", so the combined username is contoso4.contosouser for the SFTP command, and the host is the account's Blob endpoint, contoso4.blob.core.windows.net. If the local user has no home directory, the container must be part of the username as well: storage_account_name.container_name.username.
Note
You might be prompted to trust a host key. Valid host keys are published in Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage. Compare the fingerprint your client shows with the published value before accepting it; accepting an unknown key on first use would let an attacker who intercepts the connection impersonate the endpoint.
After the transfer is complete, you can view and manage the file in the Azure portal.
Note
The Azure portal uses the Blob REST API and Data Lake Storage Gen2 REST API. Being able to interact with an uploaded file in the Azure portal demonstrates the interoperability between SFTP and REST.
See the documentation of your SFTP client for guidance about how to connect and transfer files.
Connect using a custom domain
When using a custom domain, the connection string is myaccount.myuser@customdomain.com. If no home directory has been specified for the user, it's myaccount.mycontainer.myuser@customdomain.com.
Important
Ensure your DNS provider does not proxy requests. Proxying may cause the connection attempt to time out.
Connect using a private endpoint
When using a private endpoint, the connection string is myaccount.myuser@myaccount.privatelink.blob.core.windows.net. If no home directory has been specified for the user, it's myaccount.mycontainer.myuser@myaccount.privatelink.blob.core.windows.net.
Note
Ensure that you change the account's networking configuration to "Enabled from selected virtual networks and IP addresses" and select your private endpoint; otherwise the regular SFTP endpoint remains publicly accessible alongside the private one.
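The naming rules in the three connection sections above (public endpoint, custom domain, private endpoint) and the host-key note are easy to get wrong by hand. The following is an added example, not from the Azure documentation or the OpenSSH project: it derives the login name and hostname for each case, pins the published host key into a dedicated known_hosts file, and uploads a file with OpenSSH sftp in batch mode. Account, user, container, custom domain, key path and the placeholder host-key data are assumptions. Run it as "sh upload.sh upload" to perform the upload; otherwise only the helper functions are defined.

```shell
#!/bin/sh
# Added example (not from the Azure docs): connect to the Blob SFTP endpoint with
# OpenSSH sftp, with the host key pinned and batch-mode failure reporting.
set -eu

# Login name rule from the text: <account>.<user> when the local user has a
# home directory, <account>.<container>.<user> when it doesn't.
sftp_login() {
  account="$1"; user="$2"; container="${3:-}"
  if [ -n "$container" ]; then
    printf '%s.%s.%s\n' "$account" "$container" "$user"
  else
    printf '%s.%s\n' "$account" "$user"
  fi
}

# Hostname for each way of reaching the endpoint:
#   public  -> <account>.blob.core.windows.net
#   private -> <account>.privatelink.blob.core.windows.net  (private endpoint)
#   custom  -> the custom domain mapped to the account (third argument)
sftp_host() {
  account="$1"; mode="$2"; custom="${3:-}"
  case "$mode" in
    public)  printf '%s.blob.core.windows.net\n' "$account" ;;
    private) printf '%s.privatelink.blob.core.windows.net\n' "$account" ;;
    custom)  [ -n "$custom" ] || { echo "custom domain required" >&2; return 1; }
             printf '%s\n' "$custom" ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# One known_hosts line for a host key copied from Microsoft's published list,
# so the client never has to answer a trust-on-first-use prompt.
known_hosts_line() {
  printf '%s %s %s\n' "$1" "$2" "$3"   # host, key type, base64 key data
}

# Upload one file. -b runs the commands from a file and makes sftp abort with a
# non-zero exit code on the first failed command, which is the only completion
# signal an SFTP server gives. Host-key checking is strict against the pinned
# file, only the named private key is offered, and nothing can prompt.
upload_file() {
  login="$1"; target="$2"; known_hosts="$3"; identity="$4"; localfile="$5"
  batch="$(mktemp)"
  printf 'put %s\nbye\n' "$localfile" > "$batch"
  if sftp -b "$batch" \
          -o BatchMode=yes \
          -o StrictHostKeyChecking=yes \
          -o UserKnownHostsFile="$known_hosts" \
          -o IdentitiesOnly=yes -i "$identity" \
          -o PasswordAuthentication=no \
          "$login@$target"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$batch"
  return $rc
}

if [ "${1:-}" = "upload" ]; then
  TARGET="$(sftp_host contoso4 public)"
  LOGIN="$(sftp_login contoso4 contosouser)"   # local user has a home directory
  KH="$(mktemp)"
  # Placeholder: paste the real key data for this endpoint from the published host-key list.
  known_hosts_line "$TARGET" ssh-rsa "AAAA-placeholder-host-key-data" > "$KH"
  upload_file "$LOGIN" "$TARGET" "$KH" "$HOME/.ssh/contosouser_key" logfile.txt
  rm -f "$KH"
fi
```

Pinning the key in a separate known_hosts file, rather than accepting it interactively into ~/.ssh/known_hosts, keeps the trust decision in version control with the script and makes a changed host key a hard failure instead of a prompt someone answers "yes" to.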
Networking considerations
SFTP is a platform-level service, so port 22 is open even if SFTP is disabled on the account. If SFTP access isn't configured, every connection receives a disconnect from the service, so a port scan that reports 22 as open is not evidence that SFTP is enabled. When using SFTP, you might want to limit public access by configuring a firewall, virtual network, or private endpoint. These settings are enforced at the application layer, which means they aren't specific to SFTP and affect connectivity to all endpoints of the storage account. For more information on firewalls and network configuration, see Configure Azure Storage firewalls and virtual networks.
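The following is an added example, not from the Azure documentation: the weak network setting next to the hardened one for the account, plus a small classifier for what a caller outside the allow list can reach. The resource names and the allowed IP range are assumptions; the az flags are the documented Azure CLI ones. Run it as "sh lockdown.sh apply" to change the account, or "sh lockdown.sh audit" to classify the live settings.

```shell
#!/bin/sh
# Added example (not from the Azure docs): restrict the storage account's public
# endpoint. Applies to every storage endpoint of the account, not only SFTP.
set -eu

RG="${RG:-contoso-rg}"
ACCOUNT="${ACCOUNT:-contoso4}"
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"   # documentation range; replace with your egress

# Weak configuration (the account default): traffic from any network is accepted,
# so adding a private endpoint creates a second path but removes none.
weak_config() {
  az storage account update --name "$ACCOUNT" --resource-group "$RG" \
    --default-action Allow --output none
}

# Hardened configuration: deny by default, then allow only the ranges (or
# virtual networks, via "network-rule add --vnet-name ... --subnet ...") that
# must reach the account.
lock_down() {
  az storage account update --name "$ACCOUNT" --resource-group "$RG" \
    --default-action Deny --output none
  az storage account network-rule add --account-name "$ACCOUNT" --resource-group "$RG" \
    --ip-address "$ALLOWED_CIDR" --output none
}

# Classify exposure from the two properties that govern public reach:
#   publicNetworkAccess           Enabled | Disabled
#   networkRuleSet.defaultAction  Allow | Deny
# "Deny" alone still admits the allow-listed networks; only disabling public
# network access leaves the private endpoint as the sole path.
exposure() {
  public_access="$1"; default_action="$2"
  if [ "$public_access" = "Disabled" ]; then
    echo "private-endpoint-only"
  elif [ "$default_action" = "Deny" ]; then
    echo "allow-listed-networks-only"
  else
    echo "open-to-internet"
  fi
}

# Read the live values and classify them.
audit() {
  exposure \
    "$(az storage account show -n "$ACCOUNT" -g "$RG" --query publicNetworkAccess -o tsv)" \
    "$(az storage account show -n "$ACCOUNT" -g "$RG" --query networkRuleSet.defaultAction -o tsv)"
}

case "${1:-}" in
  apply) lock_down; audit ;;
  audit) audit ;;
  *) : ;;   # no argument: define functions only
esac
```

Because these rules are enforced at the application layer, a client blocked by them still completes a TCP handshake on port 22; test the lockdown by attempting an SFTP login from a non-allowed address and expecting a disconnect, not by checking whether the port answers.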
Note
Audit tools that attempt to determine TLS support at the protocol layer may return TLS versions in addition to the minimum required version when run directly against the storage account endpoint. For more information, see Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account.
See also
- SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
- Limitations and known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
- Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
- SSH File Transfer Protocol (SFTP) performance considerations in Azure Blob storage
FAQs
Can you SFTP to Azure blob storage?
Blob storage now supports the SSH File Transfer Protocol (SFTP). This support lets you securely connect to Blob Storage via an SFTP endpoint, allowing you to use SFTP for file access, file transfer, and file management.
What is the limitation of Azure SFTP?
Maximum file upload size via the SFTP endpoint is 100 GB. To change the storage account's redundancy/replication settings or initiate account failover, SFTP must be disabled.
How do I connect to Azure blob storage?
- Launch Microsoft Azure Storage Explorer.
- To bring up the Sign in to your account... ...
- To bring up the Connect to Azure Storage wizard, select the Connect to Azure Storage icon.
- Enter the access key from your Azure Storage account on the Connect to Azure Storage wizard and then Next.
Enabling the SFTP endpoint on Azure Blob Storage costs $0.30 per hour, on top of the transaction, storage, and networking costs for the underlying object storage.
How do I send files to Azure Blob storage?
- In the Azure portal, navigate to the container you created in the previous section.
- Select the container to show a list of blobs it contains. ...
- Select the Upload button to open the upload blade and browse your local file system to find a file to upload as a block blob.
SFTP secures data in transit, but only in transit. A generic SFTP server doesn't encrypt the data it keeps at rest unless the operator adds their own encryption. Data landed in Azure Blob Storage through the SFTP endpoint is different in this respect: Azure Storage encrypts all data at rest with service-side encryption by default.
How many SFTP connections can a server handle?
For an OpenSSH server, MaxStartups specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections are dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
What is the limit of Azure Blob storage?
Resource | Target |
---|---|
Maximum size of single blob container | Same as maximum storage account capacity |
Maximum number of blocks in a block blob or append blob | 50,000 blocks |
Maximum size of a block in a block blob | 4000 MiB |
Maximum size of a block blob | 50,000 X 4000 MiB (approximately 190.7 TiB) |
- Open a connection to a remote system by using the sftp command: sftp remote-system. If the connection succeeds, a confirmation message and prompt are displayed.
- If prompted, type your password. ...
- Close the sftp connection by typing bye at the sftp> prompt.
- Here are the steps to enable SFTP on Windows Server 2019:
- Installing OpenSSH.
- Opening the SSH port in the Windows Firewall manually.
- To test the SFTP server, run WinSCP and select "SFTP" as the protocol. Enter your Windows username and password to allow the program to connect to the server.
How do I access SFTP connection?
Open your SFTP client, and enter the following details, replacing yourdomain.com with your own domain:
- Host: ssh.yourdomain.com.
- Username: yourdomain.com.
- Password: the password you have chosen for SFTP.
- Port: 22.
SFTP Gateway is a secure-by-default, pre-configured SFTP server that saves uploaded files to Azure Blob Storage. This product is built on Ubuntu. SFTP is still commonly used to support long-established business processes and securely transfer files with third-party vendors.
How do you access blob storage from an Azure function?
- Press F1 to open the command palette, then search for and run the command Azure Functions: Download Remote Settings....
- Choose the function app you created in the previous article. ...
- Copy the value AzureWebJobsStorage, which is the key for the storage account connection string value.
- Connect to SQL Server Management Studio.
- Open a new query window and connect to the SQL Server 2016 instance of the database engine in your Azure virtual machine.
- Open Object Explorer and connect to Azure storage using your storage account and account key.
- Sign in to the Azure portal.
- Select Monitor from the left-hand pane in the Azure portal, and.
- Under the Insights section, select Storage Accounts (preview).
sftp-group is a container group with a mounted Azure File Share. The Azure File Share will provide persistent storage after the container is terminated.
Is Azure blob storage unlimited?
A blob can contain many blocks but not more than 50,000 blocks per blob, so a block blob is uploaded as up to 50,000 blocks. The maximum size of a single block is 4000 MiB (it was 100 MiB in service versions before 2019-12-12); there's no minimum block size.
What is SFTP storage?
SFTP, or SSH File Transfer Protocol, is a file transfer protocol that runs over Secure Shell (SSH), which authenticates the server and encrypts everything sent and received. SFTP is similar to FTPS in that it uses AES and other algorithms to protect data as it travels between systems.
What is the drawback of SFTP?
Critical data needs to remain secure and under your control. FTP was not designed with secure file transfer in mind, and a bare SFTP server doesn't by itself provide the auditing, key management, and access controls that today's threats call for. For example: user IDs and passwords used to log in to FTP servers and send files aren't always protected.
How do I know if my SFTP connection is successful?
You use a test file to test the SFTP connection and the web server. Use a command line SFTP tool available from a third-party source. For example, PuTTY SFTP client (PSFTP) works well for this test. Note: There are several PuTTY applications for download, but only PSFTP works for this test.
How do you know if SFTP is successful?
All you can do is to check that there are no errors when uploading the file. That's all the information the SFTP server gives you. With the command-line OpenSSH sftp client, you can check its exit code (you need to use the -b switch, which makes sftp abort with a non-zero exit code when a command fails).
How do I determine SFTP server size?
The sftp command line has no universal remote disk-usage query. If the server implements the OpenSSH statvfs extension, the OpenSSH client's df command reports file system usage; otherwise use ls -l, which shows the size of each file, and total the sizes on the client.
Is SFTP obsolete?
No. Plain File Transfer Protocol (FTP), the older standard for transferring files between computers, is outdated in today's security-conscious environment because it sends credentials and data in the clear. SFTP, which runs over SSH, is its current replacement.
What are the requirements for SFTP?
Basic authentication requires a user ID and password from the SFTP client user to connect to the SFTP server. SSH authentication uses SSH keys to authenticate SFTP connections instead of, or in combination with, a user ID and password. An SSH public key and private key pair are required in this case.
How do I receive files via SFTP?
- Step 1: Generating SSH Keys.
- Step 2: Copying SSH Keys to a Remote Server.
- Step 3: Initiating an SFTP Connection.
- Step 4: Transferring Files from Remote Servers to Local Systems.
- Step 5: Transferring Files from Local Systems to Remote Servers.
Secure Shell (SSH) creates a secure connection when you log in to a remote computer. SSH File Transfer Protocol (SFTP) uses SSH and provides a secure way to transfer files between computers.
Why is SFTP not working?
Make sure you log in to your server's IP ADDRESS (not your domain) with the SYSTEM USER used to create your app; attempting to connect to your domain directly is one of the most common causes of SFTP connection failures. Make sure you attempt to connect over SFTP. ServerPilot does not support unsecure FTP connections.
Why is SFTP connection refused?
Typos or incorrect credentials are common reasons for a refused SSH connection. Make sure you are not mistyping the username or password. Then, check whether you are using the correct IP address of the server and the port the server listens on.
How do I set up SFTP transfer?
- In the Control Panel, navigate to the Windows Defender Firewall. Click on "Advanced settings" in the left panel to open a new pop-up window.
- Click on "Inbound Rules" in the pop-up window's left panel. Next, click on "New Rule…" in the right panel.
- By default, SFTP uses port 22 for communications.
How to Connect to SFTP. By default, the same SSH protocol is used to authenticate and establish an SFTP connection. To start an SFTP session, enter the username and remote hostname or IP address at the command prompt. Once authentication is successful, you will see a shell with an sftp> prompt.
How do I add users to Azure SFTP?
You can add a local user by going to Settings, selecting SFTP, and then selecting Add local user. Walking through the prompts, you can also set up the user's permissions for the storage containers.
What is the default path for SFTP?
By default, when a client user starts an SFTP session, the user has access to files and directories located within the configured login directory (on Windows, the profile folder, \Users\username by default).
What are default ports for SFTP?
Unlike FTP over SSL/TLS (FTPS), SFTP only needs a single port to establish a server connection: port 22.
How do I access blob storage from URL?
You can also retrieve a blob using an HTTPS/HTTP request. One way to find the URL of the blob is by using the Azure portal by going to Home > Storage Account > Container > Blob > Properties. However, probably the easiest way is to find the blob in the Storage Explorer, right-click, then select 'Copy URL'.
How do I access my Azure storage files?
- Sign in to the Azure portal.
- Navigate to the storage account that contains the file share you'd like to mount.
- Select File shares.
- Select the file share you'd like to mount.
- Select Connect.
- Select the drive letter to mount the share to.
- Copy the provided script.
Provisioning a storage account
- Create a resource group or use the existing resource group you provide.
- Create a storage account or use an existing storage account you provide.
- Upload the files to the storage account.
Microsoft's Blob Storage system on Azure is designed to make unstructured data available to customers anywhere through REST-based object storage. Azure SQL Database is Microsoft's relational database as a service (DBaaS).
Can I access Azure blob storage from a browser?
The shared access signature (SAS) is used by code running in the browser to authorize Azure Blob storage requests. By using the SAS, the client can authorize access to storage resources without the account access key or connection string. For more information on SAS, see Using shared access signatures (SAS).
Can we query Azure blob storage?
There are multiple ways to access files stored in blob storage. We can access them from anywhere using HTTP or HTTPS. Applications can use the Azure REST API, Azure PowerShell, Azure CLI, and Azure storage client libraries to access data stored in blob storage.
Does Azure Data Factory support SFTP?
Azure Data Factory now supports SFTP as a sink and as a source. Use copy activity to copy data from any supported data store to your SFTP server located on-premises or in the cloud.
How do I connect FileZilla to Azure blob storage?
Configuring FileZilla Pro for Blob Storage type accounts
In the menu bar, click on File > Site Manager…. Select Microsoft Azure Blob Storage Service from the Protocol drop down list. Enter your storage account name in the Storage account field. Paste the access key that you copied from Azure into the Access Key field.
You can also go to your Azure Storage account in Azure portal and select the Data transfer feature. Provide the network bandwidth in your environment, the size of the data you want to transfer, and the frequency of data transfer.
How do I connect to SFTP from Azure Data Factory?
- Browse to the Manage tab in your Azure Data Factory or Synapse workspace and select Linked Services, then click New: Azure Data Factory. ...
- Search for SFTP and select the SFTP connector.
- Configure the service details, test the connection, and create the new linked service.
SFTP doesn't natively provide encryption at rest. On a self-managed SFTP server this is a configuration that an admin must make, and it usually means the storage is also being modified for other purposes. Azure Blob Storage, by contrast, encrypts data at rest by default, so files that arrive through its SFTP endpoint are encrypted on disk without extra configuration.
The key difference between FTP and SFTP is that SFTP uses a secure channel to transfer files while FTP doesn't. With SFTP, your connection is always secured and the data that moves between your client and the server is encrypted.