Azure File Sync proxy and firewall settings

Azure File Sync connects your on-premises servers to Azure Files, enabling multi-site synchronization and cloud tiering features. As such, an on-premises server must be connected to the internet. An IT admin needs to decide the best path for the server to reach into Azure cloud services.

This article will provide insight into specific requirements and options available to successfully and securely connect your server to Azure File Sync.


Azure File Sync acts as an orchestration service between your Windows Server, your Azure file share, and several other Azure services to sync data as described in your sync group. For Azure File Sync to work correctly, you will need to configure your servers to communicate with the following Azure services:

  • Azure Storage
  • Azure File Sync
  • Azure Resource Manager
  • Authentication services


The Azure File Sync agent on Windows Server initiates all requests to cloud services which results in only having to consider outbound traffic from a firewall perspective.
No Azure service initiates a connection to the Azure File Sync agent.


Azure File Sync moves file data and metadata exclusively over HTTPS and requires port 443 to be open outbound. As a result all traffic is encrypted.

Networks and special connections to Azure

The Azure File Sync agent has no requirements regarding special channels like ExpressRoute, etc. to Azure.

Azure File Sync will work through any means available that allow reach into Azure, automatically adapting to various network characteristics like bandwidth, latency as well as offering admin control for fine-tuning. Not all features are available at this time. If you would like to configure specific behavior, let us know via Azure Files UserVoice.


Azure File Sync supports app-specific and machine-wide proxy settings.

App-specific proxy settings allow configuration of a proxy specifically for Azure File Sync traffic. App-specific proxy settings are supported on agent version or newer and can be configured during the agent installation or by using the Set-StorageSyncProxyConfiguration PowerShell cmdlet.

PowerShell commands to configure app-specific proxy settings:

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
Set-StorageSyncProxyConfiguration -Address <url> -Port <port number> -ProxyCredential <credentials>

Machine-wide proxy settings are transparent to the Azure File Sync agent as the entire traffic of the server is routed through the proxy.

To configure machine-wide proxy settings, follow the steps below:

  1. Configure proxy settings for .NET applications

    • Edit these two files:

    • Add the <> section in the machine.config files (below the <system.serviceModel> section). Change 127.0.01:8888 to the IP address and port for the proxy server.

         <defaultProxy enabled="true" useDefaultCredentials="true">
           <proxy autoDetect="false" bypassonlocal="false" proxyaddress="" usesystemdefault="false" />
  2. Set the WinHTTP proxy settings

    • Run the following command from an elevated command prompt or PowerShell to see the existing proxy setting:

      netsh winhttp show proxy

    • Run the following command from an elevated command prompt or PowerShell to set the proxy setting (change 127.0.01:8888 to the IP address and port for the proxy server):

      netsh winhttp set proxy

  3. Restart the Storage Sync Agent service by running the following command from an elevated command prompt or PowerShell:

    net stop filesyncsvc

    Note: The Storage Sync Agent (filesyncsvc) service will auto-start once stopped.


As mentioned in a previous section, port 443 needs to be open outbound. Based on policies in your datacenter, branch or region, further restricting traffic over this port to specific domains may be desired or required.

The following table describes the required domains for communication:

Service Public cloud endpoint Azure Government endpoint Usage
Azure Resource Manager Any user call (like PowerShell) goes to/through this URL, including the initial server registration call.
Azure Active Directory Azure Resource Manager calls must be made by an authenticated user. To succeed, this URL is used for user authentication.
Azure Active Directory As part of deploying Azure File Sync, a service principal in the subscription's Azure Active Directory will be created. This URL is used for that. This principal is used for delegating a minimal set of rights to the Azure File Sync service. The user performing the initial setup of Azure File Sync must be an authenticated user with subscription owner privileges.
Azure Storage * * When the server downloads a file, then the server performs that data movement more efficiently when talking directly to the Azure file share in the Storage Account. The server has a SAS key that only allows for targeted file share access.
Azure File Sync * * After initial server registration, the server receives a regional URL for the Azure File Sync service instance in that region. The server can use the URL to communicate directly and efficiently with the instance handling its sync.
Microsoft PKI
Once the Azure File Sync agent is installed, the PKI URL is used to download intermediate certificates required to communicate with the Azure File Sync service and Azure file share. The OCSP URL is used to check the status of a certificate.


When allowing traffic to *, traffic to more than just the sync service is possible from the server. There are many more Microsoft services available under subdomains.

If * is too broad, you can limit the server's communication by allowing communication to only explicit regional instances of the Azure Files Sync service. Which instance(s) to choose depends on the region of the storage sync service you have deployed and registered the server to. That region is called "Primary endpoint URL" in the table below.

For business continuity and disaster recovery (BCDR) reasons you may have specified your Azure file shares in a globally redundant (GRS) storage account. If that is the case, then your Azure file shares will fail over to the paired region in the event of a lasting regional outage. Azure File Sync uses the same regional pairings as storage. So if you use GRS storage accounts, you need to enable additional URLs to allow your server to talk to the paired region for Azure File Sync. The table below calls this "Paired region". Additionally, there is a traffic manager profile URL that needs to be enabled as well. This will ensure network traffic can be seamlessly re-routed to the paired region in the event of a fail-over and is called "Discovery URL" in the table below.

Cloud Region Primary endpoint URL Paired region Discovery URL
Public Australia East Australia Southeast
Public Australia Southeast Australia East
Public Brazil South South Central US
Public Canada Central Canada East
Public Canada East Canada Central
Public Central India South India
Public Central US East US 2
Public East Asia Southeast Asia
Public East US West US
Public East US 2 Central US
Public Japan East Japan West
Public Japan West Japan East
Public Korea Central Korea South
Public Korea South Korea Central
Public North Central US South Central US
Public North Europe West Europe
Public South Central US North Central US
Public South India Central India
Public Southeast Asia East Asia
Public UK South UK West
Public UK West UK South
Public West Central US West US 2
Public West Europe North Europe
Public West US East US
Public West US 2 West Central US
Government US Gov Arizona US Gov Texas
Government US Gov Texas US Gov Arizona
  • If you use locally redundant (LRS) or zone redundant (ZRS) storage accounts, you only need to enable the URL listed under "Primary endpoint URL".

  • If you use globally redundant (GRS) storage accounts, enable three URLs.

Example: You deploy a storage sync service in "West US" and register your server with it. The URLs to allow the server to communicate to for this case are:

  • (primary endpoint: West US)
  • (paired fail-over region: East US)
  • (discovery URL of the primary region)

Summary and risk limitation

The lists earlier in this document contain the URLs Azure File Sync currently communicates with. Firewalls must be able to allow traffic outbound to these domains. Microsoft strives to keep this list updated.

Setting up domain restricting firewall rules can be a measure to improve security. If these firewall configurations are used, one needs to keep in mind that URLs will be added and might even change over time. Check this article periodically.

Next steps