Azure File Sync proxy and firewall settings
Azure File Sync connects your on-premises servers to Azure Files, enabling multi-site synchronization and cloud tiering features. As such, an on-premises server must be connected to the internet. An IT admin needs to decide the best path for the server to reach into Azure cloud services.
This article will provide insight into specific requirements and options available to successfully and securely connect your server to Azure File Sync.
Azure File Sync does not yet support firewalls and virtual networks for a storage account.
Azure File Sync acts as an orchestration service between your Windows Server, your Azure file share, and several other Azure services to sync data as described in your sync group. For Azure File Sync to work correctly, you will need to configure your servers to communicate with the following Azure services:
- Azure Storage
- Azure File Sync
- Azure Resource Manager
- Authentication services
The Azure File Sync agent on Windows Server initiates all requests to cloud services which results in only having to consider outbound traffic from a firewall perspective.
No Azure service initiates a connection to the Azure File Sync agent.
Azure File Sync moves file data and metadata exclusively over HTTPS and requires port 443 to be open outbound. As a result all traffic is encrypted.
Networks and special connections to Azure
The Azure File Sync agent has no requirements regarding special channels like ExpressRoute, etc. to Azure.
Azure File Sync will work through any means available that allow reach into Azure, automatically adapting to various network characteristics like bandwidth, latency as well as offering admin control for fine-tuning. Not all features are available at this time. If you would like to configure specific behavior, let us know via Azure Files UserVoice.
Azure File Sync supports app-specific and machine-wide proxy settings.
App-specific proxy settings allow configuration of a proxy specifically for Azure File Sync traffic. App-specific proxy settings are supported on agent version 188.8.131.52 or newer and can be configured during the agent installation or by using the Set-StorageSyncProxyConfiguration PowerShell cmdlet.
PowerShell commands to configure app-specific proxy settings:
Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll" Set-StorageSyncProxyConfiguration -Address <url> -Port <port number> -ProxyCredential <credentials>
Machine-wide proxy settings are transparent to the Azure File Sync agent as the entire traffic of the server is routed through the proxy.
To configure machine-wide proxy settings, follow the steps below:
Configure proxy settings for .NET applications
Edit these two files:
Add the <system.net> section in the machine.config files (below the <system.serviceModel> section). Change 127.0.01:8888 to the IP address and port for the proxy server.
<system.net> <defaultProxy enabled="true" useDefaultCredentials="true"> <proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" usesystemdefault="false" /> </defaultProxy> </system.net>
Set the WinHTTP proxy settings
Run the following command from an elevated command prompt or PowerShell to see the existing proxy setting:
netsh winhttp show proxy
Run the following command from an elevated command prompt or PowerShell to set the proxy setting (change 127.0.01:8888 to the IP address and port for the proxy server):
netsh winhttp set proxy 127.0.0.1:8888
Restart the Storage Sync Agent service by running the following command from an elevated command prompt or PowerShell:
net stop filesyncsvc
Note: The Storage Sync Agent (filesyncsvc) service will auto-start once stopped.
As mentioned in a previous section, port 443 needs to be open outbound. Based on policies in your datacenter, branch or region, further restricting traffic over this port to specific domains may be desired or required.
The following table describes the required domains for communication:
|Service||Public cloud endpoint||Azure Government endpoint||Usage|
|Azure Resource Manager||https://management.azure.com||https://management.usgovcloudapi.net||Any user call (like PowerShell) goes to/through this URL, including the initial server registration call.|
|Azure Active Directory||https://login.windows.net||https://login.microsoftonline.us||Azure Resource Manager calls must be made by an authenticated user. To succeed, this URL is used for user authentication.|
|Azure Active Directory||https://graph.windows.net/||https://graph.windows.net/||As part of deploying Azure File Sync, a service principal in the subscription's Azure Active Directory will be created. This URL is used for that. This principal is used for delegating a minimal set of rights to the Azure File Sync service. The user performing the initial setup of Azure File Sync must be an authenticated user with subscription owner privileges.|
|Azure Storage||*.core.windows.net||*.core.usgovcloudapi.net||When the server downloads a file, then the server performs that data movement more efficiently when talking directly to the Azure file share in the Storage Account. The server has a SAS key that only allows for targeted file share access.|
|Azure File Sync||*.one.microsoft.com||*.afs.azure.us||After initial server registration, the server receives a regional URL for the Azure File Sync service instance in that region. The server can use the URL to communicate directly and efficiently with the instance handling its sync.|
|Once the Azure File Sync agent is installed, the PKI URL is used to download intermediate certificates required to communicate with the Azure File Sync service and Azure file share. The OCSP URL is used to check the status of a certificate.|
When allowing traffic to *.one.microsoft.com, traffic to more than just the sync service is possible from the server. There are many more Microsoft services available under subdomains.
If *.one.microsoft.com is too broad, you can limit the server's communication by allowing communication to only explicit regional instances of the Azure Files Sync service. Which instance(s) to choose depends on the region of the storage sync service you have deployed and registered the server to. That region is called "Primary endpoint URL" in the table below.
For business continuity and disaster recovery (BCDR) reasons you may have specified your Azure file shares in a globally redundant (GRS) storage account. If that is the case, then your Azure file shares will fail over to the paired region in the event of a lasting regional outage. Azure File Sync uses the same regional pairings as storage. So if you use GRS storage accounts, you need to enable additional URLs to allow your server to talk to the paired region for Azure File Sync. The table below calls this "Paired region". Additionally, there is a traffic manager profile URL that needs to be enabled as well. This will ensure network traffic can be seamlessly re-routed to the paired region in the event of a fail-over and is called "Discovery URL" in the table below.
If you use locally redundant (LRS) or zone redundant (ZRS) storage accounts, you only need to enable the URL listed under "Primary endpoint URL".
If you use globally redundant (GRS) storage accounts, enable three URLs.
Example: You deploy a storage sync service in
"West US" and register your server with it. The URLs to allow the server to communicate to for this case are:
Summary and risk limitation
The lists earlier in this document contain the URLs Azure File Sync currently communicates with. Firewalls must be able to allow traffic outbound to these domains. Microsoft strives to keep this list updated.
Setting up domain restricting firewall rules can be a measure to improve security. If these firewall configurations are used, one needs to keep in mind that URLs will be added and might even change over time. Check this article periodically.
Send feedback about: