Azure file share protocols

Azure Files offers two protocols for connecting and mounting your Azure file shares: the Server Message Block (SMB) protocol and the Network File System (NFS) protocol (preview). Azure Files does not currently support multi-protocol access, so a share can only be either an NFS share or an SMB share. For this reason, we recommend determining which protocol best suits your needs before creating Azure file shares.

Differences at a glance

| Feature | NFS (preview) | SMB |
|---|---|---|
| Access protocols | NFS 4.1 | SMB 2.1, SMB 3.0 |
| Recommended OS | Linux kernel version 4.3+ | Windows 2008 R2+, Linux kernel version 4.11+ |
| Available tiers | Premium storage | Premium storage, transaction optimized, hot, cool |
| Billing model | Pay for provisioned capacity | Pay for provisioned capacity for Premium Tier, Pay-as-you-go for Standard Tier |
| Redundancy | LRS, ZRS | LRS, ZRS, GRS |
| Authentication | Host-based authentication only | Identity-based authentication, user-based authentication |
| Permissions | UNIX-style permissions | NTFS-style permissions |
| File system semantics | POSIX compliant | Not POSIX compliant |
| Case sensitivity | Case sensitive | Not case sensitive |
| Hard link support | Supported | Not supported |
| Symbolic links support | Supported | Not supported |
| Deleting or modifying open files | Supported | Not supported |
| Locking | Byte-range advisory network lock manager | Supported |
| Public IP safe listing | Not supported | Supported |
| Protocol interop | Not supported | FileREST |

NFS shares (preview)

Mounting Azure file shares with NFS 4.1 is currently in preview. It offers tighter integration with Linux. This is a fully POSIX-compliant offering that is a standard across variants of Unix and other *nix-based operating systems. This enterprise-grade file storage service scales up to meet your storage needs and can be accessed concurrently by thousands of compute instances.

Limitations

While in preview, NFS has the following limitations:

  • NFS 4.1 support currently covers most, but not all, features of the protocol specification. Some features, such as delegations and callbacks of all kinds, lock upgrades and downgrades, Kerberos authentication, and encryption, are not supported.
  • If the majority of your requests are metadata-centric, then the latency will be worse when compared to read/write/update operations.
  • You must create a new storage account in order to create an NFS share.
  • Only the management plane REST APIs are supported. Data plane REST APIs are not available, which means that tools like Storage Explorer will not work with NFS shares nor will you be able to browse NFS share data in the Azure portal.
  • AzCopy is not currently supported.
  • Only available for the premium tier.
  • NFS shares only accept numeric UID/GID. To avoid your clients sending alphanumeric UID/GID, you should disable ID mapping.
  • Shares can only be mounted from one storage account on an individual VM, when using private links. Attempting to mount shares from other storage accounts will fail.

Azure Storage features not yet supported

Also, the following Azure Files features are not available with NFS shares:

  • Identity-based authentication
  • Azure Backup support
  • Snapshots
  • Soft delete
  • Full encryption-in-transit support (for details see NFS security)
  • Azure File Sync (only available for Windows clients, which NFS 4.1 does not support)

Regional availability

NFS is supported in ALL 30+ regions where Premium Files Storage is available.

We are continuously adding regions. For the most up-to-date list, use the sample below to query the list of regions with NFS support. You can also check support for your region on the Azure Products available by region page under Premium Files Storage.

# Log in first with Connect-AzAccount if not using Cloud Shell

$azContext = Get-AzContext
$azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)
$token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'='Bearer ' + $token.AccessToken
}

# Provide a specific subscription ID if you want the list for a different subscription
$subscription = $azContext.Subscription.Id

# Invoke the REST API
$restUri = "https://management.azure.com/subscriptions/$subscription/providers/Microsoft.Storage/skus?api-version=2019-06-01"
$response = Invoke-RestMethod -Uri $restUri -Method Get -Headers $authHeader

# List of all regions that have NFS support.
$response.value| Where-Object -FilterScript {$_.capabilities| Where-Object { $_.name -eq 'supportsNfsShare' -and $_.value -eq 'true'}}| Select-Object locations, kind, name

# List of regions that support NFS Zonal redundancy.
$response.value| Where-Object -FilterScript {($_.name -EQ 'Premium_ZRS') -and ($_.capabilities| Where-Object { $_.name -eq 'supportsNfsShare' -and $_.value -eq 'true'})}| Select-Object locations

Sample response

List of regions that support NFS Zonal redundancy
locations
---------
{eastus}
{eastus2}
{westeurope}
{southeastasia}
{japaneast}
{northeurope}
{australiaeast}
{westus2}
{uksouth}
{eastus2euap}
{francecentral}

Best suited

NFS with Azure Files is ideal for:

  • Workloads that require POSIX-compliant file shares, case sensitivity, or Unix-style permissions (UID/GID).
  • Linux-centric workloads that do not require Windows access.

Security

All Azure Files data is encrypted at rest. For encryption in transit, Azure provides a layer of encryption for all data in transit between Azure datacenters using MACSec, so data is encrypted when it is transferred between Azure datacenters.

Unlike Azure Files using the SMB protocol, file shares using the NFS protocol do not offer user-based authentication. Authentication for NFS shares is based on the configured network security rules. For this reason, to ensure only secure connections are established to your NFS share, you must use either service endpoints or private endpoints. If you want to access shares from on-premises, then in addition to a private endpoint you must set up a VPN or ExpressRoute. Requests that do not originate from the following sources will be rejected:

For more details on the available networking options, see Azure Files networking considerations.
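
Because access control for NFS shares rests on network rules alone, it is worth checking each account's rules against the requirements above. The following is an added example, not part of the original page or Microsoft's own code. It assumes input objects shaped like the StorageAccountName and NetworkRuleSet properties of Get-AzStorageAccount output; the function name Get-NfsNetworkFinding, the PrivateEndpointCount property and the sample accounts are hypothetical.

```powershell
# Added example. Input objects mimic the StorageAccountName and NetworkRuleSet
# properties returned by Get-AzStorageAccount (assumption); PrivateEndpointCount
# is a hypothetical property the caller fills in.
function Get-NfsNetworkFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    process {
        $rules     = $Account.NetworkRuleSet
        # Filter out $null so an empty rule list counts as 0, not 1.
        $vnetCount = @($rules.VirtualNetworkRules | Where-Object { $_ }).Count
        $ipCount   = @($rules.IpRules | Where-Object { $_ }).Count
        $findings  = @()

        if ("$($rules.DefaultAction)" -ne 'Deny') {
            $findings += 'Default network action is not Deny; NFS has no user-based authentication to fall back on.'
        }
        if ($vnetCount -eq 0 -and [int]$Account.PrivateEndpointCount -eq 0) {
            $findings += 'No service endpoint (virtual network rule) or private endpoint is configured.'
        }
        if ($ipCount -gt 0) {
            $findings += "$ipCount IP rule(s) present; public IP safe listing is not supported for NFS."
        }

        [pscustomobject]@{
            Account   = $Account.StorageAccountName
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join ' '
        }
    }
}

# Constructed sample accounts (not real resources).
$sample = @(
    [pscustomobject]@{ StorageAccountName = 'nfsexample01'; PrivateEndpointCount = 1
        NetworkRuleSet = [pscustomobject]@{ DefaultAction = 'Deny'; VirtualNetworkRules = @(); IpRules = @() } },
    [pscustomobject]@{ StorageAccountName = 'nfsexample02'; PrivateEndpointCount = 0
        NetworkRuleSet = [pscustomobject]@{ DefaultAction = 'Allow'; VirtualNetworkRules = @(); IpRules = @('203.0.113.10') } },
    [pscustomobject]@{ StorageAccountName = 'nfsexample03'; PrivateEndpointCount = 0
        NetworkRuleSet = [pscustomobject]@{ DefaultAction = 'Deny'; VirtualNetworkRules = @('subnet-a'); IpRules = @() } }
)

$sample | Get-NfsNetworkFinding | Format-List
```

With the constructed data, only nfsexample02 is reported as non-compliant, with all three findings.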

SMB shares

Azure file shares mounted with SMB offer more Azure Files features and, because SMB is generally available, have no Azure Files feature restrictions.

Features

  • Azure file sync
  • Identity-based authentication
  • Azure Backup support
  • Snapshots
  • Soft delete
  • Encryption-in-transit and encryption-at-rest

Best suited

SMB with Azure Files is ideal for:

  • Production environments
  • Customers that require any of the features listed in Features

Next steps