Planning for an Azure Files deployment
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol. Because Azure Files is fully managed, deploying it in production scenarios is much easier than deploying and managing a file server or NAS device. This article addresses the topics to consider when deploying an Azure File share for production use within your organization.
The following diagram illustrates the Azure Files management constructs:
Storage Account: All access to Azure Storage is done through a storage account. See Scalability and Performance Targets for details about storage account capacity.
Share: A File Storage share is an SMB file share in Azure. All directories and files must be created in a parent share. An account can contain an unlimited number of shares, and a share can store an unlimited number of files, up to the 5 TiB total capacity of the file share.
Directory: An optional hierarchy of directories.
File: A file in the share. A file may be up to 1 TiB in size.
URL format: For requests to an Azure File share made with the File REST protocol, files are addressable using the following URL format:
Data access method
Azure Files offers two, built-in, convenient data access methods that you can use separately, or in combination with each other, to access your data:
- Direct cloud access: Any Azure File share can be mounted by Windows, macOS, and/or Linux with the industry standard Server Message Block (SMB) protocol or via the File REST API. With SMB, reads and writes to files on the share are made directly on the file share in Azure. To mount by a VM in Azure, the SMB client in the OS must support at least SMB 2.1. To mount on-premises, such as on a user's workstation, the SMB client supported by the workstation must support at least SMB 3.0 (with encryption). In addition to SMB, new applications or services may directly access the file share via File REST, which provides an easy and scalable application programming interface for software development.
- Azure File Sync (preview): With Azure File Sync, shares can be replicated to Windows Servers on-premises or in Azure. Your users would access the file share through the Windows Server, such as through an SMB or NFS share. This is useful for scenarios in which data will be accessed and modified far away from an Azure datacenter, such as in a branch office scenario. Data may be replicated between multiple Windows Server endpoints, such as between multiple branch offices. Finally, data may be tiered to Azure Files, such that all data is still accessible via the Server, but the Server does not have a full copy of the data. Rather, data is seamlessly recalled when opened by your user.
The following table illustrates how your users and applications can access your Azure File share:
|Direct cloud access||Azure File Sync|
|What protocols do you need to use?||Azure Files supports SMB 2.1, SMB 3.0, and File REST API.||Access your Azure File share via any supported protocol on Windows Server (SMB, NFS, FTPS, etc.)|
|Where are you running your workload?||In Azure: Azure Files offers direct access to your data.||On-premises with slow network: Windows, Linux, and macOS clients can mount a local on-premises Windows File share as a fast cache of your Azure File share.|
|What level of ACLs do you need?||Share and file level.||Share, file, and user level.|
Azure Files has several built-in options for ensuring data security:
- Support for encryption in both over-the-wire protocols: SMB 3.0 encryption and File REST over HTTPS. By default:
- Clients which support SMB 3.0 encryption send and receive data over an encrypted channel.
- Clients which do not support SMB 3.0, can communicate intra-datacenter over SMB 2.1 or SMB 3.0 without encryption. Note that clients are not allowed to communicate inter-datacenter over SMB 2.1 or SMB 3.0 without encryption.
- Clients can communicate over File REST with either HTTP or HTTPS.
- Encryption at-rest (Azure Storage Service Encryption): We are in the process of enabling Storage Service Encryption (SSE) on the underlying Azure Storage platform. This means that encryption will be enabled by default for all storage accounts. If you are creating a new storage account in a region with encryption at-rest on default, you don't have to do anything to enable. Data at-rest is encrypted with fully-managed keys. Encryption at-rest does not increase storage costs or reduce performance.
Optional requirement of encrypted data in-transit: when selected, Azure Files will not allow access to the data over unencrypted channels. Specifically, only HTTPS and SMB 3.0 with encryption connections will be allowed.
For maximum security, we strongly recommend always enabling both encryption at-rest and enabling encryption of data in-transit whenever you are using modern clients to access your data. For example, if you need to mount a share on a Windows Server 2008 R2 VM, which only supports SMB 2.1, you need to allow unencrypted traffic to your storage account since SMB 2.1 does not support encryption.
If you are using Azure File Sync to access your Azure File share, we will always use HTTPS and SMB 3.0 with encryption to sync your data to your Windows Servers, regardless of whether you require encryption of data at-rest.
Azure Files supports two data redundancy options: locally redundant storage (LRS) and geo-redundant storage (GRS). The following sections describe the differences between locally redundant storage and geo-redundant storage:
Locally redundant storage
Locally redundant storage (LRS) is designed to provide at least 99.999999999% (11 9's) durability of objects over a given year by replicating your data within a storage scale unit, which is hosted in a datacenter in the region in which you created your storage account. A write request returns successfully only once it has been written to all replicas. These replicas each reside in separate fault domains and upgrade domains within one storage scale unit.
A storage scale unit is a collection of racks of storage nodes. A fault domain (FD) is a group of nodes that represent a physical unit of failure and can be considered as nodes belonging to the same physical rack. An upgrade domain (UD) is a group of nodes that are upgraded together during the process of a service upgrade (rollout). The replicas are spread across UDs and FDs within one storage scale unit to ensure that data is available even if hardware failure impacts a single rack or when nodes are upgraded during a rollout.
LRS is the lowest cost option and offers least durability compared to other options. In the event of a datacenter level disaster (fire, flooding etc.) all replicas might be lost or unrecoverable. To mitigate this risk, Geo Redundant Storage (GRS) is recommended for most applications.
Locally redundant storage may still be desirable in certain scenarios:
- Provides highest maximum bandwidth of Azure Storage replication options.
- If your application stores data that can be easily reconstructed, you may opt for LRS.
- Some applications are restricted to replicating data only within a country due to data governance requirements. A paired region could be in another country. For more information on region pairs, see Azure regions.
Geo-redundant storage (GRS) is designed to provide at least 99.99999999999999% (16 9's) durability of objects over a given year by replicating your data to a secondary region that is hundreds of miles away from the primary region. If your storage account has GRS enabled, then your data is durable even in the case of a complete regional outage or a disaster in which the primary region is not recoverable.
For a storage account with GRS enabled, an update is first committed to the primary region. Then the update is replicated asynchronously to the secondary region, where it is also replicated.
With GRS, both the primary and secondary regions manage replicas across separate fault domains and upgrade domains within a storage scale unit as described with LRS.
- Since asynchronous replication involves a delay, in the event of a regional disaster it is possible that changes that have not yet been replicated to the secondary region will be lost if the data cannot be recovered from the primary region.
- The replica is not available unless Microsoft initiates failover to the secondary region. If Microsoft does initiate a failover to the secondary region, you will have read and write access to that data after the failover has completed. For more information, please see Disaster Recovery Guidance.
- If an application wants to read from the secondary region, the user should enable RA-GRS.
When you create a storage account, you select the primary region for the account. The secondary region is determined based on the primary region, and cannot be changed. The following table shows the primary and secondary region pairings.
|North Central US||South Central US|
|South Central US||North Central US|
|East US||West US|
|West US||East US|
|US East 2||Central US|
|Central US||US East 2|
|North Europe||West Europe|
|West Europe||North Europe|
|South East Asia||East Asia|
|East Asia||South East Asia|
|East China||North China|
|North China||East China|
|Japan East||Japan West|
|Japan West||Japan East|
|Brazil South||South Central US|
|Australia East||Australia Southeast|
|Australia Southeast||Australia East|
|India South||India Central|
|India Central||India South|
|India West||India South|
|US Gov Iowa||US Gov Virginia|
|US Gov Virginia||US Gov Texas|
|US Gov Texas||US Gov Arizona|
|US Gov Arizona||US Gov Texas|
|Canada Central||Canada East|
|Canada East||Canada Central|
|UK West||UK South|
|UK South||UK West|
|Germany Central||Germany Northeast|
|Germany Northeast||Germany Central|
|West US 2||West Central US|
|West Central US||West US 2|
For up-to-date information about regions supported by Azure, see Azure regions.
US Gov Virginia secondary region is US Gov Texas. Previously, US Gov Virginia utilized US Gov Iowa as a secondary region. Storage accounts still leveraging US Gov Iowa as a secondary region are being migrated to US Gov Texas as a secondary region.
Data growth pattern
Today, the maximum size for an Azure File share is 5 TiB, inclusive of share snapshots. Because of this current limitation, you must consider the expected data growth when deploying an Azure File share. Note that an Azure Storage account, can store multiple shares with a total of 500 TiB stored across all shares.
It is possible to sync multiple Azure File shares to a single Windows File Server with Azure File Sync. This allows you to ensure that older, very large file shares that you may have on-premises can be brought into Azure File Sync. Please see Planning for an Azure File Sync Deployment for more information.
Data transfer method
There are many easy options to bulk transfer data from an existing file share, such as an on-premises file share, into Azure Files. A few popular ones include (non-exhaustive list):
- Azure File Sync: As part of a first sync between an Azure File share (a "Cloud Endpoint") and a Windows directory namespace (a "Server Endpoint"), Azure File Sync will replicate all data from the existing file share to Azure Files.
- Azure Import/Export: The Azure Import/Export service allows you to securely transfer large amounts of data into an Azure File share by shipping hard disk drives to an Azure datacenter.
- Robocopy: Robocopy is a well known copy tool that ships with Windows and Windows Server. Robocopy may be used to transfer data into Azure Files by mounting the file share locally, and then using the mounted location as the destination in the Robocopy command.
- AzCopy: AzCopy is a command-line utility designed for copying data to and from Azure Files, as well as Azure Blob storage, using simple commands with optimal performance. AzCopy is available for Windows and Linux.